The Defense Information Systems Agency’s (DISA) plan to move a key cybersecurity service to the cloud is in keeping with the push toward cloud computing for many of the Department of Defense’s operations, including those involving classified information. The question at the moment is whether the cloud services DISA wants to tap into are secure enough to handle the job.
DISA recently released a Sources Sought notice looking for input from small businesses on moving the Defensive Cyber Operations (DCO) infrastructure of its Acropolis program to an Infrastructure-as-a-Service cloud environment.
Acropolis is a core element of DoD cyber operations support – collecting, storing, and analyzing data from across the department’s Non-secure IP Router Network (NIPRNet) and Secret IP Router Network (SIPRNet) into an out-of-band network to provide global situational awareness of the DoD Information Network (DODIN). Described by DISA as “Where We Fight” cyber adversaries, Acropolis is a shared service that collects terabytes of cybersecurity data from throughout the DODIN into a Data Brokering Service, analyzes and enriches the data, and delivers it to internal and external subscribers, according to the solicitation. The service involves cross-domain processes, for example transporting unclassified data to a Secret-level environment, where classified analytics can be performed on classified data.
In preparing the next cloud-based iteration, “a new architecture must be built that will blend the current DoD owned and operated infrastructure with IaaS [Infrastructure as a Service] offered by the cloud service provider,” DISA said. An IaaS virtual private cloud (VPC) will handle backend services, databases, and ancillary services, while critical services such as data brokering and cross-domain functions will be staying inside DoD’s owned-and-operated boundary, the solicitation said.
A weak link in the plan at the moment involves potential vendors with the necessary security levels, of which there are few. The solicitation requires the vendors be authorized at Impact Levels (IL) 5 and 6 under DoD’s Cloud Computing Security Requirements Guide. IL 5 covers controlled unclassified information and requires a dedicated infrastructure. IL 6 handles classified information up to Secret. The Sources Sought notice says DISA is looking for a single provider and that it “must have authorization to provide IL-6 services prior to an award.”
As of July 16, only seven services listed on DISA’s Cloud Service Catalog are authorized up to IL 5, and none of them are small businesses, unless you count DISA’s own milCloud 2.0, which is on the list. Other services authorized at IL 5 are Amazon Web Services (AWS), IBM (2 services), Microsoft (also 2 services), and Oracle. AWS is still the only one okayed at IL 6, for its Secret Commercial Cloud Services Environment (SC2S), which is an IaaS offering.
As DoD is doing with its potentially $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud acquisition, DISA could be taking a “propose it and they will come” approach. In announcing the acquisition, DoD officials said that JEDI is planned to cover all of DoD’s security levels, though not right away. Officials said they expected to make a single JEDI award for IaaS, Platform-as-a-Service (PaaS) and support services for up to 10 years, initially for unclassified information with classified capabilities added in an iterative process.
Cloud services have been moving up the Impact Level ladder recently, so more offerings could be available by the time an Acropolis award is made. The Sources Sought notice doesn’t guarantee that an award will be made, but, if a contract is awarded, DISA said it will likely be in FY 2018 or 2019.
And potential vendors might even have a little extra time to get security authorization since not all of DoD’s cloud plans are moving as fast as originally planned. DoD announced JEDI in March with plans for a quick procurement. An industry day coincided with its draft solicitation, with a two-week window for initial responses, a final solicitation set for May, and an award expected in September. That original plan has slowed down, with the final solicitation placed on hold and new DoD CIO Dana Deasy saying earlier this month there was no set date for its release.