Erle Marion is the commercial hosting lead for Data Center Application & Optimization in the office of the Program Executive Office for Enterprise Information Systems, and Susan Shuryn is the cloud computing lead in the office of the Department of the Navy Chief Information Officer.
The Defense Department focused in earnest on how to best leverage cloud computing as a result of the issuance of the Federal Cloud Computing Strategy, published in February 2011 by Vivek Kundra, the Chief Information Officer of the United States from March 2009 to August 2011.
The Defense Information Systems Agency (DISA) produced various draft regulations over the following three years. Then, in January 2015, DISA released a Cloud Computing Security Requirements Guide (SRG), intended to be a living reference for both cloud consumers and cloud service providers (CSPs). DISA also began approving commercial cloud service offerings that met the Federal Risk and Authorization Management Program (FedRAMP) moderate baseline for cloud computing, stating that they were authorized for cloud services containing publicly releasable DoD data.
These two efforts paved the way for Defense Department agencies to acquire commercial cloud services more quickly and easily while still ensuring cybersecurity provisioning is included in the process. DISA now publishes an Authorized DoD Cloud Services Catalog on its website with a current listing of all providers authorized to date.
The latest SRG sets the security requirements for information up to and including Secret, and sets standards for which systems or information can be hosted in a commercial cloud computing environment and which data should be hosted in a physically separated environment. It also revises the security impact levels of DoD data (see Figure 1).
CHIPS asked Ms. Shuryn and Mr. Marion to discuss Navy cloud computing and data center consolidation in April.
Q: Can you provide the background on why the Data Center and Application Optimization (DCAO) office was established and its mission?
Mr. Marion: If you go back to the January-March 2013 CHIPS interview with the former SPAWAR Director for the DCAO, John Pope, you can read the reasons the Navy stood up the DCAO; fundamentally, the reasons have not changed.
Generally, the Navy is continuing with the DCAO’s original purpose, which was to consolidate data centers because it is cost-effective and more secure. It made sense to team data center consolidation with cloud because the Navy is following the government-wide mandate to reduce data centers and move to cloud services [Office of Management and Budget (OMB) Federal Data Center Consolidation Initiative (FDCCI)]. In fact, we have been looking at our data center consolidation list to see which applications that we’ve already targeted for consolidation might belong in the cloud environment.
We expect there will be energy savings and data optimization by moving to more efficient, modern delivery systems. Initial cloud service offerings were only available in Navy-hosted data centers; options have now grown to include commercial off-premise offerings.
Ms. Shuryn: The Navy’s piloting efforts for migration into a cloud environment began with data that was publicly available (i.e., on public-facing websites), which has the least risk. Now the Navy is piloting more sensitive data that will traverse securely through a cloud access point (CAP) between DoD networks and commercial providers.
Q: I have read that the DCAO is running the Navy’s “Cloud Store.” Does this mean that Navy commands can come to the DCAO for assistance in setting up their applications in Amazon Web Services, the Navy’s current cloud provider?
Mr. Marion: Yes, we (DCAO) are the front door. What we are calling “version 1.0” of the Cloud Store includes one provider, Amazon Web Services (AWS), using an existing contract the Navy’s Space and Naval Warfare Systems Command already holds with AWS. If commands (our customers) would like to use AWS, they are supposed to come to us. The intent of the “store” concept is to simplify the process for contracting and security approval, which was decentralized and somewhat confusing to application owners.
When a customer comes to the Cloud Store, we use an industry-based process to evaluate the request and determine the appropriate hosting solution. Our approach is cloud first. If a customer wants to use cloud services, we facilitate that, but the final hosting environment decision is made with consideration of the entire Navy Data Center Portfolio.
If the application is unable to be moved into the cloud, it could be for several reasons. First, the data may be too sensitive to go into a commercial space. This is based on the DoD-defined Data Impact Levels [2, 4, 5 and 6; see Figure 1], which provide guidance for sensitivity and risk associated with DoD data.
Second, it could be for technical reasons; for example, if the application moves a lot of data back and forth between the DoD networks and a commercial host in the transport architecture. In commercial offerings, you pay for what you use, so in certain cases, moving to a cloud environment could be cost-prohibitive.
Ms. Shuryn: Version 1.0 of the store offers an Infrastructure-as-a-Service (IaaS) cloud offering with AWS. IaaS is one of three cloud service models, featuring greater application element management by the customer (versus by the cloud service provider). Platform as a Service (PaaS) and Software as a Service (SaaS) are two additional models; each increasingly builds on IaaS regarding the level of service management by the cloud service provider (SaaS having the highest). As the process matures, the Navy will be able to leverage more offerings and service models.
Q: Are there any prerequisites for an application or service to be transitioned to AWS?
Mr. Marion: There are a few. A system or application has to be x86-based and fit Impact Levels 2 and 4 (see Figure 1), which is all that our current AWS contract is authorized to host. If a system is an Impact Level 5 and/or a National Security System or application, we are unable to accommodate that in the cloud offering today.
Ms. Shuryn: Also, commands still need an ATO, an Authority to Operate, just as they do in current operational environments.
Q: The Navy has already used its AWS contract to move 800 to 900 public-facing websites to the cloud and has instituted policies requiring that other systems that host public data must transition to cloud services. Why has this policy been mandated?
Mr. Marion: The number is now 1,067 public-facing sites currently hosted by the Navy Public Portal, which resides in AWS. DCAO is the program manager for the Public Portal. These sites were previously hosted on Navy Forces Online by DISA. A couple of things led to the move from DISA to commercial. First, there was a desire by the Navy to move into a commercial space with as little risk as possible. Technically, it was the end of life for SharePoint 2007, and the Navy wanted to get to 2010 or better, so the Navy decided to build in the cloud.
Ms. Shuryn: Cost was certainly a factor. The Navy decided to grab that low-hanging fruit with the least risk (publicly releasable data) and to standardize within the Portal. DISA was also terminating some of the services it had provided, so it was the best value solution for the Navy.
Q: Has the transition been successful? Are there cost-savings in this approach?
Ms. Shuryn: Yes, site sponsors and end users seemed to be happy with the SECNAV portal, which was moved into AWS first, so we kept going from there.
Mr. Marion: I would say the transition was successful, with over 1,000 sites moved. There has been a spectrum of responses, but overall site performance and availability have increased.
For example, BUPERS and the Navy Personnel Command transitioned into the Portal in May 2015; since then the downtime has been just three hours and 40 minutes, which is more than 99 percent availability.
There are cost-savings, but we are still evaluating the data. In terms of infrastructure cost, one example is that an Echelon 2 command was paying tens of thousands of dollars per year to host multiple sites. The same level of service now costs a couple hundred dollars a month.
Q: I understand that the Navy’s strategy for version 2.0 of the Cloud Store is for a multiple-vendor framework to offer additional cloud products. When will version 2.0 be “open” for business?
Mr. Marion: A Request for Proposal (RFP) was recently released and we expect to award by July of this year. The intent is to have multiple commercial cloud providers on contract and pre-approved to handle applications. We have to accredit the vendors’ service offerings with the NAO (Navy Authorizing Official) before we can add these services to our catalog. We are planning on being ready to offer the new services/offerings in the January 2017 timeframe.
Q: Where does the Navy stand now on its CAP architecture and migrating Level 2, 4 and 5 data applications to the cloud?
Mr. Marion: We have four Level 2 applications operating in the cloud right now. They are hosted in the AWS Level 2 environment, which does not require CAP connectivity.
CAP connectivity is required for Level 4 and above data. The Navy is working very hard to get several Level 4 applications operating in the cloud. It is also important to remember that while the current CAP architecture is authorized up to Level 5 data, the current AWS service offering is only authorized to Level 4. We consider our existing CAP architecture an interim solution, with limited use to enable Navy’s ability to connect to DoD authorized cloud service providers as they become available. Planning and implementation of a Navy Enterprise CAP architecture is being led by PEO EIS PMW 205.
Ms. Shuryn: We have more work to do with the CAPs to continue improving the management of sensitive data going to and from a commercial space, and we are staying aligned with DoD guidance, including soon to be published CAP requirements. We are also working on identifying Level 5 requirements that are not covered under Level 4.
Mr. Marion: While there is some Navy demand for Level 5 cloud application hosting, it is much smaller than for Level 4.
Q: Is the Navy satisfied with the operation and cybersecurity in a cloud environment?
Ms. Shuryn: Vendors have to work in alignment with DoD regulations and guidelines, and must conform to the FedRAMP authorization as a minimum. For Level 4 and above, they must meet all FedRAMP requirements and additional DoD-specific requirements to receive authorization; this includes all the transport architecture that goes with it. As indicated earlier, the CAP will provide protection for the DoD network and the transfer of DoD data.
Q: The first CAP is on the East Coast, but the Navy expects to have interfaces that can serve fleet concentration areas in the western U.S. within the next several months. Is your office responsible for identifying and setting up the CAPs where they are needed?
Mr. Marion: PEO EIS is responsible for establishing the CAPs. CAPs include the facility and equipment where DoD connectivity meets the CSP, as well as Navy transport and computer network defense resources. We call the facility where CSPs and DoD meet the “cloud peering point.” We have one operational peering point on the East Coast. We are working to stand up a second peering point by late 2016 that can serve fleet concentration areas in the western U.S.
In our current CAP architecture, peering points connect to the Navy Enterprise Data Center in Charleston, South Carolina, and then to the DoDIN (DoD Information Network). The CAPs are functional connectors.
Q: DISA just released a request for information for the next iteration of its MilCloud for what it is calling On-Site Managed Services (OMS). Can you discuss the benefits the Navy has in choosing its own acquisition strategy and running its own services rather than going through DISA and using MilCloud?
Ms. Shuryn: In accordance with the DoD memo of December 2014, those seeking to migrate to the cloud are required to develop a BCA (Business Case Analysis) in which MilCloud is one of several options assessed. In some cases, MilCloud may be the better option due to technical requirements. We look at cost savings on a case-by-case basis.
Mr. Marion: I concur. We focus on our customer’s requirements, and through our process we seek to put our customers in the right place based on both cost and performance.
Q: How does the Navy’s cloud strategy affect the Navy Marine Corps Intranet (NMCI) and Next Generation Enterprise Network (NGEN) contract?
Mr. Marion: PMW 205 is considering a cloud strategy for the NGEN follow-on contract. PEO EIS is in the early steps. Cloud is a path to less expensive ways to deliver services. It is not just for hosting applications or data, but can be used for other things like delivering specific productivity services. When you add in data center consolidation, it can deliver a better business solution. We are looking at what cloud computing can allow us to do to enable service delivery across enterprise IT.
Ms. Shuryn: There are five essential characteristics of cloud computing [on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service] that we will assess the need for and work through our existing processes.
Q: Can you discuss the Navy’s long-term vision for cloud services and data center consolidation?
Mr. Marion: We plan to reduce to a minimum the number of data centers, which are a combination of Navy on-premise, government owned/commercially operated (GO/CO) and commercially owned/commercially operated (CO/CO) sites. We expect the breakdown will be 25 percent government data center hosted and 75 percent commercial cloud hosted.