Additional Guidance Regarding Acquisition and use of Commercial Cloud Computing Services in the DON
DON CIO Memo - Publish Date: 05/17/16
In a May 17, 2016 memo, the DON CIO issued updated guidance for acquiring commercial cloud services in the DON. The updated memo amends May 15, 2015 guidance titled, "Acquisition and Use of Commercial Cloud Computing Services." This memo delegates final approval authority for Navy and Marine Corps commercial cloud services business case analyses (BCAs) to the DON Deputy CIO (Navy) and DON Deputy CIO (Marine Corps). DON CIO retains final approval authority of Secretariat BCAs. The memo also cites specific Defense Federal Acquisition Regulation Supplement (DFARS) guidance on acquiring commercial cloud computing services.
Subj: ADDITIONAL GUIDANCE REGARDING ACQUISITION AND USE OF COMMERCIAL CLOUD COMPUTING SERVICES IN THE DEPARTMENT OF THE NAVY
Ref: (a) DON CIO Memorandum, Subj: Acquisition and Use of Commercial Cloud Computing Services, 15 May 2015
(b) DoD CIO Memorandum, Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services, 15 December 2014
(c) Defense Federal Acquisition Regulation Supplement (DFARS) Subpart 239.76
(d) DoD Cloud Computing Security Requirements Guide (SRG), Version 1, Release 2, 18 March 2016, et seq.
(e) National Institute of Standards and Technology (NIST) Special Publication 500-291, Version 2, NIST Cloud Computing Standards Roadmap, July 2013
This memorandum updates reference (a) concerning the acquisition of commercial cloud computing services in the Department of the Navy (DON).
Effective immediately, the DON Chief Information Officer (CIO) delegates final approval of Navy and Marine Corps commercial cloud business case analyses (BCAs) to the DON Deputy CIO (Navy) and DON Deputy CIO (Marine Corps), respectively. A copy of each final approved BCA shall be forwarded to the DON CIO and to the DoD CIO in accordance with reference (b). DON Secretariat commercial cloud BCAs remain under DON CIO approval authority, and shall be routed accordingly within the Navy Information Technology Approval System (NAVITAS).
Commercial cloud computing services shall be acquired in accordance with reference (c) and shall operate in accordance with reference (d). Reference (a) addresses the development of a managed service model to facilitate assessment, employment, and sustainment of authorized commercial cloud offerings by system and application owners. Advancing that approach, the DON Deputy CIO (Navy) and DON Deputy CIO (Marine Corps) shall establish and oversee Managed Service Organizations (MSOs) to coordinate and assist in any commercial cloud acquisition and operational efforts within their respective organizations. Secretariat organizations may leverage Navy MSOs. An MSO, also referred to as a Cloud Broker per reference (e), will assist application owners throughout the acquisition process and after migration to the commercial cloud environment. This MSO construct enables a governed implementation of cloud service offerings, including regulation of users, configurations, networks, hosts, and other resources to enforce standardization and monitor fiscal, contractual, security, and compliance procedures while in DON operational use.
All other requirements contained in reference (a) remain in effect as specified if not impacted otherwise by this memorandum. Reference (d) will be updated periodically and is provided under the authority of DoD Instruction 8500.01 (Cybersecurity) and DoD Instruction 8510.01 (Risk Management Framework for DoD Information Technology).
The DON CIO will maintain visibility of all DON commercial cloud BCAs via read-only access to NAVITAS and the Marine Corps IT Procurement Request Approval System (ITPRAS).
The DON CIO point of contact for this matter is Ms. Susan Shuryn, who can be reached at (703) 695-2005 or firstname.lastname@example.org.
Robert W. Foster