The US military's research agency, DARPA, plans to be fully in the cloud by 2022, according to a procurement document, requesting help from IT network services contractors.

The agency currently relies on a mixture of Amazon Web Services and internal server infrastructure, according to the document, which gives details of DARPA's current server and cloud deployments, and its future plans. The request provides a rare glimpse into the IT infrastructure of one of the US government's most secretive agencies, known for its part in the creation of the Internet.

A DARPA deep dive

DARPA Information Technology Directorate

The Defense Advanced Research Projects Agency is seeking a small business to "provide and manage the full range of IT services, support, and infrastructure necessary to support DARPA and implement the DARPA IT strategic direction and operational objectives for all networks from unclassified to SAP/SCI, which will evolve over the course of this contract.

"DARPA’s IT services consist of standalone systems, local area networks (LANs) and wide area networks (WANs) that are located in DARPA, Defense Industry Base (DIB) and Government Partner facilities."

The contract will last one year, with eight optional year-long extensions. To not fail the contract, mission-critical services must have at least 99.99 percent uptime, critical services no less than 99.95 percent and 'non-critical, but essential services' should have 99.9 percent uptime.

In a presentation at an industry day held earlier this month by the agency's internal IT administrative division, the Information Technology Directorate, slides detail DARPA's internal computing resources.

Network Ops maintain 2.3 petabytes of storage and 542 servers for unclassified work, along with 600 terabytes of storage and 294 servers for classified work. Servers are refreshed every 48 months. Its HPC support has "15 HPC Projects" and has access to 25 million CPU hours.

Separate documents reveal that email services are "currently based on Exchange 2013 Servers," while active directory services are "currently based on Windows Server 2012 R2."

The presentation continues: "ITD procured nearly 7,000 substantial items (servers, network infrastructure, laptops, monitors, etc.) over the past year. This is in addition to smaller items (e.g., cables, mice, phone chargers, etc.)." Reference is made to an internal data center, as well as a disaster recovery site.

But, as the document notes, "compliance with US Government and DoD mandates to migrate to consolidated data centers or utilize commercial cloud." Since 2015, the documents reveal, DARPA has used AWS GovCloud for some unclassified workloads.

"Currently migrating all unclassified workloads to Amazon Web Services GovCloud," a slide states. "[Approximately] 30% of unclassified workloads have been migrated."

Single-sign-on and identity access management for users "accessing DARPA custom developed web applications and commercial cloud solutions" is handled by the company Okta.

Box, meanwhile, has been authorized and is being implemented to provide enterprise collaboration, content management, file services, DoD Safe-like file transfer services, and DARPA technical program office research program data archive services

The presentation says that initial engineering and evaluation efforts are underway to assess migrating classified systems to a commercial cloud.

In a roadmap (below), the ITD sets 2022 as the date for its operations to become 100 percent cloud operational, with numerous potential providers shown, including Oracle, Azure, IBM Cloud, and Google Cloud.

DARPA Information Technology Directorate Cloud Services Roadmap

In addition to the increasing reliance on cloud, DARPA's IT operations are set to undergo another shift. In late 2019, the Deputy Secretary of Defense designated the Defense Information Systems Agency (DISA) as the single service provider of commodity/common use IT services for DoD agencies that are not the military services.

"DARPA is currently scheduled for transition of common use IT to DISA in FY24," a procurement document states. It adds: "DARPA mission and research networks, IT services, and other capabilities provided by ITD will persist post transition of common use IT systems."

It is not entirely clear from the documents how the distinction is made between what will become part of DISA and what will remain under the ITD.

While DARPA is pursuing a cloud push - seen elsewhere in the US government with the DoD's controversial JEDI program and the CIA's embrace of Amazon - its networks consist of several distinct systems, created to ensure that if one is compromised the others remain secure.

One of the documents details these networks:

  • DARPA Management Services System (DMSS) is the primary controlled unclassified information (CUI) network with dedicated connectivity to the Internet, the Defense Information System Network (DISN), and commercial Cloud Service Providers (CSPs).
  • DARPA Public Network (DPN) is an unclassified network, separate from the DMSS, to support non-CUI unclassified processing and Internet access for DARPA visitors and employees.
  • DARPA Secret Network (DSN) provides HQ LAN access to external SIPRNet resources.
  • DARPA Secret Wide Area Network (DSWAN) provides an isolated Secret collateral network LAN/WAN environment to support timely collaboration needs with performers whom are unable to obtain SIPRNet access.
  • DARPA Joint Worldwide Intelligence Communications System (JWICS) Network (DJN) provides HQ LAN access to external intelligence community (IC) resources and mission partners.
  • ALCAZAR provides an enterprise platform IT (PIT) LAN/WAN capability to support collaboration up to TS//SCI//SAR levels, as well as controlled interfaces to nonenterprise PIT systems.
  • Savannah (SAV) provides a Windows-based LAN environment coupled with a multilevel security (MLS) cross domain solution (CDS) WAN and circuit transport capability, enabling performer collaboration up to TS//SCI//SAR levels, as well as enabling singular interface access to multiple DARPA enterprise, non-enterprise, and non-DARPA mission partner classified networks

Contract applicants are expected to work with all of the networks.

A formal request for proposals is expected mid-February, with phase one proposals due a month after.

The contract award, which currently has no disclosed budget, is anticipated to be announced in September 2020. The project will start on March 1, 2021.