Pentagon CIO John Sherman said the new Joint Warfighting Cloud Capability contract will be part of a “choose your own adventure” strategy for zero trust adoption in the Defense Department.
The Defense Department’s chief information officer said Wednesday that its enterprise cloud contract already has “several dozen task orders in the pipeline” from military services, joint staff, Fourth Estate components and the Defense Information Systems Agency.
DOD CIO John Sherman said the department was "working directly with the cloud service providers" to get new capabilities online through its multi-vendor Joint Warfighting Cloud Capability contract that launched last year.
"What JWCC brings to the fight is an enterprise cloud capability we've not had, and we need for many mission outcomes," said Sherman at the TechNet Cyber event hosted by the nonprofit AFCEA, describing the pivot to the Pentagon's multi-cloud, multi-vendor approach.
The CIO added that JWCC would help undergird the DOD’s work on initiatives like Joint All-Domain Command and Control and its digital modernization strategy, but would not supersede work the military services are doing on their own cloud networks.
“We are not in competition in any way, shape or form with what the other services are doing. This is complementary to what they are doing,” he said, noting that while DISA accounts for maybe two-thirds of current task orders, other defense components are reaching out as well.
The Defense Department transitioned to the JWCC following the failed, $10 billion Joint Enterprise Defense Infrastructure cloud contract award that was ultimately canceled following a lengthy court battle between the Pentagon, Amazon Web Services and original awardee Microsoft.
With JWCC, the DOD moved away from JEDI’s single vendor contract structure to a multi-vendor vehicle split between AWS, Google, Microsoft and Oracle in order to continue with its enterprise-wide push to the cloud.
Sherman also noted that, despite the controversy that dogged the JEDI procurement, the strategy “was the right move at the right time,” comparing it to the Intelligence Community’s shift from a single cloud vendor to a multi-vendor approach with its Commercial Cloud Enterprise, or C2E, contract that he oversaw as Associate Director of National Intelligence and Chief Information Officer.
“I don’t want to take anything away from the valiant JEDI efforts,” he said. “The reason we pivoted to the multi-cloud, multi-vendor approach, it was the right time to do it.”
The CIO's comments come after DISA released a request for information in March seeking help from industry on prototyping a new centralized hub for Defense Department customers to manage a variety of commercial cloud assets.
Sherman has made achieving zero trust and building the JWCC into an effective contract vehicle critical components of his tenure at the Defense Department. Last year, he delayed the launch of the contract vehicle by several months and told lawmakers in written testimony that he "personally told the team that while we need to move with a sense of urgency, we also need to get this right and to take the time to perform all the key tasks in the procurement."
But in addition to capitalizing on enterprise cloud capabilities, the CIO said he plans to achieve implementation of an enterprise-wide zero trust architecture by 2027.
"Zero trust is not going to be unobtanium in the department," Wilson said. "We cannot fail on this, and this is going to be, and remains, one of my top priorities as chief information officer."
The DOD stood up a program management office last year to help spearhead zero trust initiatives and implement the department's zero trust strategy. The office is led by Randy Resnick, who previously served as the zero trust strategic lead for the National Security Agency.
Sherman said the goal is that defense agencies would be able to pursue their zero trust architectures through three “choose your own adventure” options: one where they can overlay zero trust capabilities on their current infrastructure, one where they can adopt zero trust tools through JWCC, and one where they can leverage a private cloud option.
The CIO also pointed to classified information, including intelligence about Russia's invasion of Ukraine, leaked by a 21-year-old Air National Guardsman as a case where zero trust principles may have prevented what the Pentagon described as a deliberate criminal act.
“I’ve seen in the tech media, the press and elsewhere different opining and stories about, ‘Would zero trust have stopped this,’” he said. “I’ll tell you from my seat, I think it would have made it a heck of a lot more likely that we would have caught this and been able to prevent it.”
Sherman said that in addition to the DOD’s zero trust focus on preventing breaches from adversaries like Russia, China, North Korea, Iran and others, the Pentagon has to become sharper on identifying insider threats as well through capabilities like robust user activity monitoring at the top secret and secret levels.
“But it’s not just the software. It’s not just the alerts and triggers,” he said. “You have to have insider threat cells, human beings, at different echelons of commands that set the triggers that monitor it. Because what goes on at Otis [Air National Guard] Base is going to be different than what goes on at Fort Hood.”