In a June 2012 memo, DoD Chief Information Officer Teri Takai said all department components must acquire government or industry-provided cloud services using DISA. (DoD / Monica A. King)
DISA's Fort Meade, Md., headquarters. / Army Corps of Engineers
A year and a half since its designation as the Pentagon’s cloud service broker, the Defense Information Systems Agency is still working through the logistics of managing cloud services departmentwide.
More than 40 requests had been submitted to DISA for cloud services, said Jennifer Carter, DISA’s component acquisition executive. Of those, DISA has matched a dozen Defense Department customers with potential services to meet their cloud computing needs, including those offered by DISA and the private sector.
But only one of those arrangements has resulted in a contract award, according to DISA. The others are in various stages of the contracting process.
“As we move to what we would consider more full operational capability, we’ll be basically automating how we do that, and also working to establish more maturity on the cloud offerings that DISA has, as well,” Carter said of matching customers with cloud offerings.
One apparent challenge is that the qualified pool of commercial cloud services is slim.
Autonomic Resources’ Cloud Platform (ARC-P) is the only commercial cloud offering in DISA’s service catalog, which the agency uses to match customers with available services. The company’s solution was cleared by a joint board as having met governmentwide cloud security standards and received DoD approval for meeting its additional requirements.
DISA said it also is matching customers with cloud services that are in the process of receiving DoD approval, known as a provisional authority to operate. By doing so, customers can use the service as soon as possible if it meets DoD security requirements.
In a June 2012 memo, DoD Chief Information Officer Teri Takai said all department components must acquire government or industry-provided cloud services using DISA. The only exception is to obtain a waiver from a review authority designated by Takai.
“There are a lot of cloud providers potentially approaching DoD customers and trying to sell cloud,” said John Keese, president of Autonomic Resources. This confuses buyers, he said. Part of DISA’s role is helping the department understand who is authorized to manage military data in the cloud and who is not.
The Army, Navy, Air Force and U.S. Strategic Command are among the services in talks with Autonomic, Keese said.
For now, vendors like Autonomic must prove they can secure the military’s public and unclassified information. DoD security standards will become more rigorous as the department looks to move controlled unclassified and eventually classified data to the cloud.
DoD has yet to finalize requirements for those data classification levels, although DISA has indicated most of DoD’s cloud spending will be on solutions that meet security standards for storing controlled unclassified data, Keese said.
In the absence of a departmentwide contract for buying commercial cloud services, DoD customers can use any information technology services contract vehicle with cloud computing in its scope, including Encore 2, ITES-2S, Netcents-2 and the General Services Administration’s blanket purchase agreements and 8(a) STARS 2, according to DISA.
“We do see it as a good thing,” Susie Adams, chief technology officer for Microsoft’s federal government business, said of DISA’s cloud broker model. “They have some hurdles to overcome to get operational.”