DISA to issue multiple Level 5 cloud authorizations
- By Sean Lyngaas
- Nov 17, 2015
In the next 18 months, the Defense Information Systems Agency will issue four to five provisional authorizations for commercial cloud providers to handle sensitive Level 5 government data, according to a DISA official.
The move was announced Nov. 17 by John Hale, DISA's chief of enterprise applications, and it is the latest in a series of steps the Defense Department is taking to balance the potential cost-saving benefits of commercial cloud services with concerns about securing DOD data.
Level 5 includes high-sensitivity data on national security systems and runs through cloud access points to the unclassified NIPRNet. It is one level shy of the highest designation, which is for classified data.
Amazon Web Services already has provisional authorization to handle Level 5 data, which vendors must have in order to bid on contracts.
Hale said the Pentagon is taking an all-of-the-above approach to cloud by pursuing hybrid, public and private offerings. "There's no one size that fits all from the department's perspective," he said at an FCW-sponsored event in Washington.
The Pentagon's self-described cloud evangelizer went so far as to say he foresees a day when nuclear command and control information could be stored in a commercial cloud.
"There's a certain portion of the workload which we don't feel comfortable with in the commercial environment today, but I do wholeheartedly believe the commercial environment will get there very quickly," he said.
The Pentagon currently has added security controls -- detailed in a security requirements guide -- for cloud offerings that go beyond the Federal Risk and Authorization Management Program for civilian agencies. But that could change as the FedRAMP process matures.
DOD is conducting pilot projects to determine whether the FedRAMP high-baseline security controls are enough to protect Levels 4 and 5 data, said Robert Vietmeyer, a cloud specialist in the DOD CIO's office. The second version of the guide is due out soon. The third version will include a verdict on the FedRAMP high baseline's ability to meet DOD security needs, he added.
"We would really love to have alignment as we move forward, but we do recognize that the Defense Department is under advanced persistent threats from a cybersecurity perspective that some of the other federal agencies aren't," he said at the FCW event. "So we don't want to force all of the federal government into accepting all the controls that are required" by DOD.
Hale expressed confidence that FedRAMP will reach a point where an additional DOD security process is no longer needed.
Vendors said they would welcome more clarity on the DOD cloud-approval process.
"It's still not defined well enough for most vendors...to be able to provide the government what they want," Dan Kent, CTO for the U.S. public sector at Cisco, told FCW.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.