Advanced Computing in the Age of AI | Wednesday, June 19, 2024

DOD Certifies AWS Cloud for ‘Sensitive’ Data 

Amazon Web Services got the green light this week from the federal government to begin rolling out cloud services designed to handle "sensitive" workloads.

AWS has announced that the Defense Information Systems Agency (DISA), the Defense Department's enterprise cloud service broker, has authorized it to handle government information at higher security levels. With the approval, AWS becomes the first commercial cloud service to earn the DOD provisional authority. The incremental step follows earlier provisional authority granted in March after AWS demonstrated the ability to adhere to hundreds of military security controls.

The latest authorization means AWS can assist the Pentagon and its contractors in deploying applications on its commercial cloud for "controlled" information along with unclassified data for "official use only."

The approval also clears the way for DOD to offer commercial cloud services for sensitive but unclassified data that accounts for the majority of data on military networks.

The expanded security authority covers regulatory and compliance requirements for the AWS GovCloud (US) region designed to allow government agencies to move sensitive workloads into the cloud. Those requirements include complying with U.S. export control rules and security standards established by the Federal Risk and Authorization Management Program, or FedRAMP.

DISA's Cloud Security Model divvies up cloud workloads by the required security level. The new provisional authority granted to AWS, known as Levels 3-5, means DOD customers could begin development and integration activities for sensitive but unclassified information on the AWS government cloud. The approval allows customers to use the AWS cloud for all but classified, or Level 6, workloads, according to Chad Woolf, director of AWS risk and compliance.

AWS also said authorization allows partners and DOD customers to begin implementing a range of government security requirements to protect sensitive data. These include AWS Direct Connect routing to the DOD network and Common Access Card integration.

Combined with a recently deployed private cloud for the Central Intelligence Agency, AWS is rapidly becoming the leading supplier of cloud services to the federal government. While the DOD approval covers unclassified data, the CIA private cloud – described as a public cloud-computing infrastructure hosted on CIA premises – will provide 17 U.S. intelligence agencies with computing, storage, and analytical capabilities.

While the CIA reportedly launched its private cloud earlier this month, the Pentagon's cloud transition has been complicated by the sheer number of users with varying levels of security access. DISA has been trying to build out a cloud infrastructure based a portfolio of services launched in March called milCloud. The initiative, a component of the DOD Enterprise Cloud Environment, seeks to leverage commercial technologies to offer a suite of capabilities for deploying DOD applications.

The milCloud effort is also a component of a huge Pentagon IT effort called the Joint Information Environment, which requires all three military services to agree on, among other things, common IT platforms. While the military's top brass have all endorsed the initiative, inter-service rivalries have in the past frequently undermined joint procurement programs.

Post-war budget realities and the fact that the Pentagon has been playing catch-up with the commercial IT sector could force the services to go along with the planned joint IT framework. Cloud providers like AWS are likely to play a growing role in providing the infrastructure.

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).