
CHIPS Articles: Department of the Navy Cloud Policy

Department of the Navy Cloud Policy
By ASN RD&A and DON CIO Memo - October-December 2020
This joint memorandum provides updated policy for the accelerated promotion, acquisition, and consumption of cloud services in the Department of the Navy in direct support of the DON Information Superiority Vision.

Subj: DEPARTMENT OF THE NAVY CLOUD POLICY

Encl: (1) References
(2) Clarification of Policy for Acquisition of Cloud Services

1. Purpose. This joint memorandum provides updated policy for the accelerated promotion, acquisition, and consumption of cloud services in the Department of the Navy (DON) in direct support of the DON Information Superiority Vision found in reference (a).

2. Cancellation. This memorandum cancels and replaces references (b) and (c).

3. Applicability and Scope

  1. This policy memorandum is applicable to all DON commands and activities.
  2. All forms of cloud computing as defined in reference (d) are in scope of this policy memorandum. The scope includes and is not limited to all commercial and government cloud; all forms of cloud deployment models to include public, private, private on-premises, community, and hybrid cloud; all forms of cloud deployment environments to include development, integration, test, pre-production, and production; all forms of cloud service models to include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS); all professional services in support of cloud computing; and any other subcomponent or derivative form of cloud computing.
  3. The scope includes all networks and environments, including, but not limited to, all enterprise, legacy, ashore, afloat, tactical, mobile, lab, and classroom environments.
  4. The scope includes all funding types and sources, to include non-appropriated funds. There shall be no exclusions or exemptions to this policy based on funding type or source.
  5. Nothing in this policy memorandum shall supersede or supplant existing operational directives, policy, or regulation. In the event of conflicting guidance, the following hierarchy shall apply:
    1. Federal statutes and implementing regulations
    2. Department of Defense (DoD) policy or instruction
    3. DON or Secretary of the Navy policy or instruction
    4. U.S. Navy or U.S. Marine Corps policy or instruction
    5. Local (e.g., Echelon II or Major Subordinate Command) policy or instruction
  6. Upon knowledge of any conflicting guidance based on the hierarchical guidance above, the Department of the Navy Chief Information Officer (DON CIO) shall be notified and the DON Cloud Policy shall be updated accordingly.

4. Policy. In accordance with references (d) through (t), the following policy directs how cloud computing services shall be acquired and consumed in the DON:

  1. Cloud Technology

    1. The DON shall maintain its global strategic advantage by harnessing the power of data and information systems through cloud computing. Cloud computing is the primary approach to transforming how the DON delivers, protects, and manages access to data and applications across all mission areas. Cloud computing as defined by reference (d) shall be adopted and consumed in such a way as to maximize its inherent characteristics and advantages.
    2. The DON cloud computing environment shall ensure effective support for the full range of missions and data classifications with a purposefully orchestrated multi-cloud, multivendor strategy that focuses investments on limiting duplication, reducing inefficiencies, and accelerating digital modernization efforts.
    3. All new software and software development shall leverage the inherent characteristics of cloud computing services, shall maximize use of enterprise cloud services, and shall support continuous integration/continuous delivery to the maximum extent possible that both mission requirements and technical capabilities allow.


  2. Cloud Acquisition

    1. All cloud computing services in the DON as defined in reference (d) and in scope as described in paragraph 3.b above shall be acquired in accordance with references (e) through (g) and enclosure (2), and starting no later than ninety (90) days from issuance of this memo shall be provisioned and their consumption monitored via the DON’s Naval Digital Marketplace https://cloud.navy.mil. The Naval Digital Marketplace shall be managed and maintained by the DON's Program Executive Office for Digital and Enterprise Services (PEO Digital).
    2. In accordance with DoD's current Guidance for Implementation of the Department of Defense Cloud Strategy contained in references (h) through (k), and any future updated DoD policy or guidance, the DON’s Naval Digital Marketplace will be continuously updated by PEO Digital to provide visibility, awareness, and access to all DoD approved cloud contracts which may include, but are not limited to, commercial, Federal, Defense Information Systems Agency (DISA), Air Force, and Army cloud contracts, in addition to existing Navy and Marine Corps cloud contracts.
    3. The DON shall follow a path toward a unified DoD Enterprise Cloud Environment (DECE) using DoD approved enterprise cloud solutions in accordance with reference (k), so long as they can support the DON workload and mission owner requirements. When DoD approved enterprise cloud solutions cannot support validated DON mission owner requirements, DON acquired Fit-for-Purpose Clouds (FPCs) shall be allowed on a case-by-case basis based on a formal assessment and approval process managed by DON CIO and in accordance with reference (k), and paragraph 5.b.(4) of this memorandum.
    4. Starting ninety (90) days from issuance of this memo, all requirements for cloud computing services that do not leverage existing contracts in the DECE or DON’s Naval Digital Marketplace shall be submitted to PEO Digital in accordance with reference (f) for review and validation during Step 4 of the Service Acquisition Process, prior to submission to the Services Requirements Review Board (SRRB), in order to limit duplication, maximize enterprise purchasing efficiencies, and accelerate digital modernization efforts. Also starting ninety (90) days from issuance of this memo, all new cloud services shall not be procured as part of, or embedded in, a larger systems integration or contractor support service contract unless the cloud services portion is in support of an existing DON CIO approved FPC.
    5. The most expeditious and flexible path to cloud services acquisition shall be pursued. Acquisition methods for all cloud services include, but are not limited to, use of any and all appropriate Defense Federal Acquisition Regulation Supplement (DFARS) Subparts; use of Other Transaction Authority (OTA) (as authorized by 10 U.S.C. § 2371b); purchases for experimental purposes (as authorized by 10 U.S.C. § 2373); use of Government-wide Acquisition Contracts (GWACs); and use of GSA Multiple Award Schedule (MAS) contracts.
    6. An approved IT Procurement Request (ITPR) is required for the acquisition of all cloud computing services in accordance with references (m) and (n) and all current and applicable DON ITPR policy and directives. This policy memorandum suspends the requirement for a Business Case Analysis (BCA) as defined by reference (s) as part of the ITPR for commands seeking to acquire existing DECE or DON CIO approved FPC cloud computing services via the DON’s Naval Digital Marketplace.
    7. DON and Service level commands and activities that utilize Military Intelligence Program (MIP) and/or National Intelligence Program (NIP) funds are encouraged to leverage existing cloud services offered by the Intelligence Community (IC).
    8. All DON organizations will coordinate with the DON Special Access Program Central Office (DON SAPCO) for cloud computing services in accordance with reference (t) for the protection of special access required information.


  3. Cloud Operations and Cyber Defense

    1. PEO Digital shall work with Fleet Cyber Command (FLTCYBERCOM) and Marine Corps Forces Cyberspace Command (MARFORCYBER) via the respective DON Deputy CIO (DDCIO) to capture the requirements and develop solutions for a Naval integrated command and control (C2) system designed to perform centralized service management of network operations for all DON cloud computing services and workloads, no matter where they are hosted. These services and workloads will fall within the operational control and authority of the designated Service Cyber Component.
    2. All DON cloud computing services and workloads shall be assigned to a Cyber Security Service Provider (CSSP), per applicable Service level policy.
    3. The DON Chief Information Security Officer (CISO) and Service level Authorizing Officials (AOs) shall require that all cloud-hosted systems, applications, and environments are within approved Risk Management Framework (RMF) authorization boundaries in accordance with reference (q).
    4. DON CISO and Service level AOs shall maximize use of reciprocity in accordance with reference (q) by leveraging existing DoD Provisional Authorization (PA) bodies of evidence (e.g. scope, testing, results, residual risk, plan of action and milestones (POA&M), continuous monitoring data, etc.) to the maximum extent possible to reduce security authorization processing time. A cloud service/cloud service offering that has been granted a DoD PA shall be presumed by the Service level AOs as being fully tested and compliant with required Assessment Procedures (AP)/Control Correlation Identifiers (CCI) authorized in the DoD PA unless status has been documented or determined to be non-compliant by other sources. Service level AOs shall ensure security controls that are shared with the cloud service offering (CSO)/cloud service provider (CSP) are assessed in accordance with established policies. Risk decisions are at the discretion of the Service level AO, and authorization decisions for systems with residual levels of High Risk or Very High Risk are approved or endorsed by the DON CIO. Secretariat organizations shall be considered part of the Navy Service for the purpose of cloud service authorization.

5. Responsibilities

  1. Assistant Secretary of the Navy for Research, Development, and Acquisition (ASN (RD&A)) is responsible for the acquisition and sustainment of cloud services; designating associated technical specifications; achieving efficiencies in the acquisition process; and ensuring effective delivery of those services to meet customer needs. As the Service Acquisition Executive, ASN (RD&A) may delegate Milestone Decision Authority as appropriate.

    1. PEO Digital is delegated authority to plan and execute the acquisition and delivery of cloud services to meet the requirements of all system/mission owners throughout the DON in accordance with this DON Cloud Policy. Within ninety (90) days of issuance of this memo, PEO Digital shall coordinate with DON Deputy CIO (Navy) (DDCIO(N)) and DON Deputy CIO (Marine Corps) (DDCIO(MC)) to develop and publish a DON cloud services acquisition and delivery plan for both Naval Services and all Secretariat organizations. The PEO Digital DON cloud services acquisition and delivery plan, and the DDCIO(N) and DDCIO(MC) developed cloud implementation plans as directed in paragraph 5.b.(1), will include fully coordinated recommendations to DON CIO via the DON CISO on the most effective and efficient arrangement for security authorization of cloud services.
    2. PEO Digital shall designate a Cloud Service Management Organization (Cloud SMO), which shall serve as the single DON gateway for acquisition and delivery of cloud services.
    3. PEO Digital is delegated authority to approve all requests for temporary exceptions to the acquisition-specific elements of this policy as defined in paragraph 4.b above. Requests for temporary exceptions to the acquisition-specific elements of this DON Cloud Policy shall be submitted by the respective DDCIO for Service level requests, and by the requesting organization for Secretariat level requests, to the Cloud SMO for review and endorsement prior to submission to PEO Digital.
    4. All requests for non-expiring exceptions to the acquisition-specific elements of this policy as defined in section 4.b above shall require ASN (RD&A) approval. Requests for new non-expiring exceptions to the acquisition-specific elements of this policy shall be submitted by the respective DDCIO for Service-level requests, and by the requesting organization for Secretariat level requests, via the Cloud SMO and PEO Digital for review and endorsement prior to submission to ASN (RD&A).


  2. DON CIO establishes policy, compliance, budget certification, enterprise architecture, and technology standards for information technology, information management, information resource management, cybersecurity, and data, to include National Security Systems and IT embedded in platforms, business systems, weapon systems, control systems, and other operational technology.

    1. DON CIO shall ensure that, within one hundred and twenty (120) days of issuance of this memo, DDCIO(N) and DDCIO(MC) develop and publish their respective Service-level cloud implementation plan(s) or similar documents to address both common and Service-unique mission requirements and internal business processes required to implement this policy memorandum. The DDCIOs shall collaborate to ensure standardization across the DON to the maximum extent possible. The Cloud SMO and PEO Digital shall provide consultation to the DDCIOs to ensure alignment between the Service’s cloud requirements and the PEO Digital published cloud services acquisition and delivery plan. The DDCIO(N) and DDCIO(MC) cloud implementation plans will include fully coordinated recommendations to DON CIO via the DON CISO on the most effective and efficient arrangement for security authorization of cloud services.
    2. DON CIO shall ensure that all Secretariat organizations implement this DON Cloud Policy in accordance with the PEO Digital published cloud services acquisition and delivery plan with the support of the Cloud SMO and PEO Digital. Secretariat organizations shall be considered part of the Navy Service for the purpose of cloud service acquisition, delivery, and authorization.
    3. DON CIO shall ensure that PEO Digital and the DDCIOs collaborate to review and advise DON CIO on the adequacy, or any shortfalls, of budget levels and resources required by PEO Digital and the Cloud SMO to fully implement and execute this DON Cloud Policy and the PEO Digital published cloud services acquisition and delivery plan for both Services and all Secretariat organizations.
    4. All requests for new FPCs shall require DON CIO approval. Requests for new FPCs shall be submitted by the respective DDCIO for Service level requests, and by the requesting organization for Secretariat level requests, via the Cloud SMO and PEO Digital for review and endorsement prior to submission to DON CIO.
    5. All requests for non-expiring exceptions to the cloud technology, operations, and cyber defense elements of this DON Cloud Policy as defined in sections 4.a. and 4.c. above shall require DON CIO approval. Requests for new non-expiring exceptions to the cloud technology, operations, and cyber defense elements of this policy shall be submitted by the respective DDCIO for Service level requests, and by the requesting organization for Secretariat level requests, via the Cloud SMO, PEO Digital, and DON CISO for review and endorsement prior to submission to DON CIO.

6. Governance

  1. ASN (RD&A) and DON CIO shall leverage existing and appropriate governance for Naval cloud services acquisition and sustainment. Participation as needed shall also include end-user community representatives who are practitioners of cloud-native and/or distributed systems software development to ensure policy reflects industry standards, commercial trends, and pragmatic realities.

  2. The Department of the Navy point of contact for this matter is Ms. Jane Rathbun, Deputy Assistant Secretary of the Navy for Information Warfare and Enterprise Services (DASN IWAR) and DON Chief Technology Officer (CTO), at (703) 697-1054, and jane.rathbun@navy.mil.

Signed by:
Aaron D. Weis
Department of the Navy
Chief Information Officer

Signed by:
James F. Geurts
Assistant Secretary of the Navy
Research, Development, and
Acquisition


CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988