Bill Pushes Cloud Computing for DoD

Would Require Spelling Out Security Standards
Two members of Congress have introduced legislation that's designed to help pave the way for the Department of Defense to make greater use of cloud computing providers to save money - as long as specific security requirements are met.
Rep. Niki Tsongas, D-Mass., and Rep. Derek Kilmer, D-Wash., introduced the Department of Defense Cloud Security Act, which would require the U.S. comptroller general and the CIO of DoD to assess the cloud security requirements of the Defense Department.
The bill would require a full evaluation of the overall security and potential capabilities of the current DoD cloud system; a determination of best practices related to cloud security by both public and private entities to establish security requirements for the DoD; and an examination of the potential for commercial cloud providers to host DoD information systems, the sponsors say.
Michael Hartigan, a spokesperson for Rep. Tsongas, says the legislation would push the DoD to take advantage of secure cloud capabilities being developed by commercial vendors and "learn best practices from other federal government agencies, including the intelligence community, that have already begun to do the same."
He notes the intelligence community is already taking advantage of cloud services to store and share unclassified documents.
"Storing benign information on internal DoD servers is an increasingly large expense, particularly given the widespread availability of secure, fast, reliable and affordable storage services utilized in the private sector," Hartigan says. "Advancements in cloud data storage by commercial sector vendors have enabled other federal government agencies to store data at a fraction of the cost of physical data centers."
In announcing the bill, Rep. Tsongas said: "The DoD must more effectively take advantage of technological advancements, such as cloud technology, but do so in a safe, efficient way. This legislation will allow DoD to take full advantage of the cloud services and best practices from both the government and commercial sector, which will, in turn, decrease costs, increase accessibility and allow for a more secure system overall."
DoD needs to make changes in its technology procurement process to take full advantage of cloud computing, says Allan Friedman, a research scientist at the Cyber Security Policy Research Institute in the School of Engineering and Applied Sciences at George Washington University, where he works on cybersecurity policy issues.
"The [process] makes it difficult to demand features that aren't well-tested and well-understood by the contracting community," he says. "This is not a unique problem to cloud security. This is a problem that relates to every aspect of DoD and federal IT purchasing/acquisition."
Friedman says the bill addresses a very real issue. "Both for public cloud architectures and for private, we do need easy, quick ways of thinking about it from a security perspective as a purchaser," he says. "Purchasing for the Defense Department is notoriously difficult."
DoD's Risk Mitigation Efforts
On March 12, DoD CIO Teresa Takai issued an instruction for the department to transition from the DoD Information Assurance Certification and Accreditation Process, commonly known by the acronym DIACAP, to NIST's risk management framework as outlined in Special Publication 800-37 (see: DoD Switching to New Risk Framework).
Eugene Spafford, a Purdue University computer science professor who's a nationally known information security expert, says DoD's adoption of the NIST risk management framework should standardize risk management practices across the government, resulting in more efficient purchasing and configuration of IT wares.
The adoption of the framework helps facilitate implementation of the Federal Risk and Authorization Management Program, known as FedRAMP, which allows agencies to reuse the security vetting that other government agencies have already performed on providers' cloud computing services. As part of the instruction issued by Takai, the move to the risk management framework promotes cybersecurity reciprocity, which the instruction calls an essential element in developing the department's information enterprise. "Applied appropriately, reciprocity reduces redundant testing, assessing and documentation and the associated costs in time and resources," the addendum to the instruction states.