A Framework for Secure, Mission-Ready Cloud Solutions
By John Nemoto, VP, CGI Federal Inc
In the past year or so, the U.S. Department of Defense (DoD) has made a number of changes to make it easier for DoD agencies to buy cloud services, including accepting some additional risk for less mission-critical data.
The Defense Information Systems Agency (DISA) and the DoD Chief Information Officer have also published a cloud security requirements guide (SRG) to provide more standardized definitions across the Department and facilitate cloud adoption.
A recent news release stated, “As DISA advances cloud capabilities for the Department of Defense (DOD), it embraces the opportunities to use commercial cloud solutions to reduce operational costs, release available resources, enhance standardization, and increase agility and responsiveness to the changing needs of mission partners.”
While there is a sense of momentum and excitement across the DoD about moving to the cloud, the emerging model of doing so faces numerous challenges, such as:
• Lack of a unified model for deploying continuous monitoring across hybrid cloud environments
• Authorization processes that are not easily replicated across commercial cloud services providers (CSPs)
• Fragmented and non-standard security reporting processes between organizations and CSPs
• Lack of risk awareness and single-pane-of-glass visibility for stakeholders
• Barriers for mission owners to adopt innovative services and technologies from CSPs
• Cybersecurity approached as an “add on” and not embedded into cloud solutions
• Inefficient compliance reporting model that results in “sprawl” across CSPs and agencies
Based on our experience as a CSP with provisional authority to operate from both the Federal Risk Management Authorization Program (FedRAMP) and DISA, CGI has developed a framework for enabling secure cloud solutions for DoD mission owners. This framework is based on continuous, repeatable, agnostic, transparent, evolving and secure attributes.
Through such a security framework, DoD agencies and other government organizations can build a comprehensive layer of defense designed to secure their cloud-based IT portfolios.
CGI offers a unique combination of cloud and cybersecurity expertise, along with our CGI Unify360 hybrid IT management suite and CGI AssureIQ risk-based approach to continuous monitoring, to support our federal government clients’ move to the cloud.
As the Hybrid IT and Modernization Practice Lead within CGI Federal’s Emerging Technologies Practice, John manages a team developing innovative solutions for hybrid IT management for federal, commercial, and global clients.