The military isn’t dipping its toes into cloud waters, it’s diving in. The Pentagon outspends many countries, and its 2015 cloud investment will reach nearly $773 million, accounting for 37 percent of all Federal cloud spending.
But the military must operate in vastly divergent environments, from desktops in garrison to forward deployed units operating without direct connectivity to their commands, said Ken Bible, Chief Technology Advisor at U.S. Marine Corps.
Bible was one of three panelists tackling “Cybersecurity in the Cloud at the Armed Forces Communications and Electronics Association (AFCEA) Cybersecurity Technology Summit in Washington, D.C., April 2.
“We need a government owned environment for the best garrison and tactical strategy,” Bible said. “Readiness is a top priority. We need more environments based on where people are in the battlefield.”
Dr. Portia Crowe, Cyber Chief Technology Officer, U.S. Army PEO C3T, spoke to the difficulty of handling both active data in motion and data at rest.
“Aside from increasing our jointness, we need to learn from intelligence like the NSA and CIA,” said Crowe.
Both intelligence agencies are champions of the cloud.
While these methods worked for the two tightly-structured intelligence agencies, the Armed Forces is still trying to deliver cloud services to its scattered users around the world with low-bandwidth connections.
“We used to build data centers in the back of tents,” said Bible. “Most of the world today isn’t dependent on a wired infrastructure. The military has to consume cloud based services wherever the action is.”
Matt Goodrich, director of the Federal Risk Management & Assessment Program (FedRAMP), which certifies Cloud vendors meet minimum security standards, said defense applications will often exceed FedRAMP standards.
But FedRAMP is also working closely with the Pentagon and industry on a new FedRAMP High security standard. A draft standard was circulated this winter, and a new draft is due out for review in summer. To date, FedRAMP standards have met only low and moderate security levels, as dictated by FISMA, the Federal Information Security Management Act. “What we want to do is have a thoughtful dialogue around those security controls that we think are needed at the high baseline,” said Goodrich.
Five agencies – the Defense Department, Department of Justice, Department of Homeland Security, Veterans Affairs, and Health and Human Services – represent 75 percent of the market for high-impact systems, he said.
Some vendors have asked for a simplified standard, and object to additional security features sought by the Pentagon, which is pursuing its own FedRAMP Plus standard.
Said Goodrich: “I have to remind people of the distinct and different mission of the DoD. They’re kind of their own government in a way.”
But he left the door open to simplifying the varying standards and security levels. “Industry says, ‘Tell us what to do once so we don’t have to keep changing it.’ But if they really want that, then we need to set a high security baseline,” Goodrich said.
Join the conversation. Post a comment below or email me at firstname.lastname@example.org.