A high volume of companies are applying for the Defense Information Systems Agency’s top cloud services security level.
DISA is seeing cloud service providers petitioning for level 5 impact status because of the sheer volume of sensitive data the Defense Department needs to have stored in the cloud, said Jack Wilmer, DISA’s infrastructure and development executive.
“What we have seen is the volume of data that DoD has, the absolute majority of it, has some aspect of [personally identifiable information] or mission criticality to it. I think that is what is drawing a lot of the companies toward providing a level 5 offering, to be able to host that type of capability,” Wilmer told Federal News Radio. “That’s definitely an area where we are still increasing focus.”
Wilmer did not know the exact number of companies applying for level five clearance, but both Amazon Web Services and Microsoft have received level 5 impact levels.
By September, DISA had given 36 companies the go-ahead to operate cloud services for the Pentagon at impact level two since it overhauled its commercial cloud security process. Most of those companies met FedRAMP equivalent requirements for a level 2 clearance. Anything above level 2 needs to be put through additional DISA assessment paces which the agency collectively terms “FedRAMP-Plus.”
Wilmer’s comments come as DISA released a request for information earlier this year for what it’s been calling MilCloud 2.0 and what it now refers to as On-Site Managed Services (OMS). Very few decisions have been made about how the infrastructure-as-a-service project will be structured, other than that DISA wants to offer its DoD customers the ability to pay for only the storage and processing power they actually use.
“We’re looking to give our Defense customers the ability to order and pay ‘by the drink’ and not get charged for things they don’t consume,” Scott Stewart, the chief of DISA’s IT contracting division, told vendors Feb. 22 at an industry day previewing the upcoming procurement in Laurel, Maryland. “Today, we just over-provision and pay for things we don’t need. Some customers want more than we’re providing, some want less, so what we’re looking for is a true utility-based solution.”
DISA hasn’t yet announced a timeline for when it might release a request for proposals, but once it makes a contract award it plans for a contractor to build and operate a private cloud within two DISA-owned data centers: one as a primary site and the other as a backup for continuity of operations. The government would provide power, cooling and network connections, but the rest would be up to the vendor.
“The first big thing we’ve done is set up a cloud portfolio within DISA. A number of different cloud-related initiatives were performed at different offices, so we’ve consolidated all this,” Wilmer said. “What we did with [MilCloud] 1.0 is we kind of took the best of breed commercial technologies that were available and really focused on how to drive automation into our data centers. With 2.0 the focus is the same. We did a really good job with that, we got a lot of automation in, and now we want to find out how we can do it more cost effectively.”