The Defense Department will be asking companies for proposals to host commercial cloud centers on Pentagon property in the near future.
The move comes as DoD is trying to figure out the best option to deliver cloud services to its components.
“We now are going to start pushing really hard to bring in some of these commercial cloud services and once those are available we are going to be putting pressure on the [department] components to start taking advantage of those,” said Rob Vietmyer, DoD’s associate director for cloud computing during a Dec. 11 Armed Forces Communications and Electronics Association event in Vienna, Virginia. “The environment we are in right now is way too costly.”
DoD has been revamping the way it procures cloud services over the past few years. Previously, DoD tried to create its own cloud service, but found it to be costly and the acquisition process too slow to keep up with the technology.
The department turned to commercial cloud services in hopes they could host DoD’s data and keep systems state-of-the-art.
DoD Chief Information Officer Terry Halvorsen gave the military services and department components the ability to procure their own cloud services independent of the department last year.
Since then DoD has released a security guide, which aligns DoD cloud security requirements with the Federal Risk and Authorization Management Program (FedRAMP), the standard for federal government cybersecurity for cloud services.
Companies can also hold more sensitive data by meeting more stringent requirements set up in the security guide. So far 36 companies have met the DoD FedRAMP requirements and two have higher level clearances.
Vietmyer said DoD has five systems that are operations in the cloud and another 20 that are currently transitioning to using the cloud. He added that 15 more are planning on a transition.
Vietmyer offered some advice to companies planning on getting approval to host DoD data. He said companies should hire two independent assessors: one to help prepare for the assessment and another to actually do the assessment.
The Army has already begun the process of moving cloud service centers onto its bases.
The service hosts DoD data in a privately owned and operated data center on the grounds of Redstone Arsenal, Alaska, as part of a broader effort to consolidate Army data centers in the southeastern U.S.
The Army chose Redstone for the pilot because it already has several government-owned data centers in the immediate region, many of which are operated separately by various Army components
“Clearly the DoD CIO is making it a priority to move to private clouds that are hosted in the public space because of the belief that it will significantly reduce the cost,” Doug Wiltsie, the Army’s program executive officer for enterprise information systems said in September.
Vietmyer said he thinks the future of cloud for DoD lies in four different areas and not just one cloud solution.
He said DoD will continue to use its own cloud, it will host private centers on Pentagon property and it will use off-premises cloud services to host both “low-impact” and “moderate-impact” data. Impact levels refer to the way DoD classifies the security of cloud providers.
Vietmyer also said DoD has noticed a trend called “cloud washing” from some businesses.
“You want to make sure when you are saying cloud that you are getting the types of characteristics we really expect… Folks take their existing marketing literature and they hear that cloud is hot so [they] sprinkle cloud all over it…but it doesn’t meet [our] core characteristics,” Vietmyer said.
He added that the DoD components were also guilty of using a type of cloud washing as a means to get around the department’s cloud policy.
For instance, a component would hire a cloud service that offered a finite amount of storage, when DoD requires that storage be elastic from providers.