DISA has launched an internal secure cloud for the military to use. (Army)
With news of Amazon Web Services achieving security approval to provide cloud services for the Defense Department, as well as the Defense Information Systems Agency’s launch of its internal, secure milCloud platform, DoD is inching closer to the rest of the government in moving to the cloud.
Amazon Web Services is the latest company, along with Autonomic Resources and CGI Federal, to receive authority to operate (ATO) under DoD’s impact levels 1 and 2 after clearing 298 FedRAMP cloud security controls as well as nearly two dozen additional military-specific requirements. At the same time, DISA’s rollout of milCloud allows defense components access to higher-level security cloud services while also cutting IT costs, streamlining capabilities and more flexibility than before, according to DISA officials.
“MilCloud allows us to...integrate various applications at the [core data center] level,” Brig. Gen. Frederick Henry, DISA chief of staff, said recently. MilCloud’s offerings would be comparable to those that currently are commercially available, “but in a more secure fashion,” he said.
Presumably, that means the ability to handle data deemed more sensitive than that approved for impact levels 1 and 2, which deal only with public-facing, unclassified, non-sensitive data. Criteria for levels 3 through 5 reportedly are out of the draft stages and under review, and level 6, which would relate to classified data, has not yet progressed that far.
“The time spent with DISA going through assessments for levels 1 and 2 was documentation and clarification for how our security posture met the controls,” said Chris Giles, AWS global security assurance architects leader. “Now that levels 3 through 5 are finalized, DISA [is] reaching out to service providers to initiate conversations on the approach for initiating assessments for levels 3 to 5.”
The progress comes amid a massive demand for cloud services at DoD. Military spending on cloud services could reach $2.6 billion by fiscal 2018, an increase from $414 million in fiscal 2013, according to Alexander Rossino, principal research analyst at Deltek.
Numerous companies are still in the process of receiving ATO at levels 1 and 2, but much of DoD’s demand – and companies’ push for ATO – likely will target the higher-security levels, where there is more money to be made.
From fiscal 2009 to the end of fiscal 2013, DoD agencies and the services have awarded more than $750 million worth of cloud contracts, a number that is expected to grow as more companies are certified to provide military-grade services. By comparison, in that same time frame, civilian agencies collectively awarded roughly $21 billion in cloud contracts, and the CIA spent $600 million on its 2013 AWS cloud services contract alone, according to Deltek.
In January, DISA officials hinted that some challenges they’re facing in the cloud realm could spur them hire a single provider to provide a cloud infrastructure, as the CIA did last year. The CIA chose Amazon to build an infrastructure-as-a-service cloud walled off from the existing AWS commercial cloud and the Internet and run in the secure internal CIA environment; in other words, AWS is building cloud for the intelligence community and will maintain the hardware and facility, but the IC will actually manage what goes into it, what applications are used and the security controls.
“As part of the CIA deal with Amazon, when new services are developed for the commercial market they will become available to the entire IC via the CIA’s Amazon cloud,” Rossino said. “This solution would address several challenges for DISA. First, it would enable DISA to comply with legislative mandates to use a commercial cloud provider. Second, it would allow DISA to more easily comply with U.S. Cyber Command’s requirement [for] visibility into a commercial cloud solution so they can trace back [incidents] if/when they occur. This has potentially been a problem for some vendors because they might be reluctant to just open doors and become an extension of DoD networks.”