The DoD is working on an enhanced security standard for Defense networks, according to a recent article from Federal News Radio. These standards will be higher than the so-called low to moderate baseline behind FedRAMP on the civilian side of things.
FNR quotes FedRAMP Program Director Maria Roat as saying that only 12 percent of agencies told the GAO they needed higher levels of information assurance for non-classified information. Most of those came from DHS and the DoD:
“There’s more interest in that high baseline, in particular. I’ve had discussions with [DHS] National Protections and Programs Directorate, really looking at what are those systems around critical infrastructure that have high requirements, as opposed to other agencies that might have high availability only for that requirement, and with what NIST is doing around the cloud framework, looking at what’s that high baseline for the cloud,” she said. “So there is a lot of discussion going on around the cloud. I don’t have that good number yet of what it should be.”
Low to moderate may not sound very impressive, but agencies and vendors on the civilian side are still grappling with the recently passed June 5 deadline requiring agencies to use only cloud services that have been FedRAMP certified. While all of the ramifications of that deadline are not yet clear, it seems that baseline certification will eventually be a prerequisite for cloud service providers who want to serve government clients.
Identifying these security baselines on the DoD side is being driven by DISA, according to Kevin Dulany, DoD’s chief of the risk oversight division inside the chief information officer’s office:
“We are looking at the business case of the additional parameters for controlled unclassified information, because we are very conscientious about where our data resides and how it’s protected,” Dulany said. “We are looking at internally doing pilots based on the categorization, based upon the data types, to see what’s the security requirements for those data types, but also is it applicable, is it the right environment to take out to the commercial [cloud], so that’s why we are doing pilots under the auspicious risk executive function.”
Let’s hope DISA doesn’t take too long in deciding what FedRAMP looks like for the DoD. Terminology aside, cloud security could be a rare instance in which civilian agencies, aided greatly by support from DHS, are out in front of the military side of the house.