DOD Awards $9B Contract to Top 3 Cloud Providers and OracleChallenges Related to Cloud Security, Governance and Orchestration Persist
Four major cloud providers - Amazon Web Services, Google, Microsoft and Oracle - will all participate in a $9 billion U.S. Department of Defense remote computing contract, the Pentagon announced today. The decision to usher four American cloud computing vendors into its Joint Warfighting Cloud Capability contract marks a departure from an earlier winner-take-all approach that for years bogged down the military's transition into commercial cloud after losers excluded from the contract protested its fairness.
See Also: Wiz for CSPM
In a news release, the Department of Defense said it "aims to bring enterprisewide cloud computing capabilities to … all domains and classification levels," from the "strategic level to the tactical edge."
Addressing a lawsuit brought by AWS that challenged the Pentagon's award of the JWCC contract to Microsoft in 2021, the DOD contract note says no funds are being obligated at this time. "Funds will be obligated on individual orders as they are issued," the statement says.
The hybrid contract is based on "firm-fixed-price and time-and-materials, indefinite-delivery/indefinite-quantity" terms and names other vendors for providing services to the Navy, Air Force, Army, DARPA and the Defense Logistics Agency.
Wrangling over the large contract began in 2019, when the department awarded the $10 billion Joint Enterprise Defense Infrastructure contract to Microsoft. Amazon sued, alleging that the JEDI award was tainted by conflicts of interest, including alleged improper involvement by former President Donald Trump. Oracle had previously objected to the JEDI contract, so in July 2021, the DOD announced it was canceling the contract and said it had plans to replace it with the JWCC contract in 2022. Similarly, Microsoft last year filed a protest with the Government Accountability Office against a $10 billion cloud contract with the National Security Agency.
In a media briefing, John Sherman, who was then acting CIO of the department, said Defense would be contacting "other cloud service providers not named in the documents" - alluding to Google, Oracle and IBM.
Forrester Principal Analyst Devin Dickerson said a multi-cloud strategy at DOD makes sense and follows a growing trend of government contracts being awarded to multiple cloud providers - a noticeable departure from the single-cloud provider lens of JEDI.
"The shift to multi-cloud is a sign of two developments: higher trust in public cloud security and services capabilities and maturing CSP technology and services to meet rigorous multi-cloud strategies," Dickerson says. "That doesn't mean individual programs within the DOD have to go multi-cloud. But the DOD as an enterprise will end up in a multi-cloud world based on this award."
The inclusion of Oracle and Google in the JWCC came as a surprise to industry observers since the General Services Administration said last year that only Amazon and Microsoft appeared capable of meeting the Pentagon's requirements. Oracle's cloud business is much smaller than the others; it generated just $900 million in cloud infrastructure revenue in the quarter ended Aug. 31.
"Capturing JWCC is a huge boon for OCI, which drastically trails AWS, Azure, and GCP by a large margin in revenue and market share," Dickerson says. "However, Oracle has a major on-premises presence in government. Adoption of Oracle's cloud services means potential avenues for growth in government applications for hybrid and public cloud workloads.
Amazon Web Services delivered $20.5 billion in sales in the company's fiscal third quarter. Synergy Research Group in October found that AWS controlled 34% of the $57.5 billion cloud infrastructure services market, while Microsoft and Google captured 21% and 11% market share, respectively. Oracle didn't even crack the top five; Alibaba and IBM took the final two slots.
Wall Street has reacted favorably to the JWCC award, sending Amazon, Microsoft and Oracle's stock up slightly shortly after the market opened Thursday, while the stock of Google parent Alphabet is trading a little lower. The four companies have said very little in public comments about the JWCC award since it was announced late Wednesday.
Microsoft said in a blog, "We believe the multi-cloud approach for JWCC is the right one for the DOD's enterprise infrastructure. Multi-cloud is already an established best practice in the commercial industry because it enables organizations to maximize flexibility, enhance resiliency and access the best technologies across providers."
But the relative silence likely stems from uncertainty over how large a slice of the $9 billion pie each of the four technology giants will ultimately be served. The nature of indefinite delivery, indefinite quantity contracts means decisions around which company to work with will be made on an order-by-order basis.
"The vendors will remain in competition throughout the life cycle of the contract," Dickerson says. "As individual task orders get added, the vendors will need to show that their capabilities and pricing are best suited to meet those mission needs. It’s only when those individual task orders are awarded that funds will be obligated so the real competition is only just beginning."
Although the JWCC is slated to provide military personnel around the globe with access to unclassified, secret and top-secret data, the Pentagon hasn't yet said much about what it's looking for from a security perspective. "Fortified security" is one of the nine capabilities the Pentagon says the JWCC will allow the Defense Department to get alongside assets such as "advanced data analytics" and "tactical edge devices."
Defense in November announced that its security strategy will be based on zero trust principles, but the heavy commitment to cloud poses fundamental security questions - from potential configuration errors to nation-state actors targeting these cloud providers, says Chase Cunningham, a former Forrester analyst known as the "Doctor of Zero Trust," who leads security at Ericom Software. A former chief of cryptologic technologies at the U.S. National Security Agency, Cunningham says the military is already operating in a multi-cloud environment to supplement DOD data centers.
"It's kind of like the untold story that no one would really admit is that the upper layers were running the stuff and then underneath it, it was this hodgepodge of anything you could get to work to move electrons to serve the mission," Cunningham says. “It's been multi-cloud since multi-cloud was even a conversation, and for a long time, it was like multi-cloud smoking meth with money thrown at it, and it just kept getting bigger, faster and crazier over time."
With pieces of the U.S. Defense Department IT infrastructure potentially spread across four cloud platforms, the contract raises questions about how DOD will manage infrastructure efficiently and how it will ensure orchestration across clouds and visibility into governance and costs.
One benefit will be speed, says Dickerson. Speed is a major problem with government contracts and modernization efforts.
"Six years is a long time in technology," Dickerson says. "DOD programs sometimes move slow, but this award will actually make it far easier and potentially faster for individual programs to take advantage of the cloud. Allowing programs to leverage the JWCC contract vehicle to make their cloud acquisitions not only ensures the availability of cloud services across their required security domains and classification levels but could shave months or years off acquisition timelines."