The Defense Information Systems Agency (DISA) granted a Department of Defense (DoD) Provisional Authorization (PA) to 23 cloud service offerings on March 26 to host department mission data up to Impact Level 2, DISA said on Monday.
The PA acts as the initial approval of the cloud service provider’s cloud service offering package by DISA that a DoD customer or mission owner can leverage to grant an Authority to Operate (ATO) for the acquisition ad use of the cloud service, offering at the defined impact level. This is done by combining the PA information with the customer’s assessment of the additional controls needed for their specific mission system/application, DISA said.
A DoD PA does not constitute endorsement by the department or DISA of the suitability of the cloud service offering for any particular requirements. It also does not replace or remove the requirement for the mission owner to issue an ATO for their implementation of the cloud service offering.
“The granting of these provisional authorizations is an important step in our strategy to drive cost down by moving more of our mission data to the cloud,” Terry Halvorsen, Chief Information Officer of the Department of Defense, said in a statement.
Impact levels are defined by the sensitivity and risk associated with the data, which was used to establish the minimum protection and controls required. There are four impact levels: two, four, five, and six. Mandated protections increase with each successive level and level six is for data classified as secret.
Level two is for non-controlled unclassified information including all data cleared for public release, some department private unclassified information not designated as critical mission data but that requires a minimal level of access control.
The cloud service providers had to demonstrate compliance with the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. Beforehand, each provider was granted either a FedRAMP Joint Authorization Board (JAB) PA or a FedRAMP Agency ATO.
The cloud service offerings granted provisional authorization include companies like Amazon [AMZN], AT&T [T] IBM [IBM], Lockheed Martin [LMT], Microsoft [MSFT], the Oracle Corporation [ORCL], Salesforce [CRM], and Verizon [VZ]. Offerings also come from the Office of management and Budget (OMB), the Department of the Treasury, and the Department of Agriculture.