Video

Video by Dave Pope

DoD Cloud Computing

Air Force Research Laboratory

March 3, 2022 | 4:56

Welcome!
My name is Kelly Kiernan and I'm here representing the Department of the Air Force Chief Information Security Officer.
This is number 11 in the Blue Cyber Series. It's called “DoD Cloud Computing.”
The place to begin when talking about DoD cloud computing is a look at the DFARS clause 252-239-7010 cloud computing services. This DFARS applies when a cloud solution is being used to process data on the DoD’s behalf or the DoD is contracting with a cloud service provider to host or process data in a cloud. Whatever cloud you choose, this DFARS requires that you ensure:
that the cloud service provider meets all the requirements of the DoD cloud computing security requirements guide,
that they use government related data only to manage the operational environment that supports government data
and that your cloud service provider complies with cyber requirements for incident reporting and damage assessment
At the FEDRAMP website, you will find a list of the DoD approved cloud service providers. You may choose one of those or another cloud service provider but whatever cloud service provider you choose, they will need to comply with the DoD cloud computing security requirements guide, which can be found on the Internet and in the reference section at the end of this presentation.
One of the key features of the cloud environment that you choose will be the impact level for which DoD has approved that cloud service provider. An impact level of two is to handle information with sensitivity of public or non critical mission information and the security controls there are those of FEDRAMP moderate. However, if you're going to be protecting controlled unclassified information, you'll want to choose a cloud service provider with an impact level of four or five.
Another cloud computing concept to tackle is cloud computing as a service.
You can see by this model that there are many different possibilities when it comes to cloud computing as a service and there are different levels of management responsibilities depending upon which one you choose. Regardless of which one you choose, the protection of Department of Defense data and information remains your responsibility.
Enterprise cloud is a multi-cloud and multi-vendor ecosystem with three different cloud offerings. Let's take a look at each one.
The first cloud environment to talk about is the Defense Enterprise Office Solution or DEOS. DEOS is an enterprise commercial cloud environment supporting the DoD strategy to acquire and implement enterprise applications and services for joint use across the Department of Defense.
The second DoD cloud environment to talk about is milCloud 2.0. milCloud 2.0 has many benefits. It is secure: dozens of inherited critical security controls that it has are not available in the commercial cloud; it is easy to use, customers can buy cloud services in as few as 48 hours; and it is affordable as compute, storage, and network cloud services are priced at commercial parity.

The third DoD cloud computing environment to talk about is Cloud One. Cloud One is a multi-hybrid cloud environment with DoD centrally funded hosting that utilizes both Amazon Web Services and Microsoft Azure to host the Air Force’s enterprise general purpose applications. Cloud One provides a plethora of services that will accelerate the accreditation process, ensuring continuous compliance with security controls and facilitate rapid future deployment of capabilities.
The key to security in the cloud environment is continuous monitoring. You can see in this diagram that Cloud One creates the infrastructure layer for the security stack, which includes Platform One and your application.
Thank you for joining me today. My name is Kelley Kiernan and there are more talks like this one on the Blue Cyber Education Series website. That website is hosted on the Department of the Air Force Chief Information Security Officer website. And a reminder that this talk is not a substitute for reading the FAR and DFARS in your small business contract. So long.