Amazon Web Services won provisional authority to operate cloud computing services for the Department of Defense, permitting AWS to handle unclassified data under the DOD's Cloud Security Model (CSM).
The authorization reopens the DOD market for the company's cloud-based computing services, which had been shut out of new deals since 2012 because the DOD required service providers to have a security certification. The authorization covers five service offerings: Elastic Compute Cloud, Simple Storage Services, Virtual Private Cloud, Elastic Block Store, and Identity and Access Management.
"There is a huge demand for the services in DOD," said Teresa Carlson, AWS vice president of worldwide public sector. US Navy CIO Terry Halvorsen, for instance, recently said the Navy intends to move the department's unclassified, publicly available data to a commercially provided cloud.
AWS is the second cloud service provider to receive the authority to operate at the initial low-impact levels. Autonomic Resources received it in 2013 for its Autonomic Resources Cloud Platform.
The Defense Information Systems Agency (DISA) was named the department's cloud service broker in 2012 and tasked with developing a cloud security model for DOD unclassified and classified missions through the Secret level. Missions classified above Secret are not included in the model.
Acquisition of cloud services by DOD agencies now must go through the DISA brokerage, and only authorized providers can be used. Those agencies already using cloud services before the edict were allowed to continue using them. AWS was permitted to work with existing DOD customers but could not sign up additional customers until the authorization to operate was granted.
The DOD has designated different tiers or impact levels, depending on the type of information being stored or hosted in the cloud and the potential impact of that information being compromised. DOD agencies work with the DISA to determine the impact level of the workload being moved to the cloud. Levels 1 and 2 cover low-risk unclassified data that is publicly releasable or controlled. Those were the first levels for which DISA requirements were issued. Requirements for levels 3-5 were released this month. Carlson said AWS is pursuing authorization for the higher-impact levels.
The DISA cloud security model recognizes the equivalency of some government cloud security standards and programs in order to minimize the time and effort required for certification. These other programs include:
- Committee on National Security Systems Instruction (CNSSI) 1253 Controls
- Ongoing Assessment
- DOD Command and Control and Network Operations Integration
- Architectural Integration
- Policy, Guidance, and Operational Constraints
FedRAMP, the Federal Risk and Authorization Management Program, is a government program to certify cloud service providers at a baseline level of security under the Federal Information Security Management Act. FedRAMP allows agencies to use or build on cloud services that have been FedRAMP certified, so that each agency does not have to start from scratch in certifying each computing platform being used. Both Autonomic and AWS leveraged their FedRAMP certifications and documented the additional 20 controls needed for DOD authorization to perform work at impact levels 1 and 2.
Amazon's authorization covers all of the company's infrastructure regions in the continental United States, including its US East and US West regions, as well as its GovCloud. Though GovCloud is a dedicated government cloud, some federal customers use the other clouds for noncritical workloads.