DISA took its time with its latest cloud security guide
The Defense Information Systems Agency has issued a long-awaited update to its cloud security guide, further refining the process by which DISA plans to assess cloud service providers beyond the guidelines laid out in the Federal Risk and Authorization Management Program, or FedRAMP.
DISA has taken more than a year to provide refinements to the guide, which was initially released in January 2015. Among the changes are further revisions that differentiate the six impact levels to help evaluate how sensitive a given set of data is.
Additionally, the new version of the guide clarifies how cloud service providers are assessed beyond FedRAMP, including enhancements to FedRAMP Plus, while also making tweaks to privacy protocols.
“The new version fittingly represents the evolution we are going through to refine our processes and better position the department to enable secure options to migrate systems and data to the cloud,” said DISA CIO John Hickey.
The guide was also released with a published revision history, showing how the document has evolved over the past year. An Excel spreadsheet, referred to as a “comment matrix,” has also been included to allow further feedback.
“This on-going public comment period will allow our mission partners to offer changes as they become necessary,” said Robert Vietmeyer, associate director for cloud computing and agile development in the enterprise capabilities directorate at the DOD CIO’s office. “This is in direct support of the DOD CIO’s vision of ‘agile policy development.’”
The memo, revision history and comment matrix can be found on DISA’s website.
Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto.