The Defense Information Systems Agency has implemented a provisional authorization process for commercial cloud platforms in an effort to help Defense Department mission owners determine whether to leverage DISA’s assessment or subject a provisionally authorized cloud service to additional tests.
DISA said Monday the Pentagon’s cloud assessment process usually runs for three months and uses the Federal Risk and Authorization Management Program (FedRAMP) to evaluate and authorize cloud services, as well as impact levels to assess a cloud service provider’s platform.
A provisional authorization (PA) for cloud platforms at impact level 2 covers non-mission-critical unclassified data, while a PA at impact levels 4 through 6 covers cloud services designed to manage unclassified controlled data.
“Subsequently obtaining a DoD cloud provisional authorization at impact level 4 requires meeting about 10 percent more controls than the 325 FedRAMP controls,” said Gordon Bass, chief of the assessment and certification branch at DISA.
DISA noted that CSPs could leverage a PA to compete for cloud contracts across DoD, which has issued PAs to 59 commercial cloud services.
Mission owners can use the DoD PA as a basis for deciding whether to issue an authority to operate or interim authority to test to a cloud service, according to DISA.
“This is how mission partners gain economies – by not having to start at the beginning every time they assess a cloud service offering,” Bass added.