The Defense Department’s (DoD) Office of the Director, Operational Test and Evaluation (DOT&E) emphasized in a new report that DoD needs to conduct cybersecurity testing on the commercial cloud platforms used by the Defense Enterprise Office Solution (DEOS) cloud environment.
In the assessment, DOT&E highlighted the delay of the DEOS schedule in Fiscal Year 2020, in connection with “DoD efforts to implement a commercial cloud Impact Level (IL-5) federated environment, due to COVID-19.”
“Because the DEOS program plans to use commercial cloud platforms to store classified and unclassified data, it will be critical for the DOD to conduct threat-representative cybersecurity testing on the commercial cloud and its hosting infrastructure,” wrote DOT&E. “This will require appropriate agreements between the DOD and chosen cloud service providers.”
Further, the report found that DoD, the Defense Information Systems Agency (DISA), and the Joint Interoperability Test Command (JITC) lacked a funded and consolidated test forum for addressing Digital Modernization Strategy (DMS) enterprise IT initiatives.
DOT&E provided oversight for 228 programs in FY2020, which included oversight of 14 Major Automated Information Systems (MAIS). Per the report, the oversight activity “begins with the early acquisition milestones, continues through approval for full-rate production, and, in some instances, during full production until removed from the DOT&E oversight list.”
DOT&E made six recommendations for the DoD CIO, Digital Modernization Infrastructure (DMI) Executive Committee (EXCOM), Services, and Director of DISA, including:
- “Conduct thorough cybersecurity operational testing of all DMS enterprise initiatives, including threat-representative testing of the commercial cloud capabilities employing current cybersecurity testing guidance and policy;
- Use operational test data, analyses, and reporting to inform DMI EXCOM decisions;
- Institute and facilitate remote testing capabilities as a requirement for DMI EXCOM-sponsored efforts to facilitate adequate testing under COVID-19 restrictions;
- Update the DEOS Test and Evaluation Master Plan (TEMP) based on the contract award and the master schedule for the planned NIPRNET and SIPRNET deliveries;
- Develop a TEMP for ECAPS current and future capability sets 2 and 3, and more generally for each funded DMS enterprise initiative;
- Fund JITC to fully support DMS enterprise initiatives, testing, and test-related forums.”