Is There Really a Level Playing Field Between MilCloud and Commercial Cloud Providers?

The Defense Department’s updated cloud computing strategy indicates a clear acceleration of interest in adopting commercial cloud computing capabilities within the Pentagon.

But how does milCloud, the Defense Information Systems Agency’s internal cloud-based offering, fit into the Pentagon’s cloud computing strategy?

In January, DOD Acting Chief Information Officer Terry Halvorsen said milCloud was “not getting a free pass,” and it appears milCloud has been forced to adhere to security requirements similar to those outlined in DISA’s new security requirements guideline.

Adoption of milCloud, however, has been slow despite its latest configuration for the SIPRNet, which means it can host classified data. It’s also more expensive than DOD officials would like it to be.

“The milCloud authorization to operate goes against the same broad set of requirements – [National Institute for Standards and Technology S.P. 800-53] – that the security requirements guideline is drawn from,” said Pete Dinsmore, DISA's risk technology executive.

Dinsmore was one of several DISA officials to speak to reporters during a Feb. 9 conference call. Dinsmore added that milCloud’s ATO is based on “general sets of requirements” under 800-53, though “some specifics are different” because milCloud is hosted internally and not on an external facility, as commercial cloud providers would be.

Now, that’s an important statement.

Because milCloud was deployed more than a year ago in two Defense Enterprise Computing Centers – in Montgomery, Alabama and in Oklahoma City – industry insiders have claimed the decks were stacked against commercial cloud providers that wanted DOD’s business.

The Federal Risk and Authorization Management Program – an evolving set of risk-based standards based off the aforementioned NIST special publication – was considered the barrier to entry for commercial cloud providers entering DOD space. In short, if you wanted to host DOD data, you’d have to go through FedRAMP first.

To host DOD’s more sensitive data requires adhering to additional risk-based requirements, so the more sensitive the data, the more rigorous the assessments would be.

Industry executives feel their commercial cloud offerings have faced more scrutiny than milCloud, with many openly wondering why milCloud never went through FedRAMP or was assessed against the same security requirements.

Defense officials, however, have countered that milCloud met the DOD Information Assurance Certification and Accreditation Process – or DIACAP – which has since been phased out and replaced by NIST’s risk-based approach to security.

As it turns out, both sides have ground to stand on.

A careful reading of Dinsmore’s description of the milCloud ATO indicates milCloud has not been assessed against the same exact security requirements that commercial cloud providers must pass. Whether that’s by design, it’s enough for industry to stop and say, “Hey, is this really a fair playing field?”

It will be interesting to see how these kinds of dialogues play out as DOD’s cloud computing strategy continues to evolve.

Regardless of the perceived public perception of milCloud or commercial cloud providers, DOD’s biggest strategy change in cloud computing is putting the onus on mission owners, not DISA, to seek out the best cloud offering they can, replete with business cases, risk tolerance and price comparisons.

It’s likely DOD mission owners, then, will have the final say in this debate.

(Image via Gonzalo Aragon/Shutterstock.com)