The Defense Department’s new guidance for how the military services and agencies should acquire commercial cloud computing services diminishes the role of the Defense Information Systems Agency. But the policy doesn’t remove the enterprisewide service provider entirely.
If a DoD component wants to move to a commercial cloud provider, the service or agency first must develop a business case, which must consider DISA as an option, and receive approval from its chief information officer. The business case also must be sent to the DoD CIO, but not approved by the office.
“DoD components may acquire cloud services directly. It is no longer a requirement to use DISA for the acquisition of cloud computing services,” wrote Terry Halvorsen, acting DoD CIO, in a Dec. 15 memo. “Each component remains responsible for determining what data and missions are hosted by external cloud service providers.”
This is a major change from DoD’s 2012 policy that called for DISA to be a cloud broker for the rest of the department. Under the former policy, military services and agencies would’ve had to go through DISA to buy commercial cloud services.
That policy didn’t sit well with the services, and Halvorsen, who rose to acting DoD CIO in May after spending four years as the Navy’s CIO, decided DoD needed a change.
“I think there’s been some justified criticism about the fact that we have not moved to the cloud fast enough,” Halvorsen told reporters in September. “One of the things we’re going to change in order to move faster is to let the military departments do their own acquisitions and not have to funnel all of it through one contracting activity. I think being able to leverage more acquisition capability is going to let us go faster.”
While the change to DISA’s role was not unexpected, the memo also mandates some other significant changes, starting with cybersecurity.
“For more sensitive DoD unclassified data or missions, DoD has developed cloud security requirements and guidance that go beyond FedRAMP. A draft of this DoD Cloud Computing Security Requirements Guide is currently out for DoD public comment, with official release scheduled for Jan. 7, 2015,” the memo stated. “The guide is intended to give cloud providers a stable security requirement, and to help DoD cloud customers move more rapidly and securely into the cloud. The Guide defines several classes of Sensitive Data, with increasing security requirements for each.”
This provision follows the recommendations from a 45-day study the CIO’s office conducted. In the report, the authors highlighted the need for a new cloud security model that differentiates between national security and non-national security systems, while at the same time introducing the concept of mission-critical systems. The cloud security model still breaks down the impact levels into six categories, but DoD now will reduce the requirements under Levels 1-2. The goal in doing that is to align the military much more closely with the rest of the government, including the security controls under the Federal Risk and Authorization Management Program (FedRAMP).
The new policy also sets up new requirements for vendors who want to host sensitive DoD data.
Halvorsen wrote that the commercial provider must meet specific security requirements and receive a provisional authorization from DISA.
“The Provisional Authorization (PA) will describe the types of information and mission that can be hosted by a particular cloud service,” the memo stated. “Commercial cloud services used for sensitive data must be connected to customers through a Cloud Access Point (CAP) provided by DISA or through a CAP provided by another DoD Component. All CAPs must be approved by DoD CIO. The current Navy CAP is an example of an approved provisional cloud access point. In the future, in order to standardize cyber defenses, our goal is that all DoD access to commercial cloud services be via a DISA provided CAP. This CAP will protect all DoD missions from incidents that affect a particular cloud service provider, and will provide perimeter defenses and sensing for applications hosted in the commercial cloud service.”
“In January 2015, the deputy CIO for cybersecurity will host the first regular meeting with DoD and industry, at which time the organizations with key cloud responsibilities in DoD will describe DoD requirements, processes, and plans, and seek feedback from our government, private and public partners in the cloud environment,” Halvorsen wrote.