New docs outline scope, security requirements for CIA enterprise cloud

cloud applications (chanpipat/

The CIA has released an updated draft RFP for its massive, multi-billion dollar enterprise cloud, providing new details around the scope of services, cybersecurity protections and contract requirements.

According to the draft request for proposals, the resulting indefinite-delivery, indefinite-quantity Commercial Cloud Enterprise contract will include multiple awarded vendors proposing a range of cloud services, including infrastructure-as-a-service, platform-as-a-service and software-as-a-service offerings. The C2E contract would also include a separate acquisition for cloud integration services and multi-cloud management support tools. It will have a base term of five years, with two additional five-year optional amendments.

The agency will establish new clouds for each level of the classification process, relying on one commercial-off-the-shelf offering and a corresponding Federal Risk and Authorization Management Program-authorized offering for the unclassified portion, while building more restrictive versions to handle secret and top secret information. The plan calls for broad dissemination of data centers, on land, undersea and in space, both on and off government premises where required.

In particular, CIA wants to reap the flexibility and benefits of operating in a multicloud environment, and it said it believes the approach will help it reach disconnected and low-bandwidth environments and monitor for insider threats.

"Multi-cloud architectures allow cloud services to be selected based on development strategy and project objectives," the RFP states. "In a multi-cloud ecosystem, the Government will gain advantages from use of each [provider's] unique area of investment in technology, cybersecurity strategy, and best practices."

The agency also hopes to leverage C2E and its computing capabilities to further current efforts around artificial intelligence and machine learning.

"These capabilities require unified security processes and acceptance that enable quick adoption and portability of applications, data, and code," the draft RFP states. "The IC will leverage these capabilities in an approach that favors vendor flexibility, simplifies use and adoption of new and cloud-native technologies, and promotes necessary culture changes."

The chosen cloud service providers must also ensure that their supply chain security practices are aligned with requirements in the Secure Technology Act and Federal Acquisition Regulations. Those procedures include providing detailed information about all subcontractors and third-party software and hardware providers involved in their offerings, down to the third level, as well as what steps companies have taken to vet their security practices.

According to draft proposal's introduction, the agency's foray into the cloud has been "transformational" for the intelligence community, "increasing the speed at which new applications can be developed to support mission and improving the functionality and security of those applications." The agency's cloud services and computing resources are also used by a range other intelligence agencies and federal partners.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    DOD photo by Senior Airman Perry Aston  11th Wing Public Affairs

    How DOD's executive exodus could affect tech modernization

    Back-to-back resignations raise concerns about how things will be run without permanent leadership in key areas from policy to tech development.

  • Budget
    cybersecurity (vs148/

    House's DHS funding bill would create public-private cyber center

    The legislation would give $2.25 billion to DHS' cyber wing and set up an integrated cybersecurity center with other agencies, state and local governments and private industry.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.