A new Defense Department Inspector General’s report found problems with the Pentagon’s cloud policy that may have monetary and cybersecurity risks.
DoD does not maintain a comprehensive list of cloud computing service contracts because the department’s chief information officer failed to establish a standard, department-wide definition for cloud computing. In addition, the DoD CIO did not develop an integrated repository that could provide detailed information used to identify cloud computing service contracts, the report stated.
As a result, DoD has no way of determining if it is actually saving money by migrating to the cloud and may not be able to effectively identify and monitor cloud computing security risks, the report stated.
“DoD’s ability to track cloud computing cost savings, and benefits is greatly limited if DoD is not aware what cloud computing service contracts exist within DoD … [and] unless DoD Components accurately classify their information systems as using cloud computing services, DoD CIO will not be aware what security risks are specific to those services,” the report stated.
The DoD IG found inconsistencies between a list of cloud computing service contracts kept by the CIO and the ones kept by the military departments for fiscal 2011-14.
For example, the Army identified nine contracts for its cloud computing services in that period, while the DoD CIO only identified three. Likewise, the Navy identified zero contracts when the CIO had two potential contracts.
Part of that problem may have been because of the DoD’s lack of a repository for cloud computing service contract information.
The DoD CIO uses four different IT reporting systems to gather information on DoD cloud computing. However, the systems are not integrated and do not provide the level of detail desired by the CIO, the report stated.
The DoD CIO is taking steps to remedy the situation by looking for ways to link the systems.
While the DoD IG report stated the DoD CIO does not have a standard definition for cloud computing, the CIO does refer its components to the National Institute of Standards and Technology definition. That definition describes cloud computing as having on-demand self-service, broad network access and rapid elasticity, among other characteristics.
The DoD IG recommended that the CIO issue guidance to establishing a department-wide definition or clarify NIST’s definition. The DoD CIO’s office responded, saying its DoD Cloud Computing Security Requirements Guide (SRG) “established a standard definition of cloud as well as requirements and processes for assessing cloud computing security risks.”
The DoD IG disagreed with the assessment.
The IG also recommended the DoD CIO establish an integrated repository of cloud computing contracts. The CIO’s office responded stating it implemented enhancements to its systems to better collect contract details.
The DoD CIO was contacted for further comments on the report but stated it had nothing to add.
The Pentagon is using at least eight different companies to provide cloud services. Google provides the cloud for the Defense Education Agency’s Learning Management System and Amazon provides services for the Defense Information Systems Agency’s Information Assurance Support Environment.
In recent years, the military has made an effort to host less of its material on its own drives and contract more private companies to provide cloud services.
The goal is to spend less money providing for hardware and constantly upgrading drives. Private companies can procure the best available technology faster than DoD, which needs congressional appropriations.
The DoD CIO last year gave the military services and department components the ability to procure their own cloud services independent of the department.
Since then DoD has released its Cloud SRG, which aligns DoD cloud security requirements with the Federal Risk and Authorization Management Program (FedRAMP), the standard for federal government cybersecurity for cloud services.
The department assigns more security requirements to companies that want to handle data that requires higher levels of assurance. The DoD as cleared 36 companies to provide cloud services for documents at the lowest sensitivity level.