DOD clarifies security requirements to compete for $8B back-office cloud

There's good news for potential DEOS cloud vendors who don't yet meet the military's level 6 security requirements.

Eventually, the contractor that will lead the Pentagon’s single-award, $8 billion back-office cloud acquisition will need to be able to store and process Secret-level information. But it’s OK if the vendor hasn’t yet achieved that capability at the time of the award, the Pentagon clarified this week.

The two-phase vision for the Defense Enterprise Office Solution is to provide communication, collaboration and other back-office tools via a hybrid-cloud model to DOD users, first within U.S. territories and then outside. The entire solution will need to have DOD impact level 6 capabilities, meaning it has met security requirements to handle Secret information.

But the need for those Secret-level capabilities is a bit down the line. And during the buildout of DEOS phase one — which deals with unclassified networks in the continental U.S. — the chosen cloud vendor needs to meet only impact level 5 security requirements, for storing and processing controlled unclassified information for national security systems.

“At this time we anticipate that the final RFQ will reflect that an offeror will not be required to possess IL6 at the time of the award in order to be eligible for the award,” says the Q&A, posted as an amendment to the DEOS draft solicitation.


“Candidates must have a certified Impact Level 5 (IL5) offering for infrastructure, platform, or software as a service approved requirement to successfully compete,” it says. “Market research indicates that there are sufficient vendors with DoD Cloud Computing (CC) Security Requirements Guide (SRG) Impact Level 5 (IL5) to facilitate competition and ensure timely delivery of the first phase of delivery – services for non-classified networks in the continental United States.”

For now, the draft solicitation doesn’t explain how a cloud provider that is level 5-compliant will show that it’s on track for level 6 compliance down the road.

As the Q&A explains, there’s a crowd — albeit a small one — of vendors who meet level 5 requirements: Amazon Web Services, IBM, Microsoft and Oracle. But from that group, only AWS has achieved level 6. Microsoft has said it could do so sometime in 2019.

This is the same approach the DOD will take with its Joint Enterprise Defense Infrastructure (JEDI) cloud, first requiring level 5 compliance and then level 6 down the line. That enterprisewide, commercial cloud, however, will be the anchor of DOD’s move to adopt next-generation cloud capabilities, the department revealed last week in its cloud strategy.
