The Defense Department is testing what cybersecurity in the cloud would look like for certain mission-critical systems.
DoD’s pilots come as the agencies leading the Federal Risk and Authorization Management Program (FedRAMP) are just beginning to explore what the future state of cloud security would look like in two or three years.
Kevin Dulany, DoD’s chief of the risk management oversight division in the chief information officer’s office, said the Defense Information Systems Agency is working with the services to identify a mission-critical application in the cloud to ensure the additional cyber requirements for Level-3 security are appropriate and achievable.
“We are looking at the business case of the additional parameters for controlled unclassified information, because we are very conscientious about where our data resides and how it’s protected,” Dulany said Wednesday after a panel discussion on cloud security at the AFCEA Bethesda, Maryland, Chapter’s Cloud Technology Symposium in Washington. “We are looking at internally doing pilots based on the categorization, based upon the data types, to see what’s the security requirements for those data types, but also is it applicable, is it the right environment to take out to the commercial [cloud], so that’s why we are doing pilots under the auspices of the risk executive function.”
The risk executive function is an internal group of executives who determine how much risk DoD can accept for enterprisewide services, such as cloud.
Dulany said the enterprise cloud broker at DISA is running the pilots and will submit the results to the risk executive function for approval.
“We are really trying to establish the process, the foundation, as well as the requirements. Do we have the right requirements based upon the mission, and is it applicable to go into those environments?” he said.
Dozens more controls
Dulany said the pilot has started, but he wasn’t exactly sure how long it would last. He said the goal is to do incremental implementation and monitoring to ensure the security controls are correct.
James Pyon, vice president at CGI Federal, said during the panel discussion that Levels 3 and 4 include more than 20 additional security controls. He said Level 5 includes more than 50 additional controls.
On the civilian side, there isn’t a lot of support for FedRAMP standards that go beyond the low or moderate level.
Maria Roat, the FedRAMP director, said agencies and vendors have asked over the last year whether the Joint Authorization Board, which is made up of DoD, the Homeland Security Department and the General Services Administration, would develop a new baseline for systems that are rated high or Level 5 or 6 in the military.
Roat said agencies have a hard time identifying systems that need to have that level of security. She said the Government Accountability Office found agencies rated 88 percent of their systems as needing low or moderate security, while only 12 percent needed a high level of information assurance. Roat said most of those high systems were from DoD and DHS.
“There’s more interest in that high baseline, in particular. I’ve had discussions with [DHS] National Protection and Programs Directorate, really looking at what are those systems around critical infrastructure that have high requirements, as opposed to other agencies that might have high availability only for that requirement, and with what NIST is doing around the cloud framework, looking at what’s that high baseline for the cloud,” she said. “So there is a lot of discussion going on around the cloud. I don’t have that good number yet of what it should be.”
Ongoing adjustment to requirements
FedRAMP recently updated its current set of low-moderate standards based on revisions by the National Institute of Standards and Technology to its special publication 800-53.
Roat said the FedRAMP office is paying attention to what DoD is doing with its pilots, but the military’s requirements are somewhat different than what civilian agencies need.
“A lot of agencies really have a requirement for high availability. That high, high, high across the board for the baseline, they are really not clamoring for that, if you will,” she said. “Even when you look at the agencies at the low and moderate levels for the authorizations that have been issued, agencies are not even adding controls to that right now.”
Roat said DoD is the only exception to that rule, but almost uniformly civilian agencies are accepting the risk posture of the cloud service providers.
Agencies still are adjusting to the initial low and moderate standards. They faced a June 5 deadline to buy or use only cloud services that meet FedRAMP standards.
While the JAB continues to consider whether to develop cloud security standards for systems rated high, Roat said the program office is beginning to contemplate what FedRAMP will look like in two or three or even five years.
“In really looking a couple years downstream, what’s that landscape going to look like? You could have potentially maybe 45 or 50 cloud providers with a big footprint across the federal government, whether it’s infrastructure or software as a service,” she said. “Maybe two years out, at some point there will be a leveling of the cloud service providers. Some will go into the market space, and some will move out of it. There’s that business aspect of it. I see that coming.”
She said there also will be changes around continuous monitoring that will require them to rethink how often cloud service providers have to recertify they meet FedRAMP standards.
“We are thinking through that, as well as taking feedback from the cloud service providers and really getting industry’s take on what should the program look like two years out and how it’s going to morph, if you will,” Roat said.