Cloud Computing

DISA piloting DOD cloud security model

face with clouds

The Defense Information Systems Agency is piloting the cloud security model it developed for the Defense Department in an effort to better formalize processes for future commercial cloud service acquisitions.

To test the new model, DISA will leverage a series of pilot programs between mission partners -- various DOD agencies -- and cloud service providers as both take initial steps to harnessing commercial cloud computing services within DOD.

According to a DISA spokesperson, "If a mission partner wishes to execute a cloud service pilot with controlled unclassified information" - the information at DOD Impact Levels 3, 4 and 5 - "it coordinates its implementation plans with DISA, the cloud broker."

Once a mission partner procures the pilot cloud service, the agency and DISA will meet regularly to assess the pilot and its effectiveness.

The requirements for DOD Impact Levels 3-5 are in draft format and may still evolve as DOD continues its cautious path to the cloud, but mission partners’ cloud service pilots at those levels will also provide DISA valuable information for the Cloud Security Model pilot, according to the spokesperson.

“Mission partners run their own impact levels 3-5 cloud service pilots, and the implementation of those pilots validates that the requirements documented in the Cloud Security Model are clear and comprehensive,” the DISA official said. “The assessments from several pilots will result in a comprehensive Cloud Security Model and associated processes. The idea of the pilot effort is not to limit competition, but to formalize the processes to be used for future cloud service acquisitions.”

Any DOD organization can sponsor a pilot effort coordinated with DISA, and there is “no fixed duration” for the pilot period, according to the DISA spokesperson. The Cloud Broker Program Management Office, with support from the DISA Mission Assurance Executive team, has oversight responsibilities on the pilot.

Pilot planning began in mid-December 2013 and additional pilots can be added as DOD organizations seek commercial cloud solutions. That process includes identification of pilot objectives, coordination of the acquisition package, cybersecurity assessment of the implementation and situational awareness and monitoring of pilot execution.

“Typical acquisition planning entails the pilot sponsor identifying what the success factors and checkpoints are, how they will verify user satisfaction, what their exit strategy is if things don’t work out and what their way ahead is if the services work well,” the DISA spokesperson said.

For the pilots, CSPs “must meet the Cloud Security Model requirements prior to actually storing CUI data and the evaluation criteria should address their ability to meet those requirements,” meaning data does not go to the cloud until a CSP is up to snuff.

Thus far, only Autonomic Resources has achieved provisional authorization under additional security controls currently required by the DOD at Impact Levels 1 and 2. Not coincidentally, Autonomic Resources will be among the early CSPs participating in these pilots, which will help pave the way for how DOD handles commercial cloud acquisitions in the future.

“We’re in a position to help provide feedback into an emerging process,” said Autonomic Resources CEO John Keese.

DISA will evaluate the results of the pilot later in 2014 and anticipates its results leading to an “approved Cloud Security Model document and associated processes that will assist mission partners to more securely acquire cloud services.”

Reader comments

Thu, Jan 23, 2014 Gov't Employee United States of America

DISA's efforts to compete with commercial cloud giants like Google and Microsoft and Amazon vice consuming their commoditized offerings tailored to government standards and requirements to achieve cost savings begs the question - What's the Cloud First Policy?

Thu, Jan 23, 2014 USA

Concur - UC. Furthermore, the only solution that meets DISA's new Cloud Security Model requirements is their own solution set called - DoD EE which is a private MS Exchange 7 instance (Old Technology and not commercial cloud at all). Failure to work with the giants like Microsoft (O-365) and Google (GAFG) to consume their commodity offerings "as is" when the enterprise partners have invested millions of dollars to ensure they exceed the Government's use requirements- see Casey Coleman's efforts at GSA... Fantastic forward leaning Government CIO taking smart risks to achieve cost savings. On the other hand, DISA reaching the "commercial cloud" is a stretch of imagination because it competes with their own internal business model and I fear that it will never happen in my lifetime. #waste of tax dollars

Wed, Jan 22, 2014

DISA comes up with noble ideas but they are back logged big time. For instance, look at Unified Capabilities.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above