DOD

DOD Cloud Strategy: CIO Multicloud Recommendations from JEDI and CIA

The Department of Defense (DOD) awarded underdog Microsoft a massive cloud computing contract on October 25, 2019. This announcement was an enormous surprise to IT analysts and the cloud industry.

This award was stripped down from the original Joint Enterprise Defense Infrastructure (JEDI) $10B cloud plan to a $1million guarantee for Microsoft work. It leaves a crack in the door open for other new cloud vendors and reshaping projects going forward.

On February 13, 2020, the federal court halted Microsoft’s cloud work for an Amazon protest. Further, the federal judge’s ruling on March 13, 2020, upheld Amazon claims for a new award review. What’s different in this case: Amazon is protesting,  and winning in federal court cases, and it’s very unusual to win. With federal court cases delaying the DOD cloud award throughout 2020, DOD will likely issue a new task order or contract to Amazon to speed up its efforts.

DOD’s JEDI secure cloud journey for an enterprise cloud strategy leveraged from the Intelligence Community (IC) led by the Central Intelligence Agency (CIA) playbook offers insight to CIOs too.

CEOs, CIOs, and Chief Cloud Architects must leverage these five lessons to avoid enterprise cloud computing shortcomings:

  1. Strategic Plans: DOD and CIA/IC Clouds – Timely plans with refresh are winners
  2. Enterprise Multicloud Forward –  Reshape enterprise networks using regional clouds
  3. Cloud Goals – Security, regulations, innovation, and market experience/size for success
  4. Budget and Cost Models – Reshape each cloud service cost buildup for better accuracy
  5. Flexible Contract with Exit Ramps – Apply best risk practices from IC and DOD.

Here are CIO key cloud recommendations from DOD and CIA/IC journeys that matter.

Strategic Plans: DOD and CIA/IC Clouds – Timely plans with refresh are winners

CIA/IC Playbook

The Intelligence Community (IC) led by the CIA awarded a sole source contract in 2013 to Amazon AWS private on-prem clouds. A single source made sense with developing a new high-secure cloud platform at that time. In 2020, CIA/IC requirements call for a new multicloud commercial cloud enterprise (C2E) for the next ten years. Its cloud refresh was timed right.

DOD Playbook

Three critical DOD efforts led to the JEDI award. In 2017, DOD released the DOD Cloud Initiative (JEDI) to move to enterprise cloud services. In 2018, the Pentagon issued the DOD Cloud Strategy (DCS). DOD’s strategic position was a multi-cloud, multi-vendor platform with a “variety of vendors that will provide cloud space to the department.” In 2019, DCS was reshaped by the Digital Modernization Strategy (DMS) to include AI, cybersecurity, and others. In late 2019, DOD awarded a sole source contract to Microsoft. It’s either misaligned to top-level DCS and DMS strategies or is planning other cloud awards later to shore up DMS goals. This DOD award is an outdated cloud award out of the gate covering 2020 to 2030. It looks like the old CIA/IC playbook from 2013.

RECOMMENDATIONS:

  • Use agile planning for multicloud architecture with best fit-for-purpose services
  • .Align all strategic plans to enterprise cloud requirements for the right vendor contracts
  • Leverage commercial clouds for the enterprise multicloud and vendor platform

Enterprise MultiCloud Forward –  Reshape enterprise networks using regional clouds

It makes sense reshaping to a multicloud architecture. Multicloud should accelerate enterprise computing that compresses the production time to stand up any new cloud services, increase speed, and apply the best of breed services. It allows a more dynamic enterprise architecture to plug-and-use other functions in more modular design. For example, CIA/IC reshaped its cloud architecture to a multicloud commercial enterprise model. In February 2020, CIAs’ new draft $10B cloud RFP calls for a Commercial Cloud Enterprise (C2E) with multiple vendors for IaaS and other cloud services. CIA pushed PaaS and SaaS efforts to September 2020 by using other CIA, IC, and ODNI HQ cloud awards.

Regional clouds and enterprise networks refresh critical now. Global host data over private telco lines to multiple global regions traffic is expensive. This opportunity is to use global cloud vendors with secure regional clouds instead of using costly old telco data lines to backhaul your data from/to the organizational host center(s) as well as local sites. This effort could save CIOs substantial communications costs and less enterprise network support. Take note that global telco providers now offer their new communication clouds for these country/regional services over their existing network, which usually yields marginal savings.

RECOMMENDATIONS:

  • Refresh enterprise architecture and networks yearly with new services, such as 5G, AI
  • Evaluate and use secure regional clouds for the right global/local coverage
  • Phase-out old telco cost hub-and-spoke backhauling data networks, where possible.

Cloud Goals – Security, regulations, innovation, and market experience/size for success

CEO and CIO 2019 cloud research surveys point to rank #1 and #2 for cybersecurity and data security. AWS co-developed with the CIA/IC for the highest security level. In DOD, AWS has a proven security track record at its Security Impact Level 6. Rankings #2 or 3 are for regulations, compliance, and risk management. These priorities fold into higher disaster recovery and minimizing cloud risks for business continuity.  Cost savings ranking was dead last concern to the CEOs. These top cloud priorities apply to most large-med size organizations.

For cloud vendors’ experience and size, DOD got the shortlist of vendors right. It down-selected four providers – Amazon, Google, IBM, and Microsoft. It was the right decision when mapped to a 2019 global cloud market share and critical capabilities below:

Global Cloud Services: 2019-Q4 Market Share and Key Perspectives 

  1. Amazon AWS 39% – World leader in cyber/cloud security, multi-regional cloud support to 245 global countries and regions, robust cloud integration experience, and leading cloud hardware/software
  2. Microsoft Azure 19% – Second leader, 51 global regions, best and bit cheaper with Microsoft enterprises, WIN10/Office 365 upgrades, comprehensive office automation SaaS leader, Microsoft proprietary tools/stack/ecosystem
  3. Google Cloud 9% – Strong mid-tier services for strong AI, advanced research, Function-as-a-Service, search engine, G suite, quantum research, robust apps and open deployment tools, such as Kubernetes
  4. Alibaba Cloud 5% – Strong, fast-growing mid-tier for scale with office automation with a China focus
  5. Salesforce Cloud 4% – Solid, stable mid-tier for specialty SaaS clouds – CRM leader, and others
  6. IBM Multicloud 3% – Growing leader for multicloud integration and private/hybrid/multicloud with best open-source tools for integration and databases, AI, quantum research, and supercomputing
  7. All other global cloud vendors 21% – Too small or niche players, old tech, and numerous specialty SaaS

Source: Financial Times, February 6, 2020; Cloud vendor market percentages

DOD’s Azure award should require substantial global cloud integration costs and efforts for the general enterprise cloud architecture. Azure enterprise cloud lacks Database-as-a-Service. The Azure Support Options appear to be costly. Options features are very manual with labor-intensive use and support, according to a Fortune100 firm’s 2020 internal cloud engineer review team. It compared and ranked  AWS, Azure, and Oracle for features, functions, and engineering time. For security, Azure is developing to DOD highest security – Impact Level 6 – now. It should have to reinvent the demanding requirements of the IC security ecosystem to share and manage complex, sensitive compartmental data by each user. The Azure award efforts should require rework/money/time for security efforts.

Finally, DOD has a substantial Windows10/Office 365 automation suite, tools, standardization, migration, and cleanup effort with 3+/- million worldwide users. Microsoft has the experience, apps, and tools to do it. DOD should use Microsoft Cloud for this specialized global effort in a future multicloud enterprise. DOD Microsoft’s award missed the multicloud/vendor model.

RECOMMENDATIONS:

  • Don’t reinvent the wheel for new cloud services, such as security for huge savings,
  • Upscale cloud requirements for compliance/regulatory/risk and value-added security cost,
  • Use top-ranked cloud vendors with strong integration/tools suites in a multivendor award.

Budget and Cost Models – Reshape each cloud service cost buildup for better accuracy

DOD and IC have enormous global complex cloud budget/cost models. Each agency’s budgets are top-down. Cost data collections are bottom-up. Budget data calls are from numerous sources and locations and require estimates, data integrations, interpretations, consolidations with different procedures, and human judgment in gray areas. Many organization costs have highly automated budget/consumption for budget/cost capture. There’s a lot of rollup/consolidated cost reporting.

Each organization requires accuracy in all cost models for each existing and before new cloud services and consumption per user. Without defined cloud cost models, there is no accurate way of capturing savings. All related service costs from planning, pilots to full cloud production, and exceptionally costly data moves/transfers to other new clouds must be obtained for baselines.

Complex medium and large organizations usually require multicloud solutions with at least one private on-prem cloud for critical, sensitive high-risk data. Most organizational cloud solutions savings are marginal or cost more than planned.

RECOMMENDATIONS:

  • Capture all refresh, startup, IT, oversight, support, pilots, deployment costs in years 0,1+,
  • Use a centralized and dedicated cloud oversight budget team(s) for cost/performance,
  • Create a cloud common operations picture (CCOP) with executive reviews for actions.

Flexible Contract with Exit Ramps – Apply best risk practices from IC and DOD.

DOD released a Federal Indefinite Delivery/Indefinite Quantity (IDIQ) sole-source contract to Microsoft. This flexible IDIQ contract is a 10-year contract.  It was for enterprise cloud services with unlimited task orders and $10B in funding—the award language can terminate at will. The award calls for a sperate PMO task effort. Notably, the CIA used the same playbook in 2013. In 2020, the CIA cloud award is a multi-vendor for an enterprise commercial multicloud architecture. This multicloud refreshed plan is ideal!

RECOMMENDATIONS:

  • Set a contract ceiling with executive approval not to exceed a firm cloud program limit,
  • Use IDIQ-like contract with fixed priced cloud task orders for each small effort with exit,
  • Use a different cloud vendor for the cloud PMO to support independent oversight reviews.

Go here for more advice and insights:

“Amazon slams Pentagon’s approach to fix messy $10 billion JEDI cloud contract, new court docs show”, CNBC, 03/25/20.

“The CIA wants to upgrade its cloud tech without DoD’s JEDI drama,” TechCrunch, 02/07/2020.

“The CIA trims down cloud RFP,” Bloomberg Government, 02/06/2020.

“Old guard loses its way in the cloud,” Financial Times, COMPANIES section, 02/06/2020

“CIA Opens Competition for Lucrative Cloud Deals to Amazon Rivals,” Bloomberg Technology, 02/5/2020.

“The intelligence community will opt for multiple cloud service providers for its planned Commercial Cloud Enterprise contract,” NextGov, 02/05/2020.

“Seven Key Steps for the Evolving CIO,” MIT Sloan Management Review, 10/17/2019.

Strategic Plan to Advance Cloud Computing in the Intelligence Community,” NDI/CIA, 06/26/2019.

“Secure Cloud Transformation: The CIO’S Journey,” Richard Stiennon, Chief Research Analyst, IT-Harvest, 02/10/2019

Copyright @ 2020 HAWALD ADVISORY, LLC. DISCLAIMER: This article is entirely my opinion without financial payments. The peer review was by Tom Austin and Dr. French Caldwell. The image is by pixabay.com. Member of The Analyst Syndicate.

Disclosure

The views and opinions in this analysis are my own and do not represent positions or opinions of The Analyst Syndicate. Read more on the Disclosure Policy.