{ "id": "IN10990", "type": "CRS Insight", "typeId": "INSIGHTS", "number": "IN10990", "active": true, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 588598, "date": "2018-12-12", "retrieved": "2018-12-13T14:02:53.336750", "title": "The DOD\u2019s JEDI Cloud Program", "summary": "In September 2017, Deputy Secretary of Defense (DSD) Patrick Shanahan issued a memorandum calling for the accelerated adoption of a Department of Defense (DOD)-wide cloud computing system. Under the Joint Enterprise Defense Infrastructure (JEDI) Cloud program, DOD seeks to \u201cacquire a...cloud services solution that can support Unclassified, Secret, and Top Secret requirements,\u201d with a focus on commercially available services. Significant industry and congressional attention has been focused on the JEDI Cloud contract.\nWhat is Cloud Computing?\nBroadly speaking, cloud computing refers to the practice of remotely storing and accessing information and software programs through the internet, instead of storing data on a computer's hard drive or accessing it through an organization\u2019s intranet. It relies on cloud infrastructure, a collection of hardware and software that may include components such as servers and a network. This infrastructure can be deployed privately to a select user group, or publicly through commercial services available to the general public. \nWhat is the Current Status of DOD\u2019s Adoption of Cloud Services?\nDOD maintains more than 500 public and private cloud infrastructures that support Unclassified and Secret requirements. DOD has described its current cloud services use as \u201cdecentralized,\u201d creating \u201cadditional layers of complexity for managing data and services at an enterprise level.\u201d In a statement accompanying the release of the JEDI Cloud Request for Proposal (RFP) on July 26, 2018, DOD Chief Information Officer (CIO) Dana Deasy noted that the department requires an enterprise-wide cloud \u201cthat allows for data-driven decision making [and] enables DOD to take advantage of our applications and data resources\u201d to provide worldwide support for DOD operations. \nWhat Policies Apply to DOD Cloud Acquisitions?\nWhile the Federal Acquisition Regulation (FAR) does not specifically provide acquisition guidance for cloud computing services, select sections (such as FAR Part 39, Acquisition of Information Technology) may apply. Other government-wide policies for cloud products and services, such as the Federal Risk and Authorization Management Program (FedRAMP), may also apply.\nDOD policies for acquiring cloud services are prescribed by Defense Federal Acquisition Regulation Supplement Subpart 239.76, which states that DOD must generally acquire cloud services using commercial terms and conditions consistent with federal law and DOD\u2019s needs. A contract to acquire cloud services may generally only be awarded to a provider (e.g., a prime contractor or subcontractor) with provisional Defense Information Security Agency (DISA) authorization to provide such services, consistent with the current version of the DOD Cloud Computing Security Requirements Guide. DOD Instruction 5000.74, Defense Acquisition of Services, specifies that all cloud services must have an Authority to Operate (see also DOD Instruction 8510.01, Risk Management Framework for DOD Information Technology).\nDOD Memorandum Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services, issued on December 15, 2014, provides additional guidance for the acquisition of commercial cloud services.\nHow is the JEDI Cloud Contract Structured?\nThrough the JEDI Cloud contract, DOD is conducting a full and open competition, which will result in a single award Indefinite Delivery/Indefinite Quantity (ID/IQ) firm-fixed price contract for commercial items (i.e., cloud infrastructure and computing services). \nWhat is an ID/IQ Contract?\nAn ID/IQ contract allows the U.S. government to obtain an unspecified quantity of supplies or services over an unspecified period of time. An indefinite-quantity contract can also be referred to as a task-order contract. A task-order contract does not procure a firm quantity of services (other than a minimum or maximum quantity) and allows the issuance of orders for the performance of tasks (i.e., task orders) under the contract. \n\nThe period of performance is structured as a 2-year base ordering period, with three additional option periods (two 3-year options and one 2-year option), for a potential total of 10 years.\nAnticipated JEDI Cloud Contract Period of Performance\nPeriod of Performance\nTimeframe\n\nBase ordering period (2 years, guaranteed)\nApril 17, 2019 \u2013 April 16, 2021\n\nOption #1 (3 years, if exercised)\nApril 17, 2021 \u2013 April 16, 2024\n\nOption #2 (3 years, if exercised)\nApril 17, 2024 \u2013 April 16, 2027\n\nOption #3 (2 years, if exercised)\nApril 17, 2027 \u2013 April 16, 2029\n\nSource: JEDI Cloud RFP, \u201cCombined Synopsis/Solicitation for Commercial Items,\u201d updated August 31, 2018.\nDOD wants the JEDI Cloud to provide services comparable to those made available through commercial cloud services and is requiring any successful offeror to provide rapid deployment of new commercially available cloud-related services to JEDI Cloud users. DOD also expects ongoing parity with public commercial prices. \nDOD indicated that the minimum guaranteed award is $1 million. The contract has a maximum ceiling of $10 billion across the potential 10-year period of performance. Under an ID/IQ contract, the government is only required to purchase the minimum amount specified in the contract, and may ultimately choose not to reach the contract ceiling.\nThe RFP closed on October 9, 2018; DOD is currently reviewing received bids.\nHow Has Industry Reacted?\nDOD received more than 1,500 comments in response to multiple draft RFPs; companies including Amazon, Google, IBM, and Microsoft expressed interest in competing. However, DOD\u2019s proposed acquisition strategy also sparked resistance from those who opposed DOD\u2019s intent to award the contract to a single company. This concern led some industry associations to publicly contest a single award, arguing that it would be inconsistent with broader federal cloud computing strategy, and could unfairly restrict future competition for DOD cloud services. For example, the trade group ITAPS (IT Alliance for Public Sector) sent a letter to the House and Senate Armed Services committees stating in part that the: \n...deployment of a single cloud conflicts with established best practices and industry trends in the commercial marketplace, as well as current law and regulation, which calls for the award of multiple task or delivery order contracts...Further, the speed of adoption of innovative commercial solutions, like cloud, is facilitated by the use of these best practices.\nOn October 8, 2018, Google announced that it would not be submitting a bid for the contract, citing possible conflict with its corporate principles, along with DOD\u2019s plans to award the contract to a single vendor, among its reasons for withdrawing.\nOracle America and IBM both filed pre-award bid protests against the JEDI Cloud solicitation; GAO denied Oracle America\u2019s protests on November 14, 2018 and denied IBM\u2019s protests on December 11, 2018. Subsequent to GAO\u2019s dismissal of its protests, Oracle America filed a bid protest lawsuit with the U.S. Court of Federal Claims (Oracle America Inc. v. U.S., case number 1:18-cv-01880).\nHow Has DOD Responded to Industry Concerns?\nDSD Shanahan and other DOD officials have reportedly described JEDI Cloud as a \u201cpathfinder\u201d intended to provide a model for DOD\u2019s future transition of legacy IT systems to the cloud. In its May 2018 report to Congress DOD indicated that the JEDI Cloud contract would include:\n...multiple mechanisms to...maximize DOD\u2019s flexibilities going forward...Option periods...will only be exercised if doing so is the most advantageous method for fulfilling the DOD\u2019s requirements when considering the market conditions at the time of option exercise.\nDOD noted that a multiple-award contract would require competition for each task order issued under the JEDI Cloud ID/IQ, and would therefore be subject to standard timeframes associated with the DOD acquisition process, which could \u201cprevent DOD from rapidly delivering new capabilities and improved effectiveness...that enterprise-level cloud computing can enable.\u201d\nDOD has also said that it \u201cexpects to maintain contracts with numerous cloud providers to access specialized capabilities not available under the JEDI Cloud contract.\u201d\nWhat Actions Has Congress Taken?\nSection 8137 of P.L. 115-245, which provided FY2019 DOD appropriations, prevents the obligation or expenditure of FY2019 funds to \u201cmigrate data and applications to the proposed [JEDI]...cloud computing services\u201d until 90 days after the Secretary of Defense submits to the congressional defense committees: 1) a plan to establish a DOD-wide budget accounting system for funds requested and expended for cloud services, as well as funds requested and expended to migrate to a cloud environment; and 2) a detailed description of DOD\u2019s strategy to implement enterprise-wide cloud computing. \nOn October 22, 2018, two members of the House Appropriations Committee asked the DOD Inspector General (IG) to investigate the development of requirements and the RFP process for the JEDI Cloud program; the DOD IG is reviewing the request.", "type": "CRS Insight", "typeId": "INSIGHTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "http://www.crs.gov/Reports/IN10990", "sha1": "78ca99058a38d65563a3b122f0cd116add981294", "filename": "files/20181212_IN10990_78ca99058a38d65563a3b122f0cd116add981294.html", "images": {} } ], "topics": [ { "source": "IBCList", "id": 4925, "name": "Readiness, Training, Logistics, & Installations" } ] }, { "source": "EveryCRSReport.com", "id": 587951, "date": "2018-11-05", "retrieved": "2018-11-28T14:47:31.008478", "title": "The DOD\u2019s JEDI Cloud Program", "summary": "In September 2017, Deputy Secretary of Defense (DSD) Patrick Shanahan issued a memorandum calling for the accelerated adoption of a Department of Defense (DOD)-wide cloud computing system. Under the Joint Enterprise Defense Infrastructure (JEDI) Cloud program, DOD seeks to \u201cacquire a...cloud services solution that can support Unclassified, Secret, and Top Secret requirements,\u201d with a focus on commercially available services. Significant industry and congressional attention has been focused on the JEDI Cloud contract.\nWhat is Cloud Computing?\nBroadly speaking, cloud computing refers to the practice of remotely storing and accessing information and software programs through the internet, instead of storing data on a computer's hard drive or accessing it through an organization\u2019s intranet. It relies on cloud infrastructure, a collection of hardware and software that may include components such as servers and a network. This infrastructure can be deployed privately to a select user group, or publicly through commercial services available to the general public. \nWhat is the Current Status of DOD\u2019s Adoption of Cloud Services?\nDOD maintains more than 500 public and private cloud infrastructures that support Unclassified and Secret requirements. DOD has described its current cloud services use as \u201cdecentralized,\u201d creating \u201cadditional layers of complexity for managing data and services at an enterprise level.\u201d In a statement accompanying the release of the JEDI Cloud Request for Proposal (RFP) on July 26, 2018, DOD Chief Information Officer (CIO) Dana Deasy noted that the department requires an enterprise-wide cloud \u201cthat allows for data-driven decision making [and] enables DOD to take advantage of our applications and data resources\u201d to provide worldwide support for DOD operations. \nWhat Policies Apply to DOD Cloud Acquisitions?\nWhile the Federal Acquisition Regulation (FAR) does not specifically provide acquisition guidance for cloud computing services, select sections (such as FAR Part 39, Acquisition of Information Technology) may apply. Other government-wide policies for cloud products and services, such as the Federal Risk and Authorization Management Program (FedRAMP), may also apply.\nDOD policies for acquiring cloud services are prescribed by Defense Federal Acquisition Regulation Supplement Subpart 239.76, which states that DOD must generally acquire cloud services using commercial terms and conditions consistent with federal law and DOD\u2019s needs. A contract to acquire cloud services may generally only be awarded to a provider (e.g., a prime contractor or subcontractor) with provisional Defense Information Security Agency (DISA) authorization to provide such services, consistent with the current version of the DOD Cloud Computing Security Requirements Guide. DOD Instruction 5000.74, Defense Acquisition of Services, specifies that all cloud services must have an Authority to Operate (see also DOD Instruction 8510.01, Risk Management Framework for DOD Information Technology).\nDOD Memorandum Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services, issued on December 15, 2014, provides additional guidance for the acquisition of commercial cloud services.\nHow is the JEDI Cloud Contract Structured?\nThrough the JEDI Cloud contract, DOD is conducting a full and open competition, which will result in a single award Indefinite Delivery/Indefinite Quantity (ID/IQ) firm-fixed price contract for commercial items (i.e., cloud infrastructure and computing services). \nWhat is an ID/IQ Contract?\nAn ID/IQ contract allows the U.S. government to obtain an unspecified quantity of supplies or services over an unspecified period of time. An indefinite-quantity contract can also be referred to as a task-order contract. A task-order contract does not procure a firm quantity of services (other than a minimum or maximum quantity) and allows the issuance of orders for the performance of tasks (i.e., task orders) under the contract. \n\nThe period of performance is structured as a 2-year base ordering period, with three additional option periods (two 3-year options and one 2-year option), for a potential total of 10 years.\nAnticipated JEDI Cloud Contract Period of Performance\nPeriod of Performance\nTimeframe\n\nBase ordering period (2 years, guaranteed)\nApril 17, 2019 \u2013 April 16, 2021\n\nOption #1 (3 years, if exercised)\nApril 17, 2021 \u2013 April 16, 2024\n\nOption #2 (3 years, if exercised)\nApril 17, 2024 \u2013 April 16, 2027\n\nOption #3 (2 years, if exercised)\nApril 17, 2027 \u2013 April 16, 2029\n\nSource: JEDI Cloud RFP, \u201cCombined Synopsis/Solicitation for Commercial Items,\u201d updated August 31, 2018.\nDOD wants the JEDI Cloud to provide services comparable to those made available through commercial cloud services and is requiring any successful offeror to provide rapid deployment of new commercially available cloud-related services to JEDI Cloud users. DOD also expects ongoing parity with public commercial prices. \nDOD indicated that the minimum guaranteed award is $1 million. The contract has a maximum ceiling of $10 billion across the potential 10-year period of performance. Under an ID/IQ contract, the government is only required to purchase the minimum amount specified in the contract, and may ultimately choose not to reach the contract ceiling.\nThe RFP closed on October 9, 2018; DOD is currently reviewing received bids.\nHow Has Industry Reacted?\nDOD received more than 1,500 comments in response to multiple draft RFPs; companies including Amazon, Google, IBM, and Microsoft expressed interest in competing. However, DOD\u2019s proposed acquisition strategy also sparked resistance from those who opposed DOD\u2019s intent to award the contract to a single company. This concern led some industry associations to publicly contest a single award, arguing that it would be inconsistent with the broader federal cloud computing strategy, and could unfairly restrict future competition for DOD cloud services. For example, the trade group ITAPS (IT Alliance for Public Sector) sent a letter to the House and Senate Armed Services committees stating in part that the: \n...deployment of a single cloud conflicts with established best practices and industry trends in the commercial marketplace, as well as current law and regulation, which calls for the award of multiple task or delivery order contracts...Further, the speed of adoption of innovative commercial solutions, like cloud, is facilitated by the use of these best practices.\nOracle America and IBM both filed pre-award bid protests against the JEDI Cloud solicitation. GAO denied Oracle America\u2019s protests on November 14, 2018, but has until February 27, 2019 to issue a decision on IBM\u2019s protests. On October 8, 2018, Google announced that it would not be submitting a bid for the contract, citing possible conflict with its corporate principles, along with DOD\u2019s plans to award the contract to a single vendor, among its reasons for withdrawing.\nHow Has DOD Responded to Industry Concerns?\nDSD Shanahan and other DOD officials have reportedly described JEDI Cloud as a \u201cpathfinder\u201d intended to provide a model for DOD\u2019s future transition of legacy IT systems to the cloud. In its May 2018 report to Congress DOD indicated that the JEDI Cloud contract would include:\n...multiple mechanisms to...maximize DOD\u2019s flexibilities going forward...Option periods...will only be exercised if doing so is the most advantageous method for fulfilling the DOD\u2019s requirements when considering the market conditions at the time of option exercise.\nDOD noted that a multiple-award contract would require competition for each task order issued under the JEDI Cloud ID/IQ, and would therefore be subject to standard timeframes associated with the DOD acquisition process, which could \u201cprevent DOD from rapidly delivering new capabilities and improved effectiveness...that enterprise-level cloud computing can enable.\u201d\nDOD has also said that it \u201cexpects to maintain contracts with numerous cloud providers to access specialized capabilities not available under the JEDI Cloud contract.\u201d\nWhat Actions Has Congress Taken?\nSection 8137 of P.L. 115-245, which provided FY2019 DOD appropriations, prevents the obligation or expenditure of FY2019 funds to \u201cmigrate data and applications to the proposed [JEDI]...cloud computing services\u201d until 90 days after the Secretary of Defense submits to the congressional defense committees: 1) a plan to establish a DOD-wide budget accounting system for funds requested and expended for cloud services, as well as funds requested and expended to migrate to a cloud environment; and 2) a detailed description of DOD\u2019s strategy to implement enterprise-wide cloud computing. \nOn October 22, 2018, two members of the House Appropriations Committee asked the DOD Inspector General (IG) to investigate the development of requirements and the RFP process for the JEDI Cloud program; the DOD IG is reviewing the request.", "type": "CRS Insight", "typeId": "INSIGHTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "http://www.crs.gov/Reports/IN10990", "sha1": "9595bf4dfefad1f99b194e6bf48a55e3e564a9f9", "filename": "files/20181105_IN10990_9595bf4dfefad1f99b194e6bf48a55e3e564a9f9.html", "images": {} } ], "topics": [ { "source": "IBCList", "id": 4925, "name": "Readiness, Training, Logistics, & Installations" } ] } ], "topics": [ "Appropriations", "CRS Insights", "National Defense" ] }