Security Implications in Air Force Guidance on Cloud Migrations

Published: August 26, 2015

USAFCloud ComputingCybersecurityDEFENSEDISAPolicy and Legislation

The U.S. Air Force SAF/CIO A6 Information Dominance office has issued new guidance around the migration of Air Force (AF) software application to cloud environments – whether commercial or DoD-provisioned – which has security and potentially financial implications for cloud service providers (CSP.)

The guidance was recently posted to the Web site for the Secretary of the Air Force (SAC) CIO A6 for Information Dominance. The site hosts a wealth of documents that provide visibility into the strategy, vision, mission, policies, and initiatives underway that impact the AF’s information enterprise.

The Guidance Memorandum for Air Force Instruction 33-115 Cloud Computing Services is composed of six elements (or attachments, as the guidance refers to them):

  1. Roles and Responsibilities – An enumerated outline of the various actions and obligations for mission stakeholders impacted by this guidance, including the SAF/CIO A6, application owners, Air Force Life Cycle Management Center (AFLCMC), and other stakeholders.

  2. Additional Cloud Requirements – A list of requirements to reduce risk, protect specific high-risk data sets, and incorporate the mission needs of other USAF stakeholders that must be met by all USAF applications and systems moving to a commercial cloud.

  3. Migration Process Maps – Application migration process flow diagrams for both commercial cloud and MilCloud or Core Data Center (CDC) application migrations. Each covers process flows and dependencies for approvals, authorizing officials, the Managed Service Office (MSO), the SAF/CIO A6 office, the application owner, and the Program Executive Office (PEO).

  4. Commercial Cloud Issues Matrix – An “issues matrix” that outlines the additional legal, policy and compliance issues that Contracting Officers, Program Managers, and legal counsel must ensure are incorporated into the requirements for all USAF applications that are migrating to the commercial cloud. The guidance allows that these issues may be addressed through FAR or DFAR clauses, the Performance Work Statement (PWS), or a service level agreement (SLA) in the contract.

  5. Cloud Air Force Base Container – A diagram of the “Cloud Air Force Base” which depicts the building of a container in an Infrastructure as a Service (IaaS) environment, creating a USAF platform for network management and application services.

  6. Policy & Guidance Reference – A list of links to additional policy and guidance documents like the DoD Cloud Computing Security Review Guide (SRG), NIST publications, and other USAF documentation mentioned in the new guidance.

Security Implications

Item (attachment) #2 above on Additional Cloud Requirements to reduce risk, protect specific high-risk data sets, and incorporate the mission needs of other USAF stakeholders entails additional security requirements for commercial cloud migrations, especially for AF applications that process sensitive data that falls within the areas of National Security Systems (NSS), mission essential, critical infrastructure (military or civilian), deployment and troop movement, sensitive PII and other sensitive data. If these applications are to be hosted in an off premise environment the guidance requires they must:

  • Use a DISA-approved Cloud Access Point (CAP) and have application Computer Network Defense Service Provider (CNDSP).
  • Be in an environment that is physically separated from non-Federal government entities unless the environment meets the Air Force Office of Special Investigations (AFOSI) requirements for logical separation.
  • Be procured under a direct contractual relationship between the AF and the vendor that has operation configuration and control of the cloud environment. (Applies where the contract is over the simplified acquisition threshold.)

To provide specific security architecture the cloud will be treated as if it were another USAF base. In this “Cloud Air Force Base” model (see #5) all CNDSP roles performed will continue to be performed by the same organizations in the cloud.

Item #4 above, the Commercial Cloud Issues Matrix that outlines the additional legal, policy and compliance issues to be addressed in these contracts has several security elements that impact all externally-provided cloud services, including:

  • FISMA and DoD cybersecurity policy compliance is required by CSPs hosting government data and so these CSPs must comply with FISMA and subsequent DoD cybersecurity policies.
  • Physical access by DoD personnel to a CSP’s data center for FISMA inspections and audits, etc.
  • CSP personnel with access to DoD data, etc. must meet background check, eligibility requirements and other HSPD-12 criteria. Further, CSP personnel must sign a non-disclosure agreement that would legally prevent them from disclosing non-public government information.
  • FedRAMP Continuous Monitoring reports produced by the CSP and provide to FedRAMP PMO and/or the FedRAMP 3PAO.
  • A CSP-provided incident response and reporting plan by which they will handle data breaches and communicate such incidents to US-CERT within the required time frame. Further CSPs are required to conduct a Privacy Impact Assessment (PIA) on all its IT systems to analyze how information in identifiable form is handled and to ensure that its handling conforms to applicable legal, regulatory, and policy requirements for privacy.
  • Routine and regular maintenance are required, including patches on the CSP environment to prevent intrusions.
  • Manage classified information spillage incidents according to procedures in Committee on National Security Systems Instruction (CNSSI) 1001.
  • Due diligence to use genuine hardware and software products that are free of malware.

Most of these security provisions are not unexpected or new, yet they do add overhead to a CSP’s operations that may pose a barrier to entry except for those providers who have the resources available to make the investment to meet them. CSPs looking to bid on AF and other DoD contracts for cloud services should expect these and other requirements to appear in the details of RFPs and SLAs. If they don’t, bidders may do well to ask why not.

The complexity of the application migration process as depicted in the guidance (#3 above) shows how complex a process this is and implies how difficult and time-consuming it may be for some applications to make the jump. This may temper expectations among industry providers as to how soon they may see cloud business come their way, but it also provides visibility into potential points of opportunity to help the AF and others at DoD in preparing their applications for the move to the cloud.