U.S. Joint Warfighting Cloud Capability - Required Capabilities

REQUIRED CAPABILITIES

PROBLEM STATEMENT: Preserving national defense requires immediate action. Therefore,
the Secretary of Defense has initiated a series of enterprise initiatives that are designed to bring
greater urgency, focus, and unity of effort within the Department to address China as our number
one pacing challenge. These initiatives will give our Warfighters the operational advantage to
prevail in peace and to win in conflict.

Key, unclassified initiatives include Joint All-Domain Command and Control (JADC2), the
Artificial Intelligence (AI) and Data Acceleration (ADA), and Data Decrees.

● JADC2 is the warfighting capability to sense, make sense, and act at all levels and phases
of war, across all domains, and with partners, to deliver information advantage across all
warfighting domains (air, land, maritime, cyber and space) faster than our adversaries
can.
● ADA is an initiative to rapidly advance data and AI dependent concepts, like JADC2, to
generate foundational capabilities through a series of implementation experiments or
exercises, each one purposefully building understanding through successive and
incremental learning.
● Data Decrees cover the creation, publication, protection, management, and use of data to
improve performance and create a decision advantage at all echelons.

Capitalizing on and achieving the objectives of these initiatives is predicated on the existence of
a global multi-vendor cloud capability, with attributes that enable access to crucial warfighting
data by those who need it anywhere in the world and secures data exchange at all classification
levels. This multi-vendor cloud solution must be a direct contract with each CSP, as the CSP
must demonstrate control over infrastructure changes to allow direct implementation of changes
that meet Department of Defense requirements. The solution must also include a number of
crucial attributes, including:

● Capabilities at all three classification domains
● Parity of services across all classification domains
● Integrated Cross Domain Solutions (CDS)
● Global availability inclusive of tactical edge environments
● Enhanced cybersecurity controls

OVERARCHING REQUIRED CAPABILITIES

To maintain our military advantage, the Department of Defense (DoD) requires an extensible and
secure global multi-vendor cloud capability that addresses warfighting challenges at the speed of
relevance. These foundational technologies are needed for the DoD to capitalize on current
cloud offerings, commercial innovation, and AI and Machine Learning (ML) capabilities, at
scale.

The Joint Warfighting Cloud Capability (JWCC) will provide DoD-approved first-party cloud
offerings, at all classification levels, from the homefront to the tactical edge, including denied,
degraded, intermittent, or limited (DDIL) environments and closed loop networks. The following
is a high-level summation of DoD’s requirements. Additional details will be provided during
market research and will be included in the solicitation.

Proposed solutions shall be ready for use by the DoD in accordance with the following
schedule:

● Unclassified cloud offerings and advise/assist services, at contract award.
● Classified cloud offerings capable of supporting Secret workloads within 60 days of
contract award.
● Classified cloud offerings capable of supporting all classified services (including Top
Secret, Sensitive Compartmented Information (SCI), and Special Access Program
(SAP)), within 180 days of contract award.

Proposed solutions must address the following JWCC objectives:

1) Available and Resilient Services: The solution must provide highly available,
resilient cloud services that are reliable, durable, and can continue to operate despite
catastrophic failure of portions of the infrastructure. The infrastructure must be capable of
supporting globally dispersed users at all classification levels, including closed-loop
networks and DDIL environments.

In order to provide the resiliency and availability required by JWCC users, there must be
no fewer than three physical data center locations, at each classification level,
geographically dispersed by at least 150 miles and within the Customs Territory of the
United States, as defined in FAR 2.101. Unclassified and classified (both Secret and Top
Secret) data centers may be co-located so long as the classified data center meets facility
clearance requirements.

2) Globally Accessible: The solution must provide cloud services that are securely
accessible worldwide, at all classification levels. The cloud services must provide assured
access and enable interoperability between virtual enclaves containing applications and
data.

The CSP must have points of presence on all continents, with the exception of Antarctica,
and provide at least 40 Gigabits per second to peer with the Government at the provided
global network locations. If the DoD adds new locations, the CSP must peer with the
DoD at those locations within 12 months of notification. Infrastructure and networks
supporting the classified services must be physically separate from the infrastructure and
networks supporting unclassified services.

3) Centralized Management and Distributed Control: The solution must enable the
DoD to exert necessary oversight and management of cloud services. This includes: the
ability to apply security policies; monitor network security compliance and service usage;
promulgate standardized service configurations; and automate and distribute the account
provisioning process.

In order to exercise centralized management, the solution must have a mechanism for
activating and/or deactivating any cloud service offering for JWCC workspaces. There
must be a mechanism to provision cloud services based on standardized, templated
configurations and security policies, as well as a “user friendly” mechanism to
deprovision any and/or all services. The solution must also provide object and resource
access control management, including data and resource tagging for billing tracking,
access control, and technical policy management.

To facilitate the automation of central management and distributed control there must be
an actively maintained, versioned, and documented Application Programming Interface
(API) providing the ability to perform any operation supported by the CSP portal/user
interface.

4) Ease of Use: The solution must offer efficient self-service of cloud services enabling
rapid development and deployment of new applications and advanced capabilities.
Additionally, the solution must support the portability of data and applications both out of
and into their solution.

5) Commercial Parity: The CSP must submit any new services available to the
commercial market to DoD for authorization and use within 30 days of the public release.
This also includes parity with commercial pricing for the cloud service offerings.
Commercial parity includes generational replacement and upgrades of hardware and
software as well as specialized hardware offerings to support advanced capabilities.

6) Elastic Computing, Storage, and Network Infrastructure: The solution must enable
provisioning of compute, storage, and network infrastructure that is constantly updated --
including processing architectures, servers, storage options, and platform software -- at
scale to meet consumption, rapid development and deployment in support of mission
needs. Additionally, the CSP must own, or provide proof of complete control over, and
unmitigated access to, the proposed unclassified and classified environment.

7) Fortified Security: The solution must provide security capabilities that enable
enhanced cyber defenses for strong identity access management and security from the
application layer through the data layer. Fortified Security capability requirements
include continuous monitoring and auditing, automated threat identification, resilience
and elasticity, encryption at rest and in transit, secure data transfer capabilities, and an
operating environment that meets or exceeds DoD information security requirements.
The following provides more detail on the aspects of the Fortified Security solution:

A. Identity and Access Management. The solution must provide specific capabilities
for authentication, authorization, and identity and access management as follows.

The solution must securely verify user identity using modern authentication
protocols, including multi-factor authentication (MFA) and public key
infrastructure (PKI) at each classification level and must support federated
identity.

B. Automated Information Security and Access Control Tools. The solution must
provide automated information security and access control tools to support:
patching and vulnerability management; supply chain risk management;
automated breach incident identification; threat detection and response; and
granular control over marketplace offerings.

C. Continuous Monitoring and Logging. The solution must provide logs that are
human and machine readable, standard, and easy-to-interpret for the monitoring
of: provisioning of services; configuration changes; service access and errors; and
any relevant audit trail events. Logs must be available in National Institute of
Standards and Technology’s (NIST’s) Open Security Controls Assessment
Language (OSCAL) and JavaScript Object Notation (JSON) format. All actions
in the system, whether by a human or a machine, must be loggable to a read-only,
non-overwritable destination that is within the cloud offering but external to all
JWCC workspaces.

D. Automated Threat Identification and Response. The solution must provide
automated breach identification and notification capabilities. In addition, the
solution must include self-service tools to access data and analytics generated by
threat detection systems. Finally, the solution must provide notifications and
findings of threats to system owners.

E. Secure Data Transfer Capability. The solution must provide a secure data transfer
capability using a cross domain solution that is consistent with the 2018 Raise the
Bar Cross Domain Solution Design and Implementation Requirements. The
solution must provide secure and highly deterministic one-way data transfer
capability between the CSP’s logical enclaves and environments within its own
cloud offerings and to external destinations, including multi-environment peering
gateways and across all classification levels.

F. Encryption. The solution must support logical separation with cryptographic
certainty of processing between tenants. It must provide the ability to encrypt data
at rest and in transit. Additionally, the solution must support user provided
encryption keys supplied by a user controlled, externally located, hardware
security module (HSM).

8) Advanced Data Analytics: The CSP must provide advanced data analytics services
that securely enable data-driven and timely decision making at the tactical level (within a
single data domain) and strategic level (across data domains). Advanced data analytics
capabilities must support batch and streaming analytics; predictive analytics; machine
learning; and AI. Advanced data analytics must be available at all classifications and
impact levels, from the homefront out to the tactical edge, including disparate and
disconnected environments operating on multiple datasets. These capabilities must, at a
minimum, be able to import and export streaming and batch data in common data
formats.

9) Tactical Edge Devices: The JWCC must include tactical edge compute and storage
capabilities able to support across the range of military operations while balancing
portability with capability. Tactical edge devices need to operate seamlessly across
network connectivity levels including DDIL environments.
