Now, the service branch wants to find avenues to speed up the rollout of Software as a Service apps to handle unclassified data and information not related to national security.
Lauren Knausenberger, the Air Force’s director of cyberspace innovation, said the service is working on a pilot that focuses on the “rapid assessment of SaaS offerings,” especially apps that handle business processes and information at the Defense Department’s cloud security Impact Level 4 or lower, according to FedScoop.
As FedScoop notes, “IL4 cloud services are approved to handle controlled unclassified information like personally identifiable information (PII), health data, export control information and other sensitive collections, not including national security information.”
Other elements of the armed forces have embraced SaaS with gusto. For example, the Army Corps of Engineers is moving to SaaS apps so that users can access the data they need wherever they are, whether they are on a mobile device or not. The Corps also wants to move to a cloud-based collaboration platform that would allow users to more freely share data. SaaS tools give the Corps greater flexibility and make the command more efficient.
Knausenberger said at the Security Through Innovation Summit in April that the Air Force’s pilot is based around the idea that “we should be adopting SaaS as broadly as we can within our business systems and using it to make a lot of the processes we do daily much easier,” according to FedScoop.
Air Force Wants to Speed Up Apps That Deal with Sensitive Data
The Air Force should adopt the cloud security practices of the financial and medical industries if it is dealing with apps that handle PII, Knausenberger said. However, she acknowledged, “we’ve had trouble with that, especially in the DOD, because of the level of control” the department requires.
To overcome the hurdles to getting authorizations to operate, the Air Force wants to streamline some parts of the process upfront. That includes research into a cloud company’s background and ownership as well as tests of the software. Regarding the latter, for example, Knausenberger said, “if they have an ongoing bug bounty program, that might meet that requirement.”
The Air Force also wants to get more information upfront about how cloud service providers continuously update their software from a security perspective, she said.
“But this is something where we could do a little bit of testing, a little bit of documentation and an authorizing official could say we’re going to go forward with this,” she added.
The process will likely be easier on larger cloud vendors and more difficult for startups that have not been vetted or used by the government much, Knausenberger acknowledged. However, it will save cloud companies both time and money if the Air Force can speed up the SaaS accreditation process.
“Vendors tell me that it’s a year or more” to accreditation for IL4 SaaS applications, she said. “I expect that we will be able to accredit some SaaS offerings in a month or less. It could be faster if they had everything ready to go and we had a team ready to go test anything that was needed to be tested.”
The first kind of apps the Air Force is looking to authorize under the pilot are those that use military medical data or Social Security numbers for members of the DOD, Knausenberger said.
“We’re starting small and then we’ll learn from that process and hopefully we can look at something where there is a little bit more of a fast track to getting these offerings approved,” she said.