While the military services and other Department of Defense components get on board toward greater adoption of cloud services, the Defense Information Systems Agency (DISA) doesn’t want them to forget about security, particularly on the part of cloud providers.
DISA is offering a set of Risk Management Service Product packages that track the path of high-level policy statements to the low-level technical implementations where the rubber meets the road. The goal is to give cloud providers a holistic view of their information systems risk, and ensure the security compliance of systems operating within the DISA Computing Ecosystem, the agency said in an announcement.
“We are providing mission partners options based on their requirements and elected services,” said Stephanie Watt, DISA’s chief of the Cyber Controls Section in the Computing Ecosystem’s Cyber Services Line of Business. “We are also saving mission partners time and resources by leveraging our tested, validated, and compliant CCIs.”
CCIs are Control Correlation Identifiers, which recognize the singular elements of identification and authentication (IA) controls and best practices. By tying a security requirement outlined in a policy framework to the security settings of ground-level implementations, CCIs let an organization trace the line of security requirements from their origins in a policy statement to their execution at low-level implementations, thus demonstrating compliance with multiple IA frameworks.
The Risk Management Framework (RMF) packages apply an additional layer of security, and give DISA a level of control. If a mission partner selects a secure-at-will service package, for instance, DISA can make appropriate configuration changes on its own, securing at will without having to first get partner approval, Watt said.
“Another added benefit for mission partners is that these packages are in addition to, not a replacement of, what the mission partner is currently inheriting from the DISA Data Center and Enterprise Infrastructure Backbone Network RMF packages,” Watt said. “We are not replacing what is currently inherited, we are adding to it by providing more inheritance.”
Along with its DISA Service Product packages, the agency has three other packages within the RMF:
- The DISA Inherited Policy (DIP) Package contains policy and guidance controls shared between DISA and mission partners. DIP is assess-only, in that there is no authority to operate or approval required by the mission partner.
- The DISA Data Center Package contains common, physical, and environmental controls for mission partners with programs and systems hosted within DISA data centers and field activities. It requires approval by the DISA Authorizing Official.
- The DISA Network Package, which also requires approval, contains common transport and network infrastructure controls for partners using the DISA Computing Ecosystem Command Circuit Service Designators.
The Department of Defense is in the midst of a concerted push toward faster adoption of commercial cloud computing as a way to speed up adoption of new, innovative technologies, which Deputy Secretary of Defense Patrick Shanahan has said is “critical to maintaining our military’s technological advantage.” The White House also wants to accelerate cloud adoption for the Federal government overall, even recommending modifying acquisition rules to speed up the process.
DISA, which offers defense agencies an option through its milCloud portfolio, also has released a guide to enterprise cloud adoption.