Thoughts on the DOD’s Updated Cloud Strategy
Published: June 29, 2022
Where the DOD’s cloud computing strategy might be heading.
The Department of Defense (DOD) published a new software modernization strategy in February 2022. For those who missed it, the strategy “builds on, supplements, and in some ways replaces” DOD’s previous cloud strategy. The strategy outlines 4 objectives that the department will pursue in order to accelerate the development of its enterprise cloud capability.
Objective #1: Create an Innovative Portfolio of Cloud Contracts
This objective aims to:
- Provide access to cloud services across the enterprise in order to maintain parity with the commercial market.
- Award a meaningfully differentiated set of enterprise contracts that avoids duplication.
- Improve contracting processes for cloud services to ensure access to the full breadth of cloud security services.
The first part of Objective #1 refers to the pending award of enterprise-wide Joint Warfighter Cloud Capability (JWCC) contracts in December 2022. Four contracts are expected to be awarded, although the DOD has reserved the right to award more or fewer contracts than those offered to the cloud service providers (CSPs) AWS, Microsoft, Oracle, and Google. Additional CSPs may also be awarded contracts, but in order to receive one, a CSP must be able to demonstrate that the required security controls are in place.
The third part of Objective #1 hints at what is coming down the road – the creation of a Defense Cloud Marketplace. Notably, all of the named JWCC awardees are large Infrastructure-as-a-Service (IaaS) providers that host capabilities developed by other (typically smaller) companies.
The establishment of secure commercial hosting environments for approved capabilities will enable the creation of a catalog of cloud services that customers can buy and use on a consumption model. This suggests that the days of contracting for separate categories of cloud capabilities will become a thing of the past and that the DOD’s cloud spending will become centralized in the JWCC construct.
Objective #2: Accelerate Cloud Adoption through Automated Design Patterns
This objective will:
- Provide reusable automated design patterns, such as Infrastructure as Code, Compliance as Code, and hardened software containers, to simplify standing up and configuring virtual development environments.
- Integrate automated design patterns across the DOD, including authorization processes that are continuously updated and configuration controlled.
This part of the strategy will enable Defense customers to rapidly acquire and use cloud services in a secure manner based on zero trust principles and in a software-defined environment. Software-defined infrastructure is something that the Defense Information Systems Agency has been working on for a while. It is possible, however, that the DOD envisions the JWCC as both a computing paradigm and a software-defined infrastructure for cloud services, much like the Enterprise IT-as-a-Service (EITaaS) effort, which provides a modern commercial transport infrastructure to Defense customers parallel to government-provided networks.
Objective #3: Secure DOD Data in the Cloud
This objective seeks to:
- Improve authorization processes for cloud providers, such as FedRAMP and continuous Authority to Operate (cATO) approval.
- Establish Defensive Cyber Operations in the cloud by maturing capabilities currently in use.
This objective signals the DOD’s interest in speeding up the ATO process for commercial partners. There is another factor to consider here as well; current security requirements allow capabilities to be deployed in a secure DOD-approved cloud infrastructure even if the capability itself did not receive a separate authorization.
Put differently, if a small company builds a capability to run on the platform of an enterprise service provider, the capability can be securely hosted in that environment, thereby limiting the number of environments to be continuously monitored. Effectively, the DOD is “baking” security into its cloud capabilities by requiring them to be hosted in JWCC clouds that have already been authorized to operate. Continuous monitoring capabilities can then be focused on the smaller number of JWCC CSPs vs. the plethora of small, mid-sized, and large providers now serving the department.
Objective #4: Prepare OCONUS Infrastructure for Cloud
This objective calls for:
- Improving OCONUS infrastructure, from facilities to networks, to fully take advantage of cloud services and enable persistent warfighter access to data sources and producers.
Building out cloud infrastructure globally will be a boon for the large CSPs. Smaller partners, too, should benefit from providing supporting hardware and services.
Development Security Operations (DevSecOps) are moving to the center of DOD’s cloud operations. Winners of the JWCC contracts will be used as the DOD’s enterprise software development providers, consolidating existing capabilities and limiting broader business opportunities in the space.