In a recent Government Cloud Insider article, Kris Osborn reported that the Department of Defense has launched a new effort to accelerate migration to the cloud, and that the Department wants to leverage commercial-sector IT innovations. A memo from Deputy Defense Secretary Patrick Shanahan established the department-wide developmental program and created a new Cloud Executive Steering Group (CESG) that will deliver industry best practices and solutions on an accelerated timeline. The program has two phases, starting with a contract to acquire cloud services, followed by an effort to operationalize technical innovation.
There are many perceived barriers to cloud migration, including a sense that anything in the cloud is less secure and an unwillingness to relinquish control. However, there are drivers that make the migration inevitable. In reality, the most challenging hurdle for agencies is obtaining Authorities to Operate (ATO). Civilian departments and agencies are required to comply with the appropriate FedRAMP security level. The NIST Risk Management Framework (RMF) informs the DoD and the IC of the controls and policies necessary to obtain ATOs. The fact is that FedRAMP contains the applicable RMF controls and policies.
The Software Defined Perimeter (SDP), as developed by the Cloud Security Alliance, is a framework that is consistent with the NIST RMF. When implemented, it accounts for over 60% of the FedRAMP and RMF requirements and significantly reduces the time frame required to obtain ATOs (as validated by the ICSM + NIST Cybersecurity Framework). Waverley Labs developed an SDP implementation (PantherR™) that makes critical assets invisible, provides strong multiple-factor identification and authorization, and provides FIPS Pub 140-2, Level 4 compliant transport.
The benefits are manifold: SDP is elegant in its simplicity and supportability; it is highly scalable; and it supports the segregation of multiple Departments, Agencies, and Coalition Partners to assure secure sharing of data on a need-to-know basis. SDP requires no development, only implementation tailored to the requirements of the governing body responsible for it.