DISA to issue multiple Level 5 cloud authorizations
In the next 18 months, the Defense Information Systems Agency will issue four to five provisional authorizations for commercial cloud providers to handle sensitive Level 5 government data, according to a DISA official.
The move was announced Nov. 17 by John Hale, DISA's chief of enterprise applications, and it is the latest in a series of steps the Defense Department is taking to balance the potential cost-saving benefits of commercial cloud services with concerns about securing DOD data.
Level 5 includes high-sensitivity data on national security systems and runs through cloud access points to the unclassified NIPRNet. It is one level shy of the highest designation, which is for classified data.
Amazon Web Services already has provisional authorization to handle Level 5 data, which vendors must have in order to bid on contracts.
Hale said the Pentagon is taking an all-of-the-above approach to cloud by pursuing hybrid, public and private offerings. "There's no one size that fits all from the department's perspective," he said at an FCW-sponsored event in Washington.
The Pentagon's self-described cloud evangelizer went so far as to say he foresees a day when nuclear command and control information could be stored in a commercial cloud.
"There's a certain portion of the workload which we don't feel comfortable with in the commercial environment today, but I do wholeheartedly believe the commercial environment will get there very quickly," he said.
The Pentagon currently has added security controls -- detailed in a security requirements guide -- for cloud offerings that go beyond the Federal Risk and Authorization Management Program for civilian agencies. But that could change as the FedRAMP process matures.
DOD is conducting pilot projects to determine whether the FedRAMP high-baseline security controls are enough to protect Levels 4 and 5 data, said Robert Vietmeyer, a cloud specialist in the DOD CIO's office. The second version of the guide is due out soon. The third version will include a verdict on the FedRAMP high baseline's ability to meet DOD security needs, he added.
"We would really love to have alignment as we move forward, but we do recognize that the Defense Department is under advanced persistent threats from a cybersecurity perspective that some of the other federal agencies aren't," he said at the FCW event. "So we don't want to force all of the federal government into accepting all the controls that are required" by DOD.
Hale expressed confidence that FedRAMP will reach a point where an additional DOD security process is no longer needed.
Vendors said they would welcome more clarity on the DOD cloud-approval process.
"It's still not defined well enough for most vendors...to be able to provide the government what they want," Dan Kent, CTO for the U.S. public sector at Cisco, told FCW.