Is DOD’s Bar Too High for Cloud Security?
Breaking into the federal cloud computing market can be tough, especially for companies looking to do business with the Department of Defense.
That’s in part because DOD’s security standards for industry exceed the government’s own Federal Risk and Authorization Management Program (FedRAMP) baseline requirements.
“There is a set of requirements tied to national security systems, and as we walked into the cloud security model we used that benchmark. And …. for good reason, that’s a high benchmark, as opposed to using the FedRAMP benchmarks,” Mark Orndorff, mission assurance executive for the Defense Information Systems Agency, told reporters Wednesday during DISA’s Forecast to Industry event at Maryland’s Fort Meade.
That’s being revisited, he said, because the process might have been made too hard. “We may have the criteria too high,” Orndorff said. DOD is launching a series of pilots programs to determine the right balance between national security system and FedRAMP requirements that are sufficient for protecting department business systems but don’t place unnecessary burdens on industry.
Setting the bar that high seemed like the right decision at the time, and it’s human nature and good risk management to be conservative when making a major change like moving to the cloud, Orndorff added. DISA is tasked with developing the cloud security model that governs what requirements vendors must meet to do business with DOD.
“We look at the above FedRAMP factors, but that doesn’t mean that every system cares about every single one of the additional factors, depending on the sensitivity level,” he said. DOD acting CIO Terry Halvorsen has charged DISA with clarifying its guidance to industry concerning requirements as well as guidance to DOD customers about assessing their cloud requirements and aligning them with the department’s security model.
To date, only a handful of vendors, including Amazon Web Services, have completed the rigorous process for proving their offerings are secure enough to host DOD data.
“The security model makes perfect sense to people like me that live security all day, and we’re trying to do an English-language translation of that so that it will make better sense to everybody else,” Orndorff explained.
What’s the Purpose of DOD’s Cloud Pilots?
There are several questions the Defense Department wants to clarify during the pilots:
• How does DOD maintain situational awareness in the cloud?
• What will command and control capabilities be in the cloud?
• How would DOD respond to incidents in a cloud environment?
• What are performance objectives for cloud services?
One of the pilots involves DISA’s Information Assurance Support Environment, a system that provides security technical implementation guides (STIGs) to the public. The public portion of the system currently is hosted in a commercial facility. The private side of the system — available only to approved users —also will move to a commercial provider, but DOD will maintain situational awareness of its data.
“In parallel with that we’re doing a detailed scrub of every above FedRAMP requirement to make sure that we haven’t put something on industry that doesn’t really make sense or isn’t required,” Orndorff noted.
To date, DOD has only awarded five provisional authority to operate (ATOs) to vendors seeking to offer cloud services to the department, he said. Four vendors have met the requirements for handling DOD’s public and private unclassified information, known respectively as level one and level two data. Amazon Web Services is the only company approved to manage level three, four and five data — DOD’s controlled unclassified information, Nextgov reported. Other companies are awaiting reviews, but Orndorff admits the process is too long.
“In the scrub of the process, our objective is going to be that we leverage FedRAMP much more, and if we have any additional requirements that we push to get them added to FedRAMP,” he added. The revised FedRAMP standards incorporate many of the requirements that matter most to the department.
The goal is to inform DOD vendors early on during the FedRAMP evaluation process of any additional requirements so they can address them at that time. Doing so should enable vendors to meet governmentwide standards and any additional DOD standards simultaneously.
DOD Weighs Its Cloud Options
As the Pentagon’s cloud broker, DISA wants to provide defense customers with a full suite of options, based on the risk they’re willing to assume and the sensitivity their data.
“It is a fundamental part of the cloud broker function to assess the offerings that there are across DOD against the cloud security model, and even that model continues to evolve over time,” said Jennifer Carter, DISA’s component acquisition executive and one of several executives who spoke with reporters at Fort Meade.
DISA is weighing the benefits and risks of moving military data to commercial facilities and DOD data centers that are commercially operated as well as to the intelligence community’s private cloud and DISA’s milCloud offering.
“We are looking to leverage commercial cloud in a variety of ways, and we’re not saying no to any particular option, and especially at this stage in the game,” said Dave Bennett, CIO and director of Enterprise Information Service for DISA. Initially, the agency will focus on Infrastructure as a Service offerings.
“The other assumption is commercial cloud is going to be cheaper,” said Maj. Gen. Alan Lynn, DISA vice director and senior procurement executive. “We think it is, but we want to make sure. It’s a balance between security and cost and, as you know, funds are on the downturn not on the upturn. So we’ve got to figure out that balance between security and costs.”
If you missed DISA’s Forecast to Industry event, you can view presentation slides here.
To learn more about how cloud computing solutions can help your organization get ahead, visit cdw.com/cloud.
