JWCC cloud contract providers will have to adhere to FedRAMP-like cybersecurity regime

The test will ensure cloud providers that work under the new JWCC contract follow strict cybersecurity controls.

Cloud providers selected for the Joint Warfighter Cloud Capability contract will have to pass a cybersecurity test similar to the Federal Risk and Authorization Management Program (FedRAMP) regime, according to the Department of Defense’s chief information security officer.

Speaking on Tuesday at a CyberWeek session presented by CyberScoop, David McKeown said the cybersecurity inspection for companies participating in the new enterprise-wide contract would be conducted by the Defense Information Systems Agency (DISA).

“It’s basically the same just not going to be a FedRAMP certification,” McKeown said. “The DOD has always had some controls that are a little bit over and above what FedRAMP offers.”

The JWCC replaces the now-cancelled Joint Enterprise Defense Infrastructure (JEDI) contract for an enterprise-wide cloud service. JEDI was scrapped after years of litigation caused delays in its execution and a critical gap in DOD’s tech capability portfolio. JWCC will be a multi-vendor, multi-cloud offering that will pull resources from the cloud hyperscale companies like Amazon Web Services, Microsoft and others.


The DOD anticipates issuing direct awards under the JWCC around April 2022, officials have said.

Beyond building out more cloud offerings for the DOD, McKeown highlighted other security initiatives in the department. He said a top priority is implementing zero trust principles across the DOD enterprise. The effort is being led by a zero trust “portfolio management office,” which is currently hiring a senior civilian to lead.

“We view zero trust as a game changer for us,” McKeown said. “We have had very good perimeter defenses for decades now … but the advanced persistent threats from nation states have grown.”

Contractors working with the DOD currently must adhere to the Defense Federal Acquisition Supplement, which requires that they “rapidly report” cyber incidents, and defines “rapidly report” as within 72 hours of discovery.
