The Defense Department is in talks with the heads of cloud service providers on how to streamline the cloud security requirements in a rulebook that the Defense Information Systems Agency issued in 2015, Federal News Radio reported Thursday.
DoD’s Cloud Security Requirements Guide offers information on the security controls that cloud vendors should adopt in order to process or host defense data at several security levels.
“We have not made a decision that we will redo the SRG, but I think we are taking into consideration feedback from our industry partners on where we need to adjust,” said Essye Miller, deputy chief information officer for cybersecurity at DoD.
Miller told reporters the DoD CIO’s office conducted two separate meetings with cloud service vendors in the last two months in order to determine how to make security requirements less prescriptive and specific.
“The discussion was really, truly to the point: What are those things that industry can provide for us and where do we need to adjust, not only in terms of requirements, but to shift our language from specifically what we’re looking for in terms of solutions to expected outcomes,” she added.
DoD’s move to simplify cloud security rules came a month after Deputy Defense Secretary Patrick Shanahan issued a memo that details the agency’s plan to form a new steering group that will work to develop and oversee the implementation of a strategy to advance the adoption of commercial cloud platforms and services.