1. The Army will reduce the number of data centers from over 200 to less than 20 by establishing the Army Private Cloud (“APC2”).
2. There will be two contracts: A. Using commercial private cloud computing capacity. B. Acquiring containerized data centers that can meet urgent needs where rapid or temporary cloud computing is needed.
3. APC2 will use pay-for-use Private Cloud capacity instead of acquiring equipment and paying separately for consulting services to operate the environment.
4. The APC2 will employ best of breed, commercially available services using short-term contracts.
5. Contractors will own and operate all facilities, including all hardware and software provisioning.
6. APC2 contractor services will include: Assurance of network connectivity; Application migration; Security assurance; Provision virtual Operating Environments; Capacity planning and forecasting/trending for growth; Configuration and management of customized servers, storage, security and networking devices; Disaster Recovery and Business Continuity planning and execution services; Migration planning, scheduling, coordination and implementation; Support continuity of operations; System administration and monitoring services; Maintain network uptime and network availability guarantee; Manage vulnerability and incident management; Perform access identification and authentication and many others.
7. APC2 contractor will also provide the following: Service Desk / Service Request Management; Incident Management; Problem Management; Change Management; Release Management; and Configuration Management.
8. Maximum recovery objectives are four hours, with average availability at 99.995% (though the method how this will be calculated was not specified – see Strassmann blog on the exponential characteristics of failures in computer networks). In a cyber warfare environment four-hour recovery is not acceptable. The RFP does not address fail-over requirements that would assure 100% uptime under critical conditions.
The Army is handing over to the APC2 contractor, in addition to hardware/software operations, an all-inclusive list of systems management functions. For all practical purposes the role of Army management, to be accountable for the total performance and the security computing services, is not visible. Whether any contractor can deliver everything that is required (a brief summary is in par 7 and 8 above) within a pay-as-you-use pricing structure is questionable.
The role of the contractor to provide the Army with reports and status checklists is inconsistent with the goal of making cyber operations an integral part of the Army's warfare roles. The way the RFP has been written the support of warfare networks is treated more like a back-office activity which has been increasingly outsourced in the past.
Though the dedication to proceed with cloud computing is long overdue and highly commendable, the working out of how the Army can be held ultimately accountable for operations remains unresolved. As a minimum the end-to-end network control of every device as well as the management of the security of the entire network should be Army organic and not be outsourced.