DoD trying to remove the haze around its use of commercial clouds

The Department of Defense recently released the results of a 45-day study, detailing three new approaches to help military services and agencies ensure the secu...

The Defense Department is taking a second bite at the cloud security apple. The Pentagon, without a doubt, understands how to protect government-only clouds, but with the growing acceptance and use of commercial clouds, achieving the proper balance of security, cost and accessibility has proved to be more challenging than expected.

To that end, DoD recently released the results of a 45-day study, called The DoD Cloud Way Forward, detailing three new approaches to help military services and agencies ensure the security of the commercial clouds they use.

“A key aspect of the report is clear guidance to both cloud service providers and DoD Cloud Customers describing the cradle-to-grave process they must follow in order to move DoD computing into commercial cloud infrastructure,” wrote DoD acting Chief Information Officer Terry Halvorsen, in the memo attached to the report. “Finally, this study identifies key additional work items which the Department must complete to implement report recommendations and remove current barriers to the usage of commercial cloud. These items include additional technical refinement of security requirements, an update to the department’s policies that currently hinder the use of commercial cloud, and continued focus on the resolution of legal issues that constrain the use of commercial cloud.”

The report is essentially a precursor to the upcoming and long-awaited commercial cloud policy update from DoD.

Government Executive first reported the release of the study.

A former federal CIO, who requested anonymity because they still do business with DoD, said the study outlines a lot of good things and a lot of challenges, but the reality of the ability of a commercial cloud environment to protect information appropriately hasn’t been demonstrated yet.

“The department is running toward savings potentially at the expense of information security,” the source said. “Either the Federal Information Security Management Act standards need to be lowered or enforced, but the government can’t embrace the cloud until that is faced. Commercial cloud has yet to be proven as a cost savings to the government. It provides agility and flexibility, but when security is baked in the costs are not well known and especially since the security aspects are not sorted out.”

Still, the report gives a lot of insight into where DoD is heading over the next few years. Halvorsen said in September the new approach will be less centralized around the Defense Information Systems Agency and more by individual service.

At the same time, DoD is trying to clarify how commercial cloud vendors can meet the military’s security requirements for cloud without driving the cost through the roof.

The study lays out a new cloud security model that differentiates between national security and non-national security systems, while also introducing the concept of mission-critical systems.

The cloud security model still breaks down the impact levels into six categories, but DoD now will reduce the requirements under Levels 1-2. The goal in doing that is to align the military much more closely with the rest of the government, including the security controls under the Federal Risk and Authorization Management Program (FedRAMP).

DoD modified Levels 3-4 to separate the requirements for non-national security systems. The Pentagon proposes two impact levels for non-NSS systems that contain controlled unclassified information (CUI), which better recognize the risks of losing the data or having it exposed.

For impact levels 5-6, DoD said the requirements under current version 2.1 are too strict and “exceeds the requirements of the vast majority of fielded DoD systems.” Therefore, the department is changing the baseline to better align with mission needs, and “significantly lowers the number of security requirements cloud service providers (CSPs) would have to meet. DoD cloud customers will still have the option to negotiate additional security controls directly with CSPs if required.”

Finally, DoD introduced the concept of mission impact, under which military services and agencies must also consider what would happen to the warfighter if a system went down or if bad actors stole data. DoD wants the services to consider mission impact as part of their designation within Levels 1-6.

“DoD cloud customers are expected to use the impact level that best guards against the highest impact concern for their mission, data, and application,” the paper stated. “DoD cloud customers should use these levels as the basis for their requirements, and tailor them as necessary for the data and importance of their mission. For example, if a mission has high confidentiality and/or high integrity impact, additional controls will have to be added over the CSM impact levels. The work performed during this effort lays the groundwork for collapsing some of the levels.”

In the end, the changes have one overarching goal: “to accelerate deployments of missions at all impact levels to cloud services in the near term.”

The source said lowering the security bar for Levels 1-4 for non-national security systems makes sense, but until FedRAMP does more than use a FISMA checklist to ensure compliance and requires penetration testing, the compliance mentality is still a problem.

“The good news is the honoring of reciprocity between agency ATOs and that is a first,” the source said.

Another major change is for vendors serving DoD. The study recommended creating an Enterprise Cloud Service Broker (ECSB) cloud service catalog that would be available for all of DoD to use. It also establishes a new process for CSPs. While the authority to operate (ATO) resides solely with the mission owner, DoD will assess vendors — first to make sure they meet FedRAMP requirements and then second, if necessary, to ensure they meet any additional DoD requirements.

From the study, DoD detailed 20 new policy and regulatory changes needed to meet their commercial cloud goals. The expected actions include:

  • Update the DoD CIO core data center memorandum to recognize approved cloud services as an appropriate destination in addition to core data centers.
  • The DoD CIO will issue a policy allowing low-impact PII (i.e., business card information) to be maintained in Level 2 cloud services (currently, even low-impact personally identifiable information is classified as CUI and would require Level 3 cloud services).
  • A draft DoD CIO memo will reflect the change to Level 3 data and the new hosting options.
  • The DoD CIO will develop a policy recommending that systems perform a risk assessment on their development and test systems to see if approved cloud services would be appropriate to support their dev/test activities. Dev/test environments are typically 5-15 times larger than production environments, so migrating these to a CSP may result in significant savings.
  • The DoD CIO will develop additional guidance on the acquisition of commercial cloud services for DoD contracting officers and acquisition professionals.
  • The DoD CIO and the Defense Information Systems Agency will develop an acquisition plan for military services and agencies to obtain cloud services from a CSP that is not in the Enterprise Cloud Service Broker cloud service catalog.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.

Copyright © 2024 Federal News Network. All rights reserved.