cybera

The clouds, they are a-changin’. The Defense Information Systems Agency may have lost its status — always controversial and contested — as gatekeeper between the rest of the Defense Department and commercial providers of cloud computing. But Pentagon CIO Terry Halvorsen‘s decision to let other defense entities acquire cloud services on their own still leaves DISA a vital role, agency officials told the press today.

With fewer acquisition responsibilities for the cloud, they said, DISA can now focus on making it secure. What’s more, DISA’s new Joint Regional Security Stacks (JRSS) will let them not only improve security but tailor it to specific service and agency needs. It’s another sign the military is moving away from a “one network to rule them all” approach to something more flexible and decentralized.

“The services will potentially do the acquisition, DISA focuses much more keenly on the security aspects of it,” said David Mihelcic, the agency’s chief technology officer.

Dave Mihelcic, chief technology officer at the Defense Information Systems Agency (DISA).

Dave Mihelcic, chief technology officer at the Defense Information Systems Agency (DISA).

The final memo detailing the DoD CIO’s decision, announced last month, is still a few days from release. But “Halvorsen has highlighted DISA maintaining their responsibility for reviewing the security approaches for everyone who goes into the commercial cloud,” said Mark Orndorff, DISA’s chief information assurance officer. “We’ve still going to be maintaining the security requirements. [It’s] still DISA’s responsibility to say a specific commercial cloud provider meets [those] security requirements.”

Further, said Orndorff, “we’re maintaining the cloud access point,” the crucial connection that (in theory) lets internal Defense Department networks use cloud providers without letting a bad guy who’s hacked the cloud slip into DoD. And, along with Cyber Command, a new DISA Joint Force Headquarters (JFHQ) will play a crucial role in day-to-day defense.

The “sea change,” Mihelcic said, is that the armed services and defense agencies don’t have to go through DISA’s “cloud broker” to acquire cloud services — as long as what they’re acquiring has met DISA security standards, that is.

“We are not the gatekeepers,” said Alan Lewis, DISA’s vice director for enterprise information services. “The objective of Mr. Halverson was to introduce greater agility into the process so the agencies and the MILDEPS [military departments] could acquire services more rapidly.” (Halvorsen had said last month that DoD was not moving fast enough).

If anyone’s a gatekeeper now, it will be Halvorsen himself. “Everyone coming forward with a new requirement will have to [submit] a business case analysis that will have to be reviewed by the DOD CIO,” Lewis said. “It won’t be DISA.”

 

Mark Orndorff, DISA's chief of information assurance.

Mark Orndorff, DISA’s chief of information assurance.

Tailoring Security, Bringing In The Navy

Even in its security role, DISA is emphasizing how well it can adapt to meet different agencies’ needs, rather than imposing a centralized standard system. The heart of the DISA approach is what’s called the Joint Regional Security Stacks (JRSS), intended to replace hundreds of internet connections with a small number of well-guarded gateways. But while organizations that join up with JRSS will lose their own proprietary link to the internet, they won’t be forced to submit to some one-size-fits-all model. “Even though JRSS is a joint system,” Orndoff emphasized, “it’s designed specifically to allow the services to configure and operate and maintain [it] within their areas of responsibility.”

While some functions will need to be physically consolidated in or near DISA-run data centers, JRSS will also allow far-flung “communities of interest” to create virtual enclaves tailored to their specific security needs. Military medical facilities worldwide, for example, need to share data on the military’s constantly moving population, but they also need special privacy protection for that patient data — something other parts of the military don’t have to deal with. With JRSS, said Mihelcic, “we can much more quickly implement customized or specialized security services for a community of interest that might be distributed across multiple DoD posts, camps, and stations.”

The first JRSS went fully operational in September, channeling both Army and Air Force traffic at Joint Base San Antonio. 10 more stacks in the continental US are planned, along with two in Europe and an undetermined number in the Pacific.

Notably, however, the Navy and Marines — whose CIO Halvorsen was before becoming DoD’s — are not yet scheduled to get JRSS, although “we’re actively working the timeline,” Orndorff said.

“One thing to highlight is the Navy and Marine Corps had already implemented a regional security stack solution…. so they already have the capabilities that we are building out for the Army and the Air Force,” he said. “There’s not the same gap to address or the same urgency to bring them on.”

“What we are currently considering is an approach where the existing Navy and Marine Corps gateways fold in under the JRSS” so DISA’s network defenders can see what’s going on in the Navy Department system without interfering with its functioning, said Orndorff. It’s a three-step process, he said: “[1] leverage the Navy investments for the time being; [2] get the improved situational awareness as soon as possible; [3] integrate at the appropriate time.”

When’s “appropriate”? Whenever Navy cyber officials decide their existing system needs an update anyway, said Orndorff. Given the current budget crunch, that might be some time.