Until now, the Defense Department has trailed considerably behind civilian agencies when it comes to taking advantage of new commercial cloud capabilities, namely because of stringent procurement and security rules. But that's about to change.
Pentagon leaders last month announced new procurement rules that empower DoD agencies to buy cloud services more quickly and easily. And this month, tight security rules that effectively closed off the option of using public cloud services in most cases were loosened.
Experts say the changes will set in motion a flurry of projects across the Defense Department to migrate networks, data and applications to the cloud.
"I think there is some genuine, real excitement about going to the cloud in the DoD," said Gregory Garcia, executive director of the Army Information Technology Agency.
Initial forays into the cloud are likely to be uncoordinated and small in scale. Once the cloud concept proves successful with those early endeavors, more ambitious enterprise-scale projects will likely follow, experts like Garcia say.
"As we build success stories of those early adopters, we'll see more people embrace that idea," Garcia said. "Five years from now, I think it's going to be all in the cloud."
The first key policy change announced in November by acting DoD CIO Terry Halvorsen aimed to speed up and expand the department's procurement of cloud services by removing the Defense Information Systems Agency (DISA) as the department's sole cloud broker, thereby empowering all DoD agencies to buy cloud services on their own.
And earlier this month, DISA loosened security restrictions on certain classes of data that previously were off-limits to commercial cloud service providers. The new guidelines spell out how and where DoD data can reside, setting the stage for how component agencies will purchase cloud services.
The result is a new security requirements regime that is more willing to accept some increased risk for less mission-critical data, said Mark Orndorff, mission assurance executive for DISA.
"Where is that right balance point that will allow us to get the full benefits of commercial cloud providers while doing that with the right level of security?" Orndorff said. "This is an opportunity to get the agility, economic and technical advantages from commercial cloud and do that without putting the department at risk by leveraging the virtual separation capabilities that commercial cloud providers have, up to a level of sensitivity."
In a nutshell, DoD data now will fall into one of three levels of security, based upon the impact there would be on DoD operations if that data were compromised.
For example, public-facing data, websites and information discoverable through FOIA could reside on a public cloud. A higher level of security would cover controlled unclassified information, which can be kept separate on virtual servers but requires logging in to a secure DoD connection. The highest level of security is reserved for unclassified and classified national security data, which must be housed on physically separate servers.
Garcia said the policy changes are sure to ignite many cloud ventures, but he added, "I think the economic question and the security question are going to really drive people to make that assessment."
The Pentagon appears open to the possibility of further relaxing security requirements in the future, if warranted.
"We are very open minded to it, but we want to do due diligence to assess: What is the risk, what are the mitigations and how do we want to press forward," Orndorff said. "We just want to spend more time before we decide if that's a goal."
In time, as more DoD services are managed by commercial cloud providers, agencies could move to single, enterprise contracts for all their cloud needs, experts say. But, early on, the varied missions within DoD components and different security requirements likely will force agencies to look at their cloud needs one application and network at a time.
"This will be piecemeal, at least at first," said Stu Fleagle, vice president of government solutions for Carpathia. "It will probably be much more limited before it's wholesale and enterprisewide."
Where does DoD begin?
Steven Kousen, vice president of cloud strategy and integration services at Unisys, said the earliest initiatives likely will focus on "things that are already virtualized and make sense."
"If that's public data, they'll solicit for that sort of data. Other areas they know are sensitive but unclassified — those things can be moved," Kousen added.
Another factor likely determining what moves to the cloud first will be technical compatibility with cloud service providers' infrastructure. So, for example, Fleagle of Carpathia noted that the .mil domain was built on VMware technology, making DoD websites an easy first choice for migration as many cloud systems are built on the same stack.
Chris Spina, government cloud specialist with VMware, agrees. "Having cloud service provider networks that are all using the same core stack will make it easier," he said. "If [a DoD application] is running VM on-prem today, it will be easier to move on a cloud with VMware."
In addition to setting the right balance between security and economics in their cloud plans, DoD executives will need to address another issue: what to do with their networks, data and applications once their cloud services contracts expire.
"That question has to be asked," Garcia said. "Is it portable from a cloud to a cloud? There are many constraints in getting it there, but there are also many, many constraints in getting it out of there."
Despite the challenges, all parties are expecting a much faster transition to the cloud for DoD agencies under the new guidelines.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.