The Pentagon Issues Order 66 to Terminate JEDI
On July 6, 2021, the Department of Defense (DOD) announced that it was terminating the $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud project, which would have provided enterprise-wide commercial cloud capabilities for DOD’s classified and unclassified networks. Originally awarded to Microsoft in 2019, the JEDI program has been plagued by legal challenges. In resetting its approach to enterprise cloud capability, DOD announced a new cloud initiative: the Joint Warfighter Cloud Capability (JWCC).
Q1: What was JEDI?
A1: Envisioned as a solution for DOD’s enterprise-wide commercial cloud requirements, the original JEDI solicitation was issued in July 2018. The contract was particularly high profile because of its potential $10 billion price tag and DOD’s intention to award the contract to a single vendor. In October 2019, the Pentagon announced that it had awarded JEDI to Microsoft, which would provide classified and unclassified cloud computing services via its Azure cloud business.
Q2: Why was JEDI so controversial?
A2: The JEDI contract triggered protests across the technology industry. Amazon Web Services (AWS)—which had long provided cloud infrastructure to the national security community through the CIA’s Commercial Cloud Services (C2S) contract— challenged Microsoft’s technical ability to deliver on JEDI’s requirements. AWS also claimed that the award had been improperly influenced by the Trump administration, citing disparaging remarks that President Trump had made about then Amazon CEO Jeff Bezos.
Oracle, which—alongside IBM and Google—has been seeking greater access to the lucrative government cloud services market, also issued a series of legal objections to JEDI. Oracle has specifically claimed in court filings that AWS exerted improper influence over DOD’s development of JEDI’s requirements and the award process, even though AWS ultimately was not awarded the JEDI contract.
Envisioning further delays in finalizing the JEDI award, particularly in the wake of an April court ruling that opened the door to further evaluation of potential political influence over the award, the Pentagon announced on July 6, 2021, that it was terminating JEDI.
Q3: Why does DOD need a commercial cloud service provider anyway?
A3: DOD, like many government entities, has long relied on aging, outdated information technology (IT) systems. In many cases, these systems are not interoperable, are extremely expensive to maintain and recapitalize, and fail to meet basic requirements for analyzing DOD’s exponentially growing data holdings.
To fulfill its strategy to achieve warfighting and decision advantage over its adversaries, DOD has emphasized the importance of integrating artificial intelligence (AI) and machine learning (ML) capabilities across all aspects of its mission, from human resources to weapons systems and warzones. Achieving this capability for an enterprise as large as DOD requires access to infrastructure that is, theoretically, infinitely scalable. In practice, this means the Pentagon’s requirement is for a data center that can secure and store as much data as it can collect, anywhere it collects it, and that can provide computing power capable of processing and analyzing all of this data.
In providing these two basic capabilities—storage and computing power—commercial clouds offer several advantages. Most importantly, commercial clouds have nearly infinite access to storage and computing power, and these are available on a pay-as-you-go basis. This means that instead of building and maintaining its own data center, DOD can essentially rent the infrastructure it needs on demand.
In addition to the traditional notions of data storage and computing, commercial vendors are also expanding the range of services they offer under their cloud businesses. This includes capabilities such as internet of things (IoT) or other “edge” devices that can store, process, and analyze data in embedded, austere, and contested environments. And because of the competitive nature of the cloud computing market, vendors such as Microsoft and AWS are highly incentivized to continuously upgrade and modernize their cloud environment’s hardware, software, services, and security.
Q4: Is the cloud cheaper?
A4: Not necessarily, but continuous upgrades to commercial cloud infrastructure offer users immediate access to higher-performing capabilities. This model can reduce capital expenditures for organizations that have traditionally maintained their own infrastructure; however, those savings can be more than offset depending on how intensive their cloud requirements are.
Q5: Is the commercial cloud secure?
A5: Yes—or at least as secure as any infrastructure can be in a time of increasingly brazen and sophisticated cyber threats. The size of these cloud service providers—AWS and Microsoft control over half of the world’s cloud market—certainly make them extremely large and attractive cyber targets.
One of the main arguments in favor of commercial cloud security is the magnitude of these companies’ investments in research, development, and talent to protect their infrastructure. These shared security or shared responsibility models reserve certain core responsibilities for the vendor while leaving other service-specific security responsibilities to the consumer. In theory, this approach off-loads some responsibilities from customers—such as physical security of data centers—allowing their limited security resources to be dedicated to other purposes. The poor security of private servers—those not operating in cloud environments—was highlighted by the FBI’s recent use of a court order to remotely remove the HAFNIUM zero-day vulnerability from privately maintained Microsoft Exchange servers that had not been patched.
Multi-vendor cloud approaches also can provide important redundancy and resiliency in the event of a major disruption to a particular cloud provider. This is an important benefit from a planning perspective, but cross-cloud failover—moving from Azure to AWS, for example—requires the original software to have been built to work in either environment.
Q6: How does cloud computing benefit the warfighter?
A6: In May 2021, Deputy Secretary of Defense Kathleen Hicks issued a memorandum entitled “Creating Data Advantage.” This directive, alongside the 2020 DOD Data Strategy, articulates how data is a strategic asset that should be integrated into all aspects of DOD’s mission, from supporting better senior decisionmaking to enabling the DOD’s vision for Joint All Domain Command and Control (JADC2). Although focused on modernizing how the Pentagon manages its data holdings across the entire enterprise (no small feat), this work is intended to pave the way for more effective integration of emerging technologies such as AI and ML into all aspects of DOD’s mission, from administration to logistics to conflict.
That next step—transforming data into strategic advantage through advanced data analytic capabilities—is taking place in the Joint Artificial Intelligence Center (JAIC)—DOD’s flagship program for AI innovation, established in 2018—as well as in the new AI and Data Acceleration (ADA) Initiative and across the military services and components. These efforts are already heavily reliant on the commercial cloud to develop and deploy current capabilities, and their need for these services will only grow if DOD delivers on its data strategy.
Storing data at scale, manipulating it, sharing it, and overlaying sensemaking analytics is the essential function of commercial cloud services as they are utilized today. This includes traditional data center–based cloud analytics, as well as capabilities that can bring cloud functionality to the tactical edge in air, space, sea, and land. This type of integrated information environment is at the core of the Joint Warfighting Concept (JWC)—DOD’s ongoing effort to develop a strategy that will secure a U.S. military “information advantage” in future conflicts.
Q7: How will the Joint Warfighter Cloud Capability differ from JEDI?
A7: The JWCC was announced as a multi-cloud, multi-vendor contract, whereas JEDI was a single-cloud, single-vendor award. In its recent announcement, the Pentagon clarified that although AWS and Microsoft are currently the only two cloud service providers capable of delivering on JWCC’s requirements, other providers (e.g., Oracle, Google, and IBM) will be evaluated for potential eligibility at a later date.
While this change does sidestep controversy and litigation across the technology industry, it also more broadly—and more importantly—reflects an understanding that the cloud computing landscape has evolved substantially since 2018. Not only has the commercial cloud market undergone significant transformation, but so has DOD’s broader digital strategy. The JAIC did not exist when the JEDI solicitation was issued. Other military components, most notably the Air Force’s Cloud ONE program, recognized the benefits of leveraging multiple cloud environments in their efforts to modernize the military’s digital infrastructure. The Pentagon’s recent pivot to a multi-cloud award also carries echoes of the U.S. Intelligence Community’s (IC) cloud strategy, which recently began migrating from the single-vendor, AWS-awarded C2S program to the multi-cloud Commercial Cloud Enterprise (C2E) contract.
Typically, a multi-cloud approach carries the benefit of avoiding the pitfalls often associated with “vendor lock,” in which software or other capabilities are designed to only operate in a single, proprietary environment. Efforts such as Cloud ONE—which the JAIC began to use in 2020 as a stand-in for the litigation-mired JEDI—and its associated development pipeline program, Platform ONE, have focused on a “build once, deploy anywhere” approach to development.
This flexible approach to cloud services and development can enable organizations to quickly deploy systems in multiple environments, including across different commercial cloud providers or embedded in weapons, collection, and vehicle systems. It will also allow DOD to leverage competitive advantages in certain services across multiple cloud providers—from a cost or capability perspective—while also providing options to quickly shift a system to a new environment in the event of a service disruption. This open architecture philosophy undercuts one of DOD’s JEDI-era arguments that a single-vendor, single-cloud award was essential to ensuring interoperability across systems.
Q8: I’m confused, what is Order 66?
A8: The Pentagon’s announcement was met with a predictable flood of Star Wars references on social media, many of which compared the Pentagon’s terminating of the JEDI program with the infamous Order 66 from the film Revenge of the Sith. For those not familiar, Order 66 was a directive to kill all of the galaxy’s Jedi Knights, thus bringing an end to the Jedi Order. This is what happens when the Pentagon gets cute with program names.
Jake Harrington is an intelligence fellow in the International Security Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C.
Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2021 by the Center for Strategic and International Studies. All rights reserved.