DoD CIO Hosts a Collaboration Session with Industry on Cloud Security

On Wednesday, July 12th, the Acting Department of Defense Chief Information Officer (DoD CIO), Dr. John Zangardi, hosted a collaboration session with industry at the Pentagon to explore the best way forward to secure non-public DoD data in the commercial cloud.

As the Principal Staff Assistant and Senior Advisor to the Secretary of Defense for information technology and cybersecurity, the DoD CIO is focused on providing the most effective and efficient support to the mission and the warfighter. Securely moving DoD data more quickly into the commercial cloud is critical to that.

The Deputy Secretary of Defense, Robert Work, stopped by the meeting and thanked all of its participants. "We definitely want to move in this direction," he said about the commercial cloud. "We are just trying to figure out the best way to do it."

From Dr. Zangardi's leadership team, Ms. Essye Miller, the Department's Senior Information Security Officer and Deputy CIO for Cybersecurity, and Mr. Randy Conway, the Deputy CIO of Information Enterprise, spearheaded the roundtable discussion.

Five Level 4 and 5 cloud service providers for DoD joined the conversation. From the Department, leads from the DoD CIO, the National Security Agency, U.S. Cyber Command, Joint Forces Headquarters - DoD Information Networks, the Defense Information Systems Agency, Army, Navy, Air Force, and Marine Corps participated.

Dr. Zangardi outlined some of the challenges associated with advancing the Department's approach to cybersecurity in the cloud. "The objective is to deliver commercial capability faster and drive down costs," he said.

He also articulated the "boundary conditions" for moving the Department's non-public data into the cloud: "We need to protect the [DoD Information Network, or DoDIN], and we need to make sure that our data is secure in the commercial cloud."

The conversation covered the cybersecurity services that DoD provides for its data in the commercial cloud, and which of these could potentially be performed by a vendor. The line between what must be done by the government due to operational and other needs and what could be done by industry was a subject of active debate.

The best way to share information between the government and industry was also a topic for discussion. For the cloud vendors in the room, having informal conversations and reaching mutual understandings are better than receiving unilateral directives or one-way contracting language.

"This was a tough discussion, but it's great you are challenging our way of thinking," Ms. Miller told the industry participants. "It's evident we have more work to do." The DoD CIO plans to host a follow-up meeting later this summer about commercial cloud security, to include Cloud Access Point (CAP) as a Service.