Dec 17 2014

DOD Updates Guidance for Buying Cloud Services

DOD agencies and the military services are now empowered to buy cloud services directly from commercial vendors.

It’s official: The Defense Information Systems Agency (DISA) is no longer the Defense Department’s enterprise cloud broker, and DOD components are now free to work directly with companies to buy cloud services.

“It is no longer a requirement to use DISA for the acquisition of cloud computing services,” according to a Dec. 15 memo signed by acting DOD CIO Terry Halvorsen. In September, Halvorsen told reporters that the purpose is to accelerate the adoption of cloud services.

“I think some just criticism of the department has been we have not moved out into the cloud fast enough,” he said. “So, one of the things that we’re going to change, to give us more opportunities to move faster, is to let the military departments do their own acquisitions of the cloud services and not have to funnel that through one agency — in this case, DISA.”

Ultimately, DOD agencies and military services will be responsible for creating a business case analysis that details what data and missions will be hosted by commercial cloud service providers. Current policy allows department branches to host unclassified, publicly released data on services that meet Federal Risk and Authorization Management Program (FedRAMP) standards. FedRAMP represents the minimum security standards for securing DOD cloud services.

The department has released a draft of its cloud computing security requirements that go beyond FedRAMP, which will apply to more sensitive unclassified data and missions. The final version will be released in January. Final comments are due Dec. 29.

“The guide is intended to give cloud providers a stable security requirement, and to help DOD cloud customers move more rapidly and securely into the cloud,” according to DOD’s cloud memo. “The guide defines several classes of sensitive data, with increasing security requirements for each.”

DISA Isn’t Out of the Cloud Business

Agencies will still work closely with DISA as they procure DOD enterprise services or commercial cloud solutions. DOD components will have to meet all end-to-end security requirements. To fulfill that requirement, DOD branches, DISA and cloud services providers must share information to protect military data. DOD component agencies are also expected "to share cyberspace defense information as necessary and appropriate with cloud service providers," according to the memo.

Cloud service providers that want to host sensitive military data must first submit proof to DISA that they meet the additional security requirements, which will appear in the official guide released in January. For applicants it approves, DISA will issue a DoD Provisional Authorization (PA). “The PA will describe the types of information and mission that can be hosted by a particular cloud service.” (Learn what it takes to be a DOD cloud service provider here.)

To protect DOD components from incidents that originate with the cloud service provider, companies must use a cloud access point (CAP) to connect customers to their services. CAPs must be approved by the DOD CIO and be provided by DISA or DOD component agencies.
