Commercial cloud companies may be able to provide their services to the Department of Defense at higher security levels within the next year, according to a major DoD cloud vendor.
DoD ranks its impact levels for cloud security from 1 through 6 with 1 as the least sensitive. Under current regulations, commercial providers can only assist missions at levels 1 and 2. More sensitive data must reside in the department’s privately owned cloud, milCloud.
“We are inches away from connecting the first level 3+ platform,” Mark Fox, DoD sales executive for Amazon Web Services, said at the AWS Government Symposium in Washington on June 25.
Fox also suggested that AWS may even be safer than milCloud. Like other commercial providers, AWS has been subject to extensive security controls through the General Services Administration’s federal cloud approval program, FedRAMP.
“I’m not sure milCloud has been through that. I don’t know if I’ll win that argument,” he said.
Impact levels 3 and 4 will soon be treated like 1 and 2 with respect to introducing commercial providers, Fox said. He expects to see various pilots kicking off throughout the rest of the fiscal year. With regard to level 5, those missions will likely remain in milCloud for at least another six months to a year following level 3 and 4 commercial integration.
“DoD is going to tread very carefully,” he said. “We CSPs (cloud service providers) have to earn the right.”
Paraphrasing DoD Chief Information Officer Terry Halvorsen, Fox said: “It’s not a question of are we or aren’t we. It’s a question of how we’re going to do it.”
Amazon [AMZN] is the largest cloud provider in the world with customers across the private and public sectors. The company has worked extensively with the Navy, which saw cost decreases every quarter during its partial transition to the cloud, according to Halvorsen, who previously served as Navy CIO.
The Navy has been out front on bringing cloud to the military. Fox said the service’s standards for issues such as classified data spillage could become a foundation for the rest of the department, if others are willing to forego their own standards.
“That model that started in the Navy is becoming the DoD model,” he said.
For a component within DoD looking to adopt the cloud, the mission owner must first go to the Defense Information Systems Agency’s (DISA) website and fill out a request. DISA then provides feedback on the security level and what providers are available. This process typically takes several weeks.
“It is the end mission owner’s decision to classify its level–DISA is just giving some input,” Fox said.
As the designated cloud broker for DoD, DISA will eventually also assist in contracts, onboarding of the cloud platform and mission operations. Its role in later steps of the process is still being developed for levels 1 and 2, with 3 and 4 to follow.