The Defense Information Systems Agency is the lead organization in charge of cloud security for the Defense Department, helping to connect military services with commercial cloud vendors that have cleared security and approval processes. But tThe agency even is consideringlooking at commercial options for its longtime in-house private cloud environment, milCloud.

While milCloud is not quite the same as the commercial cloud options that organizations across DoD are buying—it’s known for its higher security restrictions, for one—it is run by DISA and housed in DISA’s environment. It does leverages some commercial products, but it also competes with them for military business.

So what happens next could be interesting: As the agency prepares for the next iteration of milCloud, it could be a "completely outsourced capability," Alfred Rivera, director of DISA's development and business center, said at an industry event outside Washington, D.C., Jan. 12.

But even as DISA prepares to eventually help roll out a cloud catalog from which DoD buyers will be able to choose services from industry and from DISA, they and all military cloud consumers must closely examine the benefits and balance that against potential drawbacks. In other words, DoD cloud buyers need to be doing thorough cost-benefit analyses.

"I think we've passed the peak of inflated expectations on cloud. The question is: Are we down in the trough of disillusionment, or are we going after the plateau of productivity?" said DISA CTO Dave Mihelcic. "Cloud computing is an important technology—it's a paradigm that we have adopted in DISA and [DoD] to be more agile. But it doesn't solve every problem. It doesn't guarantee huge cost savings, but it is a technology that we are taking advantage of."

The move to the cloud offers a lot of promise for federal agencies, and DoD is among some of the most aggressive in implementing a range of cloud capabilities. How much those moves actually are saving the Pentagon is uncertain, a DoD Inspector General recently concluded, noting that ambiguous definitions of cloud and trouble tracking contract activity mean those critical cost-benefit analyses aren't clear enough.

But Mihelcic pushed back against the idea that DoD needs strict, standardized definitions of cloud in order to see progress.

"I do think perhaps we want to quickly adopt the standard [National Institute of Standards and Technology] definitions for cloud; [but] some of them don't actually always make sense in the DoD context. So I think the answer that you're not going to always precisely have the same definition isn't necessarily a bad answer," Mihelcic said. "In particular, some of the metered billing pieces of it may not always be applicable to some of the things we need in the department. We may want to use cloud-like technologies, but we may want to buy them in a slightly more dedicated fashion to ensure quality of service, for example."