What Do DISA’s New Cloud Security Requirements Mean for Classified Information?

Maksim Kabakou/Shutterstock.com

The Defense Information Systems Agency released updated cloud security requirements this week, simplifying the “impact levels” that classify information sensitivity.

The Defense Information Systems Agency released updated cloud security requirements this week, consolidating six previous “impact levels” of information sensitivity into four in an effort to simplify the process for cloud providers and the Defense Department alike.

That follows recent moves by DISA to speed up the pace at which DOD customers can explore opportunities in the cloud. A rewritten cloud strategy released last month by DOD Acting Chief Information Officer Terry Halvorsen eliminated DISA’s previous role as a cloud service broker, while retaining its role in ensuring information security in the cloud.

In addition to creating security requirements, DISA will still play an active role in the development of cloud access points – the physical connections where information will be exchanged between DOD networks and the cloud.

The gist of the impact-level consolidation is that nonsensitive unclassified information – the kind available under the Freedom of Information Act, or data hosted on websites – can be stored in commercial clouds that meet baseline standards set by the Federal Risk and Authorization Management Program, or FedRAMP.

More sensitive information at what used to be impact levels 3 and 4 – now consolidated into a single level – can exist on- or off-premises “in any cloud deployment model that restricts the physical location of the information.”

Cloud providers, however, “must provide evidence of strong virtual separation controls and monitoring, and the ability to meet ‘search and seizure’ requests without the release of DOD information and data.”

National security systems information – the fifth impact level – must be processed and stored “in a dedicated infrastructure, on-premises or off-premises,” which would include federal government community clouds.

Information classified as “secret” -- the sixth level -- “must be stored and processed in a dedicated cloud infrastructure located in facilities approved for the processing of classified information,” according to the guidance. The guidance also calls for a facility clearance, which could pose a challenge for cloud providers with limited experience contracting with DOD.

Based on those guidelines, it’s unlikely that even federal community cloud regions will host classified information in the near future -- but it’s not out of the question.

Still, there are fewer than 10 cloud pilots ongoing within DOD, and they are dominated by one vendor, Amazon Web Services.

In those pilots, which go up to the fourth impact level, AWS is hosting sensitive DOD workloads in its GovCloud region, but the standards it adheres to now aren’t likely to be the same even a year from now.

DISA Chief Technology Officer David Mihelcic, speaking Thursday at a cloud computing summit in Washington, D.C., said DISA’s latest security requirements are part of an “evolving strategy” that will continue to change.

Mihelcic also said the shift to the cloud isn’t just about cost savings.

Not incidentally, the DOD inspector general is interested in just how much money cloud computing is saving the department.

Legacy applications may save moderate to low amounts of money moving to the cloud – although the ease with which applications move to the cloud varies significantly – but Mihelcic said perhaps the most significant savings will come from an increase in capabilities, likely through next-generation applications specifically designed for new cloud environments.

Mihelcic cited Netflix as an example of an organization that moves seamlessly from a development to an operations environment. That kind of transition isn’t possible yet within DOD, but it’s a rose-colored possibility.

