The Defense Department announced security approvals for nearly two dozen cloud computing products on Monday, showing modest progress in DoD’s slow advance toward commercial cloud adoption and making good on a promise to put more of its trust in the cloud security process used by the rest of the government.
All 23 of the cloud offerings the department approved for use by military departments and defense agencies had already met the “moderate” security baseline under the governmentwide Federal Risk and Authorization Management Program (FedRAMP).
In January, DoD announced via a new security requirements guide that it would accept the FedRAMP standards as sufficiently robust to allow its own vendors to host and process data up to what the department defines as “level 2”: information that’s already been cleared for public release, or that needs only rudimentary security controls.
Under the Pentagon’s new approach to cloud security, the approvals the Defense Information Systems Agency (DISA) issued Monday are an important part of the process for cloud vendors who wish to sell their products to DoD components, but they are only the first step.
They grant “provisional approval” and signify that top-level DoD officials view the security practices used by each company as fundamentally sound. But IT officials from each DoD component that wants to use their services will still need to render a final authorization for any specific use of the cloud products, certifying that they don’t see any undue mission risks in moving DoD data outside the walls of the department’s own systems.
“The granting of these provisional authorizations is an important step in our strategy to drive cost down by moving more of our mission data to the cloud,” Terry Halvorsen, DoD’s chief information officer, said in a statement.
The products DISA certified on Monday gained their initial approval via all three pathways through the FedRAMP process: they were either sponsored and certified by another government agency, sought and won approval from the Joint Authorization Board or were certified by third-party accreditors authorized as part of FedRAMP.
The raft of new additions to DoD’s cloud portfolio is made up almost entirely of services from commercial providers, but the change also gives security approval to the cloud version of OMB MAX, the Office of Management and Budget’s platform for exchanging budget and programmatic data between federal agencies; the Treasury Department’s Workplace.gov platform; and the infrastructure-as-a-service offering provided by the Agriculture Department’s National Information Technology Center.