DISA offers preview of new cloud security standards

Recently, the Department of Defense revealed that it will soon embrace a new approach to cloud integration. Specifically, the DOD announced it will take steps to increase the autonomy of military organizations as they pursue their own cloud initiatives. In the past, the Defense Information Systems Agency instead acted as a leader and broker of cloud services, determining which cloud-based solutions were secure enough for the DOD to implement while contracting the services themselves for DOD organizations. With this policy change, DISA's authority in the realm of cloud integration will be diminished significantly.

However, that does not mean that DISA is no longer important in this area. As the Armed Forces Communications and Electronics Association's Signal Online magazine noted, DISA will continue to offer guidance and recommendations for DOD organizations' cloud integration strategies. And as the news source reported, DISA recently released a draft of its proposed security guidelines for the coming year.

DISA recommendations
The DISA recommendations, known as its Cloud Computing Security Requirements Guide (SRG), serve a similar role to the Federal Risk and Authorization Management Program (FedRAMP). As Signal Online pointed out, though, the DOD has much more stringent cybersecurity requirements than most federal agencies. Consequently, the SRG goes above and beyond FedRAMP, ensuring that all approved cloud service providers can deliver superior, reliable security. Any vendor that cannot meet SRG requirements will not be authorized to provide services to DOD organizations.

As the SRG made clear, this latest edition is not a major departure from earlier versions. Instead, the new SRG builds upon and clarifies these previous guidelines in an effort to address changes in both the cloud computing world and DOD itself.

Among other issues, the SRG offers more detailed guidelines regarding different impact levels and security objectives. These guidelines determine the different levels of minimum security needed for DOD's sensitive data, with cloud security impact levels 3 through 6 requiring that information be stored in specifically designated government-only cloud environments.

Critically, the new DISA SRG acknowledges that a greater portion of the DOD's total data and other assets can be safely stored in public cloud environments. These solutions are typically less costly and more efficient than private cloud deployments, but do not offer the same level of security. By embracing a hybrid cloud approach, DOD organizations can maximize accessibility and performance while minimizing expenses and without compromising cybersecurity. The new SRG makes achieving a hybrid deployment more viable for those DOD groups for which this is the best choice.

Management matters
As mentioned above, the single biggest development regarding DISA and its guidelines is the fact that DOD groups will now be free to exert a greater amount of choice and autonomy when considering cloud integration strategies.

This does not mean, however, that it will be a simple matter for these organizations to pursue the best available cloud deployments in the coming year. Selecting, deploying, maintaining and upgrading a cloud environment is still an extremely complex endeavor, especially when organizations decide to embrace a hybrid approach. Considering the sensitivity of much of the information handled by DOD groups, cybersecurity is clearly imperative, further complicating these efforts. The DISA SRG standards can help DOD groups select their cloud services, but these organizations are on their own when it comes to implementing them.

However, this does not have to be the case. DOD organizations, and federal agencies in general, can and should consider partnering with third-party cloud integration specialists. These firms can offer guidance and expertise through every stage of cloud use, leading to superior security and efficiency, as well as peace of mind for decision-makers.