Public or Private Cloud? The Decision Comes Down to Risk, DISA CIO Says


For federal agencies, deciding whether information, data or applications belong in a public or private government cloud or a hybrid combination of the two is no easy feat.

Myriad factors play into these decisions – projected cost savings, information sensitivity and availability, to name a few – but according to U.S. Defense Information Systems Agency Chief Information Officer David Bennett, the single most important element continues to be risk.

DISA recently rolled out a government-operated cloud computing services portfolio called milCloud that was designed to attract Defense Department customers who seek the cloud’s promise of cost reductions combined with increased control, flexibility and mission security necessary for classified and controlled unclassified information.

“You have to understand risk and the data you’re dealing with,” said Bennett, speaking at a Nextgov event Tuesday. “As you look at those things, you have to ask questions like, ‘What controls do I have in place?’ We want to leverage commercial opportunities and reap the benefits of doing that, but we also want to verify and make certain what’s out there and that we’re able to understand and monitor that.”

Defense customers now have an increasing number of commercial cloud service solutions to choose from, at least for their least-sensitive data. Thus far, Autonomic Resources Cloud Platform (ARC-P), CGI Federal's IaaS solution and Amazon Web Services' Government Community Cloud and East/West US Public Cloud have achieved provisional authorization from DISA to handle information at Impact Levels 1 and 2, which comprise DoD’s unclassified public and unclassified private information.

Commercial CSPs will begin to be assessed against Impact Levels 3-5, which cover higher-risk unclassified data, in the second quarter of 2014. While draft standards for Impact Level 6 – designated for Defense’s classified data – have not been formally released, it’s clear that CSPs are quickly sailing into the department’s otherwise uncharted cloud territory.  

Bennett stopped short of endorsing DISA’s internal cloud platform over public cloud providers.

“I’m not making a pitch one way or another – I’m not trying to drive you one way or another,” Bennett said, responding to a question from a DoD cybersecurity executive.

“On the government side, there’s been a lot of focus and effort being placed on a highly-secure, well-understood, well-monitored environment,” Bennett said.

The commercial side, Bennett said, probably wasn’t at the “same level of thought and experience from a DoD perspective” in some facets, like how to support a forward-deployed mission in a remote area.

“Going to the commercial cloud is new for us, and we as application owners have to make conscious decisions” of what applications are better suited for public or government cloud, Bennett said. “I don’t think there is any right answer, you have to look at a variety of factors.”
