DoD reexamining cloud policies to remove bottleneck for sensitive data – FederalNewsRadio.com

For more than two years, the Defense Department has had procedures in place that, at least on paper, allow its sensitive data to be housed in commercial cloud computing facilities. But migrations to the cloud have been relatively few and far between for anything besides public, unclassified data.

That's partially because, for impact levels 4 and above, not only do providers have to earn authorizations that go above and beyond the governmentwide FedRAMP process, but any data they process also has to make its way through a DoD-provided Cloud Access Point (CAP).

The department is taking a fresh look at that latter point, saying its current CAP policies may be creating an unnecessary roadblock to DoD's cloud ambitions. As of now, there are only two access points in existence: one run by the Defense Information Systems Agency and one by the Navy.

Dr. John Zangardi, the department's acting chief information officer, said he's asked his office to revisit the policy with an eye toward letting commercial cloud vendors provide a CAP-like capability on their own.


"It's my job to ensure the most effective IT support to the warfighter and to make best use of resources, so the question to my staff is, 'How can we do CAP better?'" he said last week at the Defense Cyber Operations Summit in Baltimore, Md. "Specifically, can it be provided as a service? It's a significant question, but if it is resolved, it should open opportunities for services and components to move more quickly to commercial cloud providers."

DoD's current policy on access points is laid out in the security requirements guide (SRG) it published in April 2015 and last updated in March of this year. It requires all network traffic that's making its way between DoD systems and a commercial cloud provider to pass through government-operated monitoring systems, firewalls and other intrusion prevention systems, even when the cloud provider's system is operating entirely within a DoD facility.

The overall objective will remain the same: giving some reasonable level of assurance that Defense networks can't be penetrated via their connections to cloud providers, since most commercial cloud facilities are connected to the public Internet in some fashion, Zangardi said. He said the latest SRG will be updated to reflect any changes in DoD's thinking "when we get that far."

Cloud access points are among the issues likely to be raised later this week when DoD hosts an industry day to hash out the issues surrounding a final cybersecurity-focused contracting rule the department issued last October after nearly a year of public comment and revisions.

The final, updated version failed to address industry's concerns, and their representatives have been asking for a face-to-face meeting ever since.

The final version of the update to the Defense Federal Acquisition Regulation Supplement sweeps in what had been two separate interim rules. One portion requires contractors to report any data breaches involving Defense information within 72 hours and to implement the National Institute of Standards and Technology's new guidelines for protecting controlled unclassified information by the end of 2017.

A second makes plain that vendors must comply with the controls in DoD's cloud SRG as a condition of their contracts, but goes a few steps further, including demanding that government personnel be allowed to physically enter cloud hosting facilities to conduct audits or inspections.

That's because, according to a 27-page FAQ the department issued earlier this year, its interpretation of the Federal Information Security Management Act dictates that it treat any IT system that's operated on DoD's behalf as though it were a government operation.

Both before and after the issuance of the final rule, industry officials have expressed confusion over how the new rule fits in with a host of other provisions the government added to the Federal Acquisition Regulation at about the same time, including one by the National Archives and Records Administration that set governmentwide definitions for what constitutes controlled unclassified information, and another new FAR provision that requires all federal contractors to come into compliance with at least some of NIST's guidelines for protecting CUI.

"Our objective at this meeting is to clarify some foundational questions," Zangardi said. "What are the clauses? What is Covered Defense Information? How is it identified and marked? How does the rule work in the cloud computing environment? It should be a substantive, productive discussion."
