DoD reexamining cloud policies to remove bottleneck for sensitive data

For more than two years, the Defense Department has had procedures in place that, at least on paper, allow its sensitive data to be housed in commercial cloud computing facilities. But migrations to the cloud have been relatively few and far between for anything besides public, unclassified data.

That’s partially because for impact levels 4 and above, not only do providers have to earn authorizations that go above and beyond the governmentwide FedRAMP process, but any data they process also has to make its way through a DoD-provided Cloud Access Point (CAP).

The department is taking a fresh look at that latter point, saying its current CAP policies may be creating an unnecessary roadblock to DoD’s cloud ambitions. As of now, there are only two access points in existence – one run by the Defense Information Systems Agency and one by the Navy.

Dr. John Zangardi, the department’s acting chief information officer said he’s asked his office to revisit the policy with an eye toward letting commercial cloud vendors provide a CAP-like capability on their own.


“It’s my job to ensure the most effective IT support to the warfighter and to make best use of resources, so the question to my staff is, ‘How can we do CAP better?’” he said last week at the Defense Cyber Operations Summit in Baltimore, Md. “Specifically, can it be provided as a service? It’s a significant question, but if it is resolved, it should open opportunities for services and components to move more quickly to commercial cloud providers.”

DoD’s current policy on access points is laid out in the security requirements guide (SRG) it published in April 2015 and last updated in March of this year. It requires all network traffic that’s making its way between DoD systems and a commercial cloud provider to pass through government-operated monitoring systems — firewalls and other intrusion prevention systems — even when the cloud provider’s system is operating entirely within a DoD facility.

The overall objective will remain the same: giving some reasonable level of assurance that Defense networks can’t be penetrated via their connections to cloud providers, since most commercial cloud facilities are connected to the public Internet in some fashion, Zangardi said. He said the latest SRG will be updated to reflect any changes in DoD’s thinking “when we get that far.”

Cloud access points are among the issues likely to be raised later this week when DoD hosts an industry day to hash out the issues surrounding a final cybersecurity-focused contracting rule the department issued last October after nearly a year of public comment and revisions.

The final, updated version failed to address industry’s concerns, and industry representatives have been asking for a face-to-face meeting ever since.

The final version of the update to the Defense Federal Acquisition Regulation Supplement sweeps in what had been two separate interim rules. One portion requires contractors to report any data breaches involving “Defense information” within 72 hours and implement the National Institute of Standards and Technology’s new guidelines for protecting “controlled unclassified information” by the end of 2017.

A second makes plain that vendors must comply with the controls in DoD’s cloud SRG as a condition of their contracts, but goes a few steps further, including demanding that government personnel be allowed to physically enter cloud hosting facilities to conduct audits or inspections.

That’s because – according to a 27-page FAQ the department issued earlier this year – its interpretation of the Federal Information Security Management Act dictates that it treat any IT system that’s operated “on DoD’s behalf” as though it were a government operation.

Both before and after the issuance of the final rule, industry officials have expressed confusion over how the new rule fits in with a host of other provisions the government added to the Federal Acquisition Regulation at about the same time – including one by the National Archives and Records Administration that set governmentwide definitions for what constitutes “controlled unclassified information,” and another new FAR provision that requires all federal contractors to come into compliance with at least some of NIST’s guidelines for protecting CUI.

“Our objective at this meeting is to clarify some foundational questions,” Zangardi said. “What are the clauses? What is Covered Defense Information? How is it identified and marked? How does the rule work in the cloud computing environment? It should be a substantive, productive discussion.”