Acquisition and Use of Commercial Cloud Computing Services
DON CIO Memo - Publish Date: 05/15/15
This memo provides updated guidance for leveraging commercial cloud services in
the Department of the Navy, implements the December 15, 2014 cloud computing guidance from DoD CIO, cancels the DON CIO June 4, 2013 memo, "Update to Department of the Navy Approach to Cloud Computing," and supersedes all direction concerning cloud pilots and cloud services in the DON CIO July 31, 2013 memo, "Enterprise Mobility and Cloud Service Pilot Project Governance."
Subj: ACQUISITION AND USE OF COMMERCIAL CLOUD COMPUTING SERVICES
Ref: (a) Department of the Navy Chieflnformation Officer Memorandum, Update to Department of the Navy Approach to Cloud Computing, June 4, 2013
(b) DON CIO Memorandum, Enterprise Mobility and Cloud Service Pilot Project Governance, July 31, 2013
(c) Department ofDefense CIO Memorandum, Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services, December 15,2014
(d) DoD CIO Memorandum, Use ofEnterprise Information Technology Standard Business Case Analysis, October 23, 2014
(e) Federal Risk Authorization and Management Program, http://cloud.cio.gov/fedramp
(f) SECNAVINST 5720.44C, Department ofthe Navy Public Affairs Policy and Regulations, Change Transmittal!, October 14, 2014
(g) DoD Cloud Computing Security Requirements Guide (SRG), v1 rl,
http ://iase.disa.mil/ cloud_security/Pages/index.aspx
(h) DoD Instruction 8500.01, Cybersecurity, March 14, 2014
Encl: (1) Cloud Services Supplemental Guidance
(2) Revised Information Impact Levels
(3) DON Enterprise IT Abbreviated BCA
This memorandum provides updated guidance for acquiring commercial cloud services in the Department of the Navy (DON). It also cancels reference (a) and all direction concerning cloud pilots and services in reference (b). Reference (c) states that Department of Defense (DoD) Components may now acquire
cloud services directly, without employing the Defense Information Systems Agency (DISA) as a cloud broker. To ensure the consistent, best value, enterprise-wide approach directed by DoD CIO, the DON will adhere to the following requirements.
1. Each anticipated use of commercial cloud services will first be analyzed using either the DoD Enterprise IT Business Case Analysis (BCA) template provided in reference (d) or the DON Enterprise IT Abbreviated Business Case Analysis template, provided in enclosure (3). Whichever template is used, DISA- provided cloud services must be included as one of the alternatives considered. All BCAs will be reviewed by the
respective Service DON Deputy CIO. Those recommended for approval will be submitted to DON CIO for final approval. Per reference (c), DON CIO will forward approved BCAs to DoD CIO.
2. Federal Risk Authorization and Management Program (FedRAMP) authorization is the minimum security baseline for all DoD commercial cloud services, as described in reference (e).
3. Non-Controlled Unclassified Information (Impact Level2) that is publicly releasable may be hosted by a Cloud Service Provider (CSP) that is FedRAMP compliant. The decision to accept such authorization is subject to acceptance by the application/system owner, Service DON Deputy CIO, and the responsible Navy or Marine Corps Authorizing Official (AO). Level2 information systems and applications are prime
candidates for commercial cloud services due to the low attendant risk. Guidance concerning information release and public communication is provided in reference (f).
4. For more sensitive Controlled Unclassified Information (CUI) (Impact Level4), a DoD Provisional Authorization (P A) is required in addition to FedRAMP Authorization. Per reference (g), DISA will issue a DoD PA ifthe CSP meets the requirements. The PA will describe the types of information and associated systems that can be hosted by a particular cloud service. The Navy or Marine Corps AO must issue an Authority to Operate accepting the risk for the system or application being hosted in a commercial cloud environment and for the environment itself.
5. A commercial cloud service hosting CUI (Impact Level4) must be connected to customers through a cloud access point (CAP) provided by either DISA or another DoD Component. All CAPs must be approved by the DoD CIO.
6. Defense Procurement and Acquisition Policy (DP AP) will develop appropriate contract language to address the issues, guidance and requirements in DFARS Case 20 13-D024, Contracting for Cloud Services. In the interim, DON mission owners with approved BCAs are advised to use the language provided in the DP AP Class Deviation-SUBPART 239.99-CLOUD COMPUTING (DEVIATION 2015-00011).
7. DON entities that acquire commercial cloud services are responsible for the cyberspace defense of all information and associated systems hosted therein and for ensuring that end-to-end security requirements are met in accordance with reference (h). Successful operation and defense will require collaboration and information sharing among the DON, DISA and the CSP.
The DON point of contact is Ms. Susan Shuryn, 703-695-2005; email@example.com.
John A. Zangardi