cloud for the intelligence community

CIA unwraps C2E draft RFP

The CIA has issued a draft request for proposals for the massive Commercial Cloud Enterprise contract for commercial cloud services to support the intelligence community and sponsored partners.

C2E is a follow-on to the CIA's current Commercial Cloud Services contract held by Amazon Web Services. It will build on C2S with its integrated, interoperable multicloud ecosystem -- featuring infrastructure-, platform- and software-as-a-service offerings -- so that users can select cloud services based on their project objectives and the individual CSP's strengths. C2E will continue to focus on security, the CIA said, maximizing data sharing across mission systems and extending cloud services to disconnected and low-bandwidth environments. It will also feature network edge operations to support artificial intelligence, machine learning and high-performance computing.

The agency will establish new clouds for each level of the classification process, relying on one commercial-off-the-shelf offering and a corresponding Federal Risk and Authorization Management Program-authorized offering for the unclassified portion, while building more restrictive versions to handle secret and top secret information. The plan calls for broad dissemination of data centers, on land, undersea and in space, both on and off government premises where required.

To ensure consistency in the IC’s security implementation of new cloud services, the CIA as the executive agent is working with IC members to establish a security authorization and assessment model based on a set of common standards and policies.

The CIA is looking for proposals from innovative, experienced, large-scale commercial CSPs. The draft RFP details requirements for security, global reach, innovation and technical parity as well as operational excellence. C2E will also include a Cloud Integrator/Multi-cloud Management acquisition, which will provide support for cloud integration and management of the foundational multicloud services.

The chosen cloud service providers must also ensure that their supply chain security practices are aligned with requirements in the Secure Technology Act and Federal Acquisition Regulations. Those procedures include providing detailed information about all subcontractors and third-party software and hardware providers involved in their offerings, down to the third level, as well as what steps companies have taken to vet their security practices.

"Acquiring services from CSPs, rather than developing those services in-house, has been shown to scale faster to meet IC compute needs and to facilitate the adoption of innovation happening in the commercial marketplace," the draft document stated. The program aims to satisfy "the rigorous performance and security requirements of the IC, thereby allowing IC consumers to focus on mission delivery.

A bidder’s conference will be held Feb. 14 and will be limited to vendors who plan on proposing as prime contractors.

Derek Johnson contributed to this article.

About the Author

Susan Miller is executive editor at GCN.

Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.

Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.

Connect with Susan at [email protected] or @sjaymiller.


  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.