The Defense Department is able to check and ensure the security of any commercial cloud technology prior to purchase and deployment by DoD organizations through the Federal Risk and Authorization Management Program, Christina McGhee writes in an FCW piece published Wednesday.
According to McGhee, FedRAMP offers a standardized method for agencies to approve and monitor cloud computing products from third-party providers.
DoD personnel previously monitored an information system’s risk posture throughout its life cycle by applying the information assurance certification and accreditation system, she writes.
Former Pentagon chief information officer Teri Takai appointed the Defense Information Systems Agency to serve as the Pentagon’s enterprise cloud broker in June 2012 and ordered that agency to only allow FedRAMP-certified services.
McGhee says DISA now uses a cloud security assessment model that is aligned with the FedRAMP initiative, and providers who do not undergo DISA’s evaluation must apply for a waiver with the DoD CIO.
DISA requires cloud technology and service providers seeking provisional authorization to document and implement additional controls for defense systems, according to McGhee.