Big Win for Amazon: First Provider Authorized to Handle Sensitive DOD Workloads in Cloud

agsandrew/Shutterstock.com

Achieves provisional authority to operate under DOD’s cloud security model at impact levels 3-5.

Amazon Web Services has become the first commercial cloud provider authorized to handle the Defense Department’s most sensitive unclassified data.

Today’s announcement that AWS has achieved a provisional authority to operate under DOD’s cloud security model at impact levels 3-5 is a major win for the company, as it allows DOD customers to provision commercial cloud services for the largest chunks of their data.

In technical speak, the provisional ATO granted by the Defense Information Systems Agency means DOD customers can use AWS’ GovCloud – an isolated region entirely for U.S. government customers – through a private connection routed to DOD’s network. DOD customers can now secure AWS cloud services through a variety of contract vehicles.

In layman's terms, AWS is the first company with the ability to take any and all of DOD’s unclassified data to the cloud.

“In a nutshell, we’re very excited to announce we’ve received the DOD provisional ATO through impact levels 3-5 – we’re the first commercial cloud provider to achieve this,” Teresa Carlson, vice president for AWS’ worldwide public sector, told Nextgov. “I think it highlights our continued commitment to being a leader in cloud computing. This opens up a whole new world of opportunities for DOD to do what other groups have been doing.”

Indeed, AWS recently launched a private cloud for the Central Intelligence Agency to service the intelligence community, and other cloud providers have been busy picking up new business in the civilian government where billions of dollars are up for grabs.

AWS was one of the first cloud providers to meet the Federal Risk and Authorization Management Program, the government’s baseline security standards for cloud computing. The company was also one of three firms to meet DISA’s cloud security requirements at impact levels 1-2, which govern the agency’s least sensitive data. DISA’s cloud security model includes many additional requirements on top of what is required by FedRAMP.  

Yet, civilian agencies that do not grapple with as many data sensitivity issues as DOD, have been pulling off sometimes large-scale cloud efforts while DOD lagged behind in its efforts.

Its cloud security model could still change, but in a recent speech, DOD Acting Chief Information Officer Terry Halvorsen said the department plans by September to announce five cloud pilots for its sensitive data. The focus, he said, would be on government-only clouds developed by the private sector. Regardless of how DISA proceeds, it appears AWS is primed to address its needs.

“There were many additional controls we had to meet, and it’s tough, but DISA needs it to be tough,” said Carlson, hinting that AWS’ next step is meeting requirements at impact level 6, which govern classified DOD data.

“Our goal is to meet every standard the federal government has for their data,” she added. “Obviously, that means the ability to work at all levels.” 

(Image via agsandrew/Shutterstock.com)