Department of Defense Use of Commercial Cloud Computing Capabilities and Services
Institute for Defense Analyses Alexandria United States
Pagination or Media Count:
This papers addresses requests made by both the U.S. House Armed Services Committee and the U.S. Senate Armed Services Committee for independent assessments of the Department of Defense DoD approach to using commercial cloud computing. As of 2015, the Department of Defense DoD is taking action to offer a wider selection of commercially owned and operated cloud services to DoD mission owners. DoD has instituted a process to evaluate and issue Provisional Authorizations for cloud service offerings, based on the security controls that the provider implements and the sensitivity level of the data that it intends to host. The timing of DoDs move towards the commercial cloud is reasonable given the risk and assurance requirements of many of its missions. However, the Department could offer better guidance about the risks of cloud computing and what mission owners should consider as they mitigate or avoid those risks. We also recommend that DoD consider allowing its Defense Industrial Base partners to participate in high-sensitivity community cloud infrastructure, thereby increasing the efficiency and utility of those systems.