Ever since the Department of Defense announced its intention to acquire a commercial cloud solution, Amazon Web Services has been commonly cited as the likely frontrunner to lead the Pentagon away from its Cold War-era IT infrastructure and into the 21st century.
Given its experience hosting classified data for the intelligence community and being the only commercial cloud provider with an authorization to host the most sensitive defense information, there’s no doubt AWS will make a strong case for why it should win the Joint Enterprise Defense Infrastructure contract, estimated to be worth $10 billion.
But the DOD hasn’t even issued a final request for proposals. So it’s probably premature to think about any company as the winner. At least that’s the thinking of Teresa Carlson, head of AWS’ public sector business.
In the middle of a 14,000-person AWS Public Sector Summit in Washington, D.C., Carlson gave FedScoop an exclusive look into her thinking behind the landmark contract, why a single award is the best option and how AWS will “compete to win,” as well as how cloud is maturing on the civilian side of the federal government and much more.
Editor’s note: The transcript has been edited for clarity and length.
FedScoop: AWS has been positioned by the public as a front-runner for the Defense Department’s JEDI contract. There’s not even a final solicitation out for that, but what’s your take on the contract and Amazon’s push as a leading contender?
Teresa Carlson: Well, first of all, we’re very excited about it, because we’ve been working with DOD since day one of being here, and really trying to educate them over time on what cloud computing is and what that journey can be like.
In terms of where do we think we stand, obviously as AWS in general, we had a six-year head start on all the other vendors just because we sort of are the cloud computing company that no one even thought would work in government. So we’ve been here now almost eight years, very dedicated, which I think shows from our work with GovCloud, which we launched in August of 2011, to our work with the intelligence community with our secret and top secret clouds. So I think it’s a natural fit for us to be able to support and work with the Department of Defense.
What we’ve always said is we think competition is a really good thing — it keeps the market healthy, it pushes innovation of other companies to move faster, and then the third thing, it allows for choice. And choice is always a good thing.
But I think for this particular contract, for this particular customer, whatever choice they make, single vendor or multi-vendor, we really don’t care, because we’ll work with them either way. We’re just so excited that they’re getting going. And they need to move, they need a sense of urgency, because they’ve got to get past these World War II sort of applications they’ve been driving.”
FS: But what do you think is better for DOD at this point — a single cloud or a multi-cloud environment?
TC: We believe for them at this point in time, a single cloud is a good thing — a single award with one cloud for now. And primarily for a couple reasons. One is today they just really don’t have the experience that they need with cloud computing, and there’s still a lot of cloud-washing going on where people say they’re cloud and they claim to have cloud capabilities, but if you sort of look under the cover, they’re not true cloud computing, how we define it. The second thing is, it could mask security issues if you’re trying to work within a multi-cloud environment. And they’re so large, that they really need to learn and get experience and build these capabilities. And then in the fullness of time, they could have multiple clouds that they’re working with and probably will.
We’re ready for the final RFP, we’re excited for the DOD to be moving in some way, shape or form. And I think they put a line in the sand that says, “We’re going now.” So we’re like, “OK, let’s go, we’re ready to go with you.” And we’ll see what happens.
But it’s a little funny to me, because how can we be the vendor of choice when we don’t even know what [the final solicitation] looks like? But we’ll compete, obviously, and we’ll compete to win. And we hope we are the winner. But no matter what DOD chooses in this contract, we will be there with them along the journey to help them with their mission and their warfighters.
FS: You mentioned the work AWS has done with the IC. How has that proved, perhaps as a sort of proof of concept for this JEDI contract, that commercial cloud is secure enough for very sensitive data? Many agencies still seem hesitant that that’s the case.
TC: Clearly you’ve heard from our customers they don’t feel [cloud is less secure]. And there’s a variety of reasons. One is, think about where a lot of the vulnerabilities are in terms of how the infrastructure is set up. We take away the need for them to do their own patching. We take away the need for them if a server goes down — they don’t worry about that. They’re just scaling as they need to scale. Their security and compliance controls that they deem needed or necessary, we build into that infrastructure. … [It takes] the human factor out of all that.
What the intelligence community has figured out is that with cloud computing, they can literally accredit their workloads much faster and then move faster at the application level. And that’s exactly what, I think, DOD will see when they get moving. Right now, it’s a little bit of an unknown to them, how they’ll do it. But they can learn through other customers, like the intelligence community, how to make it happen faster.
FS: So you think it can serve as a blueprint for the DOD’s JEDI work?
TC: I do, because if you think about it, the intelligence community and the Department of Defense have to work closely through groups like the National Reconnaissance Office, the Defense Intelligence Agency and others … they have to be able to share and maneuver together around the world. Actually, just like I think many of the federal agencies can work and share best practices together. That needs to be done anyway. … We have a saying: “There’s no compression algorithm like experience.” There really is not.
FS: On the other side of government, the civilian side, it’s hit-or-miss on how cloud is maturing. I’d like to get your take on how cloud in the civilian agencies is maturing and what you think needs to be done. What do you see as the big barriers?
TC: I really think it’s things like acquisition — it’s a big barrier for some of them still. They don’t know how to write a good cloud contract. There’s great examples out there. And even within an agency, you’ll see some doing a really great job and others sort of just struggling a bit more. So I think we’ve go to work on that, this sort of cloud acquisition workforce. And we’ve talked a lot about that with Congress and others the need for that.
And I believe the other area is the compliance and accreditation part. It was really sort of new for me — you wouldn’t think it would be — but in the last two days I’ve heard a lot from my partners that they are really struggling with getting the compliance and accreditation through. And I asked why, and they said because they don’t know how to do it — they literally don’t have the skills, because they’re used to the old model. And that tells me we need to get more engaged at the agency level helping them. But that’s not the AWS part — that’s ready. It’s their application that they’re building on top of it, because they just don’t have that experience. So we need to do more training and education and help them with better “how to.” And then we gotta get GSA really involved in this process. They did a great job on FedRAMP, and we’re big fans of it. I just think it’s being used very differently all over the U.S. government.
FS: Is there any place you see cloud being done right that others can learn from?
TC: I still think, the early days of customers, we have HHS that has a lot of workloads with us. They were the ones that helped us get through FedRAMP. And then of course NASA is continuing to do amazing stuff… And then I would tell you some of the customers like the SEC, like FINRA, like the IC, and then DOD is starting to do some workloads. There are some pockets where they do some really good things. At VA and now DHS has some really good workloads. But it’s in pockets.
Here’s the difference: I see them expanding the type of workloads they’re doing. They’re becoming more mission-critical versus that website-hosting, a little bit of data storage — they’re really becoming more thoughtful. The other area of change I’ve seen is that instead of just lifting and shifting a workload, many of them are learning that you don’t have to throw away all the data that you had in your data centers and tools. You can take advantage of that while you build applications in the cloud and then have a new application, but still take advantage of that data as you begin to migrate and move things over. So we’re seeing them build net-new applications versus just trying to lift-and-shift an old one.”
FS: What’s your advice to agencies who are lagging?
TC: It might sound simple, but it’s “get going.” In cloud, one of the biggest mistakes I see is where they over-consult on something… They’ll overthink it. And what we’ve seen is the most successful commercial enterprises and the most successful government enterprises happen when they just put a line in the sand and they say, “We’re going to migrate…we’re going to do it.” And they sort of dive in, and you see this step-change in them.
You have so many naysayers still that if you don’t demonstrate that it can be done and how it can be done and the impact of it being done, then people will sometimes just not move — they’ll just sit there.
FS: GovCloud East is going to launch later this year. What will that mean for federal agencies?
TC: It’s what they asked for from us. We built it because they said they need disaster recovery [DR] and backup capabilities … they said “If we’re going to move this to the cloud, we need DR and [continuous operations] capabilities.” So we heard that. This will be for a lot of those very large workloads — now this is going to give them that DR, that backup they really want and need. And also it gives them a new location, they can make a choice if they don’t need a lot of DR, or that’s not a requirement, they can make a decision: Is your workload better on the East Coast or is it better on the West Coast?