The Defense Department, through its hotly contested Joint Enterprise Defense Infrastructure cloud contract, has made clear it is moving the entire enterprise to the commercial cloud. That includes its cybersecurity operations.
Last month, the Defense Information Systems Agency, the Pentagon’s IT services provider, released a “sources sought” notice looking for input from small businesses on shifting the Defensive Cyber Operations infrastructure of its Acropolis cybersecurity program to an Infrastructure as a Service cloud environment.
The solicitation indicates that DOD wants to be able to access its most sensitive data in the cloud, regardless of the JEDI contract.
Timothy Van Name, deputy director of the Defense Digital Service, said in March the DOD wants to be able to have the JEDI platform support unclassified data when it is initially launched. The Pentagon wants “secret level” IaaS and Platform as a Service offerings under JEDI available within six months of the contract award, and “top secret” within nine months.
In designing the new cloud instance of the Acropolis environment, DISA says the new architecture must be built in a way that will blend the current DOD owned and operated infrastructure with IaaS virtual private cloud capabilities offered by the cloud service provider. Importantly, the cloud must be secure enough to operate at Impact Level 5 and Impact Level 6.
As FedScoop reports: “Vendors with IL5 authorization can handle the most sensitive DOD controlled unclassified information; at IL6, vendors can work with DOD’s classified information up to the Secret level.” There are only seven providers in DISA’s cloud services catalog that can operate at Impact Level 5, including DISA’s own milCloud 2.0. The others are Amazon Web Services, IBM (for two services), Microsoft (also two services) and Oracle. AWS is still the only cloud provider that is authorized to operate at IL6, for its Secret Commercial Cloud Services Environment (SC2S), which is an IaaS offering.
DOD Seeks Cloud Environment for Acropolis
Acropolis is designed to provide the Pentagon with a secure, consolidated and integrated Defensive Cyber Operations and situational-awareness environment for cybersecurity analysts within the DOD to protect and defend the Department of Defense Information Network.
DISA notes in the solicitation that Acropolis is “where we fight” cybersecurity adversaries. “The success of the Acropolis mission revolves around our ability to successfully collect, store, translate, enrich and deliver DCO data to both external and internal subscribers from within the Acropolis environment,” the notice says.
Acropolis collects terabytes of new DCO alerts, logs and other critical cybersecurity data from sources located throughout the DODIN, and combines that data into a centralized data-brokering service, according to DISA. The service securely receives data from external sources without loss, translates and enriches that data as required, and finally delivers it to both internal and external subscribers, DISA says.
“In support of data transport, Acropolis utilizes specialized cross-domain solutions to transport unclassified data to an isolated classified Secret environment, which allows the use of classified analytics on unclassified data,” the notice says.
The new cloud environment must ensure that “critical services such as Data Brokering and cross domain remain within the DoD owned and operated boundary, while the backend services, databases, and ancillary servers are shifted to IaaS” within a dedicated virtual private cloud instance, according to the notice.
DISA says a critical aspect of the new architecture will be the expansion of DOD’s existing Acropolis Transport Network to the cloud service provider’s location.
“Acropolis will not utilize commercial transport services or cloud provider gateways,” the notice says. “The cloud provider is required to host a DoD owned network encryption device and router within their facility to provide the necessary confidentiality, integrity, and availability from the DODIN infrastructure to the cloud provider’s IaaS virtual environment.”
DISA says there is no guarantee it will award a contract, but that if it does it will do so in either fiscal year 2018 (which ends at the end of September) or fiscal year 2019.