Bill proposes cloud security standards for DOD
Put forth by Rep. Niki Tsongas, D-Mass., and Rep. Derek Kilmer, D-Wash., the Defense Cloud Security Act would require the DOD to set clear, identifiable standards to improve the reliability of cloud security within the federal government. As a first step in this direction, the CIO of the DOD and the U.S. comptroller general would be tasked with assessing the DOD's cloud security requirements, as well as the potential utility that cloud integration offers the department.
This assessment would also include best practices for optimizing the effectiveness and benefits of the cloud within the DOD.
Michael Hartigan, a spokesperson for Rep. Tsongas, emphasized the need for greater cloud computing within the DOD as a cost-cutting measure.
"Storing benign information on internal DOD servers is an increasingly large expense, particularly given the widespread availability of secure, fast, reliable and affordable storage services utilized in the private sector," said Hartigan. "Advancements in cloud data storage by commercial sector vendors have enabled other federal government agencies to store data at a fraction of the cost of physical data centers."
Rep. Tsongas struck a similar note when announcing the proposed legislation.
"This legislation will allow DOD to take full advantage of the cloud services and best practices from both the government and commercial sector, which will, in turn, decrease costs, increase accessibility and allow for a more secure system overall," said Rep. Tsongas, Gov Info Security reported.
Currently, however, the DOD is prevented from taking full advantage of cloud computing because of both its extreme security standards and the lack of approved vendors. Katie Enos, an aide to Rep. Tsongas, told NextGov that without legislation to establish DOD cloud standards, vendors have no way of determining whether or not they are qualified to provide services to the department.
Vendors must meet FedRAMP standards to satisfy basic military security requirements to become an approved cloud hosting service provider. The Pentagon also imposes additional requirements. These latter requirements are not clear to many vendors, a congressional aide told NextGov. The proposed legislation aims to clarify these regulations. There are currently 16 approved federal and DOD commercial cloud providers. Starting on June 5, the cloud-first mandate will take effect, requiring all new federal systems to be placed with one of these authorized commercial cloud providers.
Charlie Benway, director of the Advanced Cyber Security Center, told the news source that many in the cloud computing industry believe the DOD has moved too slowly to establish security standards. In such a view, this legislation is long overdue, and will allow for greater competition for federal contracts among cloud service providers.