The agency published a new draft request for proposals and a statement of work for its forthcoming Commercial Cloud Enterprise (C2E), which could be awarded as soon as September, according to the documents obtained by FedScoop. C2E is the highly anticipated follow-on cloud procurement to its like-named Commercial Cloud Services (C2S) awarded to Amazon Web Services in 2013 for $600 million.
The pending acquisition could be worth “tens of billions” of dollars, according to earlier contracting documents. According to this latest draft RFP, the contract will have a five-year base with two optional five-year periods.
The new draft RFP stresses the intelligence community’s need to adopt a multi-cloud environment for its unclassified, secret and top-secret networks to “allow cloud services to be selected based on development strategy and project objectives.” The IC would then “gain advantages from use of each CSP’s unique area of investment in technology, cybersecurity strategy, and best practices.”
Additionally, the acquisition will “promote competition and capitalize on commercial investment and innovation,” focus on security from threats inside and out, and look to extend the IC’s reach to “disconnected and low-bandwidth environments.”
“The IC requires an integrated, interoperable cloud ecosystem that promotes mission success through reliable, available, dynamic, and innovative information technology (IT) services with secure access to functions, capabilities, and data anywhere, anytime, and under all conditions,” the statement of work says. “Based on the IC strategic plan, the IC will leverage Government and multiple commercial cloud capabilities that are interoperable and support workflows within and across multiple security fabrics. The goal is to maximize rapid reuse of data and sharing of data in mission systems to support these capabilities.”
Intelligence community CIO John Sherman spoke about the multi-cloud acquisition last summer as a foundation for adopting emerging technologies. Indeed, the language in the draft supports this vision, saying “These capabilities will provide innovative and contemporary technologies such as artificial intelligence (AI), machine learning (ML), and high-performance computing to meet current and future needs. These capabilities require unified security processes and acceptance that enable quick adoption and portability of applications, data, and code. The IC will leverage these capabilities in an approach that favors vendor flexibility, simplifies use and adoption of new and cloud-native technologies, and promotes necessary culture changes.”
The proposed nuts and bolts of C2E
The acquisition will be split between an indefinite-delivery, indefinite-quantity, multiple-award contract for cloud service providers and another integrator/management contract “for multi-cloud management to support the foundational cloud services acquired in the CSP acquisition.”
The CIA says in the draft that it reserves the right to cycle contractors on and off the contract at before exercising a five-year optional period so that the vendor pool “remains dynamic and can respond to emerging requirements and advances in technology.”
The total C2E operational environment will also be split. One part will be the C2E Commercial Environment, which will feature unclassified commercial off-the-shelf and Federal Risk and Authorization Management Program (FedRAMP)-authorized cloud services with fewer security requirements. The other will be the C2E Regulated Environment, consisting of classified secret and top-secret cloud services, as well as what it calls FedRAMP+ augmented clouds — those that meet FedRAMP “with the addition of a select set of security controls” — for handling controlled unclassified information.
The bulk of the draft statement of work sets forth the system and security requirements the CIA envisions providers will need to meet to compete for a spot on the contract.
One pertinent detail for interested vendors: They must “possess a significant market presence in providing public cloud [infrastructure-as-a-service] service offerings. ‘Significant’ is measured and defined as a CSP that has more than three (3) years of market presence, and demonstrates a minimum of $250 million in annual IaaS service revenue over the last 12 months (excluding all managed and professional services) and a minimum of 100,000 virtual machines (VMs) currently in production, operating simultaneously, within its public commercial cloud,” the draft reads.
The CIA is accepting feedback from potential bidders until Feb. 24. The agency will hold a bidder’s conference Feb. 14 “to highlight critical aspects to the solicitation and allow for vendors to ask questions” at MITRE Corp.’s offices in McLean, Virginia.