Here’s What the Rewrite of DOD’s Cloud Strategy Will Look Like

Photo of the United States Department of Defense homepage on a monitor screen through a magnifying glass. Gil C / Shutterstock.com

An update to the Defense Department’s cloud computing strategy aims to decentralize the process for purchasing commercial cloud solutions away from the Defense Information Systems Agency and toward individual agencies, according to a draft document of the retooled cloud strategy obtained by Nextgov.

The 46-page draft document has not been released publicly and is subject to change, according to a DOD spokeswoman. DOD acting Chief Information Officer Terry Halvorsen alluded to its pending release in a recent speech.

The new strategy, “DOD Cloud Way Forward,” describes a “cradle-to-grave process” that service providers and customers can follow to get DOD computing to the cloud.

Perhaps the biggest shift spelled out in the document will be DISA’s more limited role.

Under DOD’s current cloud strategy, DISA has acted as a cloud broker for the whole agency, handling both security assessments of potential cloud offerings and contracting duties. The new strategy would enable individual agencies to pursue approved cloud services through their own contract offices.

While several cloud pilots are ongoing within DOD, DISA’s all-encompassing role became a bottleneck between cloud service providers and DOD customers.

DISA will, however, still play a significant role in ensuring security, according to the draft strategy and recent remarks from Halvorsen.

“DISA will have a role in looking to make sure that as we go more commercial, we have met the security requirements,” Halvorsen said in a Nov. 6 speech. “We’ve spent a lot of time over the past 90 days really figuring out what do we have to have from a security standpoint for what levels of data.”

Cloud Security Levels Get a Rewrite

The draft document makes several important proposed revisions to its cloud security model, including modified security levels that distinguish between national security systems and DOD computing systems that are not national security systems.

The proposed change reduces the number of security controls required for non-national security systems – an important distinction given that much of DOD’s workload is not within national security systems. It would also “change the specific categorization levels (Low, Moderate, High) for the cloud security impact levels (1-6),” according to the draft document.

The system of impact levels is the result of DISA’s attempt to categorize data depending on a broad, three-tier risk scale -- low, moderate or high -- based on the type, confidentiality, integrity and availability of the data.

DOD policymakers want to change impact levels in a few different ways, according to the draft document.

For example, impact levels 1 and 2 would be more aligned with Federal Risk and Authorization Management Program’s “moderate” designation. That means cloud service providers that go through the civilian government’s standardized cloud security assessment can get their skin in the game for DOD’s public-facing, lowest-risk data.

Currently, cloud providers have to adhere to additional requirements on top of FedRAMP’s baseline standards.

Impact levels 3 and 4 would also be modified to accommodate non-national security systems’ controlled unclassified information -- another example of DOD shifting away from treating all its systems as national security systems.

In addition, one proposed change is to allow non-DOD federal government tenants access to cloud services vetted at impact levels 3-6.

The document alludes to legal challenges inherent in DOD storing controlled unclassified data in a public cloud. Opening impact levels 3-6 to other federal agencies could circumvent that legal issue, the document stated.

Other potential changes include amending the security control baselines for impact levels 5 and 6 from “High-High to Moderate-Moderate.” That comes after feedback from the 45-day report suggested the “High-High” baseline for impact levels 5 and 6 “exceeds the requirements of the vast majority of fielded DOD systems.”

Specific DOD customers would, however, have the option to negotiate additional security controls directly with cloud service providers.

An Evolving Effort, But Questions Remain

DOD’s move to cloud computing has been much slower than that of its counterparts across the rest of government.

While civilian agencies and even the intelligence community have found ways to bring innovative, daring solutions to government, DOD has lagged behind mostly because of security concerns.

IDC Government Insights concluded in a September report that the federal government spent more than $3 billion on cloud computing in fiscal 2014, but the Pentagon’s cloud spend accounts for only a fraction of that total.

A revamped cloud security model may help expedite DOD’s cloud migration, but assuming few changes to the draft document before its public release, some questions still remain.

The draft document does not thoroughly delineate how DOD will handle creating cloud access points between cloud service providers and the NIPRNet, the nonclassified IP router network used by DOD to exchange sensitive but unclassified information.

Workloads at impact levels 3 and up will require a connection to the NIPRNet, but there’s been little guidance from DOD to industry on that front, according to multiple industry sources.

If the draft holds, another interesting point sure to raise eyebrows is that workloads at impact levels 3-5 cannot be hosted in a public cloud environment.

The draft guidance states that virtually separating tenants “is allowed if all tenants are federal government cloud customers. Otherwise, the DOD will require the cloud infrastructure to be physically separated from non-DOD/federal government tenants.”

In other words, the draft language indicates only cloud providers with government-only enclaves will be able to host data at impact levels 3 and above. Data at impact level 6, which includes classified information, can only be hosted in an environment physically separated from anything other than other DOD entities hosting impact level 6 information.

The DOD spokeswoman declined to discuss the draft with Nextgov.

(Image via Gil C/Shutterstock.com)
