While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
There was a time when Defense Department officials balked at the idea of integrating commercial cloud services with military networks, let alone hosting sensitive data in a contractor-owned facility. But those sentiments are evolving, along with the options DOD is considering for developing a commercial cloud ecosystem for its users.
The department is exploring two private cloud deployment models that would put commercial cloud technologies in DOD data centers or adjacent to them, the Defense Information Systems Agency noted in a request for information last month. As the entity charged with tracking how DOD operates cloud connection points and what technology is operating across the network, DISA is exploring those models' viability and whether they warrant a request for proposal to industry.
One option, the Data Center Leasing Model, would enable “market-leading cloud ecosystem vendors to be allocated discrete floor/rack space inside DOD facilities,” including core data centers, according to DISA. Vendors would have to undergo “sufficient security scrutiny and accreditation” before their hardware and software would be cleared to reside in a DOD facility.
The other option is using an On-Premise Container Model (OPCM), where IT resources would be stored in a shipping container at a DOD facility and would reside “under the physical protections of the local facility,” DISA explained.
“These models are being considered as possible alternatives in providing cloud ecosystems and services to the DOD community,” the agency added. Both models present unknowns for the government. DISA must consider how much space the containerized solutions require to run effectively for small, medium and large configurations. What physical security mechanisms would be in place to protect a containerized solution, and what are the requirements for handling DOD’s most sensitive data?
When it comes to handing over military data to commercial cloud providers, DOD has set the bar high. DOD has approved only five Infrastructure as a Service offerings for storing and hosting DOD’s public and private unclassified information, known respectively as level one and level two data. Two of the IaaS offerings are from Amazon. Hewlett Packard IaaS, Autonomic Resources and CGI Federal provide the others.
“One of the steps in the process for a Cloud Service Provider (CSP) to become an authorized provider of computing services for DOD cloud customers is a security assessment,” says Pentagon spokeswoman Lt. Col. Valerie Henderson. “The security assessment generally consists of satisfying FedRAMP and any DOD-specific security requirements specific to the type and classification of the information for which cloud services are being sought. Once the security assessment and other steps are satisfactorily completed, the CSP is added to a Cloud Service Catalog with all the other CSP providers that have been authorized to host computing services for DOD Cloud Customers.”
There is some leeway if DOD users find that none of the approved services in the catalog meet their needs, but the process can be lengthy. Obtaining a Global Information Grid (GIG) Waiver can take three to six months, depending on the level of analysis required, Henderson explains. The DOD CIO has the final say on whether waivers are granted or denied.
DOD users can sponsor a new contractor to be included in the catalog or apply for a waiver to use a service not included in the catalog, Henderson notes. A waiver is also required “if the DOD Cloud Customer wants to use an approved cloud service for a type and classification of information for which it has not already approved.”