For more than two years, the Defense Department has had procedures in place that, at least on paper, allow its sensitive data to be housed in commercial cloud computing facilities. But migrations to the cloud have been relatively few and far between for anything besides public, unclassified data.
That’s partially because for impact levels 4 and above, not only do providers have to earn authorizations that go above-and-beyond the governmentwide FedRAMP process, any data they process also has to make its way through a DoD-provided Cloud Access Point (CAP).
The department is taking a fresh look at that latter point, saying its current CAP policies may be creating an unnecessary roadblock to DoD’s cloud ambitions. As of now, there are only two access points in existence – one run by the Defense Information Systems Agency and one by the Navy.
Dr. John Zangardi, the department’s acting chief information officer, said he’s asked his office to revisit the policy with an eye toward letting commercial cloud vendors provide a CAP-like capability on their own.
“It’s my job to ensure the most effective IT support to the warfighter and to make best use of resources, so the question to my staff is, ‘How can we do CAP better?’” he said last week at the Defense Cyber Operations Summit in Baltimore, Md. “Specifically, can it be provided as a service? It’s a significant question, but if it is resolved, it should open opportunities for services and components to move more quickly to commercial cloud providers.”
DoD’s current policy on access points is laid out in the security requirements guide (SRG) it published in April 2015 and last updated in March of this year. It requires all network traffic that’s making its way between DoD systems and a commercial cloud provider to pass through…