DoD CIO Clearing Red Tape

For most of our Department of Defense (DoD) clients, the challenge in obtaining an authority to operate (ATO) boils down to money. Pure and simple, cyber security costs are expanding every day, well beyond what most program managers (PMs) have accounted for in budget forecasts. Vulnerabilities can hit in many ways — with the most expensive being an end of life (EOL) flaw due to subpar hardware and/or operating systems. This is where the Federal Risk and Authorization Management Program (FedRAMP) and cloud service providers (CSPs) come in.

The FedRAMP process gives DoD information system owners an opportunity to obtain services from CSPs. And now, thanks to the DoD Office of the Chief Information Officer, that opportunity may come even faster, with enhanced cyber security guidance. A memorandum released by the DoD CIO in December 2014 aims to solve challenges with FedRAMP via a serious overhaul.

  1. It cancels previous guidance naming the Defense Information Systems Agency (DISA) as the enterprise cloud service broker and grants DoD CIOs authority to directly acquire cloud services via the business case analysis (BCA).
  2. Instead, DISA will approve a DoD Provisional Authorization (PA) for DoD unclassified data or missions called “Sensitive Data.” These PAs are based on a CSP using the DoD Cloud Computing Security Requirements Guide (SRG) V1, R1.
  3. Exception requests to requirements go through the DoD Information Networks (DODIN) Waiver Process for Sensitive Data systems.

The DoD components will use the Enterprise IT BCA (.mil users can find it here, under “Hot Items”) and submit it to their chief information officer’s office to evaluate the readiness of DoD information systems for use of CSP services.

The BCA updates aid in an apples-to-apples cost comparison for IT assets and now require:

  1. Performance measures (baseline, target and goal)
  2. Operational impact
  3. Financial costs and savings projections (based on the approved methodology economic viability tool)

The table below summarizes changes to roles and responsibilities of each stakeholder involved with FedRAMP and DoD cloud services.

Who should care about the change?

Component Chief Information Officers in the Army, Air Force, Navy and Marines
  • Update to BCA requirements.
  • New matchmaker responsibility for CSPs and DoD Sensitive Data information systems.
Defense Information Systems Agency (DISA)
  • New responsibility to grant DoD provisional authorization to the Cloud Access Point (CAP).
Department of Defense CIOs
  • New responsibility to approve the BCA.
  • Increased knowledge of the DoD IT portfolio and cyber security status.
DoD Component Program Management Office for Sensitive Data Systems
  • Must register in DITPR and report FISMA status with the appropriate component CIO entry.
  • Retain primary responsibility for end-to-end cyber security defense, regardless of location.
  • Update CONOPS and business strategies to reflect the cloud environment.
  • Must address the contractual risks and issues associated with cloud services identified in the DoD Cloud Computing Issues Matrix.
  • Report via the Select and Native Programming Data Input System - Information Technology (SNaP-IT) as directed by the DoD CIO in the annual IT budget for each cloud computing service.
  • Develop defense procurement and acquisition policy contract language to address the issues, guidance and requirements in DFARS Case 2013-D024, Contracting for Cloud Services.
Cloud Service Providers
  • Use the SRG to receive a DoD PA.
  • Required to connect via the CAP for DoD Sensitive Data systems.
  • Participation in CONOPS/business strategy updates for customers.
Joint Authorization Board (JAB)
  • FedRAMP continues as the minimum security baseline for DoD publicly releasable information systems.
Third-Party Assessment Organizations (3PAOs)
  • Requirement to verify cloud SRG requirements during audits.

More than $40 billion in potential savings.

There are numerous benefits of the change, but these three are standouts:

  1. Keeping authority and responsibility for cyber security ownership closer to the information owner (component CIO).
  2. A measured, risk-minded approach to bringing DoD information securely and efficiently to the cloud.
  3. Saving money in the short, medium and long term.

The memorandum is built on lessons learned by the FedRAMP community in the past two years and within the DoD Information Assurance arena over the course of several decades. The DoD component CIOs have better insight into their information system mission needs. Handing them the responsibility of selecting CSPs makes sense from a cyber security defense standpoint. DISA maintains its role as a leader within the community for security requirements and the basic starting point for all cyber security discussions. The move creates potential for agility within DoD IT – a nimbleness that’s needed to keep pace with the rapidly changing cyber security landscape.

As they used to say in the Air Force, “Work smarter, not harder.” The DoD purchasing cloud services provides access to the IT industry’s best available resources. It will allow PMOs to consider drastic architecture changes utilizing the plethora of IaaS, PaaS or SaaS frameworks designed by the people who understand them best. The long-term savings could be beyond what any budget forecaster has imagined. The DoD should be commended for pursuing a strategy for long-term national security through the opportunity for fiscal responsibility.

About Ryan Johnson

Ryan proudly served in the Air Force (3C2X1), then moved on to the zany rice bowl battles of the DoD contracting world for over a decade. His idealist belief that government can be efficient is said with a level of truthiness only matched by Stephen Colbert’s 2006 Roast of George W. Bush. As a Lunarline Cyber Security Engineer he tends to solve problems by applying his limitless powers of having an empty head. He’s been called a force multiplier by colleagues, likely due to his unmatched skill at bringing coffee and donuts to meetings. His love of technology goes from 0 to 1, with cyber security being the bible to exploration. He can be reached at ryan.johnson@lunarline.com