Cloud Computing and the 2012 National Defense Appropriations Act (NDAA)
January 6, 2012
I have to admit that I am basically an idealist and naively believe that government agencies' progress through data center consolidation to the eventual cloud computing service delivery model should be based upon a carefully developed business case analysis developed by the agency CIO and sold through the budget justification process.
But I live in the Washington metropolitan area and have watched the 12,000+ registered lobbyists continue to wield their literary prose upon the budgetary process. So it was no surprise when the trade press announced that the 2012 National Defense Appropriations Act (NDAA) contained language that forces the Defense Information Systems Agency (DISA) to curtail their focus on becoming the government-owned private cloud provider for the Department of Defense (DoD)…
DoD applications cover a tremendous breadth of mission-essential (ME) and mission-support (MS) functions in support of the warfighter. Logistics, transportation, financial, mobilization, etc. all provide critical capabilities. The loss of those capabilities, or compromise of their information, is far more serious than a Microsoft 365, Google or Amazon outage. Performance and security metrics are very demanding. For a number of years DISA has been progressing towards its own version of the cloud: first by acquiring infrastructure (processing, storage) as a service (IaaS) for its data center operations, and then by offering its customers both IaaS and software-as-a-service (SaaS), all within rigid security frameworks.
Rather than simply accept press interpretation of the NDAA I decided to carefully read its language and provide a simpler interpretation. The logic is built around control of funds. Some of the text has been paraphrased for brevity.
“(a) LIMITATIONS ON OBLIGATION OF FUNDS.—
(1) LIMITATIONS.—
(A) BEFORE PERFORMANCE PLAN — Before May 1, 2012 a department, agency, or component of the Department of Defense may not obligate funds for a data server farm or data center unless approved by the Chief Information Officer (CIO)
(B) UNDER PERFORMANCE PLAN — A department, agency, or component of the Department of Defense must prepare and submit a performance plan by May 1, 2012
(2) REQUIREMENTS FOR APPROVALS.—
(A) BEFORE PERFORMANCE PLAN — Don’t obligate new funds until you have determined that you cannot reprogram existing resources to meet the requirement.
(B) UNDER PERFORMANCE PLAN — Don’t obligate funds until you (1) determine that existing resources will meet the requirement and (2) the obligation is in accord with the performance plan.
(3) REPORTS — Report compliance to the departmental CIO each quarter
(b) PERFORMANCE PLAN FOR REDUCTION OF RESOURCES REQUIRED FOR DATA SERVERS AND CENTERS —
(1) By Jan 15, 2012 component plans must address:
(i) Reduce floor space
(ii) Reduce utilities (power and water).
(iii) Promote multi-organizational use.
(iv) Reduce capital investment.
(v) Reduce number of applications.
(vi) Reduce number of personnel and cost of labor.
These are all sensible goals!
(B) SPECIFICATION OF REQUIRED ELEMENTS.— The departmental CIO will specify the performance standards and measures and implementation elements to be included in the component plans, including specific goals and schedules.
(2) (A) By April 1, 2012 the departmental CIO must submit to the congressional defense committees a performance plan for a reduction in the resources required for data centers and information systems technologies department-wide.
(B) ELEMENTS.—The performance plan required under this paragraph shall include the following:
(i) A department-wide performance plan for achieving the matters specified in paragraph (1)(A), including performance standards and measures for data centers and information systems technologies, goals and schedules for achieving such matters, and an estimate of cost savings anticipated through implementation of the plan.
(ii) A department-wide strategy for each of the following:
(I) Desktop, laptop, and mobile device virtualization
(II) Transitioning to cloud computing
(III) Migration of defense data and government-provided services from department-owned and operated data centers to cloud computing services generally available within the private sector that provide a better capability at a lower cost with the same or greater degree of security.
(IV) Utilization of private sector-managed security services for data centers and cloud computing services.
(V) A finite set of metrics to accurately and transparently report on data center infrastructure (space, power and cooling): age, cost, capacity, usage, energy efficiency and utilization, accompanied with the aggregate data for each data center site in use by the department in excess of 100 kilowatts of information technology power demand.
(VI) Transitioning to just-in-time delivery of department-owned data center infrastructure (space, power and cooling) through use of modular data center technology and integrated data center infrastructure management software.”
Paragraph (2)(B)(ii)(III & IV) above appears to be the crux of concern. The language departs from directing CIOs to develop metrics and strive to achieve those metrics, to directing specific acquisition approaches.
I have always followed the philosophy that technology is an enabler, consolidation is a business strategy and cloud is a service delivery strategy. There are many versions of this strategy – from government-owned clouds to commercially-owned clouds. While metrics deal with the basic parameters of good business case analysis (given that effective data center consolidation is a business strategy), the NDAA language dictates that CIOs must select only one service delivery strategy – commercial cloud services provided by the private sector, rather than allowing CIOs to examine all cloud delivery strategies.
The wording bluntly states a bias in one direction: “to cloud computing services generally available within the private sector that provide a better capability at a lower cost with the same or greater degree of security”. This bias (obviously influenced by the lobbyists discussed above) contradicts the basic economic goals of the rest of the act.
The Global Information Grid (GIG) is a weapons system in its own right, and defense data centers play a critical role in maintaining and enhancing the capabilities of our fighting forces. From the taxpayer and warfighter perspective, the choice between government-owned and commercially-owned clouds should strictly be a product of CIO-initiated business case analysis evaluating each against the metrics of 1) capability, 2) cost, and 3) security. DISA has already pursued strategies that reduce cost and enhance commercial opportunities. Give CIOs the opportunity to do their jobs – don’t dictate the results!


