Defense

DISA to issue multiple Level 5 cloud authorizations

Shutterstock image (by bestfoto77): cloud network security lock.

In the next 18 months, the Defense Information Systems Agency will issue four to five provisional authorizations for commercial cloud providers to handle sensitive Level 5 government data, according to a DISA official.

The move was announced Nov. 17 by John Hale, DISA's chief of enterprise applications, and it is the latest in a series of steps the Defense Department is taking to balance the potential cost-saving benefits of commercial cloud services with concerns about securing DOD data.

Level 5 includes high-sensitivity data on national security systems and runs through cloud access points to the unclassified NIPRNet. It is one level shy of the highest designation, which is for classified data.

Amazon Web Services already has provisional authorization to handle Level 5 data, which vendors must have in order to bid on contracts.

Hale said the Pentagon is taking an all-of-the-above approach to cloud by pursuing hybrid, public and private offerings. "There's no one size that fits all from the department's perspective," he said at an FCW-sponsored event in Washington.

The Pentagon's self-described cloud evangelizer went so far as to say he foresees a day when nuclear command and control information could be stored in a commercial cloud.

"There's a certain portion of the workload which we don't feel comfortable with in the commercial environment today, but I do wholeheartedly believe the commercial environment will get there very quickly," he said.

The Pentagon currently has added security controls -- detailed in a security requirements guide -- for cloud offerings that go beyond the Federal Risk and Authorization Management Program for civilian agencies. But that could change as the FedRAMP process matures.

DOD is conducting pilot projects to determine whether the FedRAMP high-baseline security controls are enough to protect Levels 4 and 5 data, said Robert Vietmeyer, a cloud specialist in the DOD CIO's office. The second version of the guide is due out soon. The third version will include a verdict on the FedRAMP high baseline's ability to meet DOD security needs, he added.

"We would really love to have alignment as we move forward, but we do recognize that the Defense Department is under advanced persistent threats from a cybersecurity perspective that some of the other federal agencies aren't," he said at the FCW event. "So we don't want to force all of the federal government into accepting all the controls that are required" by DOD.

Hale expressed confidence that FedRAMP will reach a point where an additional DOD security process is no longer needed.

Vendors said they would welcome more clarity on the DOD cloud-approval process.

"It's still not defined well enough for most vendors...to be able to provide the government what they want," Dan Kent, CTO for the U.S. public sector at Cisco, told FCW.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.