Tim Rudolph is the Air Force Senior Leader for Integrated Information Capabilities, AF Life Cycle Management Center. He serves in a variety of capacities, including AFLCMC Chief Technology Officer (CTO) as the Authorizing Official for C2 Platform IT, both ground-based and airborne.
In a recent Q&A session, Rudolph offered candid comments on the direction of IT infrastructure acquisition, where he articulated the Air Force’s goal of operating zero data centers and a shift to purchasing IT infrastructure as a service (IaaS), as well as other capabilities as a service. The interview was conducted recently by Kirk Mardis, ViON Corporation’s Director of Air Force Business Development.
How well is the Air Force acquisition community incorporating and adopting more innovate approaches like IaaS to more efficiently and effectively acquire IT capabilities?
The process of buying IaaS, PaaS, and SaaS has made us look in the mirror to see how far we have gone and how fast we are going. Buying IaaS (allowing genuine utility computing, and public/private infrastructure data centers in a pod) all have a great deal of benefit to the Air Force. But the main inhibitors to their adoption have been the traditional business approaches and legacy buying contracts that need to come along for the same journey. The Department [of Defense] seem to make it hard to acquire Cloud and IaaS, which are both more secure and more affordable.
We have seen progress, and we have worked with contract specialists who have offered viable contract structures for purchasing IaaS, but we have to recognize these key issues: With lower budgets, we need to adjust to constricted administrator resources, and move these greater value individuals to increase the number of qualified Cyber operators. We are missing the skill sets to embrace secure automation. We simply will not have the capacity to operate, maintain and retrofit Air Force datacenters the way that major IT companies can do with greater operational efficiency and cost effectiveness. We must take advantage of private companies’ leadership in IT.
My goal for the Air Force is to have a “zero data center” footprint. To achieve that goal, we need to do it affordably and get the required capability, wherever and whenever we need it. Part of the inertia of “box huggers” (people who have no confidence in an IT solution unless it is a nearby closet) is from traditional DoD vendors who continue to push traditional over capacity IT solutions. Another part of the inertia is an acquisition mindset that thinks using capital expenditures to purchase IT should be the same as the purchase of weapons systems. If you want IT, you go to an IT vendor. If you want a fighter jet, you go to a fighter aircraft developer, but the IT acquisition, itself, requires a different attitude. The ability to achieve cost efficiencies is dramatically different. Again, IT is force multiplier and a critical foundation for enabling warfighter capabilities, but it is not a weapons system. IT is not the goal. While we do have major system integrators, developers, and manufacturers that the DoD is comfortable with for weapons’ systems, the dynamic of IT is very different, and we cannot treat IT with a weapons system mentality. Here’s why: For a weapon’s system, after the initial contract development, and early sciences and technology and development planning, it can take 80+ months to get to the field. If we treated IT the same way, we would miss three or four full cycles of IT innovation. For that reason, we need to use skilled commercial vendors that support multiple sectors (e.g., financial) and can do IT very effectively, at scale, much more rapidly. Genuine IaaS and cloud vendors have demonstrated that ability in other sectors for information security, speed of deployment, and innovation.
What more can industry leaders do to help evaluate, test, and (where applicable) implement these approaches?
Industry can do a great deal to advance the cause of IaaS and prove its cost effectiveness. Part of the ability of the Air Force to take advantage of new approaches to IaaS is through education. The cloud or IaaS is perceived as bad from the “need to touch and see it” perspective, and we have to address that. The perception exists even though physical ownership of IT infrastructure is not the best path for cost effectiveness and operational effectiveness; nor is it the most secure. So, there has to be a better understanding of the metrics we use to value IaaS and to determine its total cost of ownership. Industry leaders can make that case, not only with end users but also with the acquirers, the leadership that looks across IT portfolios, and other segments of government, including legal reviewers and policy makers.
What never ceases to amaze me is how there are misinterpretations of IT infrastructure that have no basis in technology, security, or even the laws of physics. If people understood what the real IaaS offering is, what the root requirements are, and how they can match and fit better solutions together (while offering programmatic benefits) that will help accelerate the acceptance of IaaS. Absurd entanglements that limit competition only support non-genuine cloud/IaaS capability, and worse, they require “spillage” blame clauses that are two+ orders of magnitude higher than the blame clauses that government hold itself accountable for in its own data center.
The FedRAMP pipeline approval cycle exceeds 18 months. Expensive connections to a shaky infrastructure (slowly and at high cost) makes no sense. But at the same time, make no mistake, IaaS is going to happen. However, it shouldn’t happen because we drag people kicking and screaming against campaigns of fear, uncertainty and doubt. It should happen because people realize that it’s the right thing to do. Out of all the methods, including base infrastructure, buying pods, trailers, and other form factors as a service on government installations, IaaS is a very powerful “best of both worlds” solution.
The operational community values speed and simplicity of deploying IT capabilities, yet these factors are hard to evaluate when simply evaluating price competition. Would more “best value contracts” help emphasize the relative importance of these factors and result in a more-balanced price and value result?
There are a number of impacts to the operational community when the acquisition community doesn’t act in an agile manner or provision rapidly. We are making incremental progress toward IaaS. This is evident with the DISA milCloud solution, which is a “construct” on top of capacity services. But I see this as a step, a mechanism that gets us to true IaaS in a more interim way. However, from my experience, the certification and accreditation process can complicate the timeline for acquisition. We need the ability to figure out the risk of deploying a solution, and we need to understand the threats and vulnerability that support that risk conclusion. Then we need to mitigate the risk, but that will require that we move away from “check-box mentally” when acquiring IT. It also requires that we look at the real mission and operational needs, and then engage in an agile accreditation and certification process with the available vendor community that can quickly turn to meet our urgent needs, principally supporting the war fighter. If the accreditation and certification process takes forever, it’s no good. Reciprocity, type-accreditation, and more granular multi-Service trusted components, e.g., widgets, are good. A chief concern, of course, is that we want security. With IaaS, I think we can obtain what we want in terms of security in part by looking at commercial operations that have demonstrated their security capabilities as part of their commodity offerings.
No one can deny that the operational community deserves speed and simplicity, and the Air Force must deliver that. But if the IT need isn’t handled as an urgent requirement (e.g., commoditized infrastructure) the factors are stacked against best-value determination or technology superiority outcomes of an offering. We need to get best-value even when the flames of urgency are not raging. The reason is simple. IT enables the warfighter, we can all agree, but it also enables the entire operation of the military, which in the end the warfighter is heavily dependent on.
Where does IT acquisition affect operational efficiency at every level? Well, IT has a short life cycle, and we have to look at the skill set of IT vendors and the Air Force operator skill set. As older human resources age out as Air Force operators, the commercial sector can prove to be more adroit and agile when replacing them, so new operators can provide much higher value. The commercial sector has an innate ability to look at more configurations, because they can access a broad field of commercial solutions.
The reality is that we need to get the best capability to Air Force operators so they can do their jobs, and it’s a disservice to them if we are just rolling out the same old stuff. The challenge, of course, is that the Air Force wants the best, and we want it to be affordable. But in the real world, the best is not always the most affordable. I am hoping that with better buying power, we can leverage some of the commercial capabilities provided externally, observing total cost and total capability, and do it in a rational way.
How can Air Force and industry better work together to give operational commands and acquisition partners clear contracting paths for IaaS options?
How do we get to IaaS contractually? Are the buying vehicles adequate for specifying IaaS?
It is difficult to communicate a new construct like IaaS. That’s true even if the construct is an information-processing node that provides the centralized base compute in a way that can be segmented and managed. That management has to be independent of the way we do it now, because now we have computers under desks and network wires running through ceilings at various bases. The acquisition community needs to know the value of IaaS, and they see the need for it, but the contract structures lag.
We want best value, but actually most acquisition is still driven by bottom-line price. How do we get past this? How can we model true offerings? How do we recognize the tremendous waste (in terms of dollars, energy, and administration) of underutilized segmented infrastructure? We need piloting activity to prove the IaaS metrics. This approach can be translatable from other sectors to the government, but the value proposition needs to be pretty straightforward. Even when dealing with Cloud, where you use it (put the information in it and manage that information, just like an on-premise IaaS provider), but don’t own and control it, you still have to build up confidence on the value proposition with command and acquisition partners. It’s important to have a few big wins, while fulfilling requirements baselines that provide an adequate solution set to provide that big win. This is difficult for users, acquirers, and providers. I recognize what a challenge it is.
Do you think the IT acquisition community is comfortable writing IaaS requirements and competing IaaS procurements? Can industry do more to assist/educate Acquisitions for a better working relationship post-award?
Scenarios and methodologies from industry help tremendously and we can’t shut off industry feedback too early in an acquisition. We need to learn.
We want to test drive IaaS cost models, if we can. The best approach – while honoring the value of competition – is to have vendors understand IaaS requirements as described in “apples to apples” language when IaaS is compared to traditional IT infrastructure. In a number of acquisitions, the good ideas of commercial industry are often boxed out in the acquisition formulation process. The acquisition community turns back to old language, and we don’t think of creative ways to provide solutions – with competition and fairness. The fact is, we don’t know what we don’t know, and during the acquisition process, we need to maintain a dialog to the last possible moment with multiple vendors, particularly given the rate of change in IT area. Perhaps this challenge calls on us to use templated language or meaningless constraints, or to provide cost methodologies, so that we present a fair representation for each kind of vendor offering. It also means that getting over the IaaS learning curve calls on us to team with IaaS solution providers pre-RFP and post-award to maximize the value of the selected vendor(s).
Is there value in developing both GOCO and COCO options when developing acquisition strategies? Does this extra level of analysis create more of a burden than potential value?
When discussing Government Owner, Contractor Operated (GOCO), vs. Contractor Owners, Contractor Operated (COCO), there are places where either model makes sense. But perceived confidence is important. To large extent, both GOCO and COCO are interim steps to the future. That said, there are merits to physical control sometimes, but the zero data center footprint is the goal, and both GOCO or COCO will be intermediate steps.
For both GOCO or COCO, you can repackage either model as a service, but that would be an odd distinction, a fallacy of distinction, because they are both data center constructs. There are advantages to both, but we need to move to a commercial service model wherever appropriate, with zero data centers as the objective goal.
Should the Air Force and industry continue joint education initiatives on the pros and cons of IaaS acquisition? What innovative ideas and initiatives would help drive deeper understanding, trust, and partnerships in improving how the AF deploys IT capabilities?
As we go through our education process, we look for real metrics and real benefits, and it’s my experience that this education has been vendor-neutral; it has shown the value proposition of IaaS that the government can follow. One major potential opportunity I see, as with the approach of Mr [Frank] Kendall, Undersecretary of Defense for Acquisition, Technology and Logistics, is to provide better buying power to the government by removing barriers to commercial technology adoption. There is an appetite in Pentagon as a whole for this, and recognition that there are barriers that we need to remove. Now, we need to make the barriers more apparent, and get away from contract awards that take multiple years. We need to adopt an acquisition model that doesn’t box small innovative providers out of the market (regardless of our positive engagement) and exceed all small business goals, because that’s not what we should be doing.
Vendors claim that IT can be paid for on demand as an operating expense and not as a capital expense. Is this distinction meaningful for government procurement officers, or is the distinction lost on them?
“Changing the color of money,” as the expression goes [moving from capital expense to operating expense] is a great benefit to the government. It’s also a benefit to how programs and solutions are bundled, especially when considering the lifecycle of the solution and asking if it can be paid for year-to-year as an O&M. If you purchase equipment, even if it sits in the warehouse until the warranty runs out, it is clearly a defined product. That said, IaaS is and can be considered a product, and should be able to be acquired that way, as appropriate, even if it is a living capability as opposed to static capability. IaaS provides flexibility because it offers the benefit of externally managed capacity. At the same time, it does fit with in the operations and maintenance definition.