DISA approves AWS GovCloud for higher security levels

The Defense Information Systems Agency has given Amazon Web Services provisional authorization to operate at security impact levels 3 and 5 of the DOD Cloud Security Model, according to an announcement from the company. AWS and several other cloud services have approval to operate at levels 1 and 2, but Amazon is the first to get approval for the higher classifications.

The authorization, which covers AWS GovCloud (US), would allow Defense Department agencies to deploy cloud solutions involving sensitive data covered under levels 3 to 5. Levels 1 and 2 cover only public-facing, unclassified data. The security model also has a Level 6, for classified-only information.

Amazon said GovCloud includes security features such as AWS Direct Connect, which provides secure routing to DOD’s network, and Common Access Card (CAC) integration.

DOD has been moving toward a cloud-based computing model, but adoption has been fairly slow because of the need to first ensure security. Before AWS’ announcement, only four services had been certified for levels 1 and 2, two of them from AWS—Autonomic Resources Cloud Platform and CGI Federal’s IaaS solution, along with AWS’ Government Community Cloud and its East/West US Public Cloud.

In fact, the slow pace of vendor approvals had defense officials wondering recently if the DOD Cloud Security Model—which includes requirements beyond those of the Federal Risk and Authorization Management Program used by civilian agencies—was too demanding.