fbpx Skip to content

U.S. Department of Defense sets its cloud security guidelines

Transformation Network

By pwsadmin | May 15, 2021

The Achilles heel of every transformative business model is their reliance on ever increasing amounts of data that need to be transported quickly across wide area networks and processed at edge computing end points. To meet this expected demand, the global telecommunications industry is rapidly moving toward a future in which networks must have the…

Essential Characteristics of Cloud Computing as Digital Transformation

By pwsadmin | May 15, 2021

Hybrid IT blends traditional datacenters, managed service providers, and cloud service providers to deliver the necessary mix of information technology services. This IT consumption model enables a composable infrastructure which describes a framework whose physical compute, storage, and network fabric resources are treated as services. Resources are logically pooled so that administrators no longer need…

Transformation Innovation

By pwsadmin | May 15, 2021

4 Factors Driving Digital Transformation ROI The critical assessment factors for cloud ROI risk probability are the following:      Infrastructure utilization Speed of migration to cloud Ability to scale business/mission processes Quality delivered by the new cloud-based process  These four factors directly drive digital transformation ROI because they affect revenue, cost, and the time required to…

Transformation Frameworks

By pwsadmin | May 15, 2021

Digital transformation necessitates changes in an organization’s operational processes. According to Harvard, a focus on operations can lead to business process optimization and entirely new revenue streams. Three common routes for this are the following:      Robotic process automation (RPA) which uses artificial intelligence to automate routine activities      Remote worker enablement that uses workspace virtualization and…

Transformation Infrastructure

By pwsadmin | September 26, 2020

Hybrid IT enables a composable infrastructure which describes a framework whose physical compute, storage, and network fabric resources are treated as services. Resources are logically pooled so that administrators need to physically configure hardware to support a specific software application, which describes the function of a composable architecture. This type of transformative infrastructure is foundational…

Essential Characteristics of Cloud Computing as Digital Transformation

By pwsadmin | September 25, 2020

A survey of 2,000 executives conducted by Cognizant in 2016 identified the top five ways digital transformations generate value:      Accelerating speed to market      Strengthening competitive positioning      Boosting revenue growth      Raising employee productivity      Expanding the ability to acquire, engage, and retain customers   Digital transformation is also a cultural change. Cloud Computing as Digital Transformation Since cloud…

Embrace Transformation

By pwsadmin | September 22, 2020

From a business perspective, differentiating business processes and quality customer service are central to overall success. Business leaders must therefore clearly identify and measure how information technology contributes to the value of every key business process. They must also know how to most cost effectively use IT when the task is merely the management of…

Computer Vision Advances Zero-Defect Manufacturing

By pwsadmin | July 25, 2020

by Kevin L. Jackson Electronics manufacturers operate in a challenging environment. It’s hard enough to keep up with the ever-accelerating rate of change in the industry. Now customers want increasingly specialized product variations in less time and of higher quality. Meeting this demand for increased product variation can seriously impact the bottom line. Such variability increases…

Real-Time Analytics Power the Roadway of the Future

By pwsadmin | July 25, 2020

By Kevin L. Jackson The complexities of citywide traffic are pushing the limits of existing transportation management systems. Outdated infrastructure is based on proprietary, single-purpose subsystems, making it costly to acquire, operate, and maintain. And current roadways are simply not prepared for the future of autonomous vehicles. Enter the SPaT Challenge, an initiative encouraging cities and…

Thriving on the Edge: Developing CSP Edge Computing Strategy

By pwsadmin | March 6, 2020

Communications Service Providers (CSPs) are facing significant business model challenges. Referred to generally as edge computing, the possibilities introduced by the blending of 5G networks and distributed cloud computing technologies are redefining how CSPs operate, partner, and drive revenue. A new Ericsson Digital whitepaper entitled, “Edge computing and deployment strategies for communication service providers,” addresses these challenges…

Those watching federal cloud security in the defense space were pleased to learn the Defense DOD Cloud Computing Security Requirements Guide (v1) (SRG) last month. This 152-page document outlines the security requirements that Department of Defense (DOD) mission owners must adhere to when procuring cloud-based services. While the document is very thorough and is required reading if you currently, or intend to provide, cloud-based services to the DOD, I wanted to cover some of the things that stood out to me.

Information Systems Agency (DISA) released the

CSPs are not compliant, but their offerings can be. The requirements guide makes it clear that there is a distinction between a Cloud Service Offering (CSO) and the Cloud Service Provider (CSP). A CSP can have multiple CSOs, all with different security postures.

This has always been the case. However, by making this distinction, DISA has reduced some areas of common confusion. This distinction should also make it clear that utilizing a compliant infrastructure as a service (IaaS) or platform as a service (PaaS) at a CSP does not make the resulting offering compliant. The CSO itself has to be fully evaluated for the Federal Risk and Authorization Management Program (FedRAMP) compliance.

Compliance responsibility is on the prime CSP. Expanding on the last point I made: Everything you put in a CSP environment is not automatically compliant. The SRG states that, “While the CSP’s overall service offering may be inheriting controls and compliance from a third party, the prime CSP is ultimately responsible for complete compliance” (p. 3). This language gives me the sense that if mission owners want to work with a federal integrator (prime contractor) to move an application to a FedRAMP-compliant or soon-to-be-FedRAMP-compliant platform or infrastructure — and that integrator will be performing Operations and Maintenance (O&M) — they will also be responsible for the compliance of the solution and the underpinning platform or infrastructure services from a commercial cloud service provider.

In essence, the solution enabler becomes the prime CSP. This is perhaps an important nuance that may have important ramifications for the integrator and those who provide what DISA dubs commercial cloud service providers. Keep in mind that the SRG also recognizes the existence of DOD-owned and operated CSPs.

FedRAMP + controls. Because DOD systems are categorized differently from other federal government systems, the SRG lists additional security controls and enhancements that are necessary to implement for DOD systems. These controls are over and above the FedRAMP moderate baseline, and as such are called, “plus” controls. The SRG has dealt with privacy and security requirements as “overlays” to all of the FedRAMP and FedRAMP plus baseline controls.

Expanded CSP roles and responsibilities. (Appendix C-1). The SRG denotes that it is the CSP’s responsibility to provide Computer Network Defense (CND) services (all tiers) for its infrastructure and service offerings. CSPs must be willing to provide their own CND services and to be able and willing to contract for more advanced security services as required by a mission owner. Here again, a prime CSP must be willing and able to provide complete compliance, including Computer Network Defense Service Provider (CNDSP) services.

A few takeaways

While this is not an adequate summary of the SRG, this long-awaited guide has provided some clarification around DOD’s expectations from Integrators, CSPs, and DOD mission owners. The DOD has clearly laid out for Integrators and CSPs the expectations for inclusion into the DISA Cloud Service Catalog. It will be interesting to see how and if the definition of a prime CSP evolves and how the industry and government alike adapt to that distinction.

My initial reaction to the SRG is that it limits the playing field of prime CSPs that are able to comply with these requirements today. For small integrators trying to migrate applications to the cloud on behalf of the federal government, it makes the proposition riskier. For example, if small integrators move something to an Amazon Web Services or Microsoft IaaS solution, they are now responsible for the security of the application and that underlying environment. The way this is currently written, I believe that integrators will have to decide whether or not they will take the risk to take responsibility for the application and the underlying environment.

(This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.)

Bookmark and Share

Cloud Musings

( Thank you. If you enjoyed this article, get free updates by email or RSS – © Copyright Kevin L. Jackson 2012)

Follow me at https://Twitter.com/Kevin_Jackson
Posted in

G C Network

Leave a Comment





Crate

Purchase Crate

Shipping and discount codes are added at checkout.

Checkout
Scroll To Top