For most of our Department of Defense (DoD) clients, the challenge in obtaining an authority to operate (ATO) boils down to money. Pure and simple, cyber security costs are expanding every day, well beyond what most program managers (PMs) have accounted for in budget forecasts. Vulnerabilities can hit in many ways, with the most expensive being an end of life (EOL) flaw due to subpar hardware and/or operating systems. This is where the Federal Risk and Authorization Management Program (FedRAMP) and cloud service providers (CSPs) come in.
The FedRAMP process gives DoD information system owners an opportunity to obtain services from CSPs, and now, thanks to the DoD Office of the Chief Information Officer, potentially even faster, with enhanced cyber security guidance. A memorandum released by the DoD CIO in December 2014 aims to solve challenges with FedRAMP via a serious overhaul:
- It cancels previous guidance naming the Defense Information Systems Agency (DISA) as the enterprise cloud service broker and grants DoD component CIOs authority to directly acquire cloud services via a business case analysis (BCA).
- Instead, DISA will approve a DoD Provisional Authorization (PA) for DoD unclassified data or missions, called “Sensitive Data.” These PAs are based on a CSP meeting the DoD Cloud Computing Security Requirements Guide (SRG) V1, R1.
- Exception requests to the requirements for Sensitive Data systems go through the DoD Information Networks (DODIN) Waiver Process.
The DoD components will use the Enterprise IT BCA (.mil users can find it here, under “Hot Items”) and submit it to their chief information officer’s office to evaluate the readiness of DoD information systems for use of CSP services.
The BCA updates aid in an apples-to-apples cost comparison for IT assets and now require:
- Performance measures (baseline, target and goal)
- Operational impact
- Financial cost and savings projections (based on the approved methodology economic viability tool)
The table below summarizes changes to roles and responsibilities of each stakeholder involved with FedRAMP and DoD cloud services.
| Who should care about the change? |
|---|
| Component Chief Information Officers in the Army, Air Force, Navy and Marines |
| Defense Information Systems Agency (DISA) |
| Department of Defense CIOs |
| DoD Component Program Management Offices for Sensitive Data Systems |
| Cloud Service Providers |
| Joint Authorization Board (JAB) |
| Third-Party Assessment Organizations (3PAOs) |
There are numerous benefits of the change, but these three are standouts:
- Keeping authority and responsibility for cyber security ownership closer to the information owner (the component CIO).
- Taking a measured, risk-minded approach to bringing DoD information securely and efficiently to the cloud.
- Saving money in the short, medium and long term.
The memorandum is built on lessons learned by the FedRAMP community in the past two years and within the DoD Information Assurance arena over the course of several decades. The DoD component CIOs have better insight into their information systems’ mission needs, so handing them the responsibility of selecting CSPs makes sense from a cyber security defense standpoint. DISA maintains its role as a leader within the community for security requirements and as the basic starting point for all cyber security discussions. The move creates potential for agility within DoD IT, a nimbleness that’s needed to keep pace with the rapidly changing cyber security landscape.
As they used to say in the Air Force, “Work smarter, not harder.” The DoD purchasing cloud services provides access to the IT industry’s best available resources. It will allow PMOs to consider drastic architecture changes using the plethora of IaaS, PaaS or SaaS frameworks designed by the people who understand them best. The long-term savings could be beyond what any budget forecaster has imagined. The DoD should be commended for pursuing a strategy for long-term national security through the opportunity for fiscal responsibility.