The Defense Information Systems Agency–DISA–has granted IBM’s SmartCloud for Government a 12-month Department of Defense Provisional Authorization for systems hosting data at Impact Level 5–IL5. The move makes IBM’s Infrastructure-as-a-Service–IaaS–the latest cloud service available to Federal agencies for the highest level of unclassified information.
IL5 covers highly sensitive information on the DoD’s Non-classified IP Router Network–NIPRNet–including national security systems, according to DISA’s ascending scale of impact levels. It’s one level below the highest level, IL6, for classified information on the Secret Internet Protocol Router Network–SIPRNet.
Security has been one potential pothole in the DoD’s push for accelerated adoption of commercial cloud services, a push that includes plans to soon award a multibillion dollar contract for its Joint Enterprise Defense Infrastructure–JEDI. The 10-year deal, estimated to be worth as much as $10 billion, would be complementary to other cloud efforts by DoD services and component organizations. Department officials have said they expect its coverage of security levels to take a phased approach. “Long-term, it’s going to go up to Level 5, but it’s going to take several iterations,” DoD Acting CIO Essye Miller told reporters at an industry day in March.
DoD has long touted the advantages of cloud computing which include lower costs, faster upgrade paths, and better information sharing, but has struggled with balancing the necessary security requirements with the desire for quick adoption. The department’s original Cloud Security Model was deemed too demanding and costly for vendors. Only a few of the vendors had received authorization, even for lower security levels. DoD replaced it several years ago with the Cloud Computing Security Requirements Guide, which is more in line with the Federal Risk and Authorization Management Program–FedRAMP–used by civilian Federal agencies. Since then, dozens of vendors’ products have received authorization to operate at various impact levels, though only a relative few have qualified at Level 5.
According to DISA’s DoD Cloud Services Catalog as of March 28, IL5 authorized providers include services from IBM, Microsoft, Oracle, AWS, and DISA itself, for its milCloud–government-run–and milCloud 2.0–commercial, from CSRA/GDIT–offerings. Because provisions are typically for a set amount of time, the list can change. IBM, for instance, noted that its recent authorization extended a previous authorization.
Only AWS has IL6 authorization for its Secret Commercial Cloud Services Environment–SC2S–an IaaS covering unclassified, sensitive, secret, and top-secret information.
Under DISA’s model, Level 2–which combined the former levels 1 and 2–covers publicly available information, including some unclassified information not deemed to be mission-critical. Level 4–formerly levels 3 and 4–covers low-impact Controlled Unclassified Information–CUI–protected by law from unauthorized disclosure and considered to be mission critical.
Level 5 applies to CUI that requires a higher level of protection and supports unclassified National Security Systems. Level 6 covers information classified up to the Secret level, including national security information. Levels 5 and 6 both require that the information be kept in a separate physical environment that can’t be reached via a virtual cloud.
DoD’s push to the cloud eventually could depend on more vendors achieving authorizations to operate at higher impact levels.