Much ado about milCloud

DISA launches its internal cloud service, and industry players worry the deck may be stacked against them.

Agencies in the Defense Department now have a government-operated cloud services portfolio they can tap for cloud computing.

The Defense Information Systems Agency announced the service, dubbed milCloud, on March 18, billing it as a deliverer of cloud services tailored to DOD that can reduce costs and increase control, flexibility and security for mission partners that handle classified and controlled unclassified information.

DISA Chief Technology Officer David Mihelcic said two Defense Enterprise Computing Centers -- in Oklahoma City and Kansas City, Mo. -- have implemented milCloud, which he described as "a government-operated private cloud internal to the DOD's unclassified network, the NIPRnet." He added that a version of milCloud internal to the SIPRnet classified network is expected to be activated this spring, perhaps as early as April.

According to DISA, milCloud features a "shared, virtualized computing infrastructure environment" commonly referred to as a virtual data center (VDC) "in which mission partners can manage compute, store and network resources." Within the virtual environment, consumption of computing resources is enabled via "a self-service, on-demand, Web-based, management interface that enables mission partners to order, provision, and directly manage their VDC resources."

Mihelcic said users who place orders for service are given a quote for recurring costs before those services are provisioned through existing DISA IT contracts.

"We avoided making large capital investments by leveraging a series of previously awarded capacity services contracts for processing, storage and networking components," Mihelcic said. "We pay for capacity as we use it versus buying it upfront. The capacity services costs as well as our other costs for milCloud are recovered through rates customers pay when they use the service."

Cloud competition heating up at DOD

Cloud service providers (CSPs) have been competing for several years over contracts in the private sector and civilian federal agencies, but DISA's milCloud signals a new era of competition for cloud services at DOD -- this time between the agency's own offering and commercial providers. Many industry leaders, however, feel the deck is stacked against them.

To compete for cloud contracts at DOD Impact Levels 1 and 2, which cover the department's unclassified public and unclassified private information, CSPs must comply with 298 baseline standards under the Federal Risk and Authorization Management Program. They must also comply with two dozen controls and enhancements in the latest version of the National Institute of Standards and Technology's Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations."

This is a complex process for cloud providers, and it can take an average of six months to comply with FedRAMP alone. It's not cheap either: One large CSP reportedly spent some $5 million to earn approval from FedRAMP's Joint Authorization Board.

Although DISA has mandated that CSPs must be assessed against complex NIST-based controls as impact levels increase, milCloud has not been evaluated against those controls. Instead, it was assessed against the DOD Information Assurance Certification and Accreditation Process (DIACAP).

In mid-March, Mihelcic told FCW that FedRAMP alone would not adequately address DOD's needs and that milCloud did not undergo FedRAMP accreditation. He explained that milCloud was measured against DIACAP -- DOD's long-established information assurance certification requirements, which are one of the standards from which FedRAMP requirements are essentially derived.

Days later, news emerged that DOD CIO Teri Takai had written a memo declaring that DOD had adopted NIST's risk-based security approach rather than DIACAP for all IT endeavors. In a follow-up interview, Mihelcic said, "DOD is planning to assess milCloud utilizing FedRAMP controls coupled with the impact-level criteria defined in DOD's Cloud Security Model. This approach supports the department's use of the Risk Management Framework for continuous monitoring and ongoing authorization."

A recent draft memo written by Takai and obtained by FCW called for the suspension of cloud services that do not have a DOD provisional authorization. DISA officials did not respond to a follow-up question asking whether milCloud's operations would be suspended.

FCW spoke with executives from numerous cloud vendors about competing with DISA's cloud services platform. None would speak on the record for fear of damaging relationships with the agency that must assess their cloud solutions, but most of their comments called for fairness.

"We hope DISA creates a level playing field for cloud security, features, service and price," said one high-level executive at a CSP that is in the process of achieving an authority to operate from DOD. "DOD needs to embrace the cloud, and anybody that meets all the criteria should be allowed to participate. If cloud is being done to create choices for DOD to increase security posture and get utility-based pricing, I'm all for competition. We just want a fair shake."

An executive at another well-known CSP, however, called milCloud "a bastardization of DISA data centers" that imitates cloud "but will never be cloud." MilCloud appears to meet a large portion of NIST's definition of cloud computing, but many industry leaders question whether it is actually a cloud.

"Why doesn't DISA just leverage what industry already has?" the executive said. "If you're building all these impact levels and you expect more than one provider to get to Level 5, why do you need to build your own?"

Mihelcic told FCW that milCloud gives DOD's component agencies the option to use cloud services for sensitive or classified information. He also said no cloud service providers have come forward to be assessed against DOD Impact Levels 3-5, though those standards only recently came out of draft status.

"The real issue isn't that we're competing with commercial industry, it is how DOD is going to acquire and implement computing services, in this place, to meet sensitive but unclassified information at Impact Levels 3-5 and Level 6 [for] classified information," Mihelcic said. "Part of the goal is to ensure that our customers -- DOD program managers and operators -- truly desire this cloud capacity. The reality is if we can make it simple for DOD users to transition to the cloud, there are benefits to the entire cloud industry moving forward. If we make the burden of cloud adoption go down, there is room in this space for lots of different players in lots of different technologies."

Critics have also called into question DISA's sole-source contract award in March 2013 to Jackpine Technologies. According to DISA officials, the $1 million engineering services contract is for one year with two one-year options and continues the work the company began several years ago when DISA started down the road to infrastructure as a service.

A subsequent special notice from DISA for non-competitive contract action with Jackpine, published March 19, stated that the company has developed approximately 85,000 lines of code for milCloud.

"Jackpine Technologies is [principal] architect and developer and owner of the milCloud CONS3RT software solution and is the only contractor who understands the code and can efficiently modify it," the notice states. "Jackpine Technologies has proprietary information and critical knowledge of the integration tool and the technical infrastructure [that] is utilized in the development of the DOD milCloud, not possessed or available to any other known contractor."

Jackpine officials did not respond to inquiries from FCW.

What about cost and performance?

DISA is not sharing milCloud's price points, but DISA Chief of Staff Brig. Gen. Frederick Henry was recently quoted as saying that milCloud's costs for services are comparable to providers such as Amazon Web Services, "but in a more secure fashion."

AWS did not comment when FCW asked about the comparison. It is interesting to note, however, that the CIA awarded a $600 million contract to AWS in 2013 to build a cloud infrastructure for the intelligence community so that the agency could avoid the cost pitfalls and challenges of doing the work itself.

MilCloud will be DISA's third approach to internally offered cloud computing services since the Secure Technology Application Execution and the Rapid Access Computing Environment were launched in 2010. Both programs will expire in 2014, and milCloud is a likely destination for those services' DOD customers.

Although pricing comparisons might still be fuzzy, what is clear from existing information is that milCloud has performance issues to address.

A brief obtained by FCW that appears to come from a pilot test of the milCloud environment in December notes myriad issues, including several multihour downtimes, one of which approached a full day in duration. Other general findings include virtual machines with slow (120 kilobytes/sec) transfer rates, users being disconnected from virtual private network access every 15 seconds to 10 minutes and timeouts during large asset loads.

Mihelcic admitted that provisioned orders were taking longer than DISA would like at the two Defense Enterprise Computing Centers where milCloud is currently deployed.

"We have it down to hours now," he said, though the stated goal is minutes or seconds. It is unclear whether those issues can easily be fixed.

Also unclear is the total cost of milCloud. DISA officials said about five man-years went into building milCloud, including the use of primarily government employees to design the cloud, conduct the pilot tests and implement the operational system. DISA also spent about $500,000 on management tools in addition to the contract with Jackpine.

DISA must "fully recover all its costs for anything we do in milCloud," Mihelcic said, adding that funding for the project comes from the Defense-Wide Working Capital Fund, which is required to break even each year. Therefore, a higher cost to build and manage milCloud translates to higher costs for customers.

Amid all the questions and competing opinions, one point is undisputed: DISA clearly wants DOD agencies to use cloud services. Time will tell whether those agencies favor DISA's system.

Note: This article was updated on March 28 to clarify the certification standards used to assess milCloud.