Congress looks to clamp down on DOD cloud plans

The House defense appropriations bill includes new reporting requirements on the JEDI project and the Defense Enterprise Office Solutions cloud efforts.

House appropriators are looking for more information on two multibillion-dollar cloud acquisitions in the works at the Department of Defense.

In the FY2019 Defense Appropriations bill, posted June 6 by the Appropriations Committee in advance of markup, lawmakers want clarity on the Joint Enterprise Defense Infrastructure acquisition being conducted by a special Pentagon cloud steering group and the Defense Enterprise Office Solutions effort at the Defense Information Systems Agency.

Together, the contracts could amount to more than $18 billion over a decade, covering warfighting technology on one side and back-office systems on the other.

The $674.6 billion appropriations bill would put a freeze on the use of appropriated funds to pay for the migration of data or applications to JEDI or DEOS solutions until Congress gets both a budget accounting system to provide a window into cloud spending and a detailed plan for implementation of DOD-wide cloud solutions.

The bill text specifies that this plan should include "goals and acquisition strategies for all proposed enterprise-wide cloud computing service procurements; the strategy to sustain competition and innovation throughout the period of performance of each contract, including defining opportunities for multiple cloud service providers and insertion of new technologies; and an assessment of potential threats and security vulnerabilities of the proposed cloud computing strategy, and plans to mitigate such risks."

The language comes as some vendors and trade groups continue to express concerns about DOD's approach to cloud acquisition, particularly JEDI, which is expected to result in a single award. Some of the specifications in draft requests for proposals include secret and top secret classification requirements that so far only a few vendors have managed to meet. In the most recent update, the JEDI team noted that when the request for proposals is released, it "will be clarified to caution offerors that any assumptions that take exception to the terms and conditions of the RFP may result in the proposal being deemed unacceptable."

The JEDI solicitation was expected to open to industry in May, according to the DOD's self-imposed deadline, but that timeline has slipped.

The House version of the National Defense Authorization Act also puts the JEDI program on a short leash, with report language seeking detail on JEDI and its relationship to other DOD cloud efforts, including DISA's milCloud 2.0.

The Senate NDAA, which is awaiting amendments and a vote, also takes aim at DOD's cloud efforts, requiring the DOD deputy secretary to sign off on the development or modernization of any system "without an assessment that such system is already, or can and would be, cloud hosted." The Senate bill also specifies that the DOD follow the Federal Acquisition Regulation in its cloud acquisition efforts, specifically calling out the section "regarding procedures relating to the preference for multiple awards."