The Defense Department wants to accelerate its cloud adoption.
Frustrated with the slow pace of migration, Pentagon officials are in active talks with cloud providers to revise, or even completely replace, internal rules for cloud security.
The DoD is one example of a federal agency trying in recent years to jumpstart its cloud adoption, as cloud computing continues to play a larger role in Uncle Sam’s broader IT portfolio. But while federal agencies have been steadily adopting cloud computing, in particular migrating websites and email accounts rapidly, they have been less willing to move sensitive data over because of security concerns.
In particular, Pentagon officials say stringent security guidelines put in place in 2015, with various protocols for cloud providers, have created a “bottleneck” for the department’s cloud strategy. Those rules — called the Cloud Security Requirements Guide — specify security protocols for isolating sensitive, classified and highly classified data.
DoD is now looking at making its security demands less specific or maybe relying on protections cloud providers can build to meet the department’s security needs. To do that, the department has held two sessions in the last several months with cloud providers to discuss how the agency might modernize its cloud strategy, according to Federal News Radio.
“The discussion was really, truly to the point: What are those things that industry can provide for us and where do we need to adjust, not only in terms of requirements, but to shift our language from specifically what we’re looking for in terms of solutions to expected outcomes,” Essye Miller, DoD’s deputy chief information officer for cybersecurity, told reporters on a conference call earlier this month.
Pentagon officials say it’s not clear yet what kind of changes they’ll make to internal cloud security rules, but the push to move cloud adoption is coming from the top.
Deputy Defense Secretary Patrick Shanahan issued a memo in September calling on the department to fast-track its move to the cloud. That directive, Miller said, has added more urgency to the push to make the department’s cloud rules less cumbersome.
“We have not made a decision that we will redo the SRG, but I think we are taking into consideration feedback from our industry partners on where we need to adjust,” Miller said. “Some of it will be based on the requirement. As we see more capabilities to rationalize our infrastructure, this won’t be a cookie cutter-type answer. We need to wind up in a posture such that we’ve got the spectrum covered.”