Lawmakers are seeking the Pentagon's reasoning behind planning the Joint Enterprise Defense Infrastructure cloud services acquisition as a sole source award, according to the fiscal year 2018 omnibus legislation approved by the House today.
The bill would require the Pentagon to provide a report on the JEDI acquisition, which the Defense Department is planning as a single award, indefinite-delivery, indefinite-quantity contract with options for up to 10 years. The Senate needs to pass the legislation by midnight Friday or the government will shut down.
"There are concerns about the proposed duration of a single contract, questions about the best value for the taxpayer, and how to ensure the highest security is maintained," the legislation states.
The report should lay out the framework for all DOD entities acquiring cloud computing services, including "standards, best practices, contract types, and exit strategies to ensure government flexibility as requirements evolve," the bill states.
Additionally, the report should include DOD's "justification to include cost considerations, for executing a single award contract rather than creating an infrastructure capable of storing and sharing data across multiple cloud computing service providers concurrently, to include data migration and middleware costs," the bill continues.
The report would be due within 60 days of the bill's enactment.
A separate report due within 45 days would detail the JEDI request for proposals, which is expected to be released this May. The report should also include the money in DOD's FY-18 and FY-19 budgets, respectively, for JEDI and all other cloud computing acquisitions, the five-year budget outlook for cloud programs and the areas where other transaction authorities will be used to acquire cloud computing services, according to the omnibus.
Furthermore, the document should include a certification from DOD's chief information officer that each of the military services, the combatant commands, the Defense Information Systems Agency and the chief information officers of each of the services "have been consulted during the drafting of the RFP," the bill states.
Signaling concerns with the security of commercial cloud, the 45-day report would also need to identify "provisions within the contract to ensure security is maintained over the period of the contract," as well as "provisions for mitigation actions if the commercial entity were to provide services to or be acquired by a foreign entity or government," according to the legislation.
JEDI has garnered significant interest since Deputy Defense Secretary Pat Shanahan established a cloud executive steering group to guide the acquisition this past September.
The architects of the JEDI draft RFP envision a future where data is easily transported within DOD, whether it's between bases in the United States or warfighters overseas.
The Pentagon is planning the JEDI acquisition as a single, potentially 10-year award for commercial cloud services because "we believe that a multiple-award cloud would exponentially increase the overall complexity," Tim Van Name, deputy director of the Defense Digital Service, told reporters earlier this month following an industry day in Arlington, VA. The Defense Digital Service has led the development of the JEDI acquisition strategy.
"The systems in different clouds, even when designed to work together, would require complex integration, which raises the bar for the development, testing and ongoing maintenance," Van Name said. "The department would have to manage the seams between the various cloud hosted applications and deal with the challenges associated with accessing data in multiple cloud environments."
But many in industry believe the acquisition is being tailored for Amazon Web Services, the largest commercial cloud services provider. Late last year, several industry groups raised concerns that the single-award strategy was flawed. During the industry day this month, however, Pentagon officials made clear they are pressing forward with the single-cloud strategy.