With respect to Cloud Computing, “Mission” refers to the information systems and function for which a DoD entity acquires or uses a Cloud Service.
The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The Department of Defense adopted the NIST definition of Cloud.
Cloud computing services can deliver more efficient IT than traditional acquisition approaches. Therefore, program managers will acquire DoD or non-DoD (i.e., commercial or Federal) cloud computing services when the business case analysis determines that the approach meets affordability and security requirements. Furthermore, program managers will ensure that cloud services are implemented in accordance with DISA-provided Cloud Computing Security Requirements Guidance, and will only use cloud services that have been issued both a DoD Provisional Authorization by DISA and an Authority to Operate by the Component’s Authorizing Official. In addition, non-DoD cloud services used for sensitive data must be connected to customers through a Boundary Cloud Access Point that has been approved by the DoD CIO. Program managers report cloud service funding investments through the submission of the Office of Management and Budget (OMB) Exhibit 53 in accordance with OMB Circular A-11.
The DoD Chief Information Officer’s memo from December 2014 identified 5 activities when acquiring cloud services:
- Perform an IT business case analysis
- Apply the DoD Cloud Computing Security Requirements Guide
- Use commercial cloud services that have a DoD Provisional Authorization and obtain a Component Authority to Operate
- Use an approved DoD Boundary Cloud Access Point (BCAP) and Cyber Security Service Provider (CSSP) to protect sensitive data
- Apply the Defense Federal Acquisition Regulation Supplement Interim Rule to commercial cloud contracts