New DISA guidelines clarify DOD cloud integration plans

For some time now, the federal government has made clear its enthusiasm for cloud integration efforts. Beyond the overarching "cloud-first" policy that mandates agencies turn initially to cloud options when considering new IT services, numerous department leaders have stated their intention to increase their use of cloud services for a wide range of applications.

The Department of Defense is no exception to this trend. While it is true that the DOD and other agencies with national security interests must be far more cautious when embracing cloud services and all other technologies, it is by now clear that intelligence and military organizations can safely take advantage of cloud resources, so long as such adoption is part of a cautious, well-considered strategy.

With that in mind, the DOD's Defense Information Systems Agency recently released its latest cloud security guidelines. As Federal Times reported, this document offers significant insight and clarification as to how the DOD will approach cloud integration in the near future.

Cloud security concerns
Cloud security has always been a major issue for organizations interested in the technology, and this is particularly critical for the DOD and other groups that possess incredibly sensitive information. 

DISA is tasked with developing policies that determine what data and assets DOD agencies can move into cloud environments and how well-protected those cloud solutions must be to meet security standards. The latest guidelines in this area demonstrate a greater willingness to use cloud solutions for DOD resources. 

For example, Federal Times noted that the most recent DISA rules allow the DOD to store openly viewable information and any data attainable via a Freedom of Information Act request on public clouds. Information that requires mid-level security will be accessible through virtual cloud environments, although these will only be usable through secure connections to DOD networks.

The most sensitive, national security-related DOD information will remain in restricted, on-premises networks, according to Federal Times.

There are a number of implications to be found in these guidelines. For one thing, DISA's rules now more closely resemble those of the Federal Risk and Authorization Management Program, as a separate Federal Times report made clear. While the most sensitive DOD information must still meet stricter standards – remaining out of the cloud altogether in the most extreme cases – the DOD's posture toward cloud adoption is poised to become more similar to the approach the federal government as a whole takes to cloud integration.

This is important, as it opens up many new opportunities for DOD agencies interested in increasing their use of cloud services. Many cloud vendors have already gone through the FedRAMP approval process, proving that their offerings meet the security and reliability standards demanded of that program. Now that DISA guidelines are rather similar, the number of potential vendors to partner with has increased, allowing DOD groups to enjoy greater freedom when making their cloud decisions, rather than being limited to a select few service providers that have received DOD approval.

Making the right choice
However, while these new policies could significantly improve the DOD's ability to benefit from cloud solutions, they also create certain new challenges. Most notably, expanding cloud use will demand that DOD agencies take more responsibility for evaluating their cloud options and implementing these solutions.

To this end, third-party consulting can prove crucial. DOD agencies that work with experienced, proven cloud integration specialists will be better able to meet their cloud goals while ensuring compliance with DISA security standards at all times.