The Defense Information Systems Agency and Department of Defense released an updated set of requirements for putting sensitive data in the cloud in 2015. Now, almost a year later, DISA has approved the first cloud vendor to handle level 5 controlled unclassified information.
IBM announced on Feb. 11 that the company was granted a conditional authority to operate (C-ATO) a level 5 data center at the Navy's Allegany Ballistics Lab in West Virginia.
"IBM is the first cloud provider with a direct connection to the DoD's internal network known as the Nonsecure Internet Protocol Router Network (NIPRNet)," the company said in a statement. "The authorization granted by DISA will enable other DoD agencies the opportunity ultimately to streamline their authorizations by leveraging the thorough process DISA followed."
According to the DoD security requirements guide issued last year, level 5 networks handle data that could have consequences for national security if compromised, forcing IT managers to maintain a physically separate environment not connected to a virtual cloud. Earlier this year, DoD CIO Terry Halvorsen said he was working to streamline cloud security requirements.
The IBM solution DISA picked for ABL will let the lab scale up cloud resources to supplement its on-premise networks as needed without opening the systems to outside security threats.
"Department of Defense agencies have the opportunity to embrace commercial cloud best practices and technology with the security of a government-owned facility," said Sam Gordy, general manager for IBM Federal. "It will also provide DoD agencies with an ideal option to launch workloads in a hybrid cloud that can be easily integrated with their on-premise systems."
While the DISA SRG is targeted to DoD components, Gordy suggested IBM's hybrid model can be applied to civilian agencies that work with similarly sensitive information.
"DoD is serving as a strong model to other cabinet level agencies in the federal government," he said.
Halvorsen shares that vision, understanding that agencies across the government are watching what the Pentagon does in cloud data to see if the moves can fit their needs and help them save money and realize efficiencies, too.
"All of you want your data to be secure too…if we can raise that national bar together, we can do [cloud] much more effectively and much more efficiently," Halvorsen told hundreds of attendees at his office's industry day in Washington last year. "What's really the right level of security for things like financial data or personnel data? If we get those answers right, that's way beyond just what we can use at DoD."
Measuring security and savings, however, hasn't come easy to DoD. In December the DoD Inspector General issued a report criticizing some of the CIO office's cloud operations.
"DoD cannot determine whether it achieves actual cost savings or benefits from adopting cloud-computing services," a Dec. 28 audit report states. "In addition, without knowing what data DoD components place on the cloud, DoD may not effectively identify and monitor cloud computing security risks."
DoD officials disagreed with the IG report, and while they're working to improve their cloud metrics and standardization, the department clearly is moving forward with the level 5-certification announcement, and with broader plans for integrating industry cloud offerings.
"This designation is great news for the state of West Virginia and recognizes the high standards upheld at the Allegany Ballistics Laboratory," said Sen. Shelley Moore Capito, R-W.V., a member of the Senate Appropriations Committee. "This facility plays a critical role in our national defense and this designation will enable our defense agencies to securely incorporate the best advanced practices in commercial cloud computing."
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.