DISA piloting DOD cloud security model
DOD agencies are testing framework with controlled unclassified information.
The Defense Information Systems Agency is piloting the cloud security model it developed for the Defense Department in an effort to better formalize processes for future commercial cloud service acquisitions.
To test the new model, DISA will leverage a series of pilot programs between mission partners -- various DOD agencies -- and cloud service providers as both take initial steps to harnessing commercial cloud computing services within DOD.
According to a DISA spokesperson, "If a mission partner wishes to execute a cloud service pilot with controlled unclassified information" - the information at DOD Impact Levels 3, 4 and 5 - "it coordinates its implementation plans with DISA, the cloud broker."
Once a mission partner procures the pilot cloud service, the agency and DISA will meet regularly to assess the pilot and its effectiveness.
The requirements for DOD Impact Levels 3-5 are in draft format and may still evolve as DOD continues its cautious path to the cloud, but mission partners’ cloud service pilots at those levels will also provide DISA valuable information for the Cloud Security Model pilot, according to the spokesperson.
“Mission partners run their own impact levels 3-5 cloud service pilots, and the implementation of those pilots validates that the requirements documented in the Cloud Security Model are clear and comprehensive,” the DISA official said. “The assessments from several pilots will result in a comprehensive Cloud Security Model and associated processes. The idea of the pilot effort is not to limit competition, but to formalize the processes to be used for future cloud service acquisitions.”
Any DOD organization can sponsor a pilot effort coordinated with DISA, and there is “no fixed duration” for the pilot period, according to the DISA spokesperson. The Cloud Broker Program Management Office, with support from the DISA Mission Assurance Executive team, has oversight responsibilities on the pilot.
Pilot planning began in mid-December 2013 and additional pilots can be added as DOD organizations seek commercial cloud solutions. That process includes identification of pilot objectives, coordination of the acquisition package, cybersecurity assessment of the implementation and situational awareness and monitoring of pilot execution.
“Typical acquisition planning entails the pilot sponsor identifying what the success factors and checkpoints are, how they will verify user satisfaction, what their exit strategy is if things don’t work out and what their way ahead is if the services work well,” the DISA spokesperson said.
For the pilots, CSPs “must meet the Cloud Security Model requirements prior to actually storing CUI data and the evaluation criteria should address their ability to meet those requirements,” meaning data does not go to the cloud until a CSP is up to snuff.
Thus far, only Autonomic Resources has achieved provisional authorization under additional security controls currently required by the DOD at Impact Levels 1 and 2. Not coincidentally, Autonomic Resources will be among the early CSPs participating in these pilots, which will help pave the way for how DOD handles commercial cloud acquisitions in the future.
“We’re in a position to help provide feedback into an emerging process,” said Autonomic Resources CEO John Keese.
DISA will evaluate the results of the pilot later in 2014 and anticipates its results leading to an “approved Cloud Security Model document and associated processes that will assist mission partners to more securely acquire cloud services.”