Cloud option a trickier choice for DOD field units
By Sara Friedman
Unlike most agencies, whose employees work in offices, the Army has a global workforce with unique technology requirements.
For soldiers in the field, a cloud environment may not be the best solution, according to Thomas Sasala, director of the Army Architecture Integration Center.
“They are core employees and high-level targets for the enemy,” he said. “If the information in their units is not encrypted and gets captured and compromised, that could … put those people in danger.”
“My ask to you in the industry is that you consider the tactical users -- the people working and operating in a contested environment,” Sasala told attendees at a recent Washington Technology Defense Contracting event.
Kevin Dulany, chief of the DOD’s Risk Management Framework Division and deputy CIO for cybersecurity, echoed that need and offered a specific opportunity to the more than two hundred industry and federal employees in attendance at the event. DOD's industry Information Day on June 23, he said, is a prime opportunity to discuss how best to square cloud services acquisition with the recently revised Defense Federal Acquisition Regulation Supplement.
All cloud service providers who want to work with DOD customers must be compliant with DFARS requirements at the end of the year. During the May 12 event, Microsoft Azure General Manager Tom Keane announced that his company's platform is the first to comply with DFARS.
“We are looking for information that gives the perspective for troops who are not deployed in a garrison environment,” Dulany said. “We want to see how your capabilities can support forces deployed in not so nice neighborhoods.”
Given the globe-spanning and decentralized nature of military systems, Sasala said, traditional perimeter-based security simply isn't sufficient. Field operations are not behind the typical “hard wall” used to secure enterprise systems, Sasala explained.
“Our enterprise is very much like an M&M that has been out in the sun for a while,” he said. “If you crack it open, lot of stuff oozes out.”
Agencies and cloud service providers also must acknowledge that systems are easier for attackers to penetrate with phishing emails and links that can attack the enterprise infrastructure rather than with a top-down attack of the network itself, he said, adding: "The fight is not at the network level anymore. It is at the application."
The threat to DOD information systems security is “real,” Sasala stressed. “It is not about compliance or checking boxes," he said, and agencies must honestly assess the mission needs and acceptable risk levels for each program.
John Connor, IT security specialist with the National Institute of Standards and Technology’s Office of Information Systems Management, agreed with Sasala that cloud technologies should be tailored to fit each agency’s needs.
“Just because systems can be in the cloud doesn’t mean that they should be in the cloud,” Connor said. “We need to decide whether it is worth it for each agency.”
Connor said the cloud calculus for defense agencies doesn’t really change due to the number of employees on the battlefield, but the priorities can change depending on the users and their access methods.
“Securing our government data and people out there in the field doesn’t change, but it does depend on how we are approaching and fulfilling the requirements that are necessary because the technology needs are going to change,” he said.
Sasala also said cost savings alone are rarely reason enough to move to the cloud, and urged DOD employees and industry stakeholders to consider the indirect expenses when weighing their options.
“There are always going to be indirect costs to get the technology to the people who are utilizing it in the field,” Sasala said. “It’s hard for us when doing spreadsheets to determine how much it is going to cost us to significantly change our systems.”
Dulany said he sees budget cuts across DOD spurring a shift to “an enterprise architecture structure.”
“We want business owners to enable DOD processes through shared properties using the same cost models that everyone else uses,” he said. “You are starting to see more of the enterprise architecture and records architecture process enable the bigger picture initiatives in addition to smaller projects.”
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or follow her on Twitter @SaraEFriedman.