CIA Considering Cloud Contract Worth ‘Tens of Billions’


The agency is hungry for more commercial cloud.

After six years in a classified commercial cloud built by Amazon Web Services, the CIA wants more commercial cloud capabilities from potentially multiple companies.

The agency is in the early stages of planning a contract for commercial cloud computing services that will be worth “tens of billions” of dollars, according to contracting documents presented to select tech companies by the CIA in late March and obtained by Nextgov.

Dubbed the Commercial Cloud Enterprise, or C2E, the two-phase initiative will “expand and enhance” the commercial cloud capabilities it first contracted for with Amazon Web Services in 2013.

That contract, called C2S and valued at up to $600 million over 10 years, provided commercial cloud capabilities such as data storage, computing and analytics to the CIA and its 16 sister agencies within the intelligence community.

“Since that time, cloud computing has proven transformational for the IC–increasing the speed at which new applications can be developed to support mission and improving the functionality and security of those applications,” the CIA contracting documents state.

Whereas C2S has been managed by a single company, the CIA expects to “acquire foundational cloud services” from multiple vendors in phase one of C2E, which is good news for companies like IBM, Microsoft, Google and others expected to compete for the contract.

The initiative’s second phase also opens up competition with a stated goal to “acquire through multiple vehicles” cloud management capabilities and specialized platform- and software-as-a-service offerings. To be considered for the contract, cloud service providers must have a commercial presence and must meet rigid government requirements to host secret and top secret classified information. AWS is currently the only commercial cloud provider cleared to host all levels of classified data.

AWS established a foothold in the national security space through C2S. Over the years, it has introduced new services and earned plaudits from the CIA’s top tech officials for being more secure than the agency’s own data repositories. Most recently, Andrew Hallman, deputy director for innovation at the CIA, praised the department’s previous cloud efforts and said its future plans will focus on fusing various cloud architectures together.

“We have a major cloud provider and we have had a journey to cloud becoming very successful,” said Hallman, speaking March 28 at an event hosted by Nextgov and Defense One.

“The important thing is to look at what the future of cloud looks like—hybrid cloud architectures, multi-cloud architectures—and that, for us, the very important thing is making really wise decisions about how those architectures work together.”

Meanwhile, cloud computing’s import across government continues to expand, with federal agencies collectively expected to spend $2 billion on the technology in the coming year. AWS has been favored to win the largest cloud contract up for grabs, the Pentagon’s multibillion Joint Enterprise Defense Infrastructure contract.

Currently held up in court, JEDI is the Pentagon’s nascent effort to bring enterprisewide commercial cloud capabilities to the Defense Department and its branches, akin to what C2S did for the intelligence community. Like C2S, JEDI will be awarded to a single commercial cloud service provider, one of the reasons it’s been so controversial, with companies vying in public and private to influence the deal.

The CIA’s C2E contract, however, dwarfs even JEDI in size and scope, though the contract is subject to change because the government is so early in the contracting process. According to a proposed acquisition timeline accompanying the contracting documents, the CIA intends to engage industry regarding contract requirements through next year. The timeline proposes the C2E contract be bid out in May 2020 with an award “no later than July 2021.”