The Defense Department, by the admission of its own top technology officials, has been too slow to take advantage of cloud computing — mostly because it’s been hampered by its own stringent security approval processes.
A revamp of those procedures, issued this week by the Defense Information Systems Agency, aims to slightly loosen the reins and give component-level chief information officers more discretion to decide whether commercial cloud is a good match for the level of risk they’re willing to take with their data.
The cloud security requirements guide takes effect immediately, replacing DISA’s earlier cloud security model and collapsing six separate data risk levels into four.
Until last month, DISA was DoD’s sole gatekeeper for cloud computing services — serving as the only authorized broker for all of the military. Now that the military services and agencies are allowed to buy cloud services on their own, DISA says its chief aim is to help those components make more informed choices.
“We’re going to say, ‘Let’s allow more than we’ve allowed in the past so that we can accept some risk there, but we’re also going to define it so that people know what the opportunities for compromise are,’” said Mark Orndorff, DISA’s risk management executive. “At the same time, we’re improving the security of our endpoints and our cyber analytics, and to detect insider threats. We want to focus our efforts on the things that could be the most serious impacts in a military situation that has a cyber adversary, focus on that, and then accept risk in other areas.”
For data that’s already been cleared for public release or only needs minor access control protections, the security guide declares that the existing standards DoD helped to develop and that the rest of the government has agreed to under the FedRAMP program are good enough: Any commercial hosting provider that’s run the FedRAMP gauntlet can host and process DoD data at that level without jumping through additional DoD-specific hoops.
The guide also makes provisions for commercial cloud providers to gain permission to handle information up to the secret classification level. But secret data, and unclassified information the department still wants to protect more closely, such as data that includes personally identifiable information or export-controlled information, will need a secondary seal of approval under guidelines collectively referred to as “FedRAMP-Plus.”
At those security levels, companies will first need to prove they meet the security controls FedRAMP outlines at the “moderate” level of information protection, and then pass a second, independent examination by DISA’s Cloud Assessment Team based on the new security guidelines.
If they pass, DISA will add the company’s product to its cloud security catalog and also issue a provisional authorization that outlines the risks DISA thinks DoD components would be taking if they were to trust their data to the cloud provider.
And while the guidelines begin to shift DoD from hard-and-fast rules about cloud security to a process that lets Defense CIOs make their own risk-informed decisions, there are still several straightforward restrictions on how Defense data can be handled in cloud environments.
For example, “after careful consideration,” Defense components are allowed to sign up for services that might host some of their data outside of the United States, as long as those services are not involved with national security systems. But for more sensitive information, DoD agencies will need assurances that their data will never leave U.S. shores, including documentation of the physical locations of all the data centers that will hold the information.
And at least for now, even if a company gets the go-ahead to host more sensitive data in its cloud, it will have to make sure that data is physically separated from any other machines in its data centers that might also house data from its other clients.
“We can use the virtual separation technologies that the vendors have up to a certain sensitivity level,” Orndorff said. “But for national security systems, we’re still going to keep that in a physically isolated environment at least for right now. We’ll come back and review that and see if we were incorrect in that analysis.”
At lower security levels, where several vendors including Amazon, CGI and Autonomic Resources have already won DoD cloud approval — even under the older, more cumbersome process — Orndorff says the department feels confident that virtualization technology has advanced far enough to protect DoD data from spillage, even if it’s hosted on the same physical machines as dozens of other commercial clients.
“The way we mitigate that risk is we’re going to be working with the vendors to assess the strength of the virtual separation, what monitoring we need to have both on the provider’s side and our side to look for signs that the boundary has been broken, and how we monitor for indicators of a compromise,” he said.
The new cloud security guide is just the first version — DISA envisions updates at least once every quarter.
Dave Mihelcic, the agency’s chief technology officer, said future versions and further advances in technology are likely to make DoD more and more accepting of commercial cloud environments.
“I think there’s a great opportunity to leverage evolving technology like data at rest encryption and technologies that validate the security of the entire environment and detect advanced persistent threats,” he said. “We’ve got to leverage all of these technologies, and it’s a challenge that I think DoD is up for, because there’s potentially huge savings if we move to this commercial cloud environment.”