Defense Department chief information officer Terry Halvorsen made some waves earlier this year when he said he’d like to see commercial companies construct and operate data centers on DoD property. The military would provide physical and cyber security; the firms would bring the cost and scalability benefits of cloud technology.
Now, the Army is poised to try out a version of that idea. Lt. Gen. Robert Ferrell, the Army’s CIO, told an AFCEA D.C. breakfast on Friday that an upcoming pilot program will host DoD data in a privately owned and operated data center on the grounds of Redstone Arsenal, Ala., as part of a broader effort to consolidate Army data centers in the southeastern U.S.
“It’s new territory, but we believe it’s the direction we need to go,” Ferrell said. “It’s moving away from the idea of owning and operating and looking at things as a service.”
The Army chose Redstone for the pilot because it already has several government-owned data centers in the immediate region, many of which are operated separately by various Army components for their own specific purposes at what Ferrell estimates is only a 40 percent utilization rate – something Ferrell is trying to tackle as part of the Army’s contribution to the longstanding Federal Data Center Consolidation Initiative.
The Defense Department has greenlighted three dozen commercial cloud offerings since it first overhauled its commercial cloud security processes in January – including two vendor products at the more sensitive classification criteria known as Impact Level 4, in which companies are authorized to handle mission-critical data.
Roger Greenwell, the Defense Information Systems Agency’s cybersecurity director, updated the tally of provisional authorizations, as they’re called under DoD’s new cloud security process, in an interview last Friday on Federal News Radio’s On DoD. He added that the agency expects to authorize at least one vendor to deal with data up to Level 5 – the top classification level outside of the secret realm – “very soon.”
A provisional authorization does not, in and of itself, give any company the go-ahead to operate cloud services for the Pentagon. Vendors still need to obtain a formal “authority to operate” certification from whichever DoD component is actually buying their services, but they’re free to bid on Defense cloud contracts with no more than a provisional authorization.
If you’re among the millions of Americans who were affected by the OPM data breach and are upset about the government’s slow and less-than-forthcoming approach to disseminating information about what actually happened, you should keep your ear on any public speeches by James Clapper, the director of national intelligence, who seems to have a habit of going off-message.
Just to be clear, I say that with appreciation, not disdain.
A couple of months back, he attributed the intrusion to the Chinese government, making him the first U.S. official to do so in a public setting, then or since (though, upon further questioning by a moderator, he downgraded that attribution to say that Beijing was just the ‘leading suspect’).
Then there was this bit of news on Thursday:
“We don’t actually know what was actually exfiltrated [from OPM],” Clapper said at a conference co-hosted by Georgetown University and the National Geospatial Intelligence Agency. “What you’re hearing about is the absolute worst-case scenario, because we cannot and don’t have enough granularity on the forensics to determine what was taken. What has been portrayed, which I think was prudent and honest, is the worst case.”