recommended reading

Cloud Moves for IBM Target Civilian Government, Defense

Melissa Bouyounan/Shutterstock.com

IBM has announced two new cloud data centers for federal customers featuring the Softlayer infrastructure and ecosystem it purchased last year.

One of the data centers will go online this month in Dallas and the other will open in the fall in Ashburn, Va. Both are designed specifically to comply with the government’s security requirements and risk-based assessments. According to IBM, both will meet Federal Information Security Management Act requirements and comply with the Federal Risk and Authorization Management Program, known as FedRAMP, the government’s standardized approach to security assessment, authorizations and continuous monitoring.

The data centers are part of a $1.2 billion investment to expand IBM’s global cloud operations, and the company plans to double Softlayer cloud capacity before the end of 2014. IBM’s $2 billion acquisition of Softlayer a year ago has been a big hit with new customers, helping the company achieve a 50 percent growth rate in cloud sales and record earnings in 2013.

“This is the next logical phase for us,” said Andrew Maner, U.S. federal leader for IBM’s Global Business Services division. “You can’t be a one-trick pony. Buying Softlayer was nice, but the best part is bringing Softlayer skills and capabilities to market. We already have a FedRAMP-compliant offering, but we wanted to up the game, and that’s the purchase of Softlayer and now having federal-only specific facilities coming online.”

New cloud data center targets Defense workloads

In what may be an industry first, IBM has also announced a cloud data center built specifically to target high-sensitivity workloads within the Defense Department. Dubbed IBM Cloud Managed Services for Government, what’s particularly interesting about this data center is its location: the Allegany Ballistics Laboratory in West Virginia, a highly secure, government-owned facility. As a tenant there, IBM wants to leverage the facility’s physical security – “It comes with gates, guns and guards,” Maner said – and its existing nonsecure Internet protocol router network, or NIPRNet, connection.

The NIPRNet is managed by the Defense Information Systems Agency and used to exchange sensitive but unclassified information between users.

While civilian agencies have been making use of commercial cloud service providers for several years, Defense’s move has been much slower in large part due to its enhanced security concerns. The current process, designed by DISA, for CSPs to make cloud services available to Defense customers involves assessing their solutions against requirements outlined in six “impact levels.” Impact levels are assigned to data by DISA depending on confidentiality and type, integrity and availability in categorizations of low-, moderate-, or high-risk under Federal Information Process Standard Publication 199.

Impact levels 1 and 2 deal with low-risk unclassified public information and unclassified private information, but the lion’s share of opportunity for CSPs in the Defense space is the data assigned to impact levels 3-5 – the higher-risk unclassified data. Meeting FedRAMP’s package of requirements can be thought of as a sort of a baseline or barrier to entry for a CSP to get into the DOD space, but each impact level adds additional requirements a cloud solution must meet before it can handle data at that respective level.

The data at impact levels 3-5 is what IBM is targeting with this new cloud data center, and according to the company, it has begun the certification process to obtain a provisional authority to operate from DISA to become part of the DISA Enterprise Cloud Service Broker network.

“This data center will be prepared to do a certain kind of workload that we defense, national security and intelligence clients might need more of,” Maner said.

Thus far, no cloud provider has achieved a provisional ATO from DISA at impact levels 3-5. Only four, Autonomic Resources Cloud Platform (ARC-P), CGI Federal's IaaS solution and Amazon Web Services' Government Community Cloud and East/West US Public Cloud, have managed to attain a provisional ATO at impact levels 1 and 2.

(Image via Melissa Bouyounan / Shutterstock.com)

Threatwatch Alert

Network intrusion / Stolen credentials

85M User Accounts Compromised from Video-sharing Site Dailymotion

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

    Download
  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

    Download
  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

    Download

When you download a report, your information may be shared with the underwriters of that document.