As the Department of Defense (DOD) continues to adopt commercial cloud capabilities, the Defense Information Systems Agency (DISA) is helping cloud service providers and DOD mission owners work through the DOD Cloud Provisional Authorization (PA) process, which allows DOD to provisionally authorize a cloud service offering (CSO) and leverage that information many times over throughout DOD, saving mission owners time and money versus conducting independent assessments.
The DOD cloud assessment process leverages the Federal Risk and Authorization Management Program (FedRAMP), the government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP emphasizes a “do once, use many times” approach, enabling these results to be used as part of the DOD assessment process.
“In the ideal case, a cloud service provider (CSP) begins by getting a FedRAMP Joint Authorization Board (JAB) provisional authorization, allowing them to sell their cloud service to the federal government,” said Gordon Bass, chief of DISA’s Assessment and Certification Branch.
DOD uses impact levels, which are based on the type of data to be processed, to assess a provider’s offering. These impact levels range from level 2, publicly releasable and non-mission-critical unclassified information, to levels 4-6, which address controlled unclassified information and other information categories that require higher levels of protection. If the cloud service provider is able to demonstrate compliance with the FedRAMP moderate controls, that vendor is provided a DOD PA at impact level 2 for their cloud service offering. PAs at higher impact levels are based on the vendor’s ability to meet additional DOD security requirements mandated by the impact level of the information that the cloud offering will support.
“Subsequently obtaining a DOD cloud provisional authorization at impact level 4 requires meeting about 10 percent more controls than the 325 FedRAMP controls,” said Bass.
Although DISA conducts assessments and issues PAs, it is the mission owner’s responsibility to identify a provisionally authorized service offering that offers the best mix of capabilities and security to meet their needs, and either request additional testing or leverage the assessment and impact level recommendation DISA has authorized for that service offering.
A DOD provisional authorization optimally positions cloud service providers to bid on DOD cloud contracts. The next step after acquisition and prior to starting operations in the cloud is for a mission owner’s authorizing official to grant an interim authority to test (IATT) or authority to operate (ATO) to their system that will be using the cloud service.
“Thus we see the benefit, that after DISA’s independent review and granting of a PA, any DOD component can issue an IATT or ATO and can reuse the work that went into the FedRAMP and DOD PA assessment to ensure compliance with the controls. The mission owner inherits that body of evidence that has been put together. They can look at that package and determine if testing was adequate or if they have additional needs over and above the testing done. This is how mission partners gain economies – by not having to start at the beginning every time they assess a cloud service offering,” said Bass.
The DOD cloud assessment process optimally takes three months to complete, depending on the quality of the assessment package submitted by the cloud service provider.
“If I get a perfect or near perfect package – we will process it in less than 13 weeks,” said Bass.
To date, DOD has granted provisional authorizations to 59 commercial cloud service offerings.