Navy Looks to Commercial Cloud Services

The latest memorandum updates previous guidance for acquiring commercial cloud services in the Department of the Navy. It also cancels previous guidance issued in June 2013 and all direction concerning cloud pilots and services issued in July 2013.  

Navy Requirements for Commercial Cloud Services

According to the new guidance, commercial cloud services under consideration must meet the following requirements and processes:

• Cloud Service Providers (CSPs) are evaluated using either the DoD’s Enterprise IT Business Case Analysis (BCA) template or the Navy’s Enterprise IT Abbreviated Business Case Analysis template, which accompanied the memo. DISA-provided cloud services must be included as one of the alternatives considered alongside commercial providers.
• CSPs must receive Federal Risk Authorization and Management Program (FedRAMP) authorization as the minimum security baseline.
• FedRAMP compliant CSPs may host applications or systems that contain Non-Controlled Unclassified Information (Impact Level 2) that is publicly releasable. The Navy deems these information systems and applications as prime candidates for commercial cloud services due to the low attendant risk.
• CSPs hosting Controlled Unclassified Information (CUI) (Impact Level 4) requires a DISA-issued Provisional Authorization (PA) in addition to FedRAMP authorization, provided the CSP meets the requirements. The PA will describe the types of information and systems that may be hosted but the Navy or Marine Corps must accept the risk for the system or application being hosted in a commercial cloud environment.
• Commercial cloud services hosting CUI must be connected to customers through a cloud access point (CAP) provided by either DISA or another DoD Component and approved by the DoD CIO.
• While updated DFARS contract language to address the issues, guidance and requirements for the Contracting for Cloud Services is under development, Navy mission owners with approved BCAs are to use the existing interim language provided in the Defense Procurement and Acquisition Policy (DPAP). (See the guidance for the specific subpart reference.)  
• Navy entities that use commercial cloud services are responsible for the cyberspace defense of all hosted information and systems and for ensuring that end-to-end DoD security requirements are met. To that end, collaboration and information sharing among the Navy, DISA and the CSP is required.

The new guidance includes the following enclosures:

• Cloud Services Supplemental Guidance – Includes the requirement that CSPs be identified and included in the Navy’s FISMA reporting and that the Navy will use the DISA Connection Approval Office for connections to CSP environments that have security Impact Levels 4-6.
• Revised Information Impact Levels (table) – Defines the potential impact of an event resulting in the loss of confidentiality, integrity, or availability of data, systems, or networks.
• DON Enterprise IT Abbreviated BCA – A 10-page template for the BCA mentioned above that assesses the various elements that justify the use of the commercial cloud services to address the Navy’s needs.

The Cloud Services Supplemental Guidance included with the memo mentions a forthcoming Navy managed service model “to facilitate assessment, employment, and sustainment of authorized commercial cloud offerings by system and application owners” to be issued later, but it does not give a time frame.