The Blog

DISA issues new cloud, cyber security guidance

Relevant links are at the bottom of this post.

The Defense Information Systems Agency on July 24 issued three new documents targeting cloud security, including two new requirements guides and a new concept of operations.

The three new documents more thoroughly define cloud security and the steps to achieving it, outlining the responsibilities of the organizations and managers increasingly capitalizing on commercial cloud offerings. The release underscores the Defense Department’s growing adoption of commercial cloud offerings.

The cloud access point (CAP) functional requirements document (FRD) prescribes a barrier of protection between the Department of Defense Information Network (DoDIN) and Internet-based public cloud service offerings, directing defense agencies to implement protections for the connection points linking the two. The first DISA-established CAP is a modified NIPRNet federated gateway, according to the documents.

“As DoD strives to meet the objectives of the DoD CIO to maximize the use of cloud computing, the DoDIN perimeter must continue to be protected against cyber threats from external connections,” the documents state. “The CAP will proactively and reactively prevent attacks against the DoDIN infrastructure, particularly traffic from mission applications that originates in the cloud service environment…there are many information assurance functions that may be implemented as detect and prevent measures to address the different types of external attacks.”

The documents note as potential external attacks denial of service, data exfiltration, malicious code injection, domain name system hijacking and user session/route hijacking.

In response, the CAP aims to protect the DoDIN and its network services, protect other DoD missions from incidents that affect a particular cloud service provider’s supported missions, provide perimeter defenses and sensing for commercial cloud-hosted applications and providing a point at which boundary network computer defenses will occur.

Currently, DISA’s CAP capabilities are at initial operating capability and are in use in “two geographically diverse locations” that officials did not specify. But DISA’s goal is to institute a strategy over the next six months that scales CAPs’ use across DoD, said Jack Wilmer, DISA infrastructure development executive.

“A CAP being fully scalable and able to support the enterprise, to include the availability of the application protection enterprise-wide, is scheduled to be ready by early 2016,” Wilmer said. “We are working with the [cloud service providers], industry and stakeholders to plan long-term goals, how best to take advantage of industry best practices, and fully realize the virtualization and optimization of the CAP.”

The CAP SRG was accompanied by a DoD cloud computing SRG, an overarching document that incorporates and supersedes DISA’s previously issued and less thorough cloud security model documents.

The cloud SRG specifies DoD’s model for leveraging commercial cloud offerings along with detailing the security controls and requirements necessary for using cloud-based solutions within defense agencies. The cloud SRG is as much for cloud vendors as it is for DoD users and “mission owners,” and sets a baseline for assessing commercial providers, granting authority to operate. It also aims to support DoD CIO directives to migrate military websites and applications to the cloud and consolidate data centers.

Lastly, DISA’s July 24 release of security guidance documents also includes a DoD concept of operations (CONOPS) for cloud computer network defense, a set of reporting and incident-handling procedures for the organizations that will defend DoD cloud operations and assets.

At the CONOPS’ core are the “twin objectives” of defending the DoD Information Systems Network from attack via external cloud and defending systems, applications, and virtual networks hosted within the cloud.

The CONOPS defines how mission owners, cloud service providers and Joint Force Headquarters-DoDIN will cooperate with mission, boundary and DoDIN cloud computer network defenses in responding to cyber incidents, including specific procedures and responsibilities.

“This document is expected to evolve as the procedures are put into practice and new best practices emerge,” including changes to the cloud SRG, top-level Pentagon guidance and JIE implementation strategies, the CONOPS documents states. “As such it should be treated as a foundation upon which to improve in addition to providing uniformity and efficient cooperation in cloud” computer network defenses.

Cloud Computing CONOPS Comment Period Memo