Jan 06 2016

Pentagon Faulted for Not Having a Clear Definition of Cloud Computing

Inspector general’s report highlights inconsistencies across DOD regarding accounting for cloud contracts.

The Defense Department does not have a consistent definition for cloud computing or a complete list of cloud computing service contracts, according to a report from the DOD’s inspector general. That makes it impossible for the department to assess the effectiveness of its cloud computing contracts, the report says.

The inspector general’s office, which issued the report in late December, had sought to find out whether DOD’s armed services branches and departments “performed a cost-benefit analysis before acquiring cloud computing services” and whether they had “achieved actual savings as a result of adopting cloud services.”

“Due to the limited number of cloud computing service contracts identified, we could not provide a sufficient answer to our announced objective,” the report states. “However, we addressed the need for a standardized cloud computing definition and an integrated repository for cloud computing service contract information to help determine whether DOD is effectively using cloud computing services.”

No Clear Definition of the Cloud

As FedTech reported last year, DOD is looking to store sensitive military data in the cloud to reduce costs and boost performance. The Pentagon has been considering several options, including cloud hosting facilities outside the United States, using a commercial platform for services like email, and modernizing milCloud, the Defense Information Systems Agency’s private cloud offering.

According to the report, the Pentagon doesn’t have complete accounting for cloud computing service contracts because DOD Chief Information Officer Terry Halvorsen had not established “a standard, department-wide definition for cloud computing and did not develop an integrated repository that could provide detailed information to identify cloud computing service contracts.”

Consequently, the Defense Department cannot measure the effectiveness of its cloud computing initiatives and “cannot determine whether it achieves actual cost savings or benefits from adopting cloud computing services.” Additionally, the report raised the specter of security risks because the department doesn’t know what data is being placed in the cloud and hasn’t taken any measures to monitor or secure it.

FedScoop notes that the report makes clear that the DOD is supposed to use the following definition of cloud computing from the National Institute of Standards and Technology: “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

The report outlines the five essential characteristics of the NIST definition:

  • On-demand self-service. Requires no human interaction with service providers.
  • Broad network access. Capabilities available over the network and accessed through mechanisms such as mobile phones, tablets and laptops.
  • Resource pooling. Provider’s computing resources are pooled to serve multiple consumers with different physical and virtual resources assigned based on consumer demand.
  • Rapid elasticity. Capabilities available for provisioning often appear unlimited to the consumer and can be appropriated in any quantity at any time.
  • Measured service. Cloud systems automatically control and optimize resource use, which can be monitored, controlled and reported, providing transparency for both the provider and consumer.

Despite this, the report found that different components of the DOD interpreted that definition in varying ways. “For example, DOD CIO representatives stated that an IT service did not have to possess all five essential characteristics of the NIST cloud definition to be considered a cloud computing service,” the report says. “Air Force CIO representatives stated they considered all five essential characteristics needed to classify an IT service as a cloud computing service. Navy CIO representatives stated there was a lack of clarity to determine whether a service had to meet all NIST characteristics.”

As a result, there were disagreements within the Pentagon over how many cloud service contracts different service branches had.

FedScoop reports: “The DOD CIO’s office said the Army had three indefinite-delivery, indefinite-quantity contracts, and the Navy and Air Force each had two. The Army, however, told the IG it had nine IDIQ cloud contracts, the Air Force said it had one, and the Navy said it had none.”

Recommendations in Progress

The report recommends that the department’s CIO office “issue guidance to either establish a standard, department-wide cloud computing definition or clarify the National Institute of Standards and Technology definition to consistently identify DOD component cloud computing service contracts.” Additionally, the report recommends that the CIO “establish an integrated repository that provides detailed information to identify DOD cloud computing service contracts” once the first recommendation is completed.

DOD Principal Deputy CIO David DeVries neither agreed nor disagreed with the report’s recommendations, but discussed ways in which the office is addressing the recommendations. However, the IG says it wants a more complete response to the report by Jan. 27.

