As part of its accelerated push toward commercial cloud services, the Defense Department has ordered more than 100 data centers in what DoD calls its “Fourth Estate” agencies to migrate their applications to milCloud 2.0, a commercially run cloud hosted by the Defense Information Systems Agency (DISA).
What DoD’s considers to be Fourth Estate organizations include 31 agencies that support DoD across the board but don’t answer directly to one of the military services. It includes DISA itself, as well as the Joint Chiefs of Staff, Defense Advanced Research Projects Agency, the Defense Intelligence Agency, the National Security Agency, and the National Geospatial-Intelligence Agency. Rep. Mac Thornberry, R-Texas, chairman of the House Armed Services Committee, put the Fourth Estate in the crosshairs last month with proposed legislation that would eliminate DISA and six other agencies as part of a cost-cutting plan.
In a May 3 memo signed by then-acting DoD CIO Essye Miller (replaced May 7 by new CIO Dana Deasy), the Pentagon said the agencies must migrate their virtualized workloads by the end of March 2019, with the rest of their workloads following by the end of September 2020. The moves, involving 108 data centers in all, will continue DoD’s efforts to cut back on its data centers while improving its cybersecurity infrastructure, according to the memo, which was first reported by NextGov.
Thornberry’s proposal quickly ran into some pushback and was left out of the committee’s final draft for the 2019 National Defense Authorization Act, leaving only one agency–the Washington Headquarters Services–on the chopping block. Some lawmakers and others had questioned the plan, noting that the agencies in question provided essential services across the department (DISA, for example, has a global reach) that would only have to be moved elsewhere.
Moving data center workloads to the cloud would be in keeping with DoD’s overall plan for streamlined operations. MilCloud 2.0 was launched Feb. 1, initially at two DoD locations, offering commercially-run scalable Infrastructure as a Service (IaaS) to DoD customers. It offers pay-as-you-go services from a commercial provider, General Dynamics Information Technology (GDIT), unlike the first version of milCloud, which is government-run. DISA awarded a maximum $498 million contract in June 2017 for milCloud 2.0 to CSRA, which was acquired in April of this year by General Dynamics in a $9.7 billion deal.
MilCloud 2.0 offers storage, database, security, migration, and other services up to Impact Level 5 (IL5) of the Cloud Computing Security Requirements Guide, allowing it to host unclassified national security systems, and high-sensitivity systems containing controlled unclassified information (CUI), and mission critical information (MCI), according to the contractor. Although run by the contractors, milCloud 2.0 is hosted within DISA data centers, with DoD retaining ownership of its applications and data.
DoD is making a concerted move toward greater use of commercial cloud services, most notably with its Joint Enterprise Defense Infrastructure (JEDI) and Defense Enterprise Office Solutions (DEOS) acquisitions, each of them multibillion dollar projects that could run up to 10 years.
While security has always been a concern in adopting cloud systems, DoD said it expects that its cloud systems will operate at higher levels of authorization. Currently, DISA is among a handful of cloud providers–including Amazon Web Services, IBM, Microsoft and Oracle–with IL5 authorization (AWS also has gotten to IL6 for Secret information), though the list is likely to grow.