DoD accelerates security rules for cloud computing

T he Pentagon is already working on changes to federal acquisition rules that would require stepped-up notification procedures when private companies hosting DoD data have their systems penetrated by hackers.

But the department evidently feels a sense of urgency about those rules when it comes to its still-emerging use of cloud computing. On Feb. 8, DoD published a class deviation — a sparsely-used procedure that lets the department implement regulatory changes immediately — telling all of its contracting officers that if they are purchasing anything remotely resembling cloud computing services, they must follow new procedures the DoD CIO laid out last month in its new security requirements guide for cloud computing.

The changes are primarily intended to make sure that outside companies are adequately protecting government data — and, if a breach occurs, that they notify DoD right away.

Last year’s breach of the IT systems at security clearance processor United States Investigative Services, in which data on up to 25,000 DHS workers was stolen, was an “eye-opening experience,” said David Devries, the principal deputy DoD CIO.

“What we found out there was that a lot of the agreements we had in place did not protect either the federal side of the house or the industry partner,” he said. “So our acquisition folks signed out a temporary stop-gap until we can get new procedures put into the Federal Acquisition Regulation. They realize that this is so critical that we’ve got to get this thing put out now.”

This post is part of Jared Serbu’s Inside the DoD Reporter’s Notebook feature. Read more from this edition of Jared’s Notebook.