Thursday, March 28

Department of Defense Releases Security Guidelines For Cloud Service Providers

This week, the Defense Information Systems Agency released the Department of Defense’s new Cloud Computing Security Requirements Guide, which is meant to help cloud service providers looking to be included in the Department of Defense Cloud Service Catalog. It also defines policies, requirements, and architecture for Department of Defense cloud usage, and provides a basis the department can use to assess cloud providers’ security posture.

A draft of the Cloud Computing Security Requirements Guide (SRG) was released back in December, but acting Department of Defense (DoD) CIO Terry Halvorsen later changed a rule allowing the department to procure commercial cloud services without having to go through the Defense Information Systems Agency (DISA).

“The [Cloud Computing Security Requirements Guide] is designed to ensure that [the Department of Defense] can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk,” said Mark Orndorff, the Defense Information Systems Agency’s Risk Management Executive, in a statement.

DISA oversees much of how the Pentagon spends its IT budget, which is gradually shifting away from custom cloud platforms to commercial ones. One of the main challenges of establishing a cloud framework is creating a secure network that can direct sensitive information exclusively to those who need to know, while also allowing the massive agency to function on a daily basis.

The guidelines provide security requirements that commercial cloud service providers must meet if they’d like to be considered for future DoD cloud service contracts.

There’s already a growing list of public cloud vendors, which includes Amazon Web Services, Microsoft Azure, and Google Platform, that are authorized to offer government agencies cloud services.

However, this version may not be the final one; it could be updated in the near future, as indicated by a memo Orndorff released in January.

“Consistent implementation and operation of these requirements assures mission execution, provides sensitive data protection, increases mission effectiveness, and ultimately results in the outcomes and operational efficiencies the DoD seeks,” the SRG says, in a clear message to cloud service providers in the government market.
