Cloud Computing

DISA piloting DOD cloud security model

face with clouds

The Defense Information Systems Agency is piloting the cloud security model it developed for the Defense Department in an effort to better formalize processes for future commercial cloud service acquisitions.

To test the new model, DISA will leverage a series of pilot programs between mission partners -- various DOD agencies -- and cloud service providers as both take initial steps to harnessing commercial cloud computing services within DOD.

According to a DISA spokesperson, "If a mission partner wishes to execute a cloud service pilot with controlled unclassified information" - the information at DOD Impact Levels 3, 4 and 5 - "it coordinates its implementation plans with DISA, the cloud broker."

Once a mission partner procures the pilot cloud service, the agency and DISA will meet regularly to assess the pilot and its effectiveness.

The requirements for DOD Impact Levels 3-5 are in draft format and may still evolve as DOD continues its cautious path to the cloud, but mission partners’ cloud service pilots at those levels will also provide DISA valuable information for the Cloud Security Model pilot, according to the spokesperson.

“Mission partners run their own impact levels 3-5 cloud service pilots, and the implementation of those pilots validates that the requirements documented in the Cloud Security Model are clear and comprehensive,” the DISA official said. “The assessments from several pilots will result in a comprehensive Cloud Security Model and associated processes. The idea of the pilot effort is not to limit competition, but to formalize the processes to be used for future cloud service acquisitions.”

Any DOD organization can sponsor a pilot effort coordinated with DISA, and there is “no fixed duration” for the pilot period, according to the DISA spokesperson. The Cloud Broker Program Management Office, with support from the DISA Mission Assurance Executive team, has oversight responsibilities on the pilot.

Pilot planning began in mid-December 2013 and additional pilots can be added as DOD organizations seek commercial cloud solutions. That process includes identification of pilot objectives, coordination of the acquisition package, cybersecurity assessment of the implementation and situational awareness and monitoring of pilot execution.

“Typical acquisition planning entails the pilot sponsor identifying what the success factors and checkpoints are, how they will verify user satisfaction, what their exit strategy is if things don’t work out and what their way ahead is if the services work well,” the DISA spokesperson said.

For the pilots, CSPs “must meet the Cloud Security Model requirements prior to actually storing CUI data and the evaluation criteria should address their ability to meet those requirements,” meaning data does not go to the cloud until a CSP is up to snuff.

Thus far, only Autonomic Resources has achieved provisional authorization under additional security controls currently required by the DOD at Impact Levels 1 and 2. Not coincidentally, Autonomic Resources will be among the early CSPs participating in these pilots, which will help pave the way for how DOD handles commercial cloud acquisitions in the future.

“We’re in a position to help provide feedback into an emerging process,” said Autonomic Resources CEO John Keese.

DISA will evaluate the results of the pilot later in 2014 and anticipates its results leading to an “approved Cloud Security Model document and associated processes that will assist mission partners to more securely acquire cloud services.”

About the Author

Frank Konkel is a former staff writer for FCW.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Thu, Jan 23, 2014 Gov't Employee United States of America

DISA's efforts to compete with commercial cloud giants like Google and Microsoft and Amazon vice consuming their commoditized offerings tailored to government standards and requirements to achieve cost savings begs the question - What's the Cloud First Policy?

Thu, Jan 23, 2014 USA

Concur - UC. Furthermore, the only solution that meets DISA's new Cloud Security Model requirements is their own solution set called - DoD EE which is a private MS Exchange 7 instance (Old Technology and not commercial cloud at all). Failure to work with the giants like Microsoft (O-365) and Google (GAFG) to consume their commodity offerings "as is" when the enterprise partners have invested millions of dollars to ensure they exceed the Government's use requirements- see Casey Coleman's efforts at GSA... Fantastic forward leaning Government CIO taking smart risks to achieve cost savings. On the other hand, DISA reaching the "commercial cloud" is a stretch of imagination because it competes with their own internal business model and I fear that it will never happen in my lifetime. #waste of tax dollars

Wed, Jan 22, 2014

DISA comes up with noble ideas but they are back logged big time. For instance, look at Unified Capabilities.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above