A Department of Defense Chief Information Officer memo published Dec. 15, 2014, significantly changed DoD CIO guidance on the acquisition and use of commercial cloud computing services. Per the memo, components may now acquire cloud services directly, without going through the Defense Information Systems Agency (DISA), if a business case analysis demonstrates that doing so results in better value. Components remain responsible for determining what data and missions are appropriate for hosting in commercial cloud services.
The memo, "Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services," also details how the Federal Risk and Authorization Management Program (FedRAMP) will serve as the minimum security baseline for all DoD cloud services. Per current policy, components may host unclassified DoD information that has been publicly released on FedRAMP-approved cloud services. Sensitive data may only be hosted by cloud service providers that have appropriate provisional authority issued by DISA, and those providers must be connected to a commercial cloud environment through a DoD-approved Cloud Access Point (CAP).
The DON is currently beginning commercial cloud pilots, which will assist in resolving important issues prior to implementation, such as determining what systems and data are appropriate for hosting in commercial cloud spaces and devising standard processes and rule sets for system owners and cloud service providers to follow. However, stakeholders are committed to finding resolutions as soon as possible. The DON CIO will provide further guidance on cloud services usage as lessons learned from pilots are incorporated into solutions and overall process details are worked out.
Updates enacted by this memo will be more thoroughly covered during a cloud computing session at the DON IT Conference, scheduled for Feb. 10-12 in San Diego, California.