The Defense Information Systems Agency (DISA) is poised to release final security guidance for purchasing cloud services on Tuesday as the Defense Department shifts to commercial providers.
After receiving more than 800 comments on the draft guidelines, DISA reorganized the security levels to allow certain work areas to exist in virtual private networks while still keeping the most sensitive data physically separated on DoD networks.
The final draft also adjusts the authorization requirements to track more closely to the Federal Risk and Authorization Management Program (FedRAMP), except in specific areas where greater security assurance is needed.
Per a Dec. 15 memo from the DoD Office of the CIO, defense agencies have been given more authority to purchase cloud services directly from commercial vendors rather than going through DISA as the sole broker. While the move is intended to speed up the acquisition process, DISA is charged with ensuring that security standards do not slip as commercial providers are brought in.
“Where is that right balance point that will allow us to get the full benefits of commercial cloud providers while doing that with the right level of security?” Mark Orndorff, mission assurance executive and designated accrediting authority for DISA, said during a DISA panel hosted by the AFCEA D.C. Chapter Monday. “This is an opportunity to get the agility, economic and technical advantages from commercial cloud and do that without putting the department at risk by leveraging the virtual separation capabilities that commercial cloud providers have, up to a level of sensitivity.”
The original draft listed six classes of security requirements for different levels of data. Those have been pared down to three in the final document, combining two levels at each new tier.
Orndorff said DoD might consider allowing national security data into a virtualized network at some point in the future, though at this time it is not a hard goal. For now, information at that security level will live in physically separate, private networks within DoD.
“We just want to spend more time before we decide if that’s a goal,” Orndorff explained. “We are very open minded to it but we want to do due diligence to assess: what is the risk, what are the mitigations and how do we want to press forward.”
DISA also revised the vendor assessment requirements to be slightly more rigorous than FedRAMP.
The majority of assessment controls use FedRAMP as a baseline, “asking for additional security requirements only when it’s absolutely necessary and makes sense for DoD-legitimate reasons,” Orndorff said.
“The net-net is that we will gain more in efficiency and effectiveness by allowing the virtualization for a set of DoD work than we will put at risk,” he added.
Orndorff noted the final guidelines were expected a week earlier but were held up for final revisions.
“The risk guys wanted to take more risk than the lawyers were ready for us to take,” he said. “So we took a little more time to make sure we had all our ‘i’s dotted and ‘t’s crossed.”
DISA will publish the final guidance document on the Information Assurance Support Environment website by end-of-business Tuesday.
“This is a challenge the DoD is definitely up for,” said DISA CTO David Mihelcic. “There’s potentially huge savings long-term for certain workflows to be moved to this commercial cloud environment.”