DOD’s move to commercial cloud requires ‘revamp’ of risk management framework

In the current framework, there are more than 600 security controls, burdening the process of bringing an application online.
Essye Miller at the 2016 Security Through Innovation Summit. (FedScoop)

As the Defense Department considers a new enterprisewide cloud strategy, it’s imperative that the department also “revamps” its risk management framework to fully take advantage of such a modern computing environment, its acting CIO said.

“In an environment where we’re looking to move to the cloud, we’re looking to take advantage of enterprise capabilities, I should be able to provision a system on the network and it not take me a year and thousands of dollars to get there,” CIO Essye Miller said Tuesday at an AFCEA DC event. “That’s on us.”

But in the current framework, developed by the National Institute of Standards and Technology, there are more than 600 security controls, burdening the process of bringing an application online, especially in an environment with such sensitive information, like the Pentagon, she said. DOD adopted NIST’s risk management framework in 2014, replacing the prior DOD Information Assurance Certification and Accreditation Process (DIACAP).

The original intent, Miller explained, was “system owners going out and choosing the controls that [work with] their system. That is not how we work. That still leaves us in a very checklist compliance-oriented environment.”
She continued, “We’ve got to shift the force to something a bit more flexible so that we can get the systems that we need to the users, to the warfighters, in a much quicker fashion on the network and certified” while still being cognizant of the risk.

The Pentagon is on the cusp of a move to adopt commercial, enterprisewide cloud services. The department is developing a strategy for the move and sometime this summer plans to solicit a contract, all under the program called the Joint Enterprise Defense Infrastructure, or JEDI.

As Deputy Secretary Patrick Shanahan explained to FedScoop recently, Miller said this forward-thinking move to adopt commercial cloud is all part of a bigger plan for the department.

“It’s about moving to an environment where we have an opportunity for harvesting rich data, for machine learning, for artificial intelligence” and more, she said.

“We really are shifting the way we do business — more shared services, more enterprise services,” Miller said. “Understanding that the requirements that we have across the department are not necessarily unique to a service or an agency. How do we get the department to the same level and operating in the same way where applicable?”
Indeed, shared services across the greater DOD enterprise play a large part in the ultimate plan, particularly the back-end business support systems that are common to the different services and agencies.

Things like financial operations and human resources “go through all of the functional areas, and each one of us has our own capability,” Miller said, explaining the unnecessary redundancy in that. “The intent is to go to enterprise shared services… and a shift to commercial cloud, where applicable, can help us with that.”

The goal is for functional units to spend less effort on back-office business and more on readiness, lethality and deterrence, while the department looks to the commercial sector to develop the technologies it needs to maintain its competitive edge globally.

“How do we get ourselves out of the thinking that we have to make or modify everything we buy?” Miller said. “How do we move to an environment where I’m relying on our commercial partners to give us the capabilities that we need out of the box? That challenged us to look at our capabilities a bit.”
