The Defense Department is drafting plans that will give the military services the authority to contract for their own cloud services using a soon-to-be-developed common business case analysis template, the Pentagon’s acting Chief Information Officer Terry Halvorsen confirmed Tuesday.
Speaking during the first of a planned series of quarterly roundtables with reporters, Halvorsen said the department will issue a memorandum by the end of October stripping the Defense Information Systems Agency of its role as the Pentagon’s central cloud services broker in an effort to speed up the department’s move to the cloud.
“We have not moved out into the cloud fast enough. One of the things we’re going to change to give us more opportunities to move faster is to let the military departments do their own acquisitions of the cloud services and not have to funnel that through one agency,” Halvorsen said. DISA, however, will remain involved in the process as the approval authority for security plans that each of the departments proposes, and each of the departments will have to provide those plans to DISA and the CIO office so the Pentagon can maintain visibility into the services running across its networks as well as the financial performance of the cloud contracts.
The single business case analysis template — known as a BCA — is a play taken right out of Halvorsen’s playbook when he was the CIO at the Department of the Navy. In 2011, then-Navy CIO Halvorsen issued a memorandum requiring all Navy components to use a standard BCA template for all IT investments valued at more than $1 million. “Its use will ensure consistency, facilitate comparisons of proposed alternatives to the status quo, and clearly define expected costs, benefits, operational impacts, and risks, thereby ensuring the best course of action is taken,” the memo stated.
The new Defense Department policy memo will also require the common BCA to take into account DISA cloud service options currently available through milCloud — DISA’s portfolio of cloud service offerings. According to Halvorsen, although milCloud exceeds the security requirements set forth by the Federal Risk and Authorization Management Program, known as FedRAMP, there are other benefits associated with moving to the commercial cloud that the Defense Department has not taken advantage of fully.
“MilCloud is more like a private cloud. It is our most thoroughly tested in terms of its security and other requirements of any cloud option that we have,” Halvorsen said. “The reason that we won’t always just default to milCloud is [because] we can get better costing by going to commercial solutions when they make sense. MilCloud is more like a private cloud. I think you’ll see increased spending on cloud services.”
DOD currently uses FedRAMP for approving cloud services, but there are certain systems in the military where the FedRAMP standards do not meet DOD’s security requirements. “In those cases, I have to go above the FedRAMP process. But where we can, we’re committed to taking what I’ll call the out-of-the-box FedRAMP standards and applying them with DOD,” Halvorsen said. “We are writing a policy to clarify for the DOD what systems would fall into the category where we will have to use the higher level of security.”
Halvorsen is carefully watching the progress of two ongoing cloud pilot projects, both of which were awarded to Amazon Web Services earlier this year. “Amazon is right now the only vendor that is initially approved for level 3 and 4 data,” said Halvorsen, referring to DOD’s five-level cloud security model. There are other vendors approved for levels 1 and 2, and some that are close to reaching the highest levels of approval, he said.
“One of the things we’re testing is the premise that this is going to be less expensive,” Halvorsen said, referring to the Amazon pilots. “But the key thing that we’re all searching for is it mission successful?”
And that includes achieving a minimum security standard. It is important that the Pentagon be able to measure the level of security and understand what level of risk it is accepting. The pilots will also help streamline the security waiver process, which still takes too long, according to Halvorsen.
This November, Halvorsen plans to begin deployment of mobile capabilities to combatant commanders around the world that will operate on the Pentagon’s secret-level network, known as the Secret Internet Protocol Routing Network, or SIPRNet. And while he could not detail the specific capabilities of the phones for security reasons, Halvorsen said at a high level the phones would need to work across the world, come in a form factor as small as a smart phone “and operate at the right cost level.”
The second phase involves delivering a nonsecure capability that lets users work in two environments, a work environment and a personal environment. “We’ve started to put those out, based on the Blackberry Z3,” Halvorsen said. “While I am happy with all of the progress that we’ve made, I’m not yet happy with where we have driven the price today. It’s at a price where I’m comfortable putting it out but we have more work to do to drive the cost of that down.”