On June 25, 2010, the Army issued a request for proposals for the migration of information technologies into a cloud environment. A statement of work defines this as the “Army’s Private Cloud.” The contract reportedly could total $249 million over five years, or an average of $50 million per year. When one compares the proposed spending with the Army’s fiscal year 2009 information technology budget of $7.8 billion, the project accounts for only 0.6 percent of the Army’s budget. That is a modest start for moving in the direction in which commercial firms already are progressing at an accelerated pace.
The central technology of the Army’s Private Cloud, known as APC2, is virtualization. Commercial firms will have acquired this approach within the next five years and will be advancing further. Meanwhile the Army will be working on what can be construed, at best, as a pilot program that uses only features associated with early stages of cloud operations. Nevertheless, the APC2 program has several worthwhile goals.
First, the Army will reduce the number of data centers from over 200 to less than 20. Such reductions are readily available using mature virtualization techniques. Servers that originally were set up in support of individual applications would be pooled for large gains in capacity utilization. The payback from such efforts offers a remarkable return on investment of more than 50 percent. The break-even point is less than a year. Whether the Army needs to spend five years to achieve consolidation should be examined in view of the president’s memorandum of September 14, 2010, which requires rapid reductions in information technology costs.
Although the Army Program Executive Officer Enterprise Information Systems (PEO EIS) will promote the adoption of the cloud technologies, it is not clear how this can be accomplished. Migration to cloud computing calls for the education of an entire generation of Army information technology personnel. APC2 represents a reorientation of the ways in which the Army acquires and operates networks. Migration toward cloud computing is largely accepted now as the future direction of information technology by the Marine Corps, which has already achieved major savings from server consolidation and streamlining of applications and should be used as an example. The adoption of cloud computing will not be achieved primarily through the PEOs, who are largely acquisition executives, but through education of Army military and civilian executives, starting with general officers and with senior executive service personnel.
The awarding of contracts to use commercial computing capacity and to acquire containerized data centers is a good idea. However, the price tag for acquiring these data centers is out of range of the planned spending levels. Modular data centers fully configured to military specifications for power, air conditioning, security and failover capability almost certainly are unaffordable.
APC2 will use pay-for-use private cloud capacity instead of acquiring equipment and paying separately for consulting services. Commercially operated private clouds may have adequate security to run low-risk business applications. Unfortunately, all communications would depend on the Internet, which is vulnerable. From the standpoint of cyberwarfare, it is unlikely that commercial private clouds can meet the demanding security requirements for military applications. Therefore, APC2—based on commercial services—cannot be seen by the Army as a prototype for pursuing its ultimate cloud goals.
APC2 will employ best-of-breed, commercially available services using short-term contracts. Best-of-breed clouds are a good requirement except that almost every large cloud provider wants to have an almost permanent hold on a customer. Whatever applications will be placed on a private cloud will have to be moved into a Defense Department enterprise environment under the ultimate control of U.S. Cyber Command. Without such coordination, APC2 choices will be limited.
Contractors will own and operate all facilities, including all hardware and software provisioning. Their responsibilities include assurance of network connectivity; application migration; security assurance; provision of virtual operating environments; capacity planning and forecasting/trending for growth; and configuration and management of customized servers, storage, security and networking devices. Contractors also hold responsibility for disaster recovery and business continuity planning and execution of services; migration planning, scheduling, coordination and implementation; support for continuity of operations; system administration and monitoring services; network uptime and network availability guarantee; vulnerability and incident management; and access identification and authentication. They also must oversee the following areas: service desk and service request management; incident management; problem management; change management; release management and configuration management.
Lastly, Attachment 11 to the APC2 statement of work notes that the maximum recovery objectives will be four hours. Perhaps that is tolerable because APC2 would handle only low-priority applications. However, from a cyber operations standpoint, such delays are not tolerable. Only highly redundant multiple data centers will be able to meet 99.9999 percent failover capabilities. Whether any commercial contractor will be able to achieve that within the budget limitations is not clear.
The Army is handing over to an APC2 contractor, in addition to hardware and software operations, an all-inclusive list of systems management functions. The operational roles of the Army’s information technology personnel are not visible. It is not clear how the Army can remain fully accountable for the delivery of computing performance and for the conformity with demanding cybersecurity requirements. Whether any contractor can deliver everything that is required within an affordable pay-as-you-use pricing structure is questionable.
Though the commitment to proceed with cloud computing is long overdue and highly commendable, working out how the Army can migrate to cloud computing remains unresolved.
The role of the contractor to provide the Army with mostly reports and status checklists, without direct operational oversight, is inconsistent with the goal of making cyber operations an integral part of information warfare—which is to make it organic to Defense Department components. The way in which the request for proposals is written assumes that cloud computing can be handled as a back-office acquisition that can be outsourced. That may not be the way in which the Defense Department can proceed.