What Do DISA’s New Cloud Security Requirements Mean for Classified Information?

The Defense Information Systems Agency released updated cloud security requirements this week, consolidating six previous “impact levels” of information sensitivity into four in an effort to simplify the process for cloud providers and the Defense Department alike.

That follows recent moves by DISA to speed up the pace at which DOD customers can explore opportunities in the cloud. A rewritten cloud strategy released last month by DOD Acting Chief Information Officer Terry Halvorsen eliminated DISA’s previous role as a cloud service broker, while retaining its role in ensuring information security in the cloud.

In addition to creating security requirements, DISA will still play an active role in the development of cloud access points – the physical connections where information will be exchanged between DOD networks and the cloud.

The gist of the impact-level consolidation is that nonsensitive unclassified information – the kind available under the Freedom of Information Act, or data hosted on websites – can be stored in commercial clouds that meet baseline standards set by the Federal Risk and Authorization Management Program, or FedRAMP.

More sensitive information at what used to be impact levels 3 and 4 – now consolidated into a single level – can exist on- or off-premises “in any cloud deployment model that restricts the physical location of the information.”

Cloud providers, however, “must provide evidence of strong virtual separation controls and monitoring, and the ability to meet ‘search and seizure’ requests without the release of DOD information and data.”

National security systems information – the fifth impact level – demand information be processed and stored “in a dedicated infrastructure, on-premises or off-premises,” which would include federal government community clouds.

Information classified as “secret” -- the sixth level -- “must be stored and processed in a dedicated cloud infrastructure located in facilities approved for the processing of classified information,” according to the guidance. The guidance also calls for a facility clearance, which could pose a challenge for cloud providers with limited experience contracting with DOD.

Based on those guidelines, it’s unlikely that even federal community cloud regions will host classified information in the near future -- but it’s not out of the question.

Still, there are fewer than 10 cloud pilots ongoing within DOD, and they are dominated by one vendor, Amazon Web Services.

In those pilots, which go up to the fourth impact level, AWS is hosting sensitive DOD workloads in its GovCloud region, but standards it adheres to now aren’t likely to be the same even a year from now.

DISA Chief Technology Officer David Mihelcic, speaking Thursday at a cloud computing summit in Washington, D.C., said DISA’s latest security requirements are part of an “evolving strategy” that will continue to change.

Mihelcic also said the shift to the cloud isn’t just about cost savings.

Not incidentally, the DOD inspector general is interested in just how much money cloud computing is saving the department.

Legacy applications may save moderate to low amounts of money moving to the cloud – although the ease at which applications move to the cloud varies significantly – but Mihelcic said perhaps the most significant savings will come from an increase in capabilities, likely through next-generation applications specifically designed for new cloud environments.

Mihelcic cited Netflix as an example of an organization that seamlessly translates between a development to an operations environment. That kind of transition isn’t possible yet within DOD, but it’s a rose-colored possibility.

(Image via Maksim Kabakou/Shutterstock.com)