Digital background depicting innovative technologies, data protection Internet technologies. Cloud computing digital concept (Getty images)
WASHINGTON — Just over a year ago the Defense Department awarded four tech giants — Google, Amazon Web Services, Microsoft and Oracle — a contract worth up to a collective $9 billion to provide cloud services for the Pentagon and each military branch, if the branch’s so choose to use it.
The program, called the Joint Warfighter Cloud Capability (JWCC), is a second try after the Pentagon’s infamously contentious and ultimately failed $10 billion Joint Enterprise Defense Initiative, or JEDI, project.
The idea of JWCC, similar to JEDI before it, is to offer cloud computing “from headquarters to the tactical edge” across classification levels, per the DoD’s December 2022 announcement.
Thirteen months later, according to a review of public announcements, as well as DoD memos and new details provided to Breaking Defense by defense officials, it appears headquarters is making progress in its use of JWCC — to the tune of $260 million in task orders so far — while the services closer to the “tactical edge” are unevenly dipping their toes into the tech offering. Army, Navy and Marine programs, for instance, are starting to use JWCC for some secret-level “requirements” and wargaming-related work, Breaking Defense has learned.
In the meantime, the Pentagon is already making plans for JWCC 2.0, a so far vague notion, in public at least, of the next iteration of the services on offer.
“Nothing in the department meets this requirement at the current time … and it will be imperative for capabilities like Joint All Domain Command and Control, or JADC2, as well as the AI and Data Accelerator, or ADA, initiative and other key warfighting activities for the combatant commands and indeed all across the enterprise,” Pentagon CIO John Sherman said of JWCC in March 2022.
Army, Navy, Marines Poking Around JWCC
While the military services aren’t mandated to use JWCC, last August Sherman issued guidance laying out conditions for how the entire department and military services should leverage the cloud tech. Lily Zeleke, deputy CIO for information enterprise, said then that the intent was to leverage JWCC “to the greatest extent possible.”
Frank Reyes, cloud solutions leader at Maximus, told Breaking Defense that this early in JWCC’s life, there may not be “enough data points” across the services “to say what is and isn’t working.”
But there has been movement, and the Army and Navy so far seem to have embraced it the most, according to internal memos about JWCC implementation provided to Breaking Defense.
The Army’s Enterprise Cloud Management Agency (ECMA), the service’s primary cloud shop, is currently piloting two efforts through JWCC to inform what the office needs, service spokesperson Madison Bonzo told Breaking Defense.
Additionally, the Army’s CIO issued a memorandum across the service on Sept. 14 with updates to cloud procurement guidance for the service, stating that it will leverage JWCC as it “strategically” rolls off the Cloud Account Management Optimization (CAMO) production contract, Bonzo said Nov. 27. According to an Army press release, CAMO “is the Army’s enterprise cloud service provider (CSP) reseller, as well as its cloud tracking and analytics capability.”
Specifically, the Army is designated to use JWCC for “all new non-intelligence Secret (IL6) requirements,” though it still directs anyone interested in getting cloud services to use ECMA, according to the memorandum, which was obtained by Breaking Defense.
The service will continue to use CAMO for all IL5 and below requirements, the memorandum says, and the ECMA will negotiate cloud service offerings “off of CAMO and JWCC as appropriate.”
Meanwhile, on June 20, the Navy’s program executive office for digital and enterprise services (PEO Digital) formally established its own Neptune Cloud Management Office, responsible for the acquisition and delivery of the service’s cloud services.
John Mithun, director of the Neptune Cloud Management Office and portfolio manager for platform application services in PEO Digital, told Breaking Defense on Dec. 12 that JWCC “is available for all offerings for any new cloud computing capabilities and services at the Secret (Impact Level 6) or Top Secret, including all tactical edge and Outside the Continental United States (OCONUS) cloud computing capabilities and services.”
PEO Digital also released a memorandum on Aug. 31 relating to JWCC, saying the contract vehicle was authorized for new orders of Amazon Web Services infrastructure as a service IL6 “and higher where continued usage of an existing contract vehicle is not available; and orders of cloud-native edge hardware solutions not available via DON enterprise agreement,” Mithun said.
Additionally, the Navy’s Naval Information Warfare Center Pacific’s “COSMOS cloud computing program has leveraged JWCC for IL6,” Mithun added. The “Wargaming Division of the Marine Corps Warfighting Laboratory/Futures Directorate will be the first adopter of JWCC IL6” and Amazon Web Services IL6 will be procured for Marine Corps Cyber Operations, he said.
Beyond the Army and Navy, however, other services have approached JWCC’s potential more slowly.
Space Force spokesperson Maj. Tanya Downsworth told Breaking Defense on Dec. 1 that the service “is still in the early stages of implementation and does not have data to provide at this time.”
The Air Force has not provided information to Breaking Defense. Last May, then-Air Force CIO Lauren Knausenberger said that shifting Platform One, the service’s software development platform, into JWCC would be a “perfect” move and at the time Air Force was figuring out how to do so.
“Actually the appetite’s pretty high and I think that would actually be a really good thing because Platform One was envisioned to be a platform that any development team could show up to and have a comprehensive and complementary set of products and services that were well orchestrated to drive mission value across whatever that mission was,” Knausenberger said May 4. “And I think actually a move to JWCC would be perfect.”
Prior to JWCC, each of the military services “were kind of deploying the cloud at different maturity levels … and it was really hard to get behind what are the common standards, governance and compliance … how does the department operate and navigate and be interoperable in the cloud?” Maximus’s Reyes said.
“I think having a contract vehicle that centralizes a lot of the attention onto this … I think that in itself has provided a lot of value in it,” he added.
Reyes’ comments echo those of other analysts who told Breaking Defense that JWCC has given DoD the ability to adopt the best cloud services for a particular job while not being tied to a specific vendor.
And while it may be too early to see impacts on the individual military services, Mark Wiggins, director of defense, intelligence community and systems integrators at Fortinet Federal, said that “JWCC has made a significant impact within the department, specifically regarding standards-based cloud operations and the rationalization process to ensure DOD’s mission critical applications and data can be stored and accessed by those responsible for planning and execution.”
JWCC 2.0 And Security
As the services begin to wade into what JWCC can offer, a new iteration is already on the horizon. Sherman announced JWCC 2.0 last month at JWCC’s one-year mark.
Though he didn’t elaborate on what exactly the future would look like with JWCC or its timeline, Sherman said then that DoD was “firmly committed to multi-cloud, multi-vendor, and this is what we’re going to be doing going forward.”
Pentagon Spokesman Tim Gorman told Breaking Defense on Jan. 29 that the department was still assessing what JWCC 2.0 would be.
“The DoD is reviewing future services and capability needs as well as updates to its policies and procedures as it continues to advance cloud adoption Department-wide,” Gorman said in a statement. “JWCC 2.0 will reflect this maturing understanding and evolution of the Department’s requirements with ongoing modernization efforts.”
Reyes said that JWCC 2.0 is likely not the final version of the effort, which will be iterative as the needs of the military services and department evolve.
“You can’t assume that you know what you need for everything and everything, and it’s going to work perfectly [on] day one,” he said. “So I applaud the department for realizing … we’re gonna iterate on this, because we’re here to listen to the services and the various department agencies and take that feedback on how we can make it better.”
Though details of JWCC 2.0 are still being fleshed out, Justin Wilkins, director of engineering at Varonis, said he’s curious how DoD will address zero trust requirements moving forward since each cloud service provider “is a little bit different.” He suggested that DoD implement a security standard across all the different “cloud enclaves.”
“Different configurations, different cloud environments, different services,” he said. “And so I think having some sort of guidelines, whether it’s applying the zero trust principles in cloud service providers to make sure that they have a roadmap for implementing these controls, or even doing things like sticking to having guidelines for how these cloud services should be used in provision similar to what they have for, you know, applications, etc. I think that’s also pretty important.”
The Pentagon wants to implement a baseline level of zero trust across its enterprise by 2027. Last year, Randy Resnick, director of the zero trust portfolio management office within the office of the CIO, said red team hackers from the National Security Agency and potentially from the military services would launch a months-long series of attacks on zero-trust security systems on clouds run by the four JWCC vendors.
“We saw that there were four CSPs, or cloud service providers, that were delivering services in the future under the JWCC contract,” Resnick said on Jan. 19. “and so we said to ourselves, ‘Why don’t we approach those four contractors — independent of JWCC — but to bring up the subject of zero trust with them, show them what our definition of zero trust is … and ask them whether or not they believe they can do zero trust to the target level within their cloud infrastructures.”
As for JWCC’s current security, Gurpreet Bhatia, DoD’s principal director for cybersecurity, told Breaking Defense that the department “performs monthly continuous monitoring and validation of annual assessments to ensure that the security of the offering is maintained.”
“Additionally, implementing these services requires compliance with the Cloud Computing Security Requirements Guide (CCSRG) to ensure services are implemented securely,” he said.
Outside of cybersecurity, it’s possible the future of JWCC could include additional vendors outside the major players already named, Wilkins said.
“I think that’s probably the long term evolution to give even more competition [and] facilitate the ability to award contracts to any cloud provider or any cloud services, regardless of whether they’re under contract or not,” he said.
JWCC is also being used by the department as part of its JADC2 effort, rebranded last year as “Combined” JADC2, or CJADC2, to connect and share data through all domains by “supplying those critical applications to support the transport and cloud compute needed to provide enhanced targeting and mission information for the location of enemy targets.”
Wiggins added that as DoD “continues to evolve” its CJADC2 concept, one consideration for department leaders would be to “implement a multi-layer cybersecurity protocol to provide users with the ability to move within the cloud environment and leverage cross domain solutions with JWCC 2.0.”
“When combined with [artificial intelligence] to sift through large datasets and automation to help deliver the information, this will allow various security levels to access higher or lower data based on their credentials, enabling quicker decision making in instances of a go or no-go command situation,” he said.
