The Department of Defense (DoD) has mercifully put the Joint Enterprise Defense Infrastructure (JEDI) out of its misery. Along with the announcement of JEDI’s cancelation, the Pentagon said that it would begin the process of implementing a new enterprise-wide cloud capability.
However, unlike JEDI, which the Department argued had to be a single award to ensure efficiency and security, the new contract, known as the Joint Warfighting Cloud Capability (JWCC), will be what is called an indefinite-delivery/indefinite-quantity (ID-IQ) award with multiple vendors winning the right to bid on task orders.
Regardless of its form, DoD requires an advanced cloud capability that can support the seamless and rapid movement of information and orders at all classification levels across the entire defense enterprise, from the highest headquarters to the tactical edge. While the JWCC may initially invite lots of companies to participate, the truth is that only a few have the range of capabilities to create a cloud environment capable of supporting the military’s vision for Joint All-Domain Command and Control (JADC2).
When it was first proposed, JEDI was intended to be a cloud like no other. DoD envisioned JEDI as a “worldwide, highly available, exponentially elastic, secure, resilient cloud computing and storage environment that seamlessly extends from the home front to the tactical edge.” The JEDI cloud also was supposed to support the rapid development and deployment of virtually any application, store, move, and protect the most sensitive national intelligence information, and enhance real-time decision-making.
The sheer size of the proposed effort, encompassing tens of thousands of nodes and hundreds of thousands of users, suggested that only a handful of companies with extensive experience in developing and managing large-scale cloud environments could hope to be successful. In addition, because JEDI was to be a warfighting cloud, the security requirements for JEDI were extremely exacting. Companies competing for the JEDI contract had to demonstrate in their proposal submissions that within six months of the award they could reach DISA Impact Level 6, which ensures the ability to protect secret data. It is possible to count the number of companies that can meet this standard today on one hand with several fingers left over.
The JEDI contract was awarded on October 25, 2019. From the time the proposal for JEDI was first published, about a year earlier, the effort was mired in controversy and beset by administrative and legal challenges. Several large IT companies protested the way the proposed Request for Proposal (RFP) was constructed, as a winner-take-all award, which made it slanted in favor of the dominant cloud services provider at the time, Amazon Web Services (AWS).
Despite these protests and lawsuits being repeatedly rejected, JEDI continued to face problems. These did not end when the contract was awarded not to the company the community expected to win, AWS, but to Microsoft. AWS and other companies moved almost immediately to challenge DoD’s decision on both technical and procedural grounds. In particular, AWS asserted in court that then-President Trump had exercised undue influence over the award decision. As a result of continuing litigation, Microsoft was unable to begin work on the JEDI program.
By Spring 2021, the JEDI program had already been delayed by some eighteen months. Then, in April, the Court of Federal Claims dealt JEDI a death blow by deciding that AWS’s suit against the Pentagon could move forward. DoD was looking at a minimum of several years of court battles during which it would not have the benefit of an enterprise-wide cloud. The Pentagon made the decision that it was faster and easier to cancel the JEDI procurement and start from scratch.
But canceling JEDI does not solve DoD’s problems when it comes to acquiring the kinds of cloud services it hoped to receive with JEDI. The new program, JWCC, will not release an RFP until October at the earliest, with a reward to be made in April 2022. This is an optimistic scenario given the need to issue draft RFPs and receive comments from industry. Moreover, this assumes no new protests and court suits.
But the Pentagon may be opening itself up to complications in several additional ways. One is by suggesting in its announcement of the JWCC program that it would look first to the two competitors for JEDI, AWS and Microsoft but also favor other so-called “hyperscale” cloud providers: Oracle, Google, and IBM. This would seem to leave out other possible competitors, most notably General Dynamics Information Systems, which manages several extremely large and complex cloud programs for DoD. One can already see the lawyers preparing their briefs.
Another potential pitfall is the decision to make the new competition an ID-IQ vehicle. While this approach avoids the contentiousness of a single award, it is likely to create serious problems down the road. Instead of competing the effort once, with an ID-IQ contract now every task order becomes a mini-competition in itself. This inevitably makes the process of getting work on contract slower, more complicated, and costly.
Making JWCC an ID-IQ also abandons the Pentagon’s erstwhile goals of standardization and interoperability. The Pentagon already operates some 500 different clouds. JEDI was supposed to reduce this number, simplify the acquisition process for cloud services, allow for data to be moved rapidly, seamlessly, and securely across the network and between users, and improve security.
Now, users may find themselves having to transit multiple clouds with critical applications and data bases provided by different contractors. Not all the potential contenders can be expected to have achieved Impact Level 6 security. This would suggest that some data and applications would have to be segregated from the other clouds operated under JWCC. This creates the very seams and complications that the Pentagon hoped to avoid with JEDI.
An enterprise-wide military cloud (what might be termed a “war cloud”) is critical to DoD’s ability to create JADC2. JADC2 is supposed to transform the American way of war. It is intended to allow the Joint Force (and eventually coalition partners) to share intelligence, surveillance, and reconnaissance data, transmitting it securely across many communications networks rapidly, to enable faster decision making. JADC2 will require an enterprise-wide cloud environment. Hopefully, JWCC will be able to provide such a capability.
Dr. Daniel Goure is Senior Vice President with the Lexington Institute, a nonprofit public-policy research organization headquartered in Arlington, Virginia. He is involved in a wide range of issues as part of the institute’s national security program.