The Pentagon Accelerates Move to Cloud Computing

The Defense Department is accelerating toward wide-scale cloud computing adoption, buoyed by the promises of cost savings and untold increases in mission capabilities.

However, the largest potential consumer of cloud computing services in the U.S. government has also been the most deliberate in ensuring the security of every bit of data that moves to the cloud.

Indeed, security has been a point of friction between industry -- commercial cloud service providers that want access to billions of dollars’ worth of business -- and DOD brass who believe their data necessitates special requirements.

After DOD began exploring cloud in earnest three years ago, a familiar information technology song-and-dance played out: The Pentagon or its IT arm, the Defense Information Systems Agency, would release strategy memorandums or standards, which industry would strive to adhere to -- and then DOD’s strategy would change.

DOD’s most recent changes in cloud strategy and DISA’s latest security requirement update, though, indicate DOD’s cautious approach has laid enough groundwork for industry to get in the game.

The proof is in the participation: The release of the Pentagon’s latest cloud security guidelines generated 800-plus public comments, the vast majority of them from industry players and cloud providers, according to DOD Acting Chief Information Officer Terry Halvorsen.

Not coincidentally, Halvorsen made that announcement Thursday at DOD’s cloud industry day before a standing-room-only audience in Washington, D.C.

Halvorsen noted ongoing commercial cloud pilots with some of DOD's most sensitive, unclassified information and touted DOD’s simplified approach to security standardization.

“If we have public-facing data,” he said, citing an example, “why wouldn’t we put it in a public cloud?”

Not There Yet

Increased dialogue with industry is encouraging, Halvorsen said, but DOD’s cloud policies will continue to evolve, much like the technology itself.

“As we put the cloud document out, the hard part – and I know this from all the interactions with industry – is that you’re all wanting a base,” Halvorsen said. “That’s not going to happen.”

An unchanging baseline made up of certain security standards would fail to keep pace with emerging cyber threats. Some requirements may be grandfathered in “where security is not a concern,” Halvorsen said. Still, standards are destined to continually change.

Other challenges also persist. Halvorsen said data sharing between cloud service providers will need to improve. Issues surrounding of liability of DOD data and the political ramifications if it is breached through the cloud also need to be worked out.

There are technical and procedural guidelines, too, that will continue to evolve. During industry-day panels that followed Halvorsen's remarks, much was made of cloud access points – the means by which commercial cloud providers will connect to DOD networks. However, Amazon Web Services remains the only commercial cloud vendor using a cloud access point.

Questions too remain about cloud’s true return on investment and its potential impact on the workforce.

Cloud will allow for automation that will force DOD to repurpose some of its workforce.

“Today’s guidance is not quite right,” Halvorsen said.

And tomorrow’s guidance will be different, but it seems DOD, after a long journey, finally has a framework in place that puts it on the cusp of testing cloud’s potential.