Defense

DISA to issue multiple Level 5 cloud authorizations

Shutterstock image (by bestfoto77): cloud network security lock.

In the next 18 months, the Defense Information Systems Agency will issue four to five provisional authorizations for commercial cloud providers to handle sensitive Level 5 government data, according to a DISA official.

The move was announced Nov. 17 by John Hale, DISA's chief of enterprise applications, and it is the latest in a series of steps the Defense Department is taking to balance the potential cost-saving benefits of commercial cloud services with concerns about securing DOD data.

Level 5 includes high-sensitivity data on national security systems and runs through cloud access points to the unclassified NIPRNet. It is one level shy of the highest designation, which is for classified data.

Amazon Web Services already has provisional authorization to handle Level 5 data, which vendors must have in order to bid on contracts.

Hale said the Pentagon is taking an all-of-the-above approach to cloud by pursuing hybrid, public and private offerings. "There's no one size that fits all from the department's perspective," he said at an FCW-sponsored event in Washington.

The Pentagon's self-described cloud evangelizer went so far as to say he foresees a day when nuclear command and control information could be stored in a commercial cloud.

"There's a certain portion of the workload which we don't feel comfortable with in the commercial environment today, but I do wholeheartedly believe the commercial environment will get there very quickly," he said.

The Pentagon currently has added security controls -- detailed in a security requirements guide -- for cloud offerings that go beyond the Federal Risk and Authorization Management Program for civilian agencies. But that could change as the FedRAMP process matures.

DOD is conducting pilot projects to determine whether the FedRAMP high-baseline security controls are enough to protect Levels 4 and 5 data, said Robert Vietmeyer, a cloud specialist in the DOD CIO's office. The second version of the guide is due out soon. The third version will include a verdict on the FedRAMP high baseline's ability to meet DOD security needs, he added.

"We would really love to have alignment as we move forward, but we do recognize that the Defense Department is under advanced persistent threats from a cybersecurity perspective that some of the other federal agencies aren't," he said at the FCW event. "So we don't want to force all of the federal government into accepting all the controls that are required" by DOD.

Hale expressed confidence that FedRAMP will reach a point where an additional DOD security process is no longer needed.

Vendors said they would welcome more clarity on the DOD cloud-approval process.

"It's still not defined well enough for most vendors...to be able to provide the government what they want," Dan Kent, CTO for the U.S. public sector at Cisco, told FCW.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected