DISA releases new security guide for cloud computing

The document sets out the requirements for commercial and non-DOD providers, with a goal of streamlining the acquisition process for DOD agencies.

The Defense Information Systems Agency has released its new security requirements guide for cloud computing, which is intended to make it easier—and quicker—for Defense Department agencies to procure commercial cloud services while still ensuring security.

The new SRG puts out to pasture the Cloud Security Model, under which only a handful of vendors had received authorization, and more closely follows the Federal Risk and Authorization Management Program used by civilian federal agencies—although it does set additional requirements in areas where extra security is needed. In many cases, cloud providers will seek to comply with the SRG in coordination with their FedRAMP reauthorization.

"The SRG is designed to ensure that DOD can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk," Mark Orndorff, DISA Risk Management Executive, said in a statement.

The new guide sets the security requirements for information up to the Secret classification, sets standards for what systems or information can be handled in a virtual environment and what data should be physically separated, and tweaks the impact levels identified under the old Cloud Security Model.

Under the SRG, the old model’s Level 1, which had covered publicly released information, is combined with Level 2, covering data cleared for public release as well as unclassified information not deemed to be mission-critical. This data would not require access to DOD networks.

Likewise, Level 3 has been combined with Level 4, covering controlled unclassified information, or CUI. This applies to mission-critical information that could impact national security if exposed, personal or personally identifiable information, health records and other sensitive information, such as that designated Official Use Only, Law Enforcement Sensitive, Critical Infrastructure Information, and Sensitive Security Information. This data would be held in a cloud that would require a secure connection to DOD networks.

Level 5 covers CUI deemed by law, other government regulations or the agency that owns the information to need a higher level of protection than Level 4 provides. It also covers unclassified National Security Systems.

Level 6 covers information classified as Secret, such as classified national security information, and, as with Level 5, requires that the information reside in a physically separate environment that can’t be reached via a virtual cloud.

Information with higher security classifications, the SRG notes, “are governed by other policies and are beyond the scope of this document.”

DOD’s established desire to move to a cloud environment has been slowed somewhat by security concerns and the difficulty commercial cloud providers have had in meeting DOD’s security requirements, which have been more stringent than FedRAMP’s. Those requirements will remain more stringent for sensitive data, but the new SRG is designed to help speed up the acquisition process by hewing more closely to FedRAMP.

It also lets agencies negotiate directly with authorized cloud providers, rather than going through DISA as the primary cloud broker. The broker plan, established in 2010, was changed last fall, when DOD reduced DISA’s broker role and decided to have it concentrate on ensuring security.

The new rules also define security policies, requirements and the architecture for implementing commercial cloud services while providing guidance to DOD officials evaluating potential commercial cloud providers.

A growing list of public cloud vendors, including Amazon Web Services, Microsoft Azure and Google Platform, has gained various levels of authorization to offer cloud services to government agencies under FedRAMP, the Federal Risk and Authorization Management Program.

The cloud computing guidance comes as DISA reorganizes to become more agile in its deployment of information technology. Air Force Lt. Gen. Ronnie Hawkins, DISA's director, told an industry group this week that the agency still needs to step up its game as it oversees deployment of cloud platforms across Pentagon agencies.

George Leopold also contributed to this report.