Security Concerns Hold Up DISA’s Commercial Cloud Procurement

Published: January 29, 2014

Cloud ComputingCybersecurityDEFENSEDISAJoint Information Environment (JIE)

AFCEA DC recently held a luncheon with several officials from the Defense Information Systems Agency (DISA). The big topic of discussion was the status of DISA’s commercial cloud computing procurement. Details discussed by the panel have potentially serious implications for the type of acquisition that DISA carries out and for the requirements that it puts in the solicitation.

On a recent snowy Tuesday while many of us were stuck in the house due to the weather and even the federal government was closed, AFCEA DC held its January Monthly Luncheon with several officials from the Defense Information Systems Agency (DISA).  The big topic at the luncheon was the status of DISA’s commercial cloud computing procurement.  Toward the end of the last fiscal year DISA delayed the release of the cloud solicitation to reassess the demand for cloud services within the Department of Defense.  Public details on what was being reassessed were not available until this AFCEA luncheon and as the panel made clear the list of subjects under consideration is extensive.

Dave Mihelcic, the agency’s Chief Technology Officer, informed industry that properly addressing security requirements is a big hurdle for DISA.  Basically, the agency doubts a one-size-fits-all approach to the cloud acquisition will work.  DISA will instead tailor the prospective contracts to suit all six levels of security requirements outlined in its recently announced cloud security model.  Tony Montemarano, DISA’s Director of Strategic Planning and Information, added that the small number of available Federal Risk and Authorization Management Program (FedRAMP) compliant commercial solutions was further complicating the acquisition.  The problem is too few companies currently meet DISA’s security needs, creating a choke point that hampers the agency’s ability to procure the solutions it requires.

Then there is the requirement imposed by U.S. Cyber Command that the agency be able to understand exactly what's happening if/when there's an anomaly in the cloud provider’s network and determine a fix as quickly as possible.  As Montemarano noted, there is concern about the impact on day-to-day network operations of taking data and computing capacity that's currently housed within the military and placing it in outside servers that the department's cyber workforce might not have complete visibility into.

The speakers added several other concerns, including the need to develop criteria for identifying applications that are commercial cloud eligible and reforming cumbersome policy barriers that severely slow the pace of migrating applications to the cloud.  These concerns, while serious, took a back seat to the far more complicated security requirements.

Major Takeaways

The panelists’ comments contained several potentially important implications for the DoD’s use of commercial cloud solutions.

  • First, security requirements for handling data at 6 different levels of classification, and for using different service delivery types (SaaS, PaaS, and IaaS), are seriously complicating the acquisition.  The contract(s) put into place must provide DoD customers with flexible solutions that accommodate varying levels of need.  To me this says that the commercial cloud program will either be carved into multiple procurements competed separately based on data classification levels or be implemented as a single acquisition with multiple vendors selected to provide services in different functional areas (for lack of a better term) by data classification level.  Both options scream multiple award IDIQ contract.
  • Second, DISA is seriously considering following the approach the CIA took when it hired a single cloud provider to provide an infrastructure walled off from the Internet.  This strikes me as the option the agency will eventually choose.  I think this because it is the simplest way forward and because the DoD has shown a growing tendency in recent years to leverage the experience of the Intelligence Community when it comes to implementing new technologies.  The similarity of the Joint Information Environment (JIE) and the ICITE initiatives comes to mind here.
  • Third, as expected, FedRAMP compliance will be absolutely required for vendors to win contracts.  The recently announced June deadline for FedRAMP compliance makes more sense now, doesn’t it?
  • Fourth, the command and control requirement created by U.S. Cyber Command hints that DISA will require continuous monitoring of cloud provided services.  This means that all cloud systems will need to be interoperable with the JIE and accessible by the Acropolis analytics cloud that the agency just stood up.
  • Fifth, the panel stated that applications selected for commercial clouds will be migrated during technical refresh cycles.  For what it’s worth, this is exactly the process being used to refresh hardware for the JIE.

As we can see, these implications could have serious repercussions for the type of acquisition that DISA carries out and for the requirements that it puts in the solicitation.  Not the least of these implications is cost.  The FedRAMP requirement alone ensures that being a cloud provider for the federal government just got more expensive, suggesting vendors need to weigh their path forward carefully in this increasingly difficult fiscal environment.