DOD engaging industry to help with cloud transition

The department wants to collaborate with commercial providers, establish common security standards and reassess which information needs to be treated as sensitive.

In its push into cloud computing, the Defense Department is looking to more actively involve commercial providers, establish common security standards and reevaluate what information should be deemed classified.

DOD CIO Terry Halvorsen last Friday hosted the first of what is to be a series of DOD CIO Cloud Industry Days in Washington, with the goal of keeping industry up to speed on DOD’s needs as part of an ongoing dialog, according to a DOD release. Halvorsen said he wants to avoid a situation where commercial providers develop cloud services in line with one set of standards only to find that “we’ve found new security threats and [their solution] is not going to work.” He also sees collaboration as a way to expand the use of the cloud.

The key to making any cloud solution work is security, and DOD could use its leverage as a large customer to raise the “national cyber bar” on security, he said, with common standards that could apply across government and industry and allow DOD to take advantage of the cost savings inherent in using the cloud. Common standards could also eventually allow for interconnectivity between government and commercial systems, such as those in the financial sector, which could further increase savings.

The Defense Information Systems Agency, which evaluates cloud solutions for DOD use, recently released its security requirements guide for cloud computing. The guide does away with DISA’s strict Cloud Security Model and hews more closely to the Federal Risk and Authorization Management Program used by civilian federal agencies, though it sets additional security requirements when needed.

One question, Halvorsen said, is how often that extra security is truly needed. “I think [relatively sensitive data] is a much smaller portion of our data than we think it is,” he said. One example: budget data from 1949 that was sensitive in the years following World War II but is of little interest now—and yet is still stored with classified information.

Though its progress has been slow because of security concerns, DOD is moving inexorably to the cloud. One goal is to put as much non-sensitive data into the cloud as it can, via commercial or government-provided services. It also can allow some classified data in the cloud, with DISA’s milCloud, which last fall was configured to handle the requirements for SIPRNet, DOD’s Secret IP Router Network. And the evolving Joint Information Environment, designed to provide an interoperable platform for all the military services, other DOD component agencies and coalition partners, also will rely on the cloud.

“All the service CIOs get that we’ve got to go there. Top leadership gets that we've got to go there,” Halvorsen added. The open dialog with industry is intended to help it come about.