Within the next month, the Pentagon plans to toss out its two-year-old plan to centralize all of the Defense Department’s commercial cloud computing procurements within the Defense Information Systems Agency.
New policies the department expects to issue by the end of October will end DISA’s role as DoD’s exclusive cloud broker and restore Defense components’ own authority to procure whatever commercial cloud services they’d like to buy.
In return, the military services will owe the department — and one another — detailed data on how they’re using that authority.
“I think there’s been some justified criticism about the fact that we have not moved to the cloud fast enough,” Terry Halvorsen, DoD’s acting chief information officer, told reporters Tuesday. “One of the things we’re going to change in order to move faster is to let the military departments do their own acquisitions and not have to funnel all of it through one contracting activity. I think being able to leverage more acquisition capability is going to let us go faster.”
For DISA, one of the top selling points behind the notion of a single broker was that it could someday serve as a quick one-stop-shop for DoD customers who needed cloud services. The agency envisioned an environment in which elements of the department could compare their needs against a range of pricing and capability options — including those offered by DISA itself — all of which had been pre-approved to meet DoD security requirements.
Business case now required for cloud
Halvorsen said the military departments and agencies still will have visibility into the full spectrum of the cloud services that organizations are buying across the department.
While DoD is devolving the procurement authority to its components, it’s also demanding that they provide a continuous stream of contract data about the cloud products they buy from commercial vendors, including pricing and service levels.
“We will share all of that, and we will share the actual contract language,” he said. “One of the key things you have to get right in that language is what the government gets to see in order to ensure security. That will be almost boilerplate language across all of the contracts.”
Before the military services move forward with any commercial cloud procurement, they first will have to complete a formal business case analysis. Among the factors they’ll have to examine is whether the commercial solution they want to buy is cheaper, all-in, than the government-owned “MilCloud” service DISA operates within its own data centers.
MilCloud already exceeds the baseline security standards the federal government is developing through its FedRAMP program. The department believes many of its more sensitive IT services will remain within that government-controlled cybersecurity fence line.
But Halvorsen said DoD components will demonstrate they have plenty of IT programs that don’t need and can’t justify the costs that come along with that level of security, and that commercial clouds can do the job just fine.
“We’re going to be collecting the facts to see if that is in fact the case, that we are saving money, that we are more agile,” he said.
Military services and agencies will draw up business case justifications via a new standardized template DoD is building for virtually all of its commercial IT procurements.
“Round one is done — the Air Force already did that. The Army is leading round two and should be done with that in the Oct. 15 timeframe. At that point, we will have a complete, agreed-upon BCA template that we’ll use for making cloud decisions among other IT and cyber investment decisions,” Halvorsen said.
Interim guidance for commercial cloud
Even though DISA has been dethroned from its position as the departmentwide procurer for cloud, its role in securing the department’s IT systems, including those offered by commercial cloud providers, will not change.
The agency’s role in overseeing the day-to-day operation of DoD’s networks, including commercially-hosted cloud systems, is likely to increase rather than decrease in the coming months.
DISA will retain its security approval responsibilities for commercial cloud systems, an authority it exercised on Monday when it issued interim guidance that now lets Internet addresses that end in .mil send users to commercially-hosted cloud servers, at least for public-facing websites.
“That’s a major enabler,” Halvorsen said. “One of the issues that we face is that as you’re trying to coordinate connections between what have traditionally been architected as .mil sites and ones that aren’t, that helps to solve that problem.”
DISA will also play a heavy role in supervising DoD’s use of commercial cloud when it assumes leadership of a new Joint Task Force the Pentagon expects to create sometime during the next few months.
The overall objective of the forthcoming Joint Task Force-DoD Information Networks (JTF-DoDIN) is to give DISA a larger role in defending DoD’s networks around the world in support of U.S. Cyber Command. DISA already is subsuming many of the enterprise-level network operational responsibilities that have, until now, been conducted by the individual military services, and in many cases, by individual military bases.
The task force’s job is to look deeply into military networks, including those that branch out into commercially-hosted domains which host DoD data, and to identify and share information about threats.
Halvorsen said the department hopes to have some rudimentary aspects of the Joint Task Force up and running by the beginning of November.
At that point, officials will begin to test out some of the working theories the Pentagon has developed about how DoD can exercise more centralized command and control over the thousands of network enclaves it’s trying to consolidate and defend.
“In addition to the command and control pieces, we’re also trying to look at what are the right toolsets that tell us exactly what we want to see on the network,” he said. “You certainly want to have certain data about the types of traffic on the network, you want to have data about the timelines. All of that lets you do a lot of analysis from an operational and operational security level. We have command post exercises going on right now to test all of that, and we have some follow-on exercises coming up in the next couple weeks. Following that, we’ll have some actual operational exercises that will try to tell us whether we can operate these concepts using the actual network equipment and the real tools.”