Is DISA’s Commercial Cloud Services Acquisition Dead?

Published: April 02, 2014

Cloud ComputingDEFENSEDISA

The recent announcement that Amazon Web Services received provisional authority to provide cloud services to Defense customers raises big questions about the necessity for DISA to compete a multiple award IDIQ contract vehicle for commercial cloud services. As more commercial providers receive authorizations, the larger the pool of vendors becomes to compete for cloud work advertised by any Defense customer without the need for a contract vehicle. In other words, has DISA killed its own Commercial Cloud Services Provider contract competition?

March was an interesting month for cloud computing at the Defense Information Systems Agency (DISA).  First, on March 18th the agency posted an announcement on its website that it “now offers milCloud, a cloud-service portfolio, featuring an integrated suite of capabilities designed to drive agility into the development, deployment, and maintenance of DoD applications.”  That same day, DISA’s Chief of Staff, Brigadier General Fred Henry, assured an audience at the AFCEA Army IT Day that the offerings of milCloud are comparable to those available in a commercial cloud, both in cost and capability.  One week later, Amazon Web Services announced that its cloud services had received from DISA “a DoD Provisional Authorization under the DoD Cloud Security Model (CSM) for Impact Levels 1-2.”  In receiving the DoD ATO, AWS joined two other infrastructure-as-a-service (IaaS) providers – Autonomic and CGI Federal – eligible to provide cloud services to Defense customers.  This announcement came less than two weeks after DoD CIO Teri Takai told a House Armed Services subcommittee that a total of nine cloud service providers are currently in the process of receiving authorization to provide cloud services to the DoD.

DISA’s milCloud announcement took many by surprise, particularly because the implications of it are that vendors will need to compete with the agency to provide cloud services to Defense customers.  On the face of it, this appears to be the case.  Defense customers will have the option of using milCloud services or those offered by commercial cloud providers at approved data impact levels.  In practice, however, I suspect there will be plenty of business to go around for commercial providers.  I think this because ever since the issue of DoD using cloud services arose some 4-5 years ago, there have always been core systems and capabilities that the DoD said it absolutely would not host in a commercial cloud.  Add to this the security requirements imposed by U.S. Cyber Command, and you can see why DISA would choose to play it safe by developing its own cloud solution.  At the same time, the department has for years sought to effectively leverage the benefits of cloud computing.  The milCloud solution seems to offer DoD the best of both worlds by balancing the need of Defense customers for access to cloud services in a secure, non-commercial environment.

More curious to me has been the issuance of ATOs to commercial cloud providers in the absence of a competitive setting.  I understand why the Cloud Broker PMO has done it, but is DISA now going to hold a competition for the Commercial Cloud Services Provider acquisition among only the handful of CSPs that have received ATOs?  Can you imagine the howl that will rise from industry (and maybe Congress too!) if competition is limited to only a small number of vendors?  How could contracts be awarded without dozens of protests that hold up the acquisition for years?

The question also arises if a competition to put a cloud services IDIQ into place is even necessary.  Now that multiple CSPs have been authorized to provide cloud services, what’s to stop any Defense customer from simply putting out an RFP for cloud hosting or migration services?  Having an ATO would be a requirement like any other professional certification (CMMI or ISO 9001:2000, anyone?).  The competitive pool would be limited to those vendors that have authorization. 

In short, I find the announcement of milCloud less interesting than the announcement from AWS about its ATO.  By awarding ATOs to AWS and others, DISA may have managed to side-step the entire question of whether a commercial cloud services IDIQ is needed.  Anyone want to bet on when the cancellation notice comes out?