Halvorsen formalizes new DOD cloud procurement policy
- By Sean Lyngaas
- Dec 17, 2014
Acting Defense Department CIO Terry Halvorsen's memo reverses the cloud policy put in place by his predecessor, Teri Takai.
Acting Defense Department CIO Terry Halvorsen has issued a memo outlining the Pentagon’s new cloud procurement policy, formally allowing the military services and other DOD agencies to procure commercial cloud services rather than leaving that authority to the Defense Information Systems Agency.
The Dec. 15 memo codifies a long-expected policy change and marks a significant break from the approach taken by Halvorsen’s predecessor, Teri Takai.
The new policy is meant to hasten DOD’s move to the commercial cloud while also retaining control of important security requirements for sensitive information. "I think some just criticism of the department has been we have not moved out into the cloud fast enough," Halvorsen said in September.
Halvorsen's Dec. 15 memo cancels a June 2012 memo issued by Takai that designated DISA as DOD's enterprise cloud broker. It also requires each DOD agency to assess its use of cloud services through a business case analysis template that must be approved by the agency CIO. The template gives DOD agencies a common means of justifying their procurements based on cost, security and interoperability.
The new policy requires commercial cloud services working with sensitive unclassified DOD data to go through a "cloud access point" approved by the DOD CIO. A CAP is like a firewall meant to insulate other parts of DOD from a security issue affecting a particular cloud service provider. The memo points to the current Navy CAP as one that has been approved.
The new memo also elaborates briefly on a draft of a security requirements guide that DISA recently issued. The draft security guide, which goes a step beyond Federal Risk Authorization and Management Program requirements in covering more sensitive data for commercial and DOD cloud providers, is meant to be an "evolving" and "collaborative document between the government and private sector that recognizes the rapid technology and business changes in the cloud services environment," the memo states.
In January, Deputy CIO for Cybersecurity Richard Hale will host a meeting to get feedback on the draft from "our government, private and public partners in the cloud environment," it adds.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.