The US Department of Defense has released a draft solicitation for its $8.2 billion Defense Enterprise Office Solutions contract.
DEOS is a cloud-based platform for the military's office systems, serving as a "replacement for disparate DoD legacy enterprise information technology (IT) services, such as voice, video, collaboration, email, content management, records management and productivity suite."
Using Outlook is already enough of a battle
The DEOS cloud service offering "may scale to an anticipated 3.15 million DoD consumers, and over 4 million directory objects, which includes supporting DoD CC/S/As across many locations to include local base/post/camp/station (B/P/C/S), deployed and afloat organizations," the solicitation states.
Bidders must have documentation that proves they have Defense Information Systems Agency (DISA) Impact Level 5 authorization when they make their Phase One quote submission, and must have a DoD Impact Level 6 or provisional Level 6 authorization at the time of submission.
These security considerations limit the number of potential providers to just a handful - AWS, DISA itself, IBM, Microsoft Azure and Oracle.
According to the latest DoD Cloud Service Catalog (download here), Google Cloud currently reaches Impact Level 2, but is thought to be trying improve its rating.
The Department of Defense Cloud Computing Security Requirements Guide (viewable here) lists Level 5 as "a higher level of protection as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS specific requirements in the FedRAMP+ controls/control enhancements (C/CEs). As such, NSS must be implemented at Level 5."
Level 6 takes things further - covering "information that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor Order, to be classified national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD). At this time, only information classified as SECRET, in accordance with the applicable executive orders, is applicable to this level.
"Services running at higher classification levels, to include compartmented information, are governed by other policies and are beyond the scope of this document. Impact Level 6 requires a similar set of tailored controls as Level 5 and includes the CNSSI 1253 Appendix F, Attachment 5 Classified Information Overlay C/CEs."
DISA's catalog lists just one provider as capable of providing Level 6 - Amazon Web Services. Last year, however, Microsoft said it would open facilities designed for Level 6 soon, while in 2017, IBM told DCD it hoped to reach Level 6 at its Redstone data center by 2018,
With DEOS serving as a massive cloud contract that appears to be available to just a handful of suppliers, it is in many ways similar to the DoD's other big contract - JEDI.
Yesterday, we investigated the DoD's frontline cloud plans, spanning JEDI, the tactical edge, its own data centers and supercomputers, and milCloud 2.0.
Unlike JEDI, however, DEOS could go to multiple vendors.