U.S. Defense Department Leverages Safe Enough for Cloud Security
DISA leads the probe for a balance between commercial cloud security services and what they will cost.
There are no do-overs when it comes to safeguarding the U.S. military’s sensitive data. With that blunt principle in mind, defense leaders say they are taking a slow, methodical, multipronged approach as the Defense Information Systems Agency develops a cloud security model for the whole of the Defense Department.
With current security controls too strict and limiting, agency personnel are sleuthing for the ideal balance that would let a greater number of commercial cloud service providers compete for billions in federal funding, while still safeguarding national security. Their goal is to determine what might be safe—and what might be safe enough.
“We’re working on the assumption that commercial is cheaper,” says the Defense Information Systems Agency’s (DISA’s) vice director, Maj. Gen. Alan Lynn, USA. “So it’s a balance between security and cost. As you know, our funds are on the downturn, not the upturn, so we have to figure out that balance between security and cost.”
DISA leads the Defense Department’s cybersecurity review as the U.S. military moves toward the formidable undertaking it has called the Joint Information Environment, or JIE, the concept of a unified and interconnected defense information network architecture. One part of the migration involves rewriting requirements so that more commercial cloud providers can break into the market. To that end, the Defense Department has set in motion five pilot programs that officials anticipate will provide answers on the use of commercial cloud services.
“One of the most important factors in moving applications to any cloud environment is the assumed risk,” says DISA’s chief information officer (CIO), Dave Bennett. “We must consider the controls that are in place to protect the data, at the same time, looking at what commercial opportunities we can leverage to achieve our goals.”
When the Defense Department tasked DISA to build out the security model for standards on cloud computing, the agency used the regulations spelled out in the Federal Risk and Authorization Management Program (FedRAMP) as the foundation. FedRAMP sets the baseline security standard that federal cloud products must meet. But FedRAMP was only a starting point, and the additional defense-only restrictions layered on top of it may, in the end, have hindered the process instead of helping it.
“We think we’ve made the process too hard and made the criteria too high,” says Mark Orndorff, mission assurance executive for DISA. “There is a set of requirements tied to national security, and as we walk into the cloud security model, that benchmark, for good reason, is a high benchmark. … Now we’re going to walk our way through and see where in that spectrum between the national security system requirements and the FedRAMP requirements is the right space for [Defense Department] business.”
The Defense Department assigns all of its data to one of six security levels. Level 1 is unclassified information approved for general public release; some commercial cloud companies already handle some of this data. Level 2 is unclassified information with limited access, which no regulation covers but which the mission owner wants to protect with access controls. Levels 3 through 5 cover controlled unclassified information, such as personally identifiable information, protected health information and for-official-use-only material. Level 6 is classified information up to secret. It is at levels 3 through 5 that the department has stymied itself, officials say: the self-imposed “above FedRAMP” restrictions have kept it from migrating that data to commercial clouds, as required by the Office of Management and Budget’s “cloud first” policy, issued a few years ago to overhaul federal information technology programs.
“We’re working now on specifically five pilots to help answer questions that will drive revisions to the criteria and revisions to the process,” Orndorff says. Two of the studies are with Amazon Web Services. DISA had been the cloud broker for the whole of the U.S. Defense Department’s migration to commercial cloud services, but having a single agency tasked with the mission slowed the process too much, prompting a policy change to divide the duties among the services, says Terry Halvorsen, the department’s acting CIO. “I think … we have not moved out into the cloud fast enough,” Halvorsen says. “One of the things we’re going to change, to give us more opportunities to move faster, is to let the military departments do their own acquisitions of the cloud services and not have to funnel that through one agency—in this case, DISA.” DISA will nonetheless remain in a lead role, approving the security plan for each military department’s commercial cloud endeavor.
DISA still will work to best match existing cloud services with customer needs within the confines of the existing guidelines, says Jennifer Carter, DISA’s component acquisition executive. “[Security] is a fundamental part of the cloud broker function to assess the offerings that there are across DOD against the cloud security model, and even that model continues to evolve over time,” Carter declares. “If there isn’t a direct match, we provide feedback into what opportunities there are, and in fact, that is where some of the pilot discussions are happening.”
Currently, the cloud security model maintained by the Defense Department’s enterprise cloud service broker identifies requirements in the following areas: implementation of the applicable FedRAMP guidelines, Committee on National Security Systems instruction and Defense Department security controls; continuous monitoring; confidentiality, integrity and availability reporting; and integration with Defense Department information assurance architecture, policy, guidance and operational constraints.
This year, DISA launched its milCloud offering, a “government offered service, if you will, but it’s built off of commercially competed contracts leveraging commercial products,” Bennett says. “It’s not a militarized instance. It’s a commercially competed, put-together solution for commercial contracts for manpower.”
milCloud, an infrastructure-as-a-service offering, combines commercial off-the-shelf (COTS) and government-developed technology. It features an integrated suite of capabilities “designed to drive agility into the development, deployment and maintenance of secure DOD applications,” according to DISA officials.
“MilCloud is basically the government solution that gives customers the opportunity to move their capability into a virtualized infrastructure inside a coordinated center,” Bennett says.
But that is not enough. “We’ve got some questions we want clarified,” Orndorff continues. “How do we get situational awareness of activity inside the cloud so we don’t create a blind spot? What are we going to be able to see from a cyberdefense perspective? We also have command and control questions to make sure we have the right relationships in place. … We have some good, old-fashioned performance objectives that we want to evaluate and some business process areas that we need to evaluate.”