The Defense Department has greenlighted three dozen commercial cloud offerings since it first overhauled its commercial cloud security processes in January, including two vendor products at the more sensitive classification tier known as Impact Level 4, at which companies are authorized to handle mission-critical data.
Roger Greenwell, the Defense Information Systems Agency’s cybersecurity director, updated the tally of provisional authorizations (as they’re called under DoD’s new cloud security process) in an interview last Friday on Federal News Radio’s On DoD. He added that the agency expects to authorize at least one vendor to deal with data up to Level 5, the top classification level outside of the secret realm, “very soon.”
A provisional authorization does not, in and of itself, give any company the go-ahead to operate cloud services for the Pentagon. Vendors still need to obtain a formal “authority to operate” certification from whichever DoD component is actually buying their services, but they’re free to bid on Defense cloud contracts with no more than a provisional authorization.
And Greenwell denied that the DoD cloud security regime is adding much additional red tape to the FedRAMP process the government has already established to vet cloud vendors’ security practices, a persistent industry concern. Once a company gets a FedRAMP authorization at the moderate impact level and has gone through FedRAMP’s third-party assessment process, its request for a DoD Level 2 provisional authorization is basically a done deal, he said.
“As soon as FedRAMP processes it, we go ahead and work to place it onto the provisional authorization list. It usually happens within a few days,” Greenwell said. “Our team here actually works very closely with the FedRAMP office, because DoD is one of the members of the Joint Authorization Board. So we keep a sharp eye, daily, on when things are coming through.”
But anything above Level 2, the functional equivalent of FedRAMP’s moderate baseline, needs to be put through additional DISA assessment paces, which the agency collectively terms “FedRAMP-Plus.” Still, Greenwell says firms that have already met FedRAMP standards will have a leg up in gaining approval at the higher security levels.
“Because what we try to do is use the exact same outside assessors who support the FedRAMP process in doing our FedRAMP-Plus process, because they already have a good knowledge of the product and it allows us to work through it a lot more quickly,” he said.
The FedRAMP program office, of course, is also working on a “high” security baseline that could one day obviate DoD’s need to impose its own requirements on cloud providers who wish to handle sensitive but unclassified data. But Greenwell said that since FedRAMP high is still in draft form, it’s hard to predict how much reciprocity DoD will grant to vendors who go through that assessment gauntlet.
“Our largest goal right now is to try to figure out how many of those specific controls will be applicable against our FedRAMP-Plus baseline,” he said. “We’ve evaluated a lot of the comments, and FedRAMP is working with about four different vendors to see what it would take to authorize them against that baseline. In DoD, we need to look at the delta between our requirements and what’s being pushed as part of FedRAMP. We want to minimize the number of differences, but we don’t see that FedRAMP high would ever necessarily replace the DoD provisional authorization process, because we do have some special connectivity requirements and personnel security requirements around systems administration with those higher levels, but we want to take advantage of any efficiencies that the new baseline could provide in our authorization process.”
This post is part of Jared Serbu’s Inside the DoD Reporter’s Notebook feature.