Much ado about milCloud

DISA launches its internal cloud service, and industry players worry the deck may be stacked against them.

Agencies in the Defense Department now have a government-operated cloud services portfolio they can tap for cloud computing.

The Defense Information Systems Agency announced the service, dubbed milCloud, on March 18, billing it as a deliverer of cloud services tailored to DOD that can reduce costs and increase control, flexibility and security for mission partners that handle classified and controlled unclassified information.

DISA Chief Technology Officer David Mihelcic said two Defense Enterprise Computing Centers -- in Oklahoma City and Kansas City, Mo. -- have implemented milCloud, which he described as "a government-operated private cloud internal to the DOD's unclassified network, the NIPRnet." He added that a version of milCloud internal to the SIPRnet classified network is expected to be activated this spring, perhaps as early as April.

According to DISA, milCloud features a "shared, virtualized computing infrastructure environment" commonly referred to as a virtual data center (VDC) "in which mission partners can manage compute, store and network resources." Within the virtual environment, consumption of computing resources is enabled via "a self-service, on-demand, Web-based, management interface that enables mission partners to order, provision, and directly manage their VDC resources."

Mihelcic said users who place orders for service are given a quote for recurring costs before those services are provisioned through existing DISA IT contracts.

"We avoided making large capital investments by leveraging a series of previously awarded capacity services contracts for processing, storage and networking components," Mihelcic said. "We pay for capacity as we use it versus buying it upfront. The capacity services costs as well as our other costs for milCloud are recovered through rates customers pay when they use the service."

Cloud competition heating up at DOD

Cloud service providers (CSPs) have been competing for several years over contracts in the private sector and civilian federal agencies, but DISA's milCloud signals a new era of competition for cloud services at DOD -- this time between the agency's own offering and commercial providers. Many industry leaders, however, feel the deck is stacked against them.

To compete for cloud contracts at DOD Impact Levels 1 and 2, which cover the department's unclassified public and unclassified private information, CSPs must comply with 298 baseline standards under the Federal Risk and Authorization Management Program. They must also comply with two dozen controls and enhancements in the latest version of the National Institute of Standards and Technology's Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations."

This is a complex process for cloud providers, and it can take an average of six months to comply with FedRAMP alone. It's not cheap either: One large CSP reportedly spent some $5 million to earn approval from FedRAMP's Joint Authorization Board.

Although DISA has mandated that CSPs must be assessed against complex NIST-based controls as impact levels increase, milCloud has not been evaluated against those controls. Instead, it was assessed against the DOD Information Assurance Certification and Accreditation Process (DIACAP).

In mid-March, Mihelcic told FCW that FedRAMP alone would not adequately address DOD's needs and that milCloud did not undergo FedRAMP accreditation. He explained that milCloud was measured against DIACAP -- DOD's long-established information assurance certification requirements, which are one of the standards from which FedRAMP requirements are essentially derived.

Days later, news emerged that DOD CIO Teri Takai had written a memo declaring that DOD had adopted NIST's risk-based security approach rather than DIACAP for all IT endeavors. In a follow-up interview, Mihelcic said, "DOD is planning to assess milCloud utilizing FedRAMP controls coupled with the impact-level criteria defined in DOD's Cloud Security Model. This approach supports the department's use of the Risk Management Framework for continuous monitoring and ongoing authorization."

A recent draft memo written by Takai and obtained by FCW called for the suspension of cloud services that do not have a DOD provisional authorization. DISA officials did not respond to a follow-up question asking whether milCloud's operations would be suspended.

FCW spoke with executives from numerous cloud vendors about competing with DISA's cloud services platform. None would speak on the record for fear of damaging relationships with the agency that must assess their cloud solutions, but most of their comments called for fairness.

"We hope DISA creates a level playing field for cloud security, features, service and price," said one high-level executive at a CSP that is in the process of achieving an authority to operate from DOD. "DOD needs to embrace the cloud, and anybody that meets all the criteria should be allowed to participate. If cloud is being done to create choices for DOD to increase security posture and get utility-based pricing, I'm all for competition. We just want a fair shake."

An executive at another well-known CSP, however, called milCloud "a bastardization of DISA data centers" that imitates cloud "but will never be cloud." MilCloud appears to meet a large portion of NIST's definition of cloud computing, but many industry leaders question whether it is actually a cloud.

"Why doesn't DISA just leverage what industry already has?" the executive said. "If you're building all these impact levels and you expect more than one provider to get to Level 5, why do you need to build your own?"

Mihelcic told FCW that milCloud gives DOD's component agencies the option to use cloud services for sensitive or classified information. He also said no cloud service providers have come forward to be assessed against DOD Impact Levels 3-5, though those standards only recently came out of draft status.

"The real issue isn't that we're competing with commercial industry, it is how DOD is going to acquire and implement computing services, in this place, to meet sensitive but unclassified information at Impact Levels 3-5 and Level 6 [for] classified information," Mihelcic said. "Part of the goal is to ensure that our customers -- DOD program managers and operators -- truly desire this cloud capacity. The reality is if we can make it simple for DOD users to transition to the cloud, there are benefits to the entire cloud industry moving forward. If we make the burden of cloud adoption go down, there is room in this space for lots of different players in lots of different technologies."

Critics have also called into question DISA's sole-source contract award in March 2013 to Jackpine Technologies. According to DISA officials, the $1 million engineering services contract is for one year with two one-year options and continues the work the company began several years ago when DISA started down the road to infrastructure as a service.

A subsequent special notice from DISA for non-competitive contract action with Jackpine, published March 19, stated that the company has developed approximately 85,000 lines of code for milCloud.

"Jackpine Technologies is [principal] architect and developer and owner of the milCloud CONS3RT software solution and is the only contractor who understands the code and can efficiently modify it," the notice states. "Jackpine Technologies has proprietary information and critical knowledge of the integration tool and the technical infrastructure [that] is utilized in the development of the DOD milCloud, not possessed or available to any other known contractor."

Jackpine officials did not respond to inquiries from FCW.

What about cost and performance?

DISA is not sharing milCloud's price points, but DISA Chief of Staff Brig. Gen. Frederick Henry was recently quoted as saying that milCloud's costs for services are comparable to providers such as Amazon Web Services, "but in a more secure fashion."

AWS did not comment when FCW asked about the comparison. It is interesting to note, however, that the CIA awarded a $600 million contract to AWS in 2013 to build a cloud infrastructure for the intelligence community so that the agency could avoid the cost pitfalls and challenges of doing the work itself.

MilCloud will be DISA's third approach to internally offered cloud computing services since the Secure Technology Application Execution and the Rapid Access Computing Environment were launched in 2010. Both programs will expire in 2014, and milCloud is a likely destination for those services' DOD customers.

Although pricing comparisons might still be fuzzy, what is clear from existing information is that milCloud has performance issues to address.

A brief obtained by FCW that appears to come from a pilot test of the milCloud environment in December notes myriad issues, including several multihour downtimes, one of which approached a full day in duration. Other general findings include virtual machines with slow (120 kilobytes/sec) transfer rates, users being disconnected every 15 seconds to 10 minutes for virtual private network access and timeouts during large asset loads.

Mihelcic admitted that provisioned orders were taking longer than DISA would like at the two Defense Enterprise Computing Centers where milCloud is currently deployed.

"We have it down to hours now," he said, though the stated goal is minutes or seconds. It is unclear whether those issues can easily be fixed.

Also unclear is the total cost of milCloud. DISA officials said about five man-years went into building milCloud, including the use of primarily government employees to design the cloud, conduct the pilot tests and implement the operational system. DISA also spent about $500,000 on management tools in addition to the contract with Jackpine.

DISA must "fully recover all its costs for anything we do in milCloud," Mihelcic said, adding that funding for the project comes from the Defense-Wide Working Capital Fund, which is required to break even each year. Therefore, a higher cost to build and manage milCloud translates to higher costs for customers.

Amid all the questions and competing opinions, one point is undisputed: DISA clearly wants DOD agencies to use cloud services. Time will tell whether those agencies favor DISA's system.

Note: This article was updated on March 28 to clarify the certification standards used to assess milCloud.
