Halvorsen formalizes new DOD cloud procurement policy

Acting Defense Department CIO Terry Halvorsen has issued a memo outlining the Pentagon’s new cloud procurement policy, formally allowing the military services and other DOD agencies to procure commercial cloud services rather than leaving that authority to the Defense Information Systems Agency.

The Dec. 15 memo codifies a long-expected policy change and marks a significant break from the approach taken by Halvorsen’s predecessor, Teri Takai.

The new policy is meant to hasten DOD’s move to the commercial cloud while also retaining control of important security requirements for sensitive information. "I think some just criticism of the department has been we have not moved out into the cloud fast enough," Halvorsen said in September.

Halvorsen's Dec. 15 memo cancels a June 2012 memo issued by Takai that designated DISA as DOD's enterprise cloud broker. It also requires each DOD agency to assess its use of cloud services through a business case analysis template that must be approved by the agency CIO. The template gives DOD agencies a common means of justifying their procurements based on cost, security and interoperability.

The new policy requires commercial cloud services working with sensitive unclassified DOD data to go through a "cloud access point" approved by the DOD CIO. A CAP is like a firewall meant to insulate other parts of DOD from a security issue affecting a particular cloud service provider. The memo points to the current Navy CAP as one that has been approved.

The new memo also elaborates briefly on a draft of a security requirements guide that DISA recently issued. The draft security guide, which goes a step beyond Federal Risk Authorization and Management Program requirements in covering more sensitive data for commercial and DOD cloud providers, is meant to be an "evolving" and "collaborative document between the government and private sector that recognizes the rapid technology and business changes in the cloud services environment," the memo states.

In January, Deputy CIO for Cybersecurity Richard Hale will host a meeting to get feedback on the draft from "our government, private and public partners in the cloud environment," it adds.