The Defense Information Services Agency (DISA) issued long awaited guidance last week, reducing the number of classification levels for Cloud data from four to six. The 152-page guide incorporates, supersedes, and rescinds the previously published Cloud Security Model and applies to all CSP offerings, regardless of who owns or operates the environments.
The guidance follows Acting DoD CIO Terry Halvorsen’s decision last month to allow the military services and other DoD agencies to buy commercial cloud services directly, rather than going through DISA on each procurement.
“The new guidelines specify what can be placed in public clouds, what needs to be contained within a virtual environment and what data must be kept on physically separate networks,” reports Aaron Boyd in Federal Times.
The base level allows agencies to put information on public clouds that are either openly viewable or discoverable the Freedom of Information Act. A mid-grade security level provides restricted access to sensitive information through a virtual cloud environment that requires a secure connection to DoD networks, through the use of common access cards (CACs) or other authorized credentials. The highest level deals with national security systems, which will remain on restricted DoD networks, separate from the cloud until further notice.
DISA Risk Management Executive Mark Orndorff said the guidelines are “designed to ensure that DoD can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk.”
Orndorff wrote in a prepared memo that DISA expects to update the guidelines quarterly.
DISA said the guidelines serve several purposes, including:
- Providing security requirements and guidance to non-DoD owned and operated CSPs that wish to have their service offerings included in the DoD Cloud Service Catalog
- Establishing a basis on which DoD will assess the security posture of a non-DoD CSP’s service offering, supporting the decision to grant a DoD Provisional Authorization that allows a non-DoD CSP to host DoD missions
- Defining the policies, requirements, and architectures for the use and implementation of commercial cloud services by DoD Mission Owners
- And providing guidance to DoD Mission Owners and Assessment and Authorization officials (formerly Certification and Accreditation) in planning and authorizing the use of a CSP
To help clarify all the cloud changes, Halvorsen is hosting a Cloud Industry Day at the U.S. Department of Commerce auditorium on January 29. Continue the conversation on February 12 on the Hill with the Cloud Computing Caucus Advisory Group, where Terry Halvorsen and other Defense IT leaders will elaborate on the status and future of DoD cloud strategy.
Want to weigh in? Post a comment below or email me at firstname.lastname@example.org.