The new guidance overrides two previous memorandums that charged DISA with assessing the security of commercial cloud service offerings.
New Defense Department guidance issued Wednesday by Acting Chief Information Officer Terry Halvorsen allows DOD components to acquire commercial cloud services without the Defense Information Systems Agency acting as a broker.
The new policy overrides two previous memorandums that charged DISA with assessing the security of commercial cloud service offerings and cataloging them – a process that caused a bottleneck between potential DOD customers and providers.
In plain language, the new guidance explains that components remain “responsible for determining what data and missions are hosted” by cloud service providers. Each use of cloud services will also require an enterprise IT business case analysis, with each analysis required to consider DISA-provided cloud services such as DISA's milCloud offering.
The new memo meshes with DOD’s updated cloud strategy. While it diminishes DISA’s role to a degree, any cloud service provider wishing to host sensitive information must provide DISA with evidence that it meets cloud security requirements beyond the civilian government’s standardized security requirements laid out in the Federal Risk and Authorization Management Program.
Those additional requirements were released Dec. 7 in draft form awaiting public comment, with an official release scheduled for Jan. 7, 2015. Titled “DOD Cloud Computing Security Requirements Guide,” the draft guide defines various levels of sensitive data, with data of higher sensitivity demanding increased security requirements.
DOD’s cloud strategy and requirements have changed many times since the department began exploring opportunities in cloud computing back in 2012. This latest guidance is likely to go through further iterations.
In the document, Halvorsen states: “The DOD Cloud Computing Security Requirements Guide will be an evolving document informed by public and private input. It is intended to be a collaborative document between the government and private sector that recognizes the rapid technology and business changes in the cloud services environment.”
As part of the collaborative process, DOD will hold a series of in-person and virtual meetings with DOD and industry partners beginning Dec. 18.