CIA plans multibillion cloud buy for intelligence community

Six years after its initial cloud infrastructure push, the CIA is leading a multibillion dollar, multivendor expansion of cloud services on behalf of the entire intelligence community, with awards expected in 2021.

The new procurement, dubbed IC Commercial Cloud Enterprise or C2E, follows up the 2013 acquisition of an on-premise, top secret cloud capability from Amazon Web Services. The CIA is conducting a two-phase procurement to acquire "foundational cloud services" from multiple vendors and then to obtain specialized software-as-a-service apps and cloud management capabilities.

The overall value of the procurement is expected to be in the tens of billions of dollars, according to contracting documents reviewed by FCW.

A request for information is expected to go out to vendors in April or May, with a draft request for proposals set for January 2020, after back-and-forth with industry. A final RFP is set for May 2020 and awards are expected no later than July 2021.

The intelligence community is going with a multivendor cloud strategy "to increase access to innovation and reduce the disadvantages associated with using a single cloud service provider," the CIA stated in the market research survey. This differs sharply from the Pentagon's plans to put its warfighting data and applications into a single cloud under the $10 Joint Enterprise Defense Infrastructure plan currently being pursued.

At least one of the companies who protested the DOD's cloud deal is taking notice.

"The world's largest enterprises are moving to multi-cloud environments because of their security, flexibility and resilience," IBM U.S. Federal General Manager Sam Gordy told FCW in an emailed statement. "The CIA's approach to C2E clearly recognizes the value of multi-cloud while encouraging competition, supporting legacy applications and ensuring the agency’s access to future innovations."

IBM was the runner-up in the 2013 chase to supply cloud to the CIA. The company is also expected to be declared out of the running in the down-selection process for the DOD's JEDI cloud, in part because of the security requirements. IBM filed a pre-award protest with the Government Accountability Office, arguing that JEDI's single-cloud mandate was flawed. That protest was dismissed because of a  superseding lawsuit in the Court of Federal Claims that is still ongoing.

The intelligence community CIO announced a multivendor plan last year, as part of the second "epoch" of the Intelligence Community Information Technology Enterprise or ICITE program.

CIA's Directorate of Digital Innovation led a March 22 industry day and briefing for vendors interested in the program. According to program notes, the intelligence community is seeking established commercial cloud providers with worldwide delivery options and the ability to provide services at the "tactical edge" that minimize loss of service even in the absence of network communications.

Because it's going with multiple vendors, the CIA is stressing interoperability and the capability to transition data and applications off of provider infrastructure. Vendors picked to provide secret services must have their offerings cleared 180 days after a contract is finalized. At the TS/SCI level, vendors have 270 days to obtain clearance.

The program managers also want to hear from vendors on their ability to supply cloud services from inside government locations -- much as AWS does for CIA.