The Defense Information Systems Agency is undertaking a top-to-bottom review of the cybersecurity rules that guide its decisions about whether individual commercial cloud computing systems are safe enough for Defense data. DISA officials have concluded that the current process perhaps is too stringent and definitely is too slow.
The “scrub,” as DISA officials are calling it, is a reexamination of a set of cloud security review criteria the agency first put in place last December as part of its role as the Defense Department’s exclusive broker for buying commercial cloud solutions.
The review system, as it stands today, uses the controls within the Federal Risk and Authorization Management Program (FedRAMP) — the governmentwide cloud security standards — as a baseline, but then layers on a host of DoD-specific constraints, such as mandates that all information be housed in data centers that are physically located within U.S. territorial boundaries.
The idea that vendors should first comply with FedRAMP standards, and then go a bit further if they want to sell cloud services to DoD has proved to be a bit more cumbersome than officials originally had hoped.
“It takes too long. I’ll just say that,” said Mark Orndorff, DISA’s program executive officer for mission assurance. “In the scrub of the process, our objective is going to be that we leverage FedRAMP much more, and that if we have any additional requirements, we push to get them incorporated into FedRAMP. We’ve been successful at doing that to some extent, but if we do have some other additions, we need to let the cloud providers know that up front, so that they can assess those as part of the FedRAMP process, so that the timeline for industry is the FedRAMP timeline, and nothing else.”
The “above FedRAMP” process DISA has been using during the last several months has certified just five commercial vendors as safe enough to process and host DoD data.
But four of those are limited to handling only the very lowest levels of classification — information that’s already been deemed releasable to the general public. Several other companies still are waiting in line for DISA’s go-ahead.
“We think we’ve made the process too hard, and we may have set the criteria too high,” Orndorff told reporters Wednesday during DISA’s annual forecast to industry at its Fort Meade, Maryland, headquarters. “Going into some major change like this, I think it’s human nature to be on the conservative side until you get your feet wet, but now we’re asking where we can drive in some additional efficiencies and where we can accept a little bit more risk as we go forward with the cloud security model.”
Orndorff said DISA’s criteria for cloud security at what DoD defines as impact levels 1 and 2, which involve data that’s already publicly releasable or that wouldn’t create many problems if it were to be compromised, have already been almost entirely incorporated into the latest version of FedRAMP’s own security controls.
He said DISA and its DoD customers intend to start migrating that type of data from government data centers to commercially hosted ones.
But DoD still has questions about the implications of moving some of the department’s more sensitive but unclassified information, such as data that includes personally identifiable information, into commercial environments.
The pilots attempt to answer how and whether the department should migrate data at impact levels 3, 4 and 5 to commercial clouds, including whether such a move is likely to be cheaper than keeping it within a government-owned-and-operated environment.
“We also have some questions we need to clarify in terms of how we get situational awareness on what’s happening in the commercial cloud so that we don’t create a blind spot. We want to make sure we’ve thought through what we’ll be able to see from a cyber defense perspective,” Orndorff said. “We have command and control questions. We need to make sure we have the relationships right in case something bad happens, and during these pilots, we’re going to pretend that something bad happens and walk through how we’d deal with that. We also have some good old-fashioned performance objectives and business processes that we need to evaluate.”
Despite years-long demands from Congress that DoD consider commercial cloud options before building its own solutions, the department still is in the opening stages of a cautious approach to migrating data and applications to outside technology providers.
A slice of JRSS
David Bennett, DISA’s chief information officer, said he envisions using commercial cloud in a variety of ways, and he insisted the agency is not saying “no” to any potential options at this stage.
“But there are a couple of things that are still under major consideration, like whether we go off premises in a fully commercial environment, versus what we might want to retain inside the DoD fence line, simply because the security of a certain capability is at such a point that you don’t want to put it at any additional risk,” he said. “So as we’re trying to shape what the cloud picture is going to look like, I fully expect we will put things like publicly releasable information fully out there in the commercial cloud and not worry about it. We’ll update the content, but we won’t worry about management controls or monitoring, necessarily. For the higher levels of information, like [personally identifiable information] or HIPAA information where you have some additional concerns, we would like to be able to put that into a commercial cloud, but we also want to have some awareness of what’s going on with that information.”
To do that, DISA envisions extending a virtual “slice” of the security monitoring capabilities DoD is building within its new Joint Regional Security Stacks (JRSS) in order to bring whatever data the department is hosting in those commercial environments within the JRSS umbrella.
Eventually, Bennett said, it’s possible that DoD also would begin to move certain kinds of even classified-level data into commercial clouds.
“That’s probably the least mature part of where we are right now in terms of making decisions, but some classified applications could go into a commercial cloud, whether that’s on premise or off premise,” he said. “But there will be some applications that we will want to keep on DoD hardware regardless of the commercial alternatives. It’s sort of a multi-pronged attack to leverage technology and capability that’s out there in the commercial sector, and then to combine that with what we already have within DoD to provide you a full suite of options based on what risk you’re willing to assume based on the data that’s hosted within your application.”
Another aspect of DoD’s reassessment of its approach to commercial cloud involves a new 45-day study of the way the department communicates its requirements to industry. Acting DoD Chief Information Officer Terry Halvorsen ordered that assessment.
“We need to provide better English-language guidance to industry about what the requirements are and how vendors can meet them, but also better guidance to the Department of Defense about how they can assess their requirements and align them to our security model,” Orndorff said. “The security model makes perfect sense to people like me who live security all day, but we need to do an English-language translation of that, so that it makes sense to everybody else.”