DISA in Compliance with Cloud Security Standards

Blue Island/Shutterstock.com

Three vendors in use; seven under assessment.

The Defense Information Systems Agency currently offers its military customers certified cloud computing services from three vendors and has another seven under assessment for compliance with governmentwide security standards, top agency officials told Nextgov.

FedRAMP reviews aim to speed the adoption of cloud deployments across government by allowing cloud services to be vetted once – at a particular security level – and then deployed by a multitude of agencies. Agencies must comply with FedRAMP as a matter of federal policy.

But as noted in a recent review from the Council of Inspectors General on Integrity and Efficiency, neither the FedRAMP program office nor the Joint Authorization Board -- made up of the chief information officers of General Services Administration and the departments of Defense and Homeland Security -- can force agencies to comply with FedRAMP.

The report identified 348 federal commercial cloud contracts with a value of $12 billion as of fiscal 2014. But it did not identify specific agencies that failed to meet certification requirements.

Mark S. Orndorff, the mission assurance executive for the Defense Information Systems Agency, said three commercial cloud services are currently available to DOD users: Autonomic Resources, CGI Federal and Amazon Web Services.

Assessments of FedRAMP-compliant offerings from providers such as Hewlett-Packard, Lockheed Martin, AT&T, Akamai, Microsoft, Oracle and a cloud solution offered by the Agriculture Department are underway, he said.  

DISA continues to work closely with the FedRAMP program office and cloud providers to add to the list of approved cloud providers, Orndorff added.

Commercial cloud services for military users must go through additional security controls to receive a provisional authorization to operate, Orndorff said. He called the additional controls a “superset of FedRAMP.”

Roger Greenwell, DISA’s director of field security operations, said the agency’s risk management framework is built on the same controls as the governmentwide standards.

“As such, we leverage authorization and continuous monitoring information from FedRAMP in our processes, and are committed to continual to continual improvement in all aspects of secure use of cloud services," he added. 

DISA said its enterprise email service, which kicked off in January 2011, predated FedRAMP security standards, but it meets Defense standards, he said.

DISA now provides email to more than 1.6 million users, including U.S. Southern Command, U.S. European Command, U.S. Africa Command and more than 20 other DOD entities. The system is scalable to 4.5 million users.

Orndorff also said DISA operates a branded milCloud as an infrastructure-as-a-service option, available on both classified and unclassified networks, that leverages desktop virtualization software from VMware called the Vcloud suite and HP Cloud Service Automation.

DISA recently asked vendors to come up with suggestions by Nov. 3 for two hardware models to provide it with additional cloud computing services -- a containerized system that can be plugged into a DISA data center or hardware placed on leased rack or floor space inside a data center.

(Image via Blue Island/Shutterstock.com)