An update to the Defense Department’s cloud computing strategy aims to decentralize the process for purchasing commercial cloud solutions away from the Defense Information Systems Agency and toward individual agencies, according to a draft document of the retooled cloud strategy obtained by Nextgov.
The 46-page draft document has not been released publicly and is subject to change, according to a DOD spokeswoman. DOD acting Chief Information Officer Terry Halvorsen alluded to its pending release in a recent speech.
The new strategy, “DOD Cloud Way Forward,” describes a “cradle-to-grave process” that service providers and customers can follow to get DOD computing to the cloud.
Perhaps the biggest shift spelled out in the document will be DISA’s more limited role.
Under DOD’s current cloud strategy, DISA has acted as a cloud broker for the whole agency, handling both security assessments of potential cloud offerings and contracting duties. The new strategy would enable individual agencies to pursue approved cloud services through their own contract offices.
While several cloud pilots are ongoing within DOD, DISA’s all-encompassing role became a bottleneck between cloud service providers and DOD customers.
DISA will, however, still play a significant role in ensuring security, according to the draft strategy and recent remarks from Halvorsen.
“DISA will have a role in looking to make sure that as we go more commercial, we have met the security requirements,” Halvorsen said in a Nov. 6 speech. “We’ve spent a lot of time over the past 90 days really figuring out what do we have to have from a security standpoint for what levels of data.”
Cloud Security Levels Get a Rewrite
The draft document makes several important proposed revisions to its cloud security model, including modified security levels that distinguish between national security systems and DOD computing systems that are not national security systems.
The proposed change reduces the number of security controls required for non-national security systems – an important distinction given that much of DOD’s workload is not within national security systems. It would also “change the specific categorization levels (Low, Moderate, High) for the cloud security impact levels (1-6),” according to the draft document.
The system of impact levels are the result of DISA’s attempt to categorize data depending on a broad, three-tier risk scale -- low, moderate or high -- based on the type, confidentiality, integrity and availability of the data.
DOD policymakers want to change impact levels in a few different ways, according to the draft document.
For example, impact levels 1 and 2 would be more aligned with Federal Risk and Authorization Management Program’s “moderate” designation. That means cloud service providers that go through the civilian government’s standardized cloud security assessment can get their skin in the game for DOD’s public-facing, lowest-risk data.
Currently, cloud providers have to adhere to additional requirements on top of FedRAMP’s baseline standards.
Impact levels 3 and 4 would also be modified to accommodate non-national security systems’ controlled unclassified information -- another example of DOD shifting away from treating all its systems as national security systems.
In addition, one proposed change is to allow non-DOD federal government tenants access to cloud services vetted at impact levels 3-6.
The document alludes to legal challenges inherent in DOD storing controlled unclassified data in a public cloud. Opening impact levels 3-6 to other federal agencies could circumvent that legal issue, the document stated.
Other potential changes include amending the security control baselines for impact levels 5 and 6 from “High-High to Moderate-Moderate.” That comes after feedback from the 45-day report suggested the “High-High” baseline for impact levels 5 and 6 “exceeds the requirements of the vast majority of fielded DOD systems.”
Specific DOD customers would, however, have the option to negotiate additional security controls directly with cloud service providers.
An Evolving Effort, But Questions Remain
DOD’s move to cloud computing has been much slower than that of its counterparts across the rest of government.
IDC Government Insights concluded in a September report the federal government spent more than $3 billion on cloud computing in fiscal 2014, but the Pentagon’s cloud spend accounts for only a fraction of that total.
A revamped cloud security model may help expedite DOD’s cloud migration, but assuming few changes to the draft document before its public release, some questions still remain.
The draft document does not thoroughly delineate how DOD will handle creating cloud access points between a cloud service providers and the NIPRNet, the nonclassified IP router network, used by DOD to exchange sensitive but unclassified information.
Workloads at impact levels 3 and up will require a connection to the NIPRNet, but there’s been little guidance from DOD to industry on that front, according to multiple industry sources.
If the draft holds, another interesting point sure to raise eyebrows is that workloads at impact levels 3-5 cannot be hosted in a public cloud environment.
The draft guidance states that virtually separating tenants “is allowed if all tenants are federal government cloud customers. Otherwise, the DOD will require the cloud infrastructure to be physically separated from non-DOD/federal government tenants.”
In other words, the draft language indicates only cloud providers with government-only enclaves will be able to host data at impact levels 3 and above. Data at impact level 6, which includes classified information, can only be hosted in an environment physically separated from anything other than other DOD entities hosting impact level 6 information.
The DOD spokeswoman declined to discuss the draft with Nextgov.