The Department of Defense must decide how to use Microsoft and build secure applications now that the agency’s $10 billion, enterprisewide cloud computing contract has been awarded to the tech giant.
Peter Ranks, a deputy CIO at DOD, told reporters after speaking at a Professional Services Council event that awarding the Joint Enterprise Defense Infrastructure (JEDI) contract was a “prerequisite” to faster software development.
But plenty more cloud acquisitions are coming with all the major providers, he added.
“Cloud providers give you a set of Legos with no instructions, and you can use those Legos to build really bad applications — or you can use them to build really secure applications,” Ranks told reporters. “And we have not done a good job in providing implementation guidance across the department that says, ‘This is how you build secure things.’”
DOD “encountered some resistance” awarding the contract to Microsoft, Ranks said. The acquisition wasn’t supposed to be the hard part of the department’s cloud strategy, but rather connecting to and authenticating clouds, building apps from the elements providers offer, and ensuring proper cybersecurity without slowing down the development process.
To accomplish those goals, DOD will need to modernize the way it builds software at the same time it modernizes its cloud infrastructure.
“We want software capabilities in the hands of warfighters faster,” Ranks said during his Vision Federal Market Forecast keynote. “We want software that can adjust to changing requirements or the changing dynamics of the battlefield more quickly — that is what’s driving our cloud strategy.”
For instance, Ranks’ team is trying to ensure the work the Air Force is doing within the department’s DevSecOps portfolio is available to the rest of the enterprise. DOD must decouple the way it builds software from the way it builds hardware weapons systems — moving from a few, big deliveries to iterative delivery of capabilities, quickly, Ranks said.
That’s easier said than done within a budget cycle where joint requirements must be locked in two years in advance and acquisition language is “biased” toward major milestones, Ranks said. Acquisition staff at the department are currently working on a new software development pathway and rewriting regulations, while test and cyber personnel work with the CIO to streamline accreditation.
No cloud provider currently offers a solution that meets the Pentagon’s requirements at the tactical edge, Ranks said. For instance, an expeditionary team’s cloud-connected tools need to be survivable when communications go down and able to resynchronize when comms return.
DOD has also struggled to deploy the same software, like the Global Command & Control System – Joint, across all combatant commands because the Army, Air Force and Navy’s cloud infrastructures are very different — one of the things the JEDI contract aims to address, Ranks said.
“What we need is a focused effort to make sure that we have a provider that is filling the gaps in that current multi-cloud solution,” he said. “For all the cloud providers we have today, they still haven’t solved those problems of classification, tactical edge and something that is common across the enterprise.”
Ranks added he’d like to limit the number of separate contracts with major cloud providers and a handful of software-as-a-service providers because it limits DOD’s visibility.
That doesn’t mean agencies will be forced to abandon contracts if, say, the Air Force has a structured way to address cloud migration that meets the goals of DOD’s cloud strategy, he said.
“We don’t have a focus on crowbarring people out of their existing cloud providers if they’re already doing the right things,” Ranks told reporters. “It’s really about solving unsolved problems within the infrastructure.”