DOD updates DISA's role as the department's cloud broker

Shift reflects a greater openness toward commercial services, while outlining how agencies can procure them.

The Pentagon is refining the Defense Information Systems Agency’s role as the Defense Department’s cloud broker, while outlining how DOD agencies can acquire commercial cloud services. But DISA will continue to play a central role in DOD’s move to the cloud, evaluating and approving the security of commercial services and offering the department’s private milCloud.

A recent draft memo from DOD Acting CIO Terry Halvorsen cancelled the 2012 memo that established DISA as the department’s cloud broker. But even after declaring that 2012 memo (and updated guidance from December 2013) cancelled, Halvorsen refers to DISA as “the Broker” in clarifying its role. Although the original memo allowed for commercial, internal and other federal services, the new policy indicates a greater openness to commercial providers.

“DISA, as the Broker, will focus on ensuring the security of the Department of Defense Information Networks (DODIN) and the cybersecurity challenges associated with outsourcing DoD missions and data to commercial clouds,” the memo states. DISA also will maintain a DoD Cloud Access Point to guarantee secure connections to commercial clouds.

The guidance still requires that commercial services have a Provisional Authorization from DISA, but if a component agency wants to use a provider that doesn’t have one, it can work with DISA to perform a security assessment.

The upshot: DOD components can opt for a commercial service based on a business case analysis, as long as those services meet DOD’s security requirements and are cheaper than what they can get from the department.

DISA Vice Director Maj. Gen. Alan Lynn said as much—without mentioning memos—earlier this month at AFCEA NOVA’s Joint Warfighter IT Day. “If industry can come to us with a cloud solution that is cheaper, then we are going to go to it,” Lynn said. “That’s the bottom line.”

Pending security approval, of course. And milCloud will still be an option. “(T)here are some things that we’re never going to put into a commercial cloud that we’ll need the milCloud for,” Lynn said. “So we’re going to be able to live side by side with industry in the cloud in the future.”

DOD’s move to the cloud is intended to cut costs and support the Joint Information Environment, the department’s plan for an interoperable architecture that encompasses all of the U.S. military services, other DOD component agencies and coalition partners. But the move has been slow and cautious because of security concerns. Hence DISA’s enforcement of the strict requirements of the DOD Cloud Security Model—which go beyond those of the Federal Risk and Authorization Management Program used by civilian agencies—and the presence of milCloud.

Some commercial providers earlier this year had objected to the idea of milCloud as a primary provider for DOD agencies, suggesting that it constituted unfair competition with the private sector. But while milCloud will still be an option, DOD has been moving toward greater use of commercial services, especially for reasons of cost.

Meeting DOD’s security requirements, however, has proved to be difficult, time-consuming and expensive. To date, four services—Autonomic Resources Cloud Platform, CGI Federal’s IaaS solution, Amazon Web Services’ Government Community Cloud and AWS’ East/West US Public Cloud—have been approved for Levels 1 and 2 of the DOD Cloud Security Model, which cover public-facing and unclassified data. Last month, AWS’ GovCloud became the first service to gain approval for Levels 3, 4 and 5, which cover moderate-impact and controlled unclassified information. The security model also has a classified-only Level 6.