DoD and Cloud Computing: Where are we now? (Working Title)

DoD: Committed To The Cloud

The Department of Defense is making a major move to the cloud. After issuing Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services [1] in December 2014 and major changes to the Cloud Computing Security Requirements Guide [2] in January 2015, this trend is now more than evident. A mid-grade security level provides restricted access to sensitive information through a virtual cloud environment that requires a secure connection to DoD networks, through the use of common access cards (CACs) or other authorized credentials. [3] DoD is even working with the FedRAMP Program Management Office in the development of guidelines for placing FISMA high data in the cloud as well. All of these realities are indicative of a desire to build a close partnership with commercial cloud computing solution providers.

Figure 1 - DoD Cloud Computing Market - Federal Times (http://www.federaltimes.com/section/dod-cloud/)

[1] http://iase.disa.mil/Documents/commercial_cloud_computing_services.pdf
[2] http://iase.disa.mil/cloud_security/Documents/u-cloud_computing_srg_v1r1_final.pdf
[3] http://www.federaltimes.com/story/government/omr/dod-cloud/2015/01/13/disa-securityguidance-dod-cloud/21699549/

In the DoD, cloud computing transitions are driven by technical efficiencies, security considerations and budgetary factors. While commercially available services will typically cost less than equivalents provided by the department’s internal provider DISA, these options can only be realized if the mission is not compromised and approved security safeguards are in place. [4]

“If industry can come to us with a cloud solution that is cheaper, then we are going to go to it. That’s the bottom line.” – Maj. Gen. Alan Lynn, Vice Director, Defense Information Systems Agency

DOD components can opt for a commercial service based on a business case analysis.
These organizations are also looking for cost-efficient ways to facilitate “data distribution” via a blend of government-owned facilities and commercial cloud providers. This trend refocuses department internal metrics on dollars and performance rather than numbers of servers and data centers. Modernization efforts also see application rationalization as important to successful outcomes.

DoD and FedRAMP

The new DISA security requirements guide for cloud computing not only makes it easier and quicker for Defense Department agencies to procure commercial cloud services, but it also closely follows the Federal Risk and Authorization Management Program used by civilian federal agencies while still ensuring security. DoD agencies can also negotiate directly with cloud providers, rather than going through DISA as the primary cloud broker. This was changed in the fall of 2014 when DOD reduced DISA’s broker role and decided to have it concentrate on ensuring security.

As if to emphasize this alignment with government civilian cloud computing governance, May 2015 additions to DoD’s cloud portfolio were made up almost entirely of services from commercial providers.
It also included security approval for the cloud version of OMB MAX, the Office of Management and Budget’s platform for exchanging budget and programmatic data between federal agencies; the Treasury Department’s Workplace.gov platform; and the infrastructure-as-a-service offering provided by the Agriculture Department’s National Information Technology Center. [5]

[4] http://defensesystems.com/articles/2014/09/16/disa-cloud-broker-dod-memo.aspx
[5] http://federalnewsradio.com/defense/2015/05/dod-grants-new-security-approvals-to-23-cloudproviders/

“The granting of these provisional authorizations is an important step in our strategy to drive cost down by moving more of our mission data to the cloud.” – Terry Halvorsen, DoD Chief Information Officer

The cloud products certified by DISA in May 2015 gained their initial approval via all three pathways through the FedRAMP process: they were either sponsored and certified by another government agency, sought and won approval from the Joint Authorization Board or were certified by third-party accreditors authorized as part of FedRAMP.

Providers that meet FedRAMP standards are eligible to handle the DoD’s less sensitive data without any additional security measures. A “FedRAMP+” concept is used to leverage work done as part of the FedRAMP assessment when additional security controls and requirements are necessary to meet and assure any other critical mission requirements. Even though the Government Accountability Office estimates that only about 12 percent of all systems are labeled as high impact systems, the Defense Department, DHS and other agencies are expressing a need for a high-impact baseline standard. [6] When developed, this standard would apply only to non-classified technology systems as characterized under the Federal Information Security Management Act (FISMA). Classified systems would remain the purview of milCloud or service-specific clouds.

ViON: Your Trusted Cloud Computing Partner

ViON knows cloud computing.
More importantly, however, we know how to do cloud within the DoD mission and culture. Our long-term relationship with the DoD also gives us unique insight into the linkages between fiscal challenges and the department’s mission success. That insight led us to cloud computing solution designs that meet or exceed mission requirements while simultaneously addressing contemporary fiscal challenges.

The ViON Cloud Services team will help you research and build your cloud transition business case. We help you take the critical steps to understand your current environment and design the best approach to meet your mission and budgetary goals. We will deliver the required technical, cost and ROI metrics to support all critical decisions. If desired, we will also support your FedRAMP PMO and DISA interactions.

[6] http://federalnewsradio.com/defense/2014/11/fedramp-developing-a-fisma-high-baseline-in2015/

With our On Demand solutions, ViON shares the financial risk by retaining ownership of all related equipment. This approach is a business strategy in which the provider acquires all data center infrastructure and provisions that infrastructure to the DoD customer on an "as needed" or "as a service" basis. Rather than agencies acquiring infrastructure that may not be used to its fullest potential, ViON On-Demand reduces the risks by only providing what is needed to complete and maintain mission requirements. There are no minimums, no ceilings, and no penalties for deactivating equipment early.

This approach also aligns costs with dynamic changes in operation tempo by charging a daily service fee determined by the system's layout, the customer's initial requirements, and the customer's projected requirements. The daily service fee can be applied in an a la carte approach or combined into different tiers (e.g., gold, silver, bronze). Customers can then easily forecast and budget new projects by using the set service fees to determine an expected payment stream.
ViON On-Demand options are available through public, private or hybrid cloud deployment models and can be used to meet any FedRAMP+, milCloud interface or service-specific requirements. We also remain in lockstep with DISA cloud computing security guidance through the use of Virtustream Viewtrust cybersecurity management and governance services. This offering builds a 360° view of all infrastructure assets, continuously monitoring them for compliance and risk. Viewtrust performs automated risk analysis based on threats and their impact, enabling automated mitigation through integration with third-party tools and technologies.

In one recent On-Demand engagement, a DoD customer mission planner anticipated the purchase of 600TB of storage over a 6-month period. Under the On-Demand financial delivery model, an initial 250TB of storage capacity was provisioned during the first month. Detailed analysis of actual use reduced the planned capacity to 350TB, a 42% cost savings. All technology infrastructure requirements were successfully met with no reduction in operational status or mission capability.

“(T)here are some things that we’re never going to put into a commercial cloud that we’ll need the milCloud for, so we’re going to be able to live side by side with industry in the cloud in the future.” – Maj. Gen. Alan Lynn, Vice Director, Defense Information Systems Agency