DOD approves four cloud solutions for department-wide use

Four cloud service solutions thus far have achieved provisional authorization under additional security controls required by the Defense Department: Autonomic Resources Cloud Platform (ARC-P), CGI Federal's IaaS solution and Amazon Web Services' Government Community Cloud and East/West US Public Cloud.

What that means is that each of the four solutions has been assessed against additional security controls on top of baseline standards they met under the Federal Risk and Authorization Management Program (FedRAMP), allowing them to compete DOD-wide for cloud computing contracts under the Defense Information Systems Agency's Enterprise Cloud Service Broker catalog.

However, these CSPs have been authorized only at DOD Impact Levels 1 and 2, which cover the department's unclassified public and unclassified private information. DISA assigns impact levels to data depending on its type and confidentiality, integrity and availability in categorizations of low-, moderate-, or high-risk under the Federal Information Process Standard Publication (FIPS) 199.

The bulk of DOD's expected cloud savings is expected to occur at Impact Levels 3-5, which signify higher-risk unclassified data, but CSPs have yet to be assessed against these standards.

In an e-mailed statement, DISA Chief Technology Officer David Mihelcic said he anticipates formal assessments at impact levels 3-5 to begin in the second quarter of 2014. Impact Level 6 is designated for classified information only, and draft standards for commercial CSPs to meet have not been formally released yet for that level.

Requirements and criteria for levels 3-5 were made available to industry in December 2013, Mihelcic said. Sources tell FCW one reason for the delay between standards release and potential assessments is that templates drafted by DISA for CSPs to create their Systems Security Plans (SSPs) were held up.

"The CSPs are left basically waiting for the form," the source said.

DOD's cautious path to the cloud is a point of contention among many commercial cloud providers that view such slow efforts as contrary to the Obama administration's Cloud First policy, but some positive signs have come from Pentagon CIO Teri Takai. She recently told the House Armed Services subcommittee that nine CSPs are in the pipeline to provide services to DOD.