FORT GEORGE G. MEADE, Md -- The Defense Information Systems Agency granted a Department of Defense Provisional Authorization (PA) March 26 to 23 cloud service offerings to host DoD mission data up to Impact Level 2 in a cloud environment.
A DoD PA serves as the foundation for the authorization process when using a Cloud Service Offering. Mission Owning Authorization Officials can leverage the PA, coupling this information with their assessment of the additional controls needed for their specific mission system/application, in determining overall mission risk before issuing an authority to operate (ATO).
DoD defines impact levels based on the sensitivity and risk associated with the data, which was used to establish the minimum protection and controls required. There are four impact levels: 2, 4, 5 and 6, with mandated protections increasing with each successive level. Impact Level 6 is for data classified as Secret.
Impact Level 2 is for Non-Controlled Unclassified Information which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data, but the information requires some minimal level of access control.
These cloud service providers demonstrated compliance with the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and each was previously granted either a FedRAMP Joint Authorization Board (JAB) Provisional Authorization (PA) or a FedRAMP Agency authority to operate (ATO).
"The granting of these provisional authorizations is an important step in our strategy to drive cost down by moving more of our mission data to the cloud," said Terry Halvorsen, DOD Chief Information Officer.
Go to http://www.disa.mil/News/PressResources/2015/Commercial-Cloud-Service for the list of cloud service offerings that were granted DoD Pas.
More information on each offering can be found at: https://www.fedramp.gov/marketplace/compliant-systems
A DoD PA is an initial approval of the cloud service provider’s cloud service offering package by DISA that a DoD customer or Mission Owner can leverage to grant an Authority to Operate for the acquisition and use of the cloud service offering at the defined impact level. A DoD PA does not constitute endorsement by DISA or DoD of the suitability of the cloud service offering for any particular requirement, nor does it replace or eliminate the requirement for the Mission Owner to issue an ATO for their implementation of the cloud service offering.