DISA's commercial cloud strategy remains a work in progress

Wednesday - 1/22/2014, 4:30am EST

Jared Serbu reports.

Two months after the Defense Department told vendors it needed to rethink its approach to buying cloud computing services from commercial providers, DoD says it's still assessing the proper place for commercial cloud in the military and the right acquisition strategy to procure those services.

In early November, the Defense Information Systems Agency, which DoD has tasked as its single broker for cloud services, announced it was pulling back from an acquisition strategy for cloud services for unclassified data that could have been worth up to $450 million. In a short statement to vendors, DISA said it had overestimated the demand within DoD for commercial cloud products.

But Tony Montemarano, the agency's director of strategic planning, said DISA certainly is not giving up on commercial offerings.

"The cancellation of the contract initiative was a realization that our requirement wasn't quite clear. We didn't have the requirement we thought we did as far as volume," he told an AFCEA luncheon in Arlington, Va., Tuesday. "But our commercial cloud strategy is not changing. We're adjusting to make sure we're going after the contract vehicles we need to go after."

DISA officials say both they and the wider Defense Department think there are many areas in which commercial cloud would be a better, more cost-effective substitute for some of the computing services that the military services and Defense agencies currently run on their own. But they say several big questions and potential hang-ups need to be resolved first.

A similar approach to the CIA?

Dave Mihelcic, DISA's chief technology officer, said the agency believes it can't take a one-size-fits-all approach to the cloud acquisition. It will need to tailor contracts to suit all six levels of security requirements the agency outlined in its recent cloud security model, which covers everything from publicly-releasable information to classified data.

"Across that span, we're going to see different solutions appropriate for different levels of data," he said. "And the acquisition strategies may be different based on the kind of service we're trying to acquire, whether it's software as a service, platform as a service. Whether we use pure commercial public cloud or a DoD cloud is going to vary."

DISA officials say they're also seriously considering following the approach the CIA took when it hired a cloud provider — in that case, Amazon — to build a cloud environment based on its technology, but walled off from the public Internet and secured within the agency's own IT environment.

But Montemarano said there's currently a crimp in the supply line of companies who meet DISA's security needs.

DoD has committed to using products that have been certified under the Federal Risk and Authorization Management Program (FedRAMP), the governmentwide construct designed to certify the security of a cloud system once so that it can then be used throughout government.

"But the question I've got is, how many solutions out there are FedRAMP compliant? The answer is, not very many," he said. "We ourselves are going to take our own DoD-developed cloud and put it through FedRAMP. We're going to stand up and embrace it, but we need some cooperation from industry to comply with the regulations of the federal government."

Currently, the Joint Authorization Board, which includes DoD, the Homeland Security Department and the General Services Administration, has approved eight infrastructure-as-a-service providers, one software-as-a-service provider and a platform-as-a-service provider under FedRAMP. The board also granted a FedRAMP authorization to the Agriculture Department's private cloud for infrastructure-as-a-service.

Framework needed

Montemarano also said DoD is concerned about the impact on day-to-day network operations of taking data and computing capacity that's currently housed within the military and placing it in outside servers that the department's cyber workforce might not have complete visibility into.

"The fact of the matter is there is a demand signal from U.S. Cyber Command. They want to understand exactly what's happening, when there's an anomaly, exactly what the fix is," he said. "That three or four star general in the field is not interested in hearing, 'We're working on it, I'll let you know when we're done.' We have a command and control requirement that's there, and it's hard because that's not the way commercial products are set up normally. But that demand signal has not gone away."

And once DoD gets to the point where it's making large-scale use of commercial cloud capabilities, officials say they'll need to have a framework of criteria in place for deciding which systems belong in the commercial space and prioritizing which ones to migrate first.