Doug Gardner, Technical Director for the Mission Assurance Executive at DISA, participates in a panel discussion about IT security during the Federal Cloud Computing Summit at the Ronald Reagan Building in Washington, D.C., on Tuesday, December 17, 2013. At left is Maria Roat, FedRAMP Director at GSA. (Mike Morones/Staff) (Mike Morones)
The Defense Department is one step closer to finalizing what it takes to securely host the military’s controlled unclassified data in a commercial cloud. A pilot program is getting underway that will test DoD-specific standards – called “impact levels” – that go beyond those required by the governmentwide cloud security program known as FedRAMP.
Last week, a panel of senior military leaders approved the pilot program that will test practical means for the private sector and DoD to implement the standards, said Doug Gardner, with the Defense Information Systems Agency. The panel is chaired by Rear Adm. Marshall Lytle, chief information officer for U.S. Cyber Command, and determines what risks are being added to the DoD enterprise.
The panel will get a progress report on the pilot in six months.
DoD requirements for hosting controlled unclassified data are more rigorous than standards approved for storing unclassified data in the cloud, said Gardner, who spoke Tuesday at the Federal Cloud Computing Summit in Washington. As DISA’s technical director for the PEO for mission assurance, Gardner is among the group tasked with defining DoD security requirements for commercial cloud service providers.
The pilot program will help DoD understand how to implement what it calls a computer network defense service provider, or CNDSP, concept for cloud vendors. Gardner described CNDSPs as a group of security specialists who manage the flow of security data reporting between DoD organizations and agencies to higher levels like Cyber Command and provide an oversight mechanism.
DoD is working through the requirements for applying this concept to the commercial space, Gardner said.
In creating these impact levels, Gardner said that FedRAMP’s 298 security controls by and large met DoD’s needs but did not account for a few basic standards for hosting unclassified data.
The bigger issue is ensuring vendors can customize their cloud environments to meet DoD’s unique needs for handling more sensitive data, Gardner said. To do so, vendors have to structure and secure their cloud environments for DoD’s unclassified NIPRNet.
DoD wants enough visibility into the security landscape of these cloud environments to make relevant military decisions, he said.
“We felt a need to customize the basic [cloud] implementation so that it’s integrated with DoD from a command and control perspective,” Gardner said. “When we get to our most sensitive data, absolutely we want to see.”