It’s no secret that the Defense Department has an aggressive plan to move as much of its data as possible to the cloud. In many ways, it has no choice: The cloud provides unmatched economies of scale for a Pentagon IT infrastructure that is simply too expensive to operate.
But the department’s Acting Chief Information Officer, Terry Halvorsen, is thinking even bigger than the Pentagon’s $40 billion IT budget and the billions he plans to save by moving to the cloud. According to Halvorsen, the Defense Department’s input to the government’s cloud security certification process, the Federal Risk and Authorization Management Program, or FedRAMP, could help raise the bar for basic cybersecurity hygiene across the government and the private sector.
“We have to raise the national level of cyber hygiene. As we work through these cloud and mobility partnerships, we have the opportunity to raise that national level,” Halvorsen said, speaking Thursday at DOD’s cloud industry day conference in Washington, D.C. “This opportunity is a national opportunity,” he said.
Halvorsen used the industry day to clarify DOD’s approach to cloud adoption and how it aligns with the civilian agency approach under FedRAMP. There are areas where DOD will be able to use FedRAMP “out of the box,” Halvorsen said. In other cases, the department will be forced to follow “FedRAMP Plus” — the FedRAMP certification process with additional security controls requested specifically by DOD. Halvorsen is also hoping DOD’s participation in the FedRAMP process can identify common ways agencies can standardize levels of protection and certification.
“If you look at the federal government space, we are actually big enough that if we do this in a better partnership we could drive the cost down to very comparable [levels] to open cloud,” he said. “I think that’s where we have to go. I think this is part of the opening round of [thinking about] how we do that.”
Rob Vietmeyer, DOD’s cloud computing lead and the author of the original cloud policy in 2012, called the questions that have been raised about DOD’s acceptance of the FedRAMP security controls a red herring. “That really hasn’t been the big challenge,” he said. Although the Pentagon thinks “there are some additional controls that need to be rolled into FedRAMP that aren’t there,” Vietmeyer said he expects to see complete synchronization between DOD and FedRAMP on security controls.
The biggest challenge to date for DOD has been understanding the unique computer network defense, or CND, requirements that moving to the cloud presents. For example, the Pentagon is looking at a scenario where there will be multiple organizations providing for the defense of the enterprise cloud infrastructure, including the Defense Information Systems Agency, various commercial providers and component agencies within DOD.
Vietmeyer acknowledged the department is “still learning how they are going to do that,” but officials are studying CND requirements for network boundaries, cloud access boundaries and the virtual data center.
DOD’s initial pilot projects revealed many back-end configuration challenges that, in some cases, prevented the data from flowing. “On the back side we found all of these other processes we need to worry about, like how do we open up the ports and protocols on the routers, how do we reconfigure our white lists so we can white list the right sites, how do we maintain our [Domain Name System settings] and our addresses,” Vietmeyer said. The department is not trying to automate those processes, he said.
Halvorsen, on the other hand, views the biggest challenges facing DOD’s cloud strategy from a nontechnical perspective. Among the issues the department and industry must figure out is how multiple service providers will share information with each other, particularly security data.
“This won’t be a single-cloud environment. This is going to be multiple clouds. We’re going to have multiple partnerships,” Halvorsen said. “The only way that is going to work effectively, efficiently and securely is if we share common data. Particularly in the security area, we’re going to have to have common infrastructure, common sensors and common data exchange, and it has to cross government and industry boundaries.”
But there is also the challenge of shared liability, which must be understood. Commercial providers that accept DOD data in the cloud take on a different level of liability than they are typically used to, Halvorsen said. When a commercial provider loses defense information, it faces all of the normal legal liabilities that come into play, but “you also have a bit of a political liability,” he said. “Our data gets lost, it’s going to make the news and it’s going to get interest by Congress and interest by the American people.”
And when data losses do occur, the department must be able to handle the incident in the most transparent way possible. “That is the thing I am most concerned about as I look at some of the proposals coming back,” Halvorsen said. Companies need to realize that DOD will be obligated to name them in any incident involving data loss, he said.
For now, private cloud providers are clamoring for a concrete baseline of requirements that they can work toward and that won’t change. Halvorsen, however, was quick to clarify the department’s position on that issue.
“That’s not going to happen. Not for a while,” he said. “There’s no way to keep this topic as constant as I think industry would like it to be.”