The U.S. Defense Department is committed to pursuing cloud-based services and steadily has been improving its capabilities to utilize the technology. The latest evidence of DoD embracing the cloud is its approval of a protocol that will facilitate the use of the technology at higher security levels.
The department’s Defense Information Systems Agency, or DISA, has granted provisional authorization for the use of cloud services to levels 3 to 5 of its Cloud Security Model, or CSM. DISA’s authorization, revealed last month by Amazon Web Services, applies to the AWS GovCloud offering.
AWS and two other vendors, CGI Federal and Autonomic Resources, in March received CSM authorizations covering security levels 1 and 2 — for low-risk unclassified data that is publicly releasable or controlled. AWS currently is the only company with higher-level authorization.
When fully operable, the CSM program will allow all elements of the DoD to tap into a cloud security assurance process that has department-wide application, thus saving each component the need to create its own cloud security protocol.
CSM’s basis is the Federal Risk and Authorization Management Program, developed through the General Services Administration as a one-stop resource for federal agencies that need cloud security assurances. CSM enhances FedRAMP for DoD requirements.
DoD Pilot Program Priorities
“This new authorization allows DoD customers to conduct development and integration activities that are required to secure controlled unclassified information in AWS GovCloud at levels 3 to 5 of the CSM. Simply put, DoD agencies can now use AWS’ compliant infrastructure for all but classified (level 6) workloads,” said Chad Woolf, director of AWS Risk and Compliance.
While AWS’ characterization of DISA’s selection is correct with respect to eventual broad potential within DoD, it initially will be limited in scope.
“DISA granted a conditional provisional authorization to support piloting of missions categorized for impact levels 3 to 5 on the AWS GovCloud. The pilots will address a number of issues to include procedures to monitor and secure access to the data to ensure protection of DoD networks,” Mark Orndorff, DISA’s program executive officer for mission assurance, told the E Commerce Times.
“DISA is working with the services to implement several commercial cloud pilots in the very near term while continuing to work with other cloud providers on the provisional authorization process. The AWS authorization is limited to only approved pilots using the AWS Infrastructure as a Service offering at this time, and is not currently extended to include other shared services,” he said.
“Step one in DoD’s movement to the cloud was the authorization of cloud providers for levels 1 and 2 followed by the migration of workload in those categories.The approval of AWS for piloting levels 3 to 5 is the next logical step in the DoD cloud strategy,” Orndorff said.
“The AWS authorization supports some operational evaluations across several systems that will firm up the detailed plans necessary to fully leverage the commercial cloud across a broad range of requirements,” he pointed out. “At the conclusion of these pilots, we expect to have a solid solution for connecting DoD to commercial cloud providers, validated procedures for executing cyberdefense activities, and established business processes.”
Security Moves Bolster Cloud Adoption
For the Defense Department, the move to the higher security level indicates a continuing and fairly aggressive strategy to utilize cloud services on a department-wide basis.
“Without question, this shows a commitment to the cloud. It also indicates the closeness with which the DoD has been working with the intelligence community,” Alex Rossino, a senior analyst at Deltek, told the E-Commerce Times.
“DoD and the federal intelligence sector share many common concerns about securing data in an era of increasing fiscal hardship. They both want to use the latest technology solutions, like cloud, particularly if these solutions reduce costs and provide scalability,” he said.
“The intelligence community has been blazing the trail for DoD in the form of contract agreements like the one the CIA signed with AWS to build a commercial cloud infrastructure within a secure government enclave. It is an example that works, and DoD is moving toward it,” Rossino pointed out.
“DISA Chief Technology Officer Dave Bennett has made clear that DISA wants to pursue a cloud strategy with three parts to it,” he continued. “One is the use the agency’s Infrastructure as a Service milCloud offering for DoD customers. The second is use of a commercial cloud infrastructure ‘inside the DoD fence line’ for cybersecurity purposes, and the third is use of purely commercial cloud solutions for publicly releasable data. This leaves a lot of room for multiple players.”
Still, the security authorization process is just one component of cloud adoption at the department.
“Building a DoD IT system means integrating many different parts and subsystems,” said Shawn McCarthy, research director at IDC Government Insights.
For example, DoD currently is moving toward a Risk Management Framework that aligns with a similar National Institute of Standards and Technology protocol.
“Many commands within DoD are in the process of adjusting to this change. While some will welcome the Authority to Operate approval as a way to quickly tap into AWS services, these services often are just one component of a larger information system,” McCarthy said.
“The AWS back end could be used for one or more of these parts of the larger system, but in most cases it will not be used to host all parts. A larger set of compliance testing usually is still necessary — and systems integration continues to play a key role,” he explained.
AWS Gains Positioning Edge
Within that scenario, however, AWS has managed to put itself into an advantageous position at least for the short term.
“I anticipate that AWS will be exclusive for a few months — maybe longer, if the other vendors have a tougher time being certified,” McCarthy told the E-Commerce Times.
DISA is taking an active role in pursuing cloud security capabilities on both the CSM and FedRAMP tracks, according to Orndorff.
“Assessments of FedRAMP-compliant offerings from providers such as HP, Lockheed Martin, AT&T, Akamai, Microsoft and Oracle — along with a cloud solution offered by the U.S. Department of Agriculture — are under way. We continue to work closely with the FedRAMP program office and cloud providers to add to the list of approved cloud offerings,” he said.
The potential for DoD’s cloud business is significant.
“We predict that DoD will spend about US$165.7 million on cloud efforts in federal fiscal year 2014 — but that is for all types of cloud, not just the security levels recently approved for AWS,” McCarthy said.
“While this level of certification is a highly coveted milestone for AWS, it’s not the sort of thing that will turn into new business overnight for the company,” he noted.
DoD cloud spending could top the $2 billion mark within four years, according to Deltek.
“Even though the payoff for this certification won’t be immediate, it does set AWS up to be a major partner in the construction and ongoing operations of new DoD systems,” said McCarthy. “By teaming with large systems integrators and big defense contractors, AWS could become the back end of choice for new systems, assuming the company can keep its price points low enough.”