DoD to test cloud security requirements above, beyond FedRAMP

Thursday - 6/19/2014, 4:01am EDT

Listen to Jason Miller's interview with Kevin Dulany and Maria Roat.


The Defense Department is testing what cybersecurity in the cloud would look like for certain mission-critical systems.

DoD's pilots come as the agencies leading the Federal Risk and Authorization Management Program (FedRAMP) are just beginning to explore what the future state of cloud security would look like in two or three years.

Kevin Dulany, DoD's chief of the risk management oversight division in the chief information officer's office, said the Defense Information Systems Agency is working with the services to identify a mission-critical application in the cloud to ensure the additional cyber requirements for Level-3 security are appropriate and achievable.

"We are looking at the business case of the additional parameters for controlled unclassified information, because we are very conscientious about where our data resides and how it's protected," Dulany said Wednesday after a panel discussion on cloud security at the AFCEA Bethesda, Maryland, Chapter's Cloud Technology Symposium in Washington. "We are looking at internally doing pilots based on the categorization, based upon the data types, to see what's the security requirements for those data types, but also is it applicable, is it the right environment to take out to the commercial [cloud], so that's why we are doing pilots under the auspices of the risk executive function."

The risk executive function is an internal group of executives who determine how much risk DoD can accept for enterprisewide services, such as cloud.

Dulany said the enterprise cloud broker at DISA is running the pilots and will submit the results to the risk executive function for approval.

"We are really trying to establish the process, the foundation, as well as the requirements. Do we have the right requirements based upon the mission, and is it applicable to go into those environments?" he said.

Dozens more controls

Dulany said the pilot has started, but he wasn't exactly sure how long it would last. He said the goal is to do incremental implementation and monitoring to ensure the security controls are correct.

James Pyon, vice president at CGI Federal, said during the panel discussion that Levels 3 and 4 include more than 20 additional security controls. He said Level 5 includes more than 50 additional controls.

On the civilian side, there isn't a lot of support for FedRAMP standards that go beyond the low or moderate level.

Maria Roat, the FedRAMP director, said agencies and vendors have asked over the last year whether the Joint Authorization Board, which is made up of DoD, the Homeland Security Department and the General Services Administration, would develop a new baseline for systems that are rated high or Level 5 or 6 in the military.

Roat said agencies have a hard time identifying systems that need to have that level of security. She said the Government Accountability Office found agencies rated 88 percent of their systems as needing low or moderate security, while only 12 percent needed a high level of information assurance. Roat said most of those high systems were from DoD and DHS.

"There's more interest in that high baseline, in particular. I've had discussions with [DHS] National Protection and Programs Directorate, really looking at what are those systems around critical infrastructure that have high requirements, as opposed to other agencies that might have high availability only for that requirement, and with what NIST is doing around the cloud framework, looking at what's that high baseline for the cloud," she said. "So there is a lot of discussion going on around the cloud. I don't have that good number yet of what it should be."

Ongoing adjustment to requirements

FedRAMP recently updated its current set of low-moderate standards based on revisions by the National Institute of Standards and Technology to its special publication 800-53.

Roat said the FedRAMP office is paying attention to what DoD is doing with its pilots, but the military's requirements are somewhat different from what civilian agencies need.

"A lot of agencies really have a requirement for high availability. That high, high, high across the board for the baseline, they are really not clamoring for that, if you will," she said. "Even when you look at the agencies at the low and moderate levels for the authorizations that have been issued, agencies are not even adding controls to that right now."

Roat said DoD is the only exception to that rule, but almost uniformly civilian agencies are accepting the risk posture of the cloud service providers.

Agencies are still adjusting to the initial low and moderate standards. They faced a June 5 deadline to buy or use only cloud services that meet FedRAMP standards.