UPDATED: Adds A Comment From The DoD Refuting ITAAC’s Report And Its Recommendations
The Pentagon’s plan to award a single enterprise-wide cloud computing contract under the $10 billion Joint Enterprise Defense Infrastructure (JEDI) program runs completely counter to the DoD CIO office’s strategy for how DoD should deploy cloud capabilities.
That’s the finding of a report issued by the non-profit IT Acquisition Advisory Council (ITAAC), which identifies numerous ways that the JEDI proposal ignores or diverges from the DoD CIO’s cloud strategy. As such, the report calls for JEDI to be rescinded and revised.
“We believe a better outcome would come from a multi-cloud approach as detailed in the DOD cloud strategy that includes continuous updates and expansion of MilCloud to house our most sensitive data, and adoption of commercial cloud, hybrid, and private cloud across the department to enable IT modernization across multiple architectures, and enable modern technologies such as artificial intelligence,” says an ITAAC letter signed by Steven Cooper, the former CIO of DHS, FAA, and the Department of Commerce; and Dave Deptula, head of the Mitchell Institute, and others.
The letter and the report were sent to the Defense Secretary, DoD CIO, House and Senate Armed Services committees, and the White House Office of Management and Budget. Last week, President Trump panned the contract and said it should be investigated. JEDI is a potential 10-year contest between Amazon Web Services and Microsoft Azure that is expected to be awarded by the end of the summer.
ADD In response to a request for comment from Breaking Defense, DoD spokeswoman Elissa Smith provided a statement that refutes ITAAC’s characterization of the JEDI RFP. “The President and Secretary Esper share a deep commitment to ensuring America’s warfighters have the capabilities needed to remain the most lethal force in the world. The DOD Cloud Strategy requires an ecosystem that takes full advantage of machine learning and artificial intelligence. The July 23 Information Technology Acquisition Advisory Council (IT-AAC) Report on DOD Cloud Adoption is not an accurate or credible analysis of the department’s efforts to move to the cloud.”
In it’s report, ITAAC states its case. ADD ENDS “While JEDI was intended to be a part of a larger DoD cloud environment, the vision for this larger environment was not articulated until the DoD Cloud Strategy was publicly unveiled in February 2019. The strategy took a different direction from the JEDI RFP, embracing multi-cloud, hybrid, and commercial cloud solutions. Unlike JEDI, the strategy integrated lessons from private sector use of cloud services and explained how DoD would transition from legacy on-premises systems to a modern cloud architecture. It also dictated how DoD would use SaaS (software as a service) in conjunction with other cloud architectures. The net result is that the JEDI RFP and the DoD cloud strategy articulate different, incompatible approaches to cloud adoption across DoD.”
Those incompatibilities are found in many areas, according to ITAAC. The council is a non-profit, public/private partnership of members whose charter is to provide Congress and the Executive Branch with an independent view on IT-related acquisitions.
For example, the JEDI RFP calls for a single, sole-source system rather than a multi-vendor, multi-technology environment with numerous clouds identified by the DoD CIO strategy. “In viewing JEDI as a singular entity, DoD fails to account for the numerous points of connection that the operational system will require with MilCloud, fit-for-purpose clouds, on-premises systems, and other IT environments,” the report states.
In addition, the CIO’s strategy demonstrates an understanding of the security challenges facing DoD. The JEDI RFP doesn’t. “The JEDI RFP…focuses on the most basic compliance measures…which are largely backward-looking standards intended to help cloud vendors integrate with current, lowest-common-denominator federal IT standards.”
The strategy also describes a DoD IT ecosystem where software as a service (SaaS) dominates. Under SaaS, organizations access software and applications via the Internet rather than installing them on individual computers and servers. Cloud computing environments depend on SaaS for operations and security. “Although DoD is clearly envisioning an environment integrating cloud products from many vendors, the JEDI RFP does not reflect this.”
The strategy also injects private-sector innovation and a commercial mindset into cloud deployment. “This stands in stark contrast to the JEDI proposal, which contains highly detailed technical requirements. Multiple cloud vendors have invested heavily in developing autonomous cloud management capabilities and in simplifying migration in response to the challenges large enterprises have had in moving into the cloud. Yet JEDI does not consider these innovations, which would have provided significant additional value to the government.”
To address these shortcomings, ITAAC recommends that “DoD should rescind and revise the JEDI RFP to ensure consistency with the new approach outlined by the (DoD CIO) strategy. At this point, with the JEDI RFP already released and competition under way, DoD is committed to assessing solutions against criteria that do not match the direction outlined in its strategy. Without this adjustment, DoD will embark on a $10 billion, ten-year cloud commitment that will not meet warfighting needs, while also creating significant risk to our most sensitive data by exposing it to commercial networks.”