Sunday, February 18, 2018
Photo by Master Sgt. Ken Hammond, U.S. Air Force.

DoD Updates Government Security Requirements for Cloud, But What Does That Really Mean?

IT officials from the Department of Defense (DoD) have released an update to the Cloud Computing Security Requirements Guide (CC SRG), which establishes security requirements and other criteria for commercial and non-Defense Department cloud providers to operate within DoD. These kinds of updates are not uncommon. In fact, they are encouraged through an interesting use of a DevOps-type methodology, as the DoD explains:

DoD Cloud computing policy and the CC SRG is constantly evolving based on lessons learned with respect to the authorization of Cloud Service Offerings and their use by DoD Components. As such the CC SRG is following an “Agile Policy Development” strategy and will be updated quickly when necessary.

The DoD offers a continuous public review option and accepts comments on the current version of the CC SRG at all times, moving to update the document quickly and regularly to address the constantly changing concerns of an evolving technology like public and private cloud infrastructure. The most recent update includes administrative changes and corrections and some expanded guidance on previously instated requirements. The main focus of the updates is to clarify standards set in version one and to alleviate confusion and any potential inaccuracy.

If you are interested, you can read through the entire CC SRG revision history online.

What is particularly interesting here is the DoD’s acknowledgment that management of cloud environments is constantly evolving, security requirements and best practices need to be iterative, and updates need to be made regularly to ensure relevancy. It’s also important to note that the CC SRG is only one of many government policies put in place to help government agencies securely and effectively implement cloud infrastructures. There are also guidelines like NIST SP 800-37 Risk Management, NIST 800-53, FISMA and FedRAMP to consider. All of these provide a knowledge base for cloud computing security authorization processes and security requirements for government agencies.

What the DoD’s updates to the CC SRG should reinforce for agencies is that they need to have a clear cloud strategy in place in order to ensure compliance and success in the cloud. Determining the best implementation of these guidelines for your needs is difficult in and of itself. Add to that the ongoing management and updates required to keep up with ever-evolving guidelines, and an IT team can find itself struggling.

By partnering with systems integrators and software vendors, or working directly with a managed service provider like Datapipe, government agencies can more easily develop a long-term cloud strategy to architect, deploy, and manage high-security and high-performance cloud and hosted solutions, and stay on top of evolving government policies and guidelines.

For example, Microsoft Azure recently announced new accreditation for its Government Cloud, and Amazon AWS has an isolated AWS region, called AWS GovCloud, designed to host sensitive data and regulated workloads. You can learn more about our new Federal Community Cloud Platform (FCCP), which meets all FISMA controls and FedRAMP requirements, and all of our specific government cloud solutions on the Datapipe Government Solutions section of our site.

About Brian Burns

Mr. Burns brings eighteen years of hands-on experience in Cloud/Web Hosting thought leadership. He has been interviewed and published by many industry-leading organizations for his innovative thoughts on the cloud services industry and how cloud service providers can continue to provide innovative solutions to the United States Federal Government.