The Pentagon’s Silicon Valley outreach arm will soon choose a vendor to secure access to cloud services to increase collaboration between the Defense Department and outside companies.
As part of the Defense Innovation Unit’s secure cloud management pilot, three vendors could potentially be awarded success memos that would allow them to sell secure cloud access technology to any DoD component without re-competing. That would give DoD components an easier route to access software tools over the internet at a time when the department is increasing its use of software-as-a-service offerings. DIU will choose just one of the three vendors as its own provider.
Since last year, DIU has worked with Google, McAfee and Zscaler on prototype capabilities to protect cloud access portals and will choose one for the job, which will help eliminate a hindrance to industry-DoD coordination.
The effort kicked off in 2019 when DIU solicited proposals for its secure cloud management prototype project. The test solutions for cloud access already are easing challenges for communication and shared work with the private sector, and the technology will break down one roadblock to DoD’s work with nontraditional companies.
The Defense Department’s overall cloud access architecture inhibits the department’s ability to efficiently collaborate outside of government because it mandates the “use of a cloud access point gateway to secure and control communication between endpoints and cloud service providers,” Rick Simon, program manager for the project, told C4ISRNET.
“This gateway is composed of fixed hardware at a few locations,” said Mike Daniels, vice president of global public sector at Google Cloud. “It was not designed for a world where many DoD and non-DoD users would seek secure, controlled access to cloud services from outside the DoDIN [Department of Defense information networks].”
The underlying problem for the department is that its network isn’t cloud-ready, so cloud-based collaboration can be difficult, slow and insecure.
“The DoD-Information Network … was not built with cloud in mind,” said Drew Schnabel, vice president of federal at Zscaler.
Schnabel described the technology as similar to the idea behind devices placed in vehicles to deduct road tolls automatically, letting people avoid tollbooth lines. The cloud connections avoid user traffic bottlenecks and securely connect people to applications.
Prototype reviews by independent assessors started in February, using criteria set in collaboration with the Defense Information Systems Agency, the DoD combat IT support agency. Assessment reports evaluating vendors on security and performance are expected in May, Simon said. If their solutions are adequate, DIU will issue a vendor a success memo, which will allow the vendor to sell its technology to other DoD components.
Though DIU will choose only one vendor, Simon was hesitant to use the word “winner” to describe the selected company because the other two businesses could still sell to the rest of the Defense Department if issued a success memo.
“We have a set of characteristics that might be very different than another in the DoD,” Simon said. “For us, we will pick the one that fits our needs better.”
DIU has unique needs because it runs entirely on software as a service, meaning that all of its software is third party and accessed through the cloud. That puts DIU’s use of cloud far ahead of other DoD organizations that heavily depend on in-house software systems. With increasing cloud use across the department, organizations need secure cloud access tools.
More than 120 DIU users are protected by one of the three prototypes. According to Simon, the proposals received “dozens” of responses from industry. In May 2020, DIU and the three vendors signed other transaction agreements, allowing prototyping outside the more stringent competitive regulations for standard procurement contracts.
“These solutions, if successful, should increase security, control, and real-time performance when accessing software-as-a-service applications directly over the internet, thereby enhancing DIU’s, and DoD’s ability to efficiently engage with non-traditional technology vendors,” Simon said.
For the prototype assessments, criteria include requirements and test cases from DISA, DoD groups working to implement zero trust cybersecurity architectures, the director of operational test and evaluation, Cyber Command, and the department’s CIO office.
“The success memos … will absolutely help jumpstart some of the projects that are already going on within the DoD itself,” said Alex Chapin, vice president of DoD and Intelligence at McAfee. “The good work that they are doing here will definitely be able to transfer back over to the DoD.”
The COVID-19 pandemic, which forced the majority of DoD employees to work from home, has highlighted the need for people to securely collaborate from offsite locations. That requires secure cloud access.
“I don’t think the DoD will go back to its old ways,” Chapin said. “I think in the future the DoD will continue to have people work remotely, more so than ever. Being able to have access to those collaboration tools and security around that is going to continue to grow.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.