Department of the Navy Cloud Policy
ASN RD&A and DON CIO Memo - Publish Date: 12/07/20
This joint memorandum provides updated policy for the accelerated promotion, acquisition, and consumption of cloud services in the Department of the Navy in direct support of the DON Information Superiority Vision.
JOINT MEMORANDUM FOR DISTRIBUTION
Subj: DEPARTMENT OF THE NAVY CLOUD POLICY
Encl: (1) References
(2) Clarification of Policy for Acquisition of Cloud Services
1. Purpose. This joint memorandum provides updated policy for the accelerated promotion,
acquisition, and consumption of cloud services in the Department of the Navy (DON) in direct
support of the DON Information Superiority Vision found in reference (a).
2. Cancellation. This memorandum cancels and replaces references (b) and (c).
3. Applicability and Scope
- This policy memorandum is applicable to all DON commands and activities.
- All forms of cloud computing as defined in reference (d) are in scope of this policy
memorandum. The scope includes and is not limited to all commercial and government cloud;
all forms of cloud deployment models to include public, private, private on-premises,
community, and hybrid cloud; all forms of cloud deployment environments to include
development, integration, test, pre-production, and production; all forms of cloud service models
to include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a
Service (SaaS); all professional services in support of cloud computing; and any other
subcomponent or derivative form of cloud computing.
- The scope includes all networks and environments, including, but not limited to, all
enterprise, legacy, ashore, afloat, tactical, mobile, lab, and classroom environments.
- The scope includes all funding types and sources, to include non-appropriated funds.
There shall be no exclusions or exemptions to this policy based on funding type or source.
- Nothing in this policy memorandum shall supersede or supplant existing operational
directives, policy, or regulation. In the event of conflicting guidance, the following hierarchy
shall apply:
  - Federal statutes and implementing regulations
  - Department of Defense (DoD) policy or instruction
  - DON or Secretary of the Navy policy or instruction
  - U.S. Navy or U.S. Marine Corps policy or instruction
  - Local (e.g., Echelon II or Major Subordinate Command) policy or instruction
- Upon knowledge of any conflicting guidance based on the hierarchical guidance above,
the Department of the Navy Chief Information Officer (DON CIO) shall be notified and the
DON Cloud Policy shall be updated accordingly.
4. Policy. In accordance with references (d) through (t), the following policy directs how cloud computing services shall be acquired and consumed in the DON:
- Cloud Technology
- The DON shall maintain its global strategic advantage by harnessing the power of
data and information systems through cloud computing. Cloud computing is the primary
approach to transforming how the DON delivers, protects, and manages access to data and
applications across all mission areas. Cloud computing as defined by reference (d) shall be
adopted and consumed in such a way as to maximize its inherent characteristics and advantages.
- The DON cloud computing environment shall ensure effective support for the full
range of missions and data classifications with a purposefully orchestrated multi-cloud,
multi-vendor strategy that focuses investments on limiting duplication, reducing inefficiencies, and
accelerating digital modernization efforts.
- All new software and software development shall leverage the inherent characteristics
of cloud computing services, shall maximize use of enterprise cloud services, and shall support
continuous integration/continuous delivery to the maximum extent possible that both mission
requirements and technical capabilities allow.
- Cloud Acquisition
- All cloud computing services in the DON as defined in reference (d) and in scope as
described in paragraph 3.b above shall be acquired in accordance with references (e) through (g)
and enclosure (2), and starting no later than ninety (90) days from issuance of this memo shall be
provisioned and their consumption monitored via the DON’s Naval Digital Marketplace
https://cloud.navy.mil. The Naval Digital Marketplace shall be managed and maintained
by the DON's Program Executive Office for Digital and Enterprise Services (PEO Digital).
- In accordance with DoD's current Guidance for Implementation of the Department of
Defense Cloud Strategy contained in references (h) through (k), and any future updated DoD
policy or guidance, the DON’s Naval Digital Marketplace will be continuously updated by PEO
Digital to provide visibility, awareness, and access to all DoD approved cloud contracts which
may include, but are not limited to, commercial, Federal, Defense Information Systems Agency
(DISA), Air Force, and Army cloud contracts, in addition to existing Navy and Marine Corps
cloud contracts.
- The DON shall follow a path toward a unified DoD Enterprise Cloud Environment
(DECE) using DoD approved enterprise cloud solutions in accordance with reference (k), so long as they can support the DON workload and mission owner requirements. When DoD approved
enterprise cloud solutions cannot support validated DON mission owner requirements, DON
acquired Fit-for-Purpose Clouds (FPCs) shall be allowed on a case-by-case basis based on a
formal assessment and approval process managed by DON CIO and in accordance with
reference (k), and paragraph 5.b.(4) of this memorandum.
- Starting ninety (90) days from issuance of this memo, all requirements for cloud
computing services that do not leverage existing contracts in the DECE or DON’s Naval Digital
Marketplace shall be submitted to PEO Digital in accordance with reference (f) for review and
validation during Step 4 of the Service Acquisition Process, prior to submission to the Services
Requirements Review Board (SRRB), in order to limit duplication, maximize enterprise
purchasing efficiencies, and accelerate digital modernization efforts. Also starting ninety (90)
days from issuance of this memo, all new cloud services shall not be procured as part of, or
embedded in, a larger systems integration or contractor support service contract unless the cloud
services portion is in support of an existing DON CIO approved FPC.
- The most expeditious and flexible path to cloud services acquisition shall be pursued.
Acquisition methods for all cloud services include, but are not limited to, use of any and all
appropriate Defense Federal Acquisition Regulation Supplement (DFARS) Subparts; use of
Other Transaction Authority (OTA) (as authorized by 10 U.S.C. § 2371b); purchases for
experimental purposes (as authorized by 10 U.S.C. § 2373); use of Government-wide
Acquisition Contracts (GWACs); and use of GSA Multiple Award Schedule (MAS) contracts.
- An approved IT Procurement Request (ITPR) is required for the acquisition of all
cloud computing services in accordance with references (m) and (n) and all current and
applicable DON ITPR policy and directives. This policy memorandum suspends the
requirement for a Business Case Analysis (BCA) as defined by reference (s) as part of the ITPR
for commands seeking to acquire existing DECE or DON CIO approved FPC cloud computing
services via the DON’s Naval Digital Marketplace.
- DON and Service level commands and activities that utilize Military Intelligence
Program (MIP) and/or National Intelligence Program (NIP) funds are encouraged to leverage
existing cloud services offered by the Intelligence Community (IC).
- All DON organizations will coordinate with the DON Special Access Program
Central Office (DON SAPCO) for cloud computing services in accordance with reference (t) for
the protection of special access required information.
- Cloud Operations and Cyber Defense
- PEO Digital shall work with Fleet Cyber Command (FLTCYBERCOM) and Marine
Corps Forces Cyberspace Command (MARFORCYBER) via the respective DON Deputy CIO
(DDCIO) to capture the requirements and develop solutions for a Naval integrated command and
control (C2) system designed to perform centralized service management of network operations
for all DON cloud computing services and workloads, no matter where they are hosted. These services and workloads will fall within the operational control and authority of the designated
Service Cyber Component.
- All DON cloud computing services and workloads shall be assigned to a Cyber
Security Service Provider (CSSP), per applicable Service level policy.
- The DON Chief Information Security Officer (CISO) and Service level Authorizing
Officials (AOs) shall require that all cloud-hosted systems, applications, and environments are
within approved Risk Management Framework (RMF) authorization boundaries in accordance
with reference (q).
- DON CISO and Service level AOs shall maximize use of reciprocity in accordance
with reference (q) by leveraging existing DoD Provisional Authorization (PA) bodies of
evidence (e.g. scope, testing, results, residual risk, plan of action and milestones (POA&M),
continuous monitoring data, etc.) to the maximum extent possible to reduce security
authorization processing time. A cloud service/cloud service offering that has been granted a
DoD PA shall be presumed by the Service level AOs as being fully tested and compliant with
required Assessment Procedures (AP)/Control Correlation Identifiers (CCI) authorized in the
DoD PA unless status has been documented or determined to be non-compliant by other sources.
Service level AOs shall ensure security controls that are shared with the cloud service offering
(CSO)/cloud service provider (CSP) are assessed in accordance with established policies. Risk
decisions are at the discretion of the Service level AO, and authorization decisions for systems
with residual levels of High Risk or Very High Risk are approved or endorsed by the DON CIO.
Secretariat organizations shall be considered part of the Navy Service for the purpose of cloud
service authorization.
5. Responsibilities
- Assistant Secretary of the Navy for Research, Development, and Acquisition (ASN
(RD&A)) is responsible for the acquisition and sustainment of cloud services; designating
associated technical specifications; achieving efficiencies in the acquisition process; and
ensuring effective delivery of those services to meet customer needs. As the Service Acquisition
Executive, ASN (RD&A) may delegate Milestone Decision Authority as appropriate.
- PEO Digital is delegated authority to plan and execute the acquisition and delivery of
cloud services to meet the requirements of all system/mission owners throughout the DON in
accordance with this DON Cloud Policy. Within ninety (90) days of issuance of this memo,
PEO Digital shall coordinate with DON Deputy CIO (Navy) (DDCIO(N)) and DON Deputy CIO
(Marine Corps) (DDCIO(MC)) to develop and publish a DON cloud services acquisition and
delivery plan for both Naval Services and all Secretariat organizations. The PEO Digital DON
cloud services acquisition and delivery plan, and the DDCIO(N) and DDCIO(MC) developed
cloud implementation plans as directed in paragraph 5.b.(1), will include fully coordinated
recommendations to DON CIO via the DON CISO on the most effective and efficient
arrangement for security authorization of cloud services.
- PEO Digital shall designate a Cloud Service Management Organization (Cloud
SMO), which shall serve as the single DON gateway for acquisition and delivery of cloud
services.
- PEO Digital is delegated authority to approve all requests for temporary exceptions to
the acquisition-specific elements of this policy as defined in paragraph 4.b above. Requests for
temporary exceptions to the acquisition-specific elements of this DON Cloud Policy shall be
submitted by the respective DDCIO for Service level requests, and by the requesting
organization for Secretariat level requests, to the Cloud SMO for review and endorsement prior
to submission to PEO Digital.
- All requests for non-expiring exceptions to the acquisition-specific elements of this
policy as defined in section 4.b above shall require ASN (RD&A) approval. Requests for new
non-expiring exceptions to the acquisition-specific elements of this policy shall be submitted by
the respective DDCIO for Service-level requests, and by the requesting organization for
Secretariat level requests, via the Cloud SMO and PEO Digital for review and endorsement prior
to submission to ASN (RD&A).
- DON CIO establishes policy, compliance, budget certification, enterprise architecture, and
technology standards for information technology, information management, information resource
management, cybersecurity, and data, to include National Security Systems and IT embedded in
platforms, business systems, weapon systems, control systems, and other operational technology.
- DON CIO shall ensure that within one hundred and twenty (120) days of issuance of
this memo that DDCIO(N) and DDCIO(MC) develop and publish their respective Service-level
cloud implementation plan(s) or similar documents to address both common and Service-unique,
mission requirements and internal business processes required to implement this policy
memorandum. The DDCIOs shall collaborate to ensure standardization across the DON to the
maximum extent possible. The Cloud SMO and PEO Digital shall provide consultation to the
DDCIOs to ensure alignment between the Service’s cloud requirements and the PEO Digital
published cloud services acquisition and delivery plan. The DDCIO(N) and DDCIO(MC) cloud
implementation plans will include fully coordinated recommendations to DON CIO via the DON
CISO on the most effective and efficient arrangement for security authorization of cloud
services.
- DON CIO shall ensure that all Secretariat organizations implement this DON Cloud
Policy in accordance with the PEO Digital published cloud services acquisition and delivery plan
with the support of the Cloud SMO and PEO Digital. Secretariat organizations shall be
considered part of the Navy Service for the purpose of cloud service acquisition, delivery, and
authorization.
- DON CIO shall ensure that PEO Digital and the DDCIOs collaborate to review and
advise DON CIO on the adequacy, or any shortfalls, of budget levels and resources required by
PEO Digital and the Cloud SMO to fully implement and execute this DON Cloud Policy and the
PEO Digital published cloud services acquisition and delivery plan for both Services and all
Secretariat organizations.
- All requests for new FPCs shall require DON CIO approval. Requests for new FPCs
shall be submitted by the respective DDCIO for Service level requests, and by the requesting
organization for Secretariat level requests, via the Cloud SMO and PEO Digital for review and
endorsement prior to submission to DON CIO.
- All requests for non-expiring exceptions to the cloud technology, operations, and
cyber defense elements of this DON Cloud Policy as defined in sections 4.a. and 4.c. above shall
require DON CIO approval. Requests for new non-expiring exceptions to the cloud technology,
operations, and cyber defense elements of this policy shall be submitted by the respective
DDCIO for Service level requests, and by the requesting organization for Secretariat level
requests, via the Cloud SMO, PEO Digital, and DON CISO for review and endorsement prior to
submission to DON CIO.
6. Governance
- ASN (RD&A) and DON CIO shall leverage existing and appropriate governance for
Naval cloud services acquisition and sustainment. Participation as needed shall also include end-user community representatives who are practitioners of cloud-native and/or distributed systems
software development to ensure policy reflects industry standards, commercial trends, and
pragmatic realities.
- The Department of the Navy point of contact for this matter is Ms. Jane Rathbun, Deputy
Assistant Secretary of the Navy for Information Warfare and Enterprise Services (DASN IWAR)
and DON Chief Technology Officer (CTO), at (703) 697-1054, and jane.rathbun@navy.mil.
Signed by:
Aaron D. Weis
Department of the Navy
Chief Information Officer
Signed by:
James F. Geurts
Assistant Secretary of the Navy
Research, Development, and
Acquisition