How DOD plans to automate classified cloud provisioning

The Pentagon wants to automate cloud provisioning at the classified level, and a stop-work order on its $10 billion Joint Enterprise Defense Infrastructure cloud program won't help, the department said.

The speed and agility of buying cloud services with the click of a mouse are not a perfect fit for secret and top-secret government programs.

That mismatch bears on the deployment of the Pentagon's $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud program, currently the subject of two lawsuits in federal courts.

The Defense Department has been planning a Feb. 14 go-live date when JEDI opens for task orders for unclassified services. That launch sets a 180-day clock ticking for Microsoft to roll out cloud services at the classified level.

Amazon Web Services is looking to block that start date in court, and a ruling on the injunction is expected later today. Documents in the lawsuit provide a window into the Pentagon's plans to make JEDI provisioning work at the speed associated with commercial cloud.

A delay to the JEDI go-live date would set back plans to automate cloud provisioning at the classified level, Sharon Woods, the director and program manager of the Cloud Computing Program Office in the DOD's CIO shop, explained in a sworn declaration dated Jan. 31 and released with redactions on Feb. 12.

Currently DOD has no mechanism for buying classified cloud services directly from a vendor.

According to Woods, there is a gap of "weeks or months" between an order being submitted and verified in DOD's contracting systems and it being executed on the vendor side, because of security checks and requirements.

"The potential security implications of mishandling this process are enormous," Woods stated.

To reduce this gap, the Cloud Computing Program Office entered into a contract in March 2018 -- while JEDI was still being developed -- to create a tool that, as Woods stated, "automates this process gap in a manner that supports user authentication and security auditing."

DOD acquired this service more than a year ahead of the planned JEDI award to make sure the tool was in place at launch. In a footnote to her declaration, Woods explained that the CIA "did not automate provisioning when it first launched Commercial Cloud Services (C2S), and expressed to DOD that its failure to do so earlier was one of its more significant lessons learned."

The ordering tool will still need to be tested at the unclassified level. That can't happen, Woods explained, if JEDI isn't open for business. "It cannot be deployed into the classified environment until at the unclassified level it is validated as functioning properly and the reporting and auditing capabilities are more mature," she stated.