DoD revisiting security guidelines for commercial cloud

Thursday - 8/21/2014, 5:19am EDT

Jared Serbu reports.


The Defense Information Systems Agency is undertaking a top-to-bottom review of the cybersecurity rules that guide its decisions about whether individual commercial cloud computing systems are safe enough for Defense data. DISA officials have concluded that the current process perhaps is too stringent and definitely is too slow.

The "scrub," as DISA officials are calling it, is a reexamination of a set of cloud security review criteria the agency first put in place last December as part of its role as the Defense Department's exclusive broker for buying commercial cloud solutions.

The review system, as it stands today, uses the controls within the Federal Risk and Authorization Management Program (FedRAMP) — the governmentwide cloud security standards — as a baseline, but then layers on a host of DoD-specific constraints, such as mandates that all information be housed in data centers that are physically located within U.S. territorial boundaries.

The idea that vendors should first comply with FedRAMP standards and then go a bit further if they want to sell cloud services to DoD has proved to be a bit more cumbersome than officials originally had hoped.

"It takes too long. I'll just say that," said Mark Orndorff, DISA's program executive officer for mission assurance. "In the scrub of the process, our objective is going to be that we leverage FedRAMP much more, and that if we have any additional requirements, we push to get them incorporated into FedRAMP. We've been successful at doing that to some extent, but if we do have some other additions, we need to let the cloud providers know that up front, so that they can assess those as part of the FedRAMP process, so that the timeline for industry is the FedRAMP timeline, and nothing else."

A little more risk is acceptable

The "above FedRAMP" process DISA has been using during the last several months has certified just five commercial vendors as safe enough to process and host DoD data.

But four of those are limited to handling only the very lowest levels of classification — information that's already been deemed releasable to the general public. Several other companies still are waiting in line for DISA's go-ahead.

"We think we've made the process too hard, and we may have set the criteria too high," Orndorff told reporters Wednesday during DISA's annual forecast to industry at its Fort Meade, Maryland, headquarters. "Going into some major change like this, I think it's human nature to be on the conservative side until you get your feet wet, but now we're asking where we can drive in some additional efficiencies and where we can accept a little bit more risk as we go forward with the cloud security model."

Orndorff said DISA's criteria for cloud security at what DoD defines as impact levels 1 and 2, which involve data that's already publicly releasable or that wouldn't create many problems if it were to be compromised, have already been almost entirely incorporated into the latest version of FedRAMP's own security controls.

He said DISA and its DoD customers intend to start migrating that type of data from government data centers to commercially hosted ones.

But DoD still has questions about the implications of moving some of the department's more sensitive but unclassified information, such as data that includes personally identifiable information, into commercial environments.

In an attempt to answer those questions, DoD just launched five pilot programs, including one based at DISA.

The pilots attempt to answer how and whether the department should migrate data at impact levels 3, 4 and 5 to commercial clouds, including whether such a move is likely to be cheaper than keeping it within a government owned-and-operated environment.

"We also have some questions we need to clarify in terms of how we get situational awareness on what's happening in the commercial cloud so that we don't create a blind spot. We want to make sure we've thought through what we'll be able to see from a cyber defense perspective," Orndorff said. "We have command and control questions. We need to make sure we have the relationships right in case something bad happens, and during these pilots, we're going to pretend that something bad happens and walk through how we'd deal with that. We also have some good old-fashioned performance objectives and business processes that we need to evaluate."

Despite years-long demands from Congress that DoD consider commercial cloud options before building its own solutions, the department still is in the opening stages of a cautious approach to migrating data and applications to outside technology providers.