Defense agency CIOs now have more power to buy cloud services under a new memo that gives component agencies authority to act as their own brokers, rather than going through the Defense Information Systems Agency.
Acting DoD CIO Terry Halvorsen has said he wants to speed up the cloud acquisition process among the department's many component agencies and military branches. The move to federate responsibility for the process is intended to do just that, while maintaining a level of security necessary for defense operations.
There will still be oversight, as agencies must complete a Business Case Analysis (BCA) prior to each acquisition using the guidelines set forth in an October DoD memo. Both the component agency CIO and DoD CIO must sign off on the BCA before the purchase is finalized.
Minimum security standards will follow the Federal Risk and Authorization Management Program (FedRAMP). DoD is working on a policy guide for sensitive unclassified data expected to be released Jan. 7. The security guide will require cloud providers to submit evidence to DISA that their services can handle sensitive information securely. If a product meets the security requirements, DISA will issue a provisional authorization.
Component agency CIOs will then use the BCA and information in the provisional authorization to make decisions on cloud purchases.
"This is a great outcome," said Carmen Krueger, senior vice president and general manager for cloud operations at SAP National Security Services (SAP NS2). "The Department of Defense is a very large organization and the services have historically had some level of autonomy in information technology choices but with that key umbrella of security protocols that they have to follow."
Krueger noted the provisional authorizations will work in much the same way that civilian cloud providers use authority to operate (ATO) accreditation. Like an ATO, provisional authorization will give component agencies assurance that the provider meets the baseline requirements without having to duplicate the process at each agency.
At the same time, Krueger believes giving more authority to the component CIOs will lead to better mission-oriented results.
"Innovation, which is part of the value proposition of the cloud, really will be better achieved if those component services have a little bit more intimacy with how they're picking those cloud service providers," she said.
The new policy does not address interoperability between networks, though SAP NS2 President and CEO Mark Testoni suggested that will be part of the ongoing conversations.
"There's two sides to risk," Testoni said. "We always think of the risk of failed procurement or risk of non-standard implementation. But there's also a risk of not being able to deploy modern technologies fast enough to leverage them and we tend to forget that piece ... this will allow for a balance of risk."
Like Krueger, Testoni was confident the DoD components will be able to adapt to the new policy.
"The Department of Defense is built on the principles of centralized control and decentralized execution, whether it's on the battlefield or inside the supporting elements," he said.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.