DISA releases ‘best practices’ guide for commercial cloud buyers

The Defense Information Systems Agency is taking an interesting approach as it transitions from its former role as the sole broker for the DoD commercial cloud market and into something more like a cloud sherpa for the rest of the military.

A few days ago, DISA released what it termed a “best practices guide” for DoD cloud mission owners. Its appearance on the agency’s information assurance website is notable in that it’s a serious departure from the prescriptive security-related documents usually published there, a fact reinforced by the big red letters and bold fonts in the first few pages of the guide emphasizing that its content is NOT to be interpreted as official DoD policy, mentions of particular vendors are not endorsements of their services, etc.

The document is partially a Cloud 101 introduction for potential DoD buyers who haven’t seriously contemplated commercial cloud and partially a compilation of the lessons learned by other DoD IT officials who’ve actually migrated some of their systems to commercial cloud services.

Most of the technical details are well beyond the scope of the Reporter’s Notebook, but by way of high-level examples, DISA describes strategies to allocate .mil IP addresses to IT systems operating in commercial cloud environments, various pluses and minuses of using Infrastructure as a Service offerings to provide offsite backup services, and potential pitfalls in estimating how much bandwidth an agency might have to pay for once it moves its services to the cloud.


Maybe most importantly, the 23-page document also describes the security hurdles Defense agencies and vendors will need to clear on their way to the cloud – in fairly plain language – in order to comply with DoD cybersecurity standards.

With respect to cloud computing, DISA remains in charge of creating those standards through its still-evolving security requirements guides and security technical implementation guides, just as it does for most forms of IT used in the Defense Department. But the authority to procure cloud services was given back to military departments and agencies in December of last year.

The fact that the agency published the guide in unclassified form is an obvious plus in the sense that cloud vendors now have some more insight into how the department views the utility of commercial cloud computing and how it’s been employed thus far. To whatever extent DISA’s new guide is helpful to DoD folks out there who are pursuing the DoD CIO’s admonition to make more use of “secure enough” commercial cloud, I’d be interested in hearing your views.

But it’s at least noteworthy that DISA took the time to put together what appears to my layman’s eyes to be a pretty practical guide, including how to navigate its own security standards, which, while simpler than they used to be, probably still look a bit byzantine and intimidating for an IT mission owner who already has a perfectly-functional system operating on government-owned-and-operated infrastructure, no matter how inefficiently.


This post is part of Jared Serbu’s Inside the DoD Reporter’s Notebook feature. Read more from this edition of Jared’s Notebook.