Contracting mechanisms are proving just as much of a roadblock to the Department of Defense’s planned implementation of cloud computing as security has been, according to Air Force’s chief technology and chief information officer.
DoD has appointed the Defense Information Systems Agency (DISA) as its “cloud broker”–meaning that DISA will help pair the military and other Pentagon programs with cloud service providers and ensure security protocols are followed. Two years since taking on its brokerage role, DISA has yet to establish guidelines for projects needing multiple providers and assigning liability for data breaches.
“We underestimated how much work it was going to be,” Air Force CTO and CIO Frank Konieczny said at MeriTalk’s Cloud Computing Brainstorm on Thursday in Washington.
Konieczny estimated that DoD manages 3,000-5,000 applications that may have slight variations across military bases. These applications must be streamlined to move to the cloud effectively. The task is so overwhelming that DoD will need to hire separate contractors for system integration in addition to hiring the cloud service provider. DISA is unsure of how to assign these complex contracts: does the cloud service provider contract the system integrator or vice versa? Does the cloud service provider or does the system integrator accept the risk for protecting the information as it is moved?
Civilian agencies have also grappled with the question of risk, but any commercial provider that partners with DoD will see cyber attacks on its systems increase, Konieczny said. Due to the sensitive nature of its information, DoD needs the contractual right to intervene in the company’s network should an attack take place–which may be problematic to providers unaccustomed to working with the department.
“CYBERCOM has to be able to come in and take over any incidents that occur,” he said.
Furthermore, Konieczny said various software licenses across DoD will further complicate the process. Moving the software to the cloud will make it difficult to track licenses and may change the terms of service.
“It may be too complex,” he said. “The workload would get ridiculous after a while.”
Such contractual issues have have called into question whether the cost and effort of the project may outweigh the scalable efficiency benefits of cloud.
“It takes a while to get to the point where we can justify the movement of anything into the cloud infrastructure,” Konieczny said.
Still, he is hopeful that 2014 will see DISA stood up as the functioning cloud broker for the department. DISA has been making progress on additional security controls for cloud service providers, building off of the process for civilian agencies called FedRAMP.
The Pentagon will most likely choose DoD-only private clouds, even for unclassified information. Konieczny said there is a model in place for classified information in the cloud, but the plan is to finish the unclassified cloud move first.