Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services

DoD CIO Memo - Publish Date: 12/15/14

download PDF

This memo clarifies and updates DoD guidance when acquiring commercial cloud services. In the context of this memo, commercial cloud services also refer to cloud services provided by non-DoD federal government organizations.

SUBJECT: Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services

References: (a) DoD Memorandum, "Designation of the Defense Information Systems Agency as the Department of Defense Enterprise Cloud Service Broker," June 26, 2012 (Canceled)

(b) DoD Memorandum, "Supplemental Guidance for the Department of Defense's Acquisition and Secure Use of Commercial Cloud Services," December 16, 2013 (Canceled)

(c) DoD Memorandum, "Use of Enterprise Information Technology Standard Business Case Analysis," October 23, 2014

(d) Federal Risk Authorization and Management Program, http: //cloud.cio.gov/fedramp

(e) DoD Instruction 8500.01 "Cybersecurity", March 14,2014

This memo clarifies and updates DoD guidance when acquiring commercial cloud services, and hereby cancels and replaces references (a) and (b). In the context of this memo, commercial cloud services also refer to cloud services provided by Non-DoD federal government organizations.

1. DoD components may acquire cloud services directly. It is no longer a requirement to use DISA for the acquisition of cloud computing services.

2. Each Component remains responsible for determining what data and missions are hosted by external cloud service providers per the direction below.

3. Each use of cloud services must be analyzed using the Enterprise IT Business Case Analysis (BCA) template as provided in reference (c). The BCA must be approved by the Component CIO and a copy submitted to the DoD CIO. DISA provided cloud services must be considered as part of the BCA.

4. The Federal Risk Authorization and Management Program (FedRAMP) will serve as the minimum security baseline for all DoD cloud services as described in reference (d). Per current policy, components may host Unclassified DoD information that has been publicly released on FedRAMP approved cloud services.

5. For more sensitive DoD unclassified data or missions (called Sensitive Data below), DoD has developed cloud security requirements and guidance that go beyond FedRAMP. A draft of this DoD Cloud Computing Security Requirements Guide (the Guide) is currently out for DoD public comment, with official release scheduled for January 7, 2015. The Guide is intended to give cloud providers a stable security requirement, and to help DoD cloud customers move more rapidly and securely into the cloud. The Guide defines several classes of Sensitive Data, with increasing security requirements for each. Additional detail on the Guide and the Guide development process can be found in paragraph 11.

6. Any cloud service provider that is interested in hosting Sensitive Data will submit evidence to DISA that the provider meets specific requirements of the Guide. DISA will evaluate this evidence and if the provider meets the requirements, DISA will issue a DoD Provisional Authorization (PA). The PA will describe the types of information and mission that can be hosted by a particular cloud service.

7. Per the BCA of paragraph three, using the customer guidance in the Guide and the information in the PA, the CIO of each Component will determine which cloud service provider to use for a particular set of information or mission. DoD Components may only host Sensitive Data in cloud service providers that have an appropriate PA.

8. Commercial cloud services used for Sensitive Data must be connected to customers through a Cloud Access Point (CAP) provided by DISA or through a CAP provided by another DoD Component. All CAPs must be approved by DoD CIO. The current Navy CAP is an example of an approved provisional cloud access point. In the future, in order to standardize cyber defenses, our goal is that all DoD access to commercial cloud services be via a DISA provided CAP. This CAP will protect all DoD missions from incidents that affect a particular cloud service provider, and will provide perimeter defenses and sensing for applications hosted in the commercial cloud service.

9. Operations in a cloud environment are diverse and will require different concepts of operations (CONOPS), business strategies, etc. Components are responsible for cyberspace defense of all information and missions hosted in commercial cloud services, and will share cyberspace defense information as necessary and appropriate with cloud service providers, in accordance with reference (e). DoD Components that acquire or use cloud services are still responsible for ensuring that end to end security requirements are met. To operate and defend successfully, this will require collaboration and information sharing among the Component, DISA and the cloud service provider.

10. The DoD Cloud Computing Security Requirements Guide will be an evolving document informed by public and private input. It is intended to be a collaborative document between the government and private sector that recognizes the rapid technology and business changes in the cloud services environment. To assist in the development and use of the DoD Cloud Computing Security Requirements Guide, DoD will be holding a series of meetings, the first being a technical interchange meeting in person and via the web with interested DoD and industry partners on December 18, 2014. Comments on the draft DoD Cloud Computing Security Requirements Guide are due by December 29, 2014. Details can be found at http: //iase.disa.mil/cloud security/Pages/index.aspx. In January 2015, the Deputy CIO for Cybersecurity will host the first regular meeting with DoD and industry, at which time the organizations with key cloud responsibilities in DoD will describe DoD requirements, processes, and plans, and seek feedback from our government, private and public partners in the cloud environment. In addition, comments on the Guide are welcome at any time, via the following email address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

11. Additional information on procuring cloud services is provided in attachment (1).

DoD CIO point of contact for cloud is Robert Vietmeyer, robert.w.vietmeyer.civ@mail.mil, (571) 372-4461. The DISA point of contact is the Risk Management Office, disa.meade.ma.mbx.maops@mail.mil, (301) 225-7900.

Signed by:
Terry A. Halvorsen

TAGS: Cloud