This week has been particularly eventful for those of us tracking Defense Department initiatives, and I wanted to break down the key developments that are reshaping how we do business with the Department of Defense.
JWCC’s Future Takes Shape
First, let’s discuss the current status of the Joint Warfighting Cloud Capability (JWCC) contract. Rob Vietmeyer, DoD’s chief software officer, dropped some interesting insights at Federal News Network’s Cloud Exchange 2025. While DoD isn’t ready to unveil the full successor to JWCC, they’re thinking beyond the current four hyperscale providers.
Here’s what caught my attention: DoD wants more direct access to third-party vendors in cloud marketplaces. Currently, if you want to leverage innovative solutions from smaller vendors through JWCC, it’s “suboptimal,” as Vietmeyer put it. That’s bureaucrat-speak for “it’s a pain in the rear.”
The department is also exploring ways to bring small businesses on board for cloud migration, legacy system refactoring, and workload optimization. This isn’t just about buying cloud services anymore – it’s about building an ecosystem that can help DoD modernize at scale.
OCONUS Cloud Challenges
Now, here’s where it gets interesting for those of us supporting warfighters at the tactical edge. Vietmeyer acknowledged that while JWCC was designed with OCONUS (outside the continental United States) capabilities in mind, there is still significant work to be done. The reality is that delivering cloud capabilities to forward-deployed forces requires both DoD and vendor investment. We’re talking about power, bandwidth, and hosting in austere environments. Having worked with several Combatant Commands on similar challenges, I can tell you that this isn’t trivial and often requires deploying a “short stack” like Amazon Snowball or Microsoft Azure in a U.S. forward-deployed location. Remember, if a JWCC solution is in Europe and not on a U.S. installation, it is still subject to EU GDPR, UK GDPR, or the Swiss FDPA regulations. The good news. All four JWCC vendors can handle classified data, but extending those capabilities to the tactical edge is still in the “early phases.”
CMMC Finally Gains Momentum
Switching gears to cybersecurity: CMMC is moving forward despite the regulatory freeze drama. Stacy Bostjanick from DoD’s CIO office confirmed that the DFARS rule is heading to OMB’s Office of Information and Regulatory Affairs for final processing. We’re aiming for a late summer publication date, pending all goes well.
Here’s the kicker: DoD’s pilot with cloud service providers and managed service providers is showing real promise for reducing CMMC compliance costs. One unnamed company went from zero to 110 controls in just two months, spending about $1,300 per seat plus $32,000 for the assessment. That’s a fraction of what many feared CMMC would cost.
By leveraging cloud service providers (CSPs) and managed service providers (MSPs), companies can inherit 80–90% of the required controls. This shared responsibility model is exactly what the defense industrial base needs, especially for the 80,000 companies that’ll need CMMC Level 2 certification.
GSA’s VAR Controversy Heats Up
Meanwhile, over at GSA, things are getting spicy with their review of value-added resellers. GSA sent letters to 10 major VARs – including CDW Corporation – demanding detailed breakdowns of OEM costs, markups, and fees. FAS Commissioner Josh Gruenbaum claims that VARs charge markups of 5–7%, which amount to a “tax on the American people.”
Industry pushback has been swift and fierce. Multiple sources tell me VARs typically operate on 1–2% margins, not the inflated numbers GSA is citing. As one executive pointed out, VARs don’t mark up prices – they receive discounts from OEMs based on the value they provide.
This matters because VARs handle critical functions that OEMs aren’t equipped to manage, including security clearances, on-site installation, integration services, and navigating federal compliance requirements. If GSA pushes too hard here, we could see OEMs withdraw from the federal market rather than build expensive direct-sales infrastructure.
Software Modernization Gets Real
On the software front, Defense Secretary Pete Hegseth’s push for software-defined warfare is gaining traction. Vietmeyer emphasized that the DoD needs to stop counting “software factories” and start measuring the actual impact on missions.
Currently, DoD has 50 software factories, but Vietmeyer argues that’s the wrong metric. The real question is: how many systems are using modern development practices? The answer, unfortunately, is “relatively small.”
This aligns with what SAIC’s Bob Ritchie shared about avoiding “watermelon metrics” – green on the outside but not delivering mission value. The focus needs to shift from checking boxes to delivering capabilities that match the warfighter’s needs.
FY2026 Budget Implications
Examining the FY2026 budget documents, we observe continued investment in cloud infrastructure and cybersecurity. The emphasis on Defense Health Program transformation and support for Taiwan signals ongoing modernization priorities despite fiscal constraints.
What This Means for Industry
For those of us in the defense industrial base, these developments signal both opportunities and challenges:
- Cloud Evolution: The next JWCC iteration will likely offer more opportunities for non-hyperscale providers, but you’ll need to position yourself strategically in cloud marketplaces.
- CMMC Acceleration: With costs coming down through shared services, there’s no excuse for delaying CMMC compliance. Start working with a CSP or MSP now.
- VAR Model Under Pressure: If you’re a VAR or work with one, prepare for increased scrutiny. Document the value you provide beyond simply fulfilling products.
- Software-First Mindset: Traditional hardware-centric approaches are no longer sufficient. Embrace DevSecOps and continuous delivery or risk being left behind.
Looking Ahead
This week’s developments show that the DoD is serious about modernization, but it is trying to balance innovation with fiscal responsibility. The challenge for the industry is adapting to these changes while maintaining the capabilities and services that the DoD needs.
As we move forward, success will require understanding not just the technology but the mission outcomes DoD is trying to achieve. Whether it’s extending the cloud to the tactical edge, streamlining cybersecurity compliance, or rethinking acquisition models, the common thread is delivering real value to warfighters.
The next few months will be critical as these initiatives move from planning to implementation. Stay tuned – this transformation is just getting started.