DOD Wants Physical Separation for Classified Data in the Cloud … For Now

The Defense Department’s evolving cloud strategy and recently updated security requirements govern how commercial cloud service providers can -- and in some cases, have already begun to -- host some the Pentagon’s most sensitive data.   

But the Pentagon isn’t ready yet for classified information to be stored off-premise in the cloud.

In the immortal words of Olivia Newton-John, DOD wants to get physical with classified data that ends up in the cloud, meaning it wants “physical separation” between systems with classified workloads and that of other systems.

Federal community clouds, also known as “GovCloud” regions -- like those operated by Amazon Web Services -- adhere to the government’s stringent cloud security requirements and serve multiple agencies. However, they’re unable to host classified data under current requirements.

In the short term, “My perspective is that [classified data will likely not be hosted] in the ‘GovCloud’ region,” said Jack Wilmer, infrastructure development executive at the Defense Information Systems Agency. “I think that there will likely be a physical separation requirement between a DOD classified information system and other information systems that may be used in other parts of government. ”

Wilmer was one of several top DOD officials who spoke during a Wednesday CDW-G viewcast, which was produced by Custom Strategies within the Government Executive Media Group.

“However, I do think if you extend that to look at private cloud and where that can go, it’s a fundamentally different discussion,” Wilmer added.

GovCloud regions and any commercial cloud services offerings must meet the risk-based cloud security requirements in the Federal Risk and Authorization Management Act to host data for civilian agencies. DOD increases the rigor of these requirements as data becomes increasingly more sensitive.

DOD’s updated cloud strategy allows national security systems information -- the most sensitive unclassified data DOD possesses -- to be processed and stored “in a dedicated infrastructure, on-premises or off-premises,” including federal government community clouds.

But the most likely bet for commercial cloud providers to host DOD’s classified data appears to be if DOD opts to bring a commercial private cloud into its environment. The intelligence community recently took a similar approach to great effect, awarding a $600 million contract to AWS to build a commercial cloud environment for use by all 17 IC agencies.

“We have the example of the intelligence community – they’ve moved into a commercial private cloud in their environment, so we know that can be done,” said Robert Vietmeyer, lead for cloud computing and big data in the DOD’s Office of the Chief Information Officer.

“What we’re trying to do on the defense side is rather than saying, ‘everything has to be private, inside, dedicated to us,’ we’re trying to find, ‘where can we reach out?’” Vietmeyer said. “With the right encryption, we could potentially push classified intelligence for storage. In the near term, what we’re looking at as we push into the classified space is more like the intelligence community model with a dedicated DOD infrastructure, not necessarily on our floor space, potentially. It could be commercially hosted, where that makes sense, but run separately where DOD is the single tenant in that environment.”

Should DOD take this path, it would presumably bid out and award either a single, large contract or a series of them to cloud service providers up to the task of meeting its evolving requirements. Such a large-scale move is unlikely to happen too soon, though. Ongoing cloud pilots within DOD are providing important data that will help the department assess its current cloud strategy and potentially alter it.

(Image via Andrii Stepaniuk / Shutterstock.com)