Cloud service providers no longer need the Department of Defense’s go-ahead to store unclassified information in Federal Risk and Authorization Management Program-approved, moderate baseline offerings.
The Defense Information Systems Agency, within DoD, issued a blanket provisional authorization Thursday streamlining cloud authorizations departmentwide.
As long as a provider has a provisional authority to operate (P-ATO) from the FedRAMP Joint Authorization Board, it can host Impact Level 2 data for the DoD.
“This authorization allows for data designated publicly releasable, or IL-2, to be stored in the cloud on authorized FedRAMP offerings without waiting for DoD to issue a specific authorization document,” said Roger Greenwell, risk management executive at DISA, in a statement. “We worked with officials from the DoD, Chief Information Office and mission partners on the drafting of the policy and believe this approach provides significant benefit to both the DoD community, as well as the cloud industry.”
Jack Wilmer, the Pentagon’s deputy chief information officer for cybersecurity, announced the change was coming during a July meeting of the House Oversight and Reform Committee.
Provisional authorizations allow the government to evaluate cloud offerings once and then reuse them, but until now DoD has made providers additionally meet 38 Committee for National Security Systems — a one- to six-week process.
If a provider loses its P-ATO or neglects continuous monitoring, DoD will revoke its reciprocal authorization.
DoD has used FedRAMP to make about 140 cloud offerings available, only 20 of which needed additional assessments. The provisional authorization covers most of the other 120 offerings.