DoD Navigates Cloud Evolution, CMMC Progress, and Acquisition Reform in Pivotal Week

This week has been par­tic­u­lar­ly event­ful for those of us track­ing Defense Depart­ment ini­tia­tives, and I want­ed to break down the key devel­op­ments that are reshap­ing how we do busi­ness with the Depart­ment of Defense.

JWC­C’s Future Takes Shape

First, let’s dis­cuss the cur­rent sta­tus of the Joint Warfight­ing Cloud Capa­bil­i­ty (JWCC) con­tract. Rob Viet­mey­er, DoD’s chief soft­ware offi­cer, dropped some inter­est­ing insights at Fed­er­al News Net­work’s Cloud Exchange 2025. While DoD isn’t ready to unveil the full suc­ces­sor to JWCC, they’re think­ing beyond the cur­rent four hyper­scale providers.

Here’s what caught my atten­tion: DoD wants more direct access to third-par­ty ven­dors in cloud mar­ket­places. Cur­rent­ly, if you want to lever­age inno­v­a­tive solu­tions from small­er ven­dors through JWCC, it’s “sub­op­ti­mal,” as Viet­mey­er put it. That’s bureau­crat-speak for “it’s a pain in the rear.”

The depart­ment is also explor­ing ways to bring small busi­ness­es on board for cloud migra­tion, lega­cy sys­tem refac­tor­ing, and work­load opti­miza­tion. This isn’t just about buy­ing cloud ser­vices any­more – it’s about build­ing an ecosys­tem that can help DoD mod­ern­ize at scale.

OCONUS Cloud Challenges

Now, here’s where it gets inter­est­ing for those of us sup­port­ing warfight­ers at the tac­ti­cal edge. Viet­mey­er acknowl­edged that while JWCC was designed with OCONUS (out­side the con­ti­nen­tal Unit­ed States) capa­bil­i­ties in mind, there is still sig­nif­i­cant work to be done. The real­i­ty is that deliv­er­ing cloud capa­bil­i­ties to for­ward-deployed forces requires both DoD and ven­dor invest­ment. We’re talk­ing about pow­er, band­width, and host­ing in aus­tere envi­ron­ments. Hav­ing worked with sev­er­al Com­bat­ant Com­mands on sim­i­lar chal­lenges, I can tell you that this isn’t triv­ial and often requires deploy­ing a “short stack” like Ama­zon Snow­ball or Microsoft Azure in a U.S. for­ward-deployed loca­tion. Remem­ber, if a JWCC solu­tion is in Europe and not on a U.S. instal­la­tion, it is still sub­ject to EU GDPR, UK GDPR, or the Swiss FDPA reg­u­la­tions. The good news. All four JWCC ven­dors can han­dle clas­si­fied data, but extend­ing those capa­bil­i­ties to the tac­ti­cal edge is still in the “ear­ly phases.”

CMMC Final­ly Gains Momentum

Switch­ing gears to cyber­se­cu­ri­ty: CMMC is mov­ing for­ward despite the reg­u­la­to­ry freeze dra­ma. Sta­cy Bost­jan­ick from DoD’s CIO office con­firmed that the DFARS rule is head­ing to OMB’s Office of Infor­ma­tion and Reg­u­la­to­ry Affairs for final pro­cess­ing. We’re aim­ing for a late sum­mer pub­li­ca­tion date, pend­ing all goes well.

Here’s the kick­er: DoD’s pilot with cloud ser­vice providers and man­aged ser­vice providers is show­ing real promise for reduc­ing CMMC com­pli­ance costs. One unnamed com­pa­ny went from zero to 110 con­trols in just two months, spend­ing about $1,300 per seat plus $32,000 for the assess­ment. That’s a frac­tion of what many feared CMMC would cost.

By lever­ag­ing cloud ser­vice providers (CSPs) and man­aged ser­vice providers (MSPs), com­pa­nies can inher­it 80–90% of the required con­trols. This shared respon­si­bil­i­ty mod­el is exact­ly what the defense indus­tri­al base needs, espe­cial­ly for the 80,000 com­pa­nies that’ll need CMMC Lev­el 2 certification.

GSA’s VAR Con­tro­ver­sy Heats Up

Mean­while, over at GSA, things are get­ting spicy with their review of val­ue-added resellers. GSA sent let­ters to 10 major VARs – includ­ing CDW Cor­po­ra­tion – demand­ing detailed break­downs of OEM costs, markups, and fees. FAS Com­mis­sion­er Josh Gru­en­baum claims that VARs charge markups of 5–7%, which amount to a “tax on the Amer­i­can people.”

Indus­try push­back has been swift and fierce. Mul­ti­ple sources tell me VARs typ­i­cal­ly oper­ate on 1–2% mar­gins, not the inflat­ed num­bers GSA is cit­ing. As one exec­u­tive point­ed out, VARs don’t mark up prices – they receive dis­counts from OEMs based on the val­ue they provide.

This mat­ters because VARs han­dle crit­i­cal func­tions that OEMs aren’t equipped to man­age, includ­ing secu­ri­ty clear­ances, on-site instal­la­tion, inte­gra­tion ser­vices, and nav­i­gat­ing fed­er­al com­pli­ance require­ments. If GSA push­es too hard here, we could see OEMs with­draw from the fed­er­al mar­ket rather than build expen­sive direct-sales infrastructure.

Soft­ware Mod­ern­iza­tion Gets Real

On the soft­ware front, Defense Sec­re­tary Pete Hegseth’s push for soft­ware-defined war­fare is gain­ing trac­tion. Viet­mey­er empha­sized that the DoD needs to stop count­ing “soft­ware fac­to­ries” and start mea­sur­ing the actu­al impact on missions.

Cur­rent­ly, DoD has 50 soft­ware fac­to­ries, but Viet­mey­er argues that’s the wrong met­ric. The real ques­tion is: how many sys­tems are using mod­ern devel­op­ment prac­tices? The answer, unfor­tu­nate­ly, is “rel­a­tive­ly small.”

This aligns with what SAIC’s Bob Ritchie shared about avoid­ing “water­mel­on met­rics” – green on the out­side but not deliv­er­ing mis­sion val­ue. The focus needs to shift from check­ing box­es to deliv­er­ing capa­bil­i­ties that match the warfight­er’s needs.

FY2026 Bud­get Implications

Exam­in­ing the FY2026 bud­get doc­u­ments, we observe con­tin­ued invest­ment in cloud infra­struc­ture and cyber­se­cu­ri­ty. The empha­sis on Defense Health Pro­gram trans­for­ma­tion and sup­port for Tai­wan sig­nals ongo­ing mod­ern­iza­tion pri­or­i­ties despite fis­cal constraints.

What This Means for Industry

For those of us in the defense indus­tri­al base, these devel­op­ments sig­nal both oppor­tu­ni­ties and challenges:

  1. Cloud Evo­lu­tion: The next JWCC iter­a­tion will like­ly offer more oppor­tu­ni­ties for non-hyper­scale providers, but you’ll need to posi­tion your­self strate­gi­cal­ly in cloud marketplaces.
  2. CMMC Accel­er­a­tion: With costs com­ing down through shared ser­vices, there’s no excuse for delay­ing CMMC com­pli­ance. Start work­ing with a CSP or MSP now.
  3. VAR Mod­el Under Pres­sure: If you’re a VAR or work with one, pre­pare for increased scruti­ny. Doc­u­ment the val­ue you pro­vide beyond sim­ply ful­fill­ing products.
  4. Soft­ware-First Mind­set: Tra­di­tion­al hard­ware-cen­tric approach­es are no longer suf­fi­cient. Embrace DevSec­Ops and con­tin­u­ous deliv­ery or risk being left behind.

Look­ing Ahead

This week’s devel­op­ments show that the DoD is seri­ous about mod­ern­iza­tion, but it is try­ing to bal­ance inno­va­tion with fis­cal respon­si­bil­i­ty. The chal­lenge for the indus­try is adapt­ing to these changes while main­tain­ing the capa­bil­i­ties and ser­vices that the DoD needs.

As we move for­ward, suc­cess will require under­stand­ing not just the tech­nol­o­gy but the mis­sion out­comes DoD is try­ing to achieve. Whether it’s extend­ing the cloud to the tac­ti­cal edge, stream­lin­ing cyber­se­cu­ri­ty com­pli­ance, or rethink­ing acqui­si­tion mod­els, the com­mon thread is deliv­er­ing real val­ue to warfighters.

The next few months will be crit­i­cal as these ini­tia­tives move from plan­ning to imple­men­ta­tion. Stay tuned – this trans­for­ma­tion is just get­ting started.

June 19, 2025

Posted in DOD.

Comments are closed.