Pentagon Refines Cloud Security Rules
The Defense Information Systems Agency released new cloud security guidelines this week aimed at establishing policies for adoption of commercial cloud services by the U.S. military.
The security requirements are "designed to ensure that DoD can attain the full economic and technical advantages of using the commercial cloud without putting the department's data and missions at risk," Mark Orndorff, DISA's risk management executive, said in a statement released January 14.
The defense agency oversees many of the Pentagon's IT purchases, which are gradually shifting from custom to commercial platforms, although its role as the Defense Department's "cloud broker" is being reduced. One of the agency's biggest challenges is establishing a security framework that restricts sensitive information to those with a need to know while still allowing the huge Pentagon enterprise to function on a daily basis.
The cloud computing guidelines are intended to establish DoD security objectives for hosting applications on commercial clouds up to and including data classified as secret, Orndorff said. For now, missions classified higher than secret must still follow existing Pentagon policies.
DISA said the cloud computing guidelines provide security requirements to commercial cloud service providers who wish to be considered for future DoD cloud services contracts.
They also establish a framework for DoD assessment of the security features offered by commercial cloud providers. That assessment would be used to support a decision to grant provisional authority for commercial hosting of DoD applications and missions, DISA added.
The rules also define security policies, requirements and the architecture for implementing commercial cloud services while providing guidance to DoD officials evaluating potential commercial cloud providers.
A growing list of public cloud vendors, including Amazon Web Services, Microsoft Azure and Google Platform, have gained various levels of authorization to offer cloud services to government agencies under FedRAMP, the Federal Risk and Authorization Management Program.
The cloud computing guidance comes as DISA reorganizes to become more agile in its deployment of information technology. Air Force Lt. Gen. Ronnie Hawkins, DISA's director, acknowledged this week that his agency must step up its game as it oversees deployment of secure cloud platforms across Pentagon agencies.
Defense officials indicated in December that DoD's strategy for procuring cloud services would downgrade DISA's role as the department's exclusive broker for procuring and implementing cloud services.
Terry Halvorsen, the Defense Department's acting chief information officer, told a recent industry gathering: "DISA will have a role in looking to make sure that as we go more commercial that we have met the security requirements." The CIO said the biggest challenge is "figuring out really what do we have to have from a security standpoint for what levels of data."
A recent audit by the Pentagon inspector general found that "DoD did not fully execute elements of the DoD Cloud Computing Strategy." Auditors also warned that the failure to execute on its cloud strategy means "DoD may not realize the full benefits of cloud computing."