The Defense Information Systems Agency is reexamining its established rules for the security review of commercial cloud systems that it vets for the Defense Department, Federal News Radio reported Thursday.
Jared Serbu reports that DISA is revisiting the guidelines it set in December, which were based on the Federal Risk and Authorization Management Program (FedRAMP) baseline and added further DoD-specific controls on top of it.
Serbu notes that only five commercial cloud vendors have so far been certified, and DISA officials have conceded that the whole process may have been too complicated.
“We think we’ve made the process too hard, and we may have set the criteria too high,” said Mark Orndorff, program executive officer for assurance at DISA.
“Going into some major change like this, I think it’s human nature to be on the conservative side until you get your feet wet, but now we’re asking where we can drive in some additional efficiencies and where we can accept a little bit more risk as we go forward with the cloud security model.”
Orndorff pointed out that the agency also intends to address DoD’s concerns about moving data at impact levels 3 to 5 to the cloud; the department is already largely open to migrating data at impact levels 1 and 2.
“We also have some questions we need to clarify in terms of how we get situational awareness on what’s happening in the commercial cloud so that we don’t create a blind spot,” he noted.
DISA Chief Information Officer David Bennett added that the agency is also planning to leverage the DoD’s Joint Regional Security Stacks to monitor the security of sensitive information in the cloud.
“It’s sort of a multi-pronged attack to leverage technology and capability that’s out there in the commercial sector, and then to combine that with what we already have within DoD to provide you a full suite of options based on what risk you’re willing to assume based on the data that’s hosted within your application,” explained Bennett.