The Defense Information Systems Agency (DISA) released new cloud security guidance Tuesday, Jan. 13, effectively codifying how Defense Department agencies will use commercial cloud products.
Special Report: The Future of DoD Cloud
Download: Cloud Computing Security Requirements Guide
The new guidelines — a response to a policy released by DoD Office of the CIO in December — specify what can be placed in public clouds, what needs to be contained within a virtual environment and what data must be kept on physically separate networks.
More: New DoD cloud security requirements
The base level allows agencies to put information on public clouds that are either openly viewable or discoverable through FOIA.
A mid-grade security level provides restricted access to sensitive information through a virtual cloud environment that requires a secure connection to DoD networks, through the use of common access cards (CACs) or other authorized credentials
The highest level deals with national security systems, which will remain on restricted DoD networks, separate from the cloud until further notice.
By outlining how and where data can be stored in a cloud structure, the security guidance gives component agencies a first look at how the commercial cloud policy will be applied.
Special Section: What's Next in DoD Cloud
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
