The Defense Department is in active discussions with leaders of the commercial information technology sector about how to update or possibly replace the rulebook that’s governed its security demands for firms that have provided it with cloud computing services for nearly three years.
Representatives from the DoD chief information officer’s office hosted two separate sessions within the last 60 days with cloud firms that offer infrastructure, platforms and software-as-a-service to discuss how the department might modernize its approach to cloud security.
The focus, said Essye Miller, the deputy DoD CIO for cybersecurity, has been on making the Pentagon’s security demands less specific and prescriptive, perhaps by relying more on the security protections cloud providers already build into their commercial products to achieve the level of security DoD wants.
“The discussion was really, truly to the point: What are those things that industry can provide for us and where do we need to adjust, not only in terms of requirements, but to shift our language from specifically what we’re looking for in terms of solutions to expected outcomes,” she told reporters on a conference call this week.
The department’s Cloud Security Requirements Guide, first issued by the Defense Information Systems Agency in January 2015 and revised in minor ways several times since then, has laid out the various security controls cloud providers must employ if they want to host or process DoD data at several different security levels, ranging from publicly-releasable data to secret information.
“We have not made a decision that we will redo the SRG, but I think we are taking into consideration feedback from our industry partners on where we need to adjust,” Miller said. “Some of it will be based on the requirement. As we see more capabilities to rationalize our infrastructure, this won’t be a cookie cutter-type answer. We need to wind up in a posture such that we’ve got the spectrum covered.”
DoD IT officials have previously acknowledged that some aspects of the department’s cloud security rules were creating a “bottleneck” in migrating systems to the commercial cloud, particularly when it comes to systems that involve sensitive data. Those migrations have been few and far between, partially because of the requirement that data the department categorizes at impact levels four, five and six — sensitive and secret information — transit to and from cloud providers via a DoD-provided Cloud Access Point.
But Miller said a September directive from Deputy Defense Secretary Patrick Shanahan, which ordered a number of steps to “accelerate” DoD’s cloud adoption at an enterprise level, added some urgency to making the department’s security rules less burdensome.
“I think we’ll have to, and this isn’t strictly about cloud,” she said. “If you look at what we did with electronic health records, as we worked with Cerner and Leidos, both from an industry and government perspective, the lessons learned were that there were adjustments to be made on both ends. We are typically more stringent when industry offers innovation that we may not have explored. So my word of encouragement to folks who work in our security business is balance. How do we strike a balance between our security controls and the experience that industry brings to bear?”
Although DoD’s current cloud security rules are ostensibly tailored specifically for cloud computing environments and were designed from the beginning to let system owners take “informed risks” in their decisions to migrate to commercial service providers, the underlying security rules are mostly based on DoD’s experience with brick-and-mortar data centers, said Ken Bible, the Marine Corps’ deputy chief information officer.
“They emerged over many years of racking and stacking the controls we placed over traditional IT in the DoD environment, and I think industry can help us think through what of those guidelines can change, based not only on virtualization at the application, server, system level, but now with things like network function virtualization, what can change?” he said. “Our standards today were built in a time where every system was a rack of computers, and now we’re talking about buying those racks of gear simply as a service.”
In his Sept. 13 memo, Shanahan told the Defense Department to “accelerate” its move to the cloud in a two-phase process. In the first, he tasked the Defense Digital Service with conducting a “tailored acquisition process” to enter into a contract with a company or companies that can support information up to the secret level. The second phase tells a newly-established cloud steering group to begin transitioning DoD systems to the newly-acquired cloud solution.
Defense officials said that although it remained unclear precisely what changes the department will have to make to its security approval process to enable that to happen, they would likely be based on some of the lessons learned from approximately 200 separate cloud “activities” now underway throughout the department.
“We’re going to build on some of the momentum that’s already been building across the services,” said Maj. Gen. Ed Wilson, the deputy principal cyber advisor to the secretary of defense. “We have several examples that have already been pathfinders or pilots for us. We have some experience, and harnessing those lessons is going to be important to us. It’s not like we’re jumping into an abyss. It all gets back to roles and responsibilities when it comes to risk. What’s the role of a contracted entity versus the government, and how do we divide that up?”
One of those pathfinders has been the Army’s experiment to allow a contractor-owned-and-operated cloud facility to operate within its gates at Redstone Arsenal, Alabama.
The Army awarded a $62 million contract to IBM to operate the facility a year ago. It’s intended to serve as a test case for how the military might take advantage of the flexibility and lower costs of commercial cloud computing while simplifying the security process by housing the data inside the physical and virtual fenceline of a military installation.
Kevin Aven, IBM’s co-account lead for Army and Marine Corps matters, said the project is running months ahead of schedule and is already positioned to begin hosting its first applications dealing with sensitive data. But one of the biggest hurdles has been making sense of what DoD-specific cybersecurity controls must be applied to the Army’s new private cloud in light of the protections IBM already provides as part of its product.
“The biggest challenge we’re still working our way through is security redundancy,” Aven said. “The Army has certain security protocols for a traditional data center, but we bring with us a responsibility to provide that same security in our normal delivery of a cloud environment. The Army’s security protocols were built with the assumption that you’re working in a traditional data center. We don’t want redundant security, because that translates to latency. You’re always trying to remove as much of that latency as you can so that the person who’s using that application is getting the kind of experience they’re looking for.”