Skip to main content

Pentagon’s Cloud Project: Clearer Skies Ahead?

(pdf)

The Joint Enterprise Defense Infrastructure (JEDI) project seemed to clear another test recently when a federal court ruled against a pre-award bid protest that the contract was biased. Yet almost concurrently, Senator Marco Rubio (R-FL) urged White House National Security Advisor John Bolton to delay the project, citing several concerns that were similar to those in bid protest suit. What is the taxpayer’s interest in this saga?

NTU has followed the JEDI contract process owing to its potential to approach defense needs in a nimbler, more cost-efficient way. JEDI is a cloud-based network designed to integrate data and allow access to it at multiple levels and across multiple platforms, so as to provide greater and more flexible warfighting capabilities. As Brandon Arnold put it last year:

The federal government has a notorious and unacceptable history of bureaucratic red tape and wasteful spending that should not be allowed to continue. It’s time to move forward with a transparent, open, prudently monitored, and competitive JEDI process -- and take a significant step toward a modernized government IT structure.

Competition is a vital element in any government contracting process, but the notion persists that there has been none in the JEDI contract, and the fix was in for one bidder—Amazon—all along. But what do actual circumstances suggest? That the picture is more complex.

The JEDI contract is different from a traditional procurement structure for a piece of military hardware such as a fighter aircraft or a ship, where components are to be assembled into a final product for a scheduled delivery date at a per-unit price. JEDI is known as an Indefinite Delivery/Indefinite Quantity (ID/IQ) arrangement, offering major flexibility in how, how many, and when cloud-based data services are to be ordered. If components of JEDI fail, they will do so quickly and visibly, allowing for adjustments to occur with a rapidity that conventional contracts for weapons and other systems simply can’t do. Without ID/IQ, each task order would have to be competitively bid, making those quick transitions impossible. 

In addition, unlike a fighter jet or a ship, JEDI is not being designed and “built” from scratch for the Pentagon. The entire point is to utilize commercial off-the-shelf technologies as a jumping off point for the development of the Pentagon’s latest cloud. These technologies have therefore already been subject to a competition before they have even reached the government’s bidding process: the competition of the private sector marketplace. 

NTU is all too familiar with DoD’s penchant for writing contract specifications to favor just one bidder. One example was the inanely-protracted search to replace the Air Force’s Twin Huey helicopter, which took years to establish a competitive process that included commercial off-the-shelf airframes instead of an overengineered military craft. Contrary to some criticisms, JEDI’s contract actually integrates this experience by assuming that systems already annealed in the commercial marketplace should be the starting point for DoD’s requirements for a robust, resilient system.

And while the popular press often refers to the JEDI contract as a $10 billion award, this is the maximum amount that would be spent. The guaranteed minimum could be as little as $1 million. There are no “cost plus” or other features that allow overruns. Furthermore, JEDI has numerous opportunities for DoD to terminate the initiative. The only contract length the government is obliged to guarantee the awardee is two years – about one-third the time it takes to build and commission a destroyer. DoD could then exercise options to extend at three different points over the eight years that follow. 

Any government contract carries taxpayer risk with it, but JEDI’s risk is by design less than the misery that conventional structures for systems such as the F-35 and the Littoral Combat Ship have inflicted upon taxpayers.

Others claim that JEDI would put too many of the Pentagon’s cloud assets in one place, leaving them vulnerable to cyberattack or an internal failure that could cripple critical operations. Generally, concerns over concentration are valid, though here some additional perspective is necessary. As the Pentagon has pointed out, upon its completion JEDI will supply about one-fifth of the entire Pentagon cloud operation. That 20 percent will certainly have an outsized influence on a number of cutting-edge defense information and other sensitive applications, but DoD fully intends to contract with a variety of participants for other cloud needs. Another major undertaking is the Defense Enterprise Office Solutions contract, which may involve cloud or non-cloud bidders but will also be sole-sourced, precisely to allow for better communication among systems. Those who don’t reach final consideration in any of these processes can and likely will file protests, which are certainly within their rights. Such a grievance procedure can sometimes create a healthy layer of “discovery” that can improve both the item being procured and the way the procurement was constructed. But in this case, the procedure has run its course.

Complaints that JEDI contract specifications were written to favor one (now two) bidders expose a contradiction: they assert that a sole source is dangerous to security while also asserting that the security standards in the contract are too high for most bidders to meet. 

Furthermore, having too much diversification also creates security problems of its own. One reason DoD’s information technology enterprise has heretofore proven so difficult to manage is the number of systems that must be integrated and somehow made to communicate with each other. The Congressional Research Service has noted that the Defense Department maintains more than 500 clouds – a balkanization that creates more than 500 “back doors” for security problems, and, mathematically, thousands of interoperability issues.

Daniel Goure’ of the Lexington Institute aptly explained this problem in a recent piece for Real Clear Defense, and in so doing demonstrated why the JEDI contract had to be structured the way it was:

In the absence of an overall cloud migration strategy at the time and desirous of taking advantage of the rapid advances being made in the field of cloud computing, the decentralized approach made sense. But it also resulted in many problems for users and limitations on how cloud computing could be employed as a warfighting tool. According to a May 2018 report by the Pentagon’s Chief Management Officer, this decentralized approach ‘created numerous seams, incongruent baselines and additional layers of complexity for managing data and services at an enterprise level. Scattering DOD's data across a multitude of clouds further inhibits the ability to access and analyze critical data.’ In addition, there was no common approach to or set of top-level standards for securing these various clouds.

Thus, finding a perfect balance between integration with nimbleness, diversification with special needs, will always be challenging, and JEDI will not be able to achieve that perfection. What it should be able to do is bring the Pentagon closerto such a goal. 

Writing for our newsletter Dollars & Sense in 1982, then-NTU Chairman James Dale Davidson aptly described the need for a change in the DoD’s thinking about procurement:

Not only does the Pentagon bid up prices of items which only it can buy – like tanks – but it also pays too much for everyday items – like screws – which anyone could buy for less. Since the military does not need to compete in providing our defense, it has no reason to worry about cost-effectiveness. 

Thirty-seven years later, this same fundamental problem remains in search of a solution. JEDI is neither a tank nor a screw, yet it offers the opportunity to harness private sector experience for a vital public sector function in the necessarily bold way Davidson was suggesting. Its contract reflects an attempt to find this way. 

Whether Bolton will act as Rubio suggests is an open question. Last year, a Statement of Administration Policyin response to another Congressional directive for further study of the JEDI project indicated the White House was leery of being “overly prescriptive.” Yet, on July 18, President Trump told reporters that he would indeed ask his staff to “look very closely to see what’s going on.”

Other Members of Congress who are closer to the national security policymaking hub have strongly dissented from another delay in the process. The very same day Trump made his remarks, House Armed Services Committee Ranking Member Mac Thornberry (R-TX) and three other influential Committee Republicans penned a letter to the White House emphatically stating “it is essential for our national security to move forward as quickly as possible with the award and implementation of this contract.” In an attempt to provide as much context as possible for the President, the lawmakers specifically pointed out that: 

Our committee has conducted oversight of this contract from the beginning. While it is understandable that some of the companies competing for the contract are disappointed at not being selected as one of the finalists, further unnecessary delays will only damage our security and increase the costs of the contract.

Amid these events, NTU will continue to contend that the Pentagon should remain flexible and open in its procurement approaches; the JEDI model will not work on behalf of taxpayers’ interests everywhere, and in many cases, multi-year, multi-source traditional contracts should remain the standard. And while critics’ concerns about the JEDI contracting process must not be dismissed, the burden of proof should now be on them to demonstrate that those traditional procedures will lead to the different cloud computing result everyone acknowledges the Pentagon needs.