David Bennett, DISA's CIO, is examining how willing DoD agencies are to use commercial cloud providers for sensitive information. (DISA)
Amazon Web Services on Aug. 21 announced that it has achieved approval under the Defense Department’s cloud security model to operate commercial cloud services for the department’s sensitive, higher-security data management.
The provisional authorization grants AWS the opportunity to provide cloud services at impact levels 3 through 5 under DoD’s security model, a stricter set of criteria than the baseline requirements under the Federal Risk and Authorization Management Program, or FedRAMP. Levels 3 through 5 deal with sensitive, for-official-use-only, unclassified data and applications. AWS is one of four providers already authorized for levels 1 and 2.
AWS’ announcement comes as officials at DoD are preparing to launch five pilot programs aimed at demonstrating the use of commercial cloud services for the higher-sensitivity requirements of impact levels 3 through 5. Officials have said the initial criteria that prospective cloud providers must meet may be too stringent, and their hope is that the cloud pilots will help them reevaluate their benchmarks.
Officials also are looking to the cloud pilots to assess defense agencies’ tolerance for risk in the use of commercial cloud services, as well as to improve cloud security and operations.
“There is lots of coordination going on ... to prove out how you do levels 3 through 5, and whether the safeguards will be adequate and really test out the controls to ensure we understand how it’ll work going forward and what the risk is to the data in those environments,” said DISA CIO Dave Bennett.