Describe the Department of Defense's updated guidance on acquisition and use of cloud computing services


On December 15, 2014, two years after issuing its original strategy, the DoD made significant changes to how it would procure cloud computing services.

The new Memorandum "Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services" clarifies and updates prior memoranda.

The memorandum cancels the original strategy and supplemental 2013 guidance.

The memorandum authorizes Department of Defense components to acquire cloud services directly from a cloud service provider, such as Microsoft, and removes the requirement that DISA approve the acquisition.

Individual responsibility

The memorandum instead makes the DoD components responsible for determining which workloads should be moved to cloud service providers, and provides guidance on doing so through a Business Case Analysis (BCA). The BCA must then be approved by the component CIO, and a copy sent to the DoD CIO. DISA and the services it offers must still be considered as part of the business case analysis.

This change is significant. While driving toward digital transformation is important, some workloads have existed in data centers for decades, and it can take decades to recover the time and money spent migrating or modernizing them. The DoD wants to ensure that a solid business case is made before that migration or modernization begins.

FedRAMP for security

The memorandum sets FedRAMP as the minimum security baseline for DoD cloud services, and notes that components may host unclassified DoD information that has been approved for public release on FedRAMP-approved cloud services.

For any other information, whether classified or unclassified but not approved for public release, the memorandum notes that a Security Requirements Guide (SRG) has been released for public comment, and that the SRG will define the requirements cloud service providers must meet to host that information securely.

DISA for authority

Before a cloud service provider can host a sensitive workload, the provider must submit proof to DISA that it meets the requirements of the SRG. If DISA finds the provider in compliance, it issues a Provisional Authority (PA) listing the workloads that the cloud service provider may host.

Cloud access points (CAPs) for security

The memorandum notes that any access to cloud service providers involving sensitive data must go through a cloud access point, provided either by DISA or by another component and approved by the DoD CIO. This is a movement away from decentralized access through DISA.

A change to operational security

The memorandum notes that the concepts of operations (CONOPS) for cloud service providers and cloud computing differ from those of traditional hosting, and that cybersecurity is just as important a factor. It states that DoD components that acquire or use cloud services "are still responsible for ensuring that end-to-end security requirements are met." Meeting this responsibility must be done in collaboration with DISA and the cloud service provider.

The DoD cloud computing security requirements guide (SRG) is evergreen

Finally, the memorandum notes that the DoD Cloud Computing Security Requirements Guide is a living document that will be continuously refined and expanded over time, and that all parties should both leverage and contribute to its guidance.