Defense

DISA to issue multiple Level 5 cloud authorizations

Shutterstock image (by bestfoto77): cloud network security lock.

In the next 18 months, the Defense Information Systems Agency will issue four to five provisional authorizations for commercial cloud providers to handle sensitive Level 5 government data, according to a DISA official.

The move was announced Nov. 17 by John Hale, DISA's chief of enterprise applications, and it is the latest in a series of steps the Defense Department is taking to balance the potential cost-saving benefits of commercial cloud services with concerns about securing DOD data.

Level 5 includes high-sensitivity data on national security systems and runs through cloud access points to the unclassified NIPRNet. It is one level shy of the highest designation, which is for classified data.

Amazon Web Services already has provisional authorization to handle Level 5 data, which vendors must have in order to bid on contracts.

Hale said the Pentagon is taking an all-of-the-above approach to cloud by pursuing hybrid, public and private offerings. "There's no one size that fits all from the department's perspective," he said at an FCW-sponsored event in Washington.

The Pentagon's self-described cloud evangelizer went so far as to say he foresees a day when nuclear command and control information could be stored in a commercial cloud.

"There's a certain portion of the workload which we don't feel comfortable with in the commercial environment today, but I do wholeheartedly believe the commercial environment will get there very quickly," he said.

The Pentagon currently has added security controls -- detailed in a security requirements guide -- for cloud offerings that go beyond the Federal Risk and Authorization Management Program for civilian agencies. But that could change as the FedRAMP process matures.

DOD is conducting pilot projects to determine whether the FedRAMP high-baseline security controls are enough to protect Levels 4 and 5 data, said Robert Vietmeyer, a cloud specialist in the DOD CIO's office. The second version of the guide is due out soon. The third version will include a verdict on the FedRAMP high baseline's ability to meet DOD security needs, he added.

"We would really love to have alignment as we move forward, but we do recognize that the Defense Department is under advanced persistent threats from a cybersecurity perspective that some of the other federal agencies aren't," he said at the FCW event. "So we don't want to force all of the federal government into accepting all the controls that are required" by DOD.

Hale expressed confidence that FedRAMP will reach a point where an additional DOD security process is no longer needed.

Vendors said they would welcome more clarity on the DOD cloud-approval process.

"It's still not defined well enough for most vendors...to be able to provide the government what they want," Dan Kent, CTO for the U.S. public sector at Cisco, told FCW.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.