The Defense Department is taking a serious look at overhauling its process for accrediting commercial cloud computing products as secure enough for military use.
Among the ideas DoD is considering: changing its security approach in a way that would give much more weight to the security techniques a company uses than to whether one of its particular cloud offerings checks all of the security boxes in a fairly static government document.
Within the next several weeks, the Pentagon will announce a working group of DoD and industry security experts charged with improving the existing security and accreditation process for commercial cloud, the latest version of which was published in an updated security requirements guide (SRG) last month.
“I think we have reached the point where we can no longer accredit specific hardware or software, we’ve got to accredit the process,” said DoD Chief Information Officer Terry Halvorsen. “Today, if you’re fielding a cloud environment, companies like Microsoft and Amazon and Google make changes to their clouds and improve their security almost nightly. Our current process can’t sustain that. We’ve got to look at security and accreditation on a process basis, and at a certain point, maybe even vendor-by-vendor, where we would say, ‘Hey, your security process for these specific areas is good, we like it, we’re going to keep evaluating you on a yearly basis, but otherwise we’re going to accept your tools as you develop them.’ If we don’t do something like that, we can’t keep pace, and we can’t be agile.”
Halvorsen emphasized that the department had not yet settled on the system of periodic process reviews he outlined, but said he’d raised the idea with several cloud vendors and had received a “phenomenal” response. It will be one of the options on the table for the forthcoming review of DoD’s cloud security process, which will be led by Richard Hale, the department’s chief information security officer and deputy CIO for cybersecurity.
The department’s current cloud security rules are based on the government’s FedRAMP system, which evaluates an individual cloud offering against government-specified security controls. For DoD, a FedRAMP approval is enough to earn a provisional authorization to handle non-sensitive (“level 2”) data. The department adds its own FedRAMP Plus security controls for levels 4 and 5, and only a handful of vendors have been certified at those levels, which are needed to handle more sensitive functions like unclassified national security systems and records that hold personally identifiable information. In each case, vendors also need an additional security sign-off, called an Authority to Operate, from the end customers buying their specific products before they can finalize a contract.
The second release of the cloud SRG, publicly issued Mar. 18, was made up mostly of technical and engineering tweaks and did little to change the fundamental cloud approval process. But Halvorsen said taken together, the new SRG should signal to industry that DoD is highly interested in hybrid cloud technologies that would involve a combination of some computing resources inside the military’s security boundaries and some on commercial vendors’ property.
“DoD doesn’t buy one type of cloud,” he said. “Everybody who’s doing smart things in cloud is in a very hybrid state. We are much aligned with the Fortune 50 companies in the sense that there are very few companies who are putting their own intellectual property in commercial clouds. We are looking at what it takes to make inside clouds, how we do some government private clouds, and I think this will clarify that. These changes were made in conjunction with industry partners, and we’re going to continue to do it that way.”