As the Pentagon’s designated cloud broker, the Defense Information Systems Agency has played a central role in forging relationships between the Defense Department and commercial cloud vendors.
DISA’s role as cloud broker was intended to “promote use of cloud computing services generally available within the private sector that provide a better capability at a lower cost with the same or greater degree of security as government-provided services,” according to a 2012 memo from then-CIO Teri Takai. Those aspirations have been slow to materialize under the current broker model.
The memo also required DOD components to work with DISA to acquire cloud services or obtain a waiver. But that model will change as soon as next month: A new memo will clarify DISA’s new role, acting DOD CIO Terry Halvorsen told reporters Tuesday.
“I think some just criticism of the department has been we have not moved out into the cloud fast enough,” Halvorsen said. “So, one of the things that we’re going to change, to give us more opportunities to move faster, is to let the military departments do their own acquisitions of the cloud services and not have to funnel that through one agency — in this case, DISA.”
DISA is still officially the cloud broker because the memo is not out, “but we are going to make changes to DISA’s cloud broker role,” he added. As the department expands its use of cloud services, DISA will approve the military departments' security plans and track how the department is operating cloud connection points and what technology is operating across the network. These responsibilities align with DISA’s role in a joint task force being stood up to improve security of the DOD Information Network, or DoDIN.
The military departments will be required to submit data, including costs, of their cloud investments to Halvorsen’s office and to DISA. Contracting language, pricing data and contracting costs will be shared among DOD components.
“What I’m imagining is being able to move faster and not having to do all this through a single contract activity,” Halvorsen said. Having additional acquisition capabilities should speed the process.
In August, Halvorsen announced that DOD would launch five cloud pilots to test how it could move some sensitive military data to commercial clouds. Two of those pilots are underway with Amazon, the only vendor approved thus far to manage military data categorized at levels three through five.
“One of the things we're testing is the premise that this is going to be less expensive,” Halvorsen said of commercial cloud. The pilots will also help DOD determine if it is less expensive and if it is mission-successful.
Specifically, Halvorsen wants to know whether commercial cloud services meet the minimum security required for carrying out the department’s mission, and how long it takes internally to get a security waiver. The initial data indicates the waiver process is too long, Halvorsen said, but the pilots will help determine what part of the process should be streamlined. The pilots will also provide data on which companies are interested in supporting commercial solutions that meet DOD’s security and financial expectations. Commercial cloud should enable DOD to be more agile and take advantage of industry innovations. Data collected during the pilot will give DOD definitive answers.
Maj. Gen. Alan Lynn, DISA vice director and senior procurement executive, has said similar things about the cost of commercial cloud services.
“The other assumption is commercial cloud is going to be cheaper,” Lynn told reporters at DISA’s annual industry event last month. “We think it is, but we want to make sure. It’s a balance between security and cost, and, as you know, funds are on the downturn, not on the upturn. So we’ve got to figure out that balance between security and costs.”
The department’s focus on moving to commercial cloud doesn’t mean an end to DISA-provided services. In fact, DOD components will be required to complete a business case analysis that includes consideration of DISA cloud offerings.
DISA’s milCloud offering exceeds security standards set by the Federal Risk and Authorization Management Program and is the department's most thoroughly tested cloud offering. But DOD will not always default to DISA’s services because officials believe commercial cloud will be cheaper. The Army, for example, is deciding what applications must be hosted in a government facility and what applications can be moved to level five or six commercial providers.
As commercial cloud evolves, Halvorsen expects DISA's cloud offerings will follow suit.
"We're looking at how you would change milCloud, too," he said. "It’s not just going to stand still."