The Defense Information Systems Agency (DISA) released the Department of Defense’s new Cloud Computing Security Requirements Guide this week. The Security Requirements Guide (SRG) is meant to assist cloud service providers looking to be included in the Department of Defense (DoD) Cloud Service Catalog.
The SRG (PDF) also provides a basis for the department to assess a provider’s “security posture,” and defines policies, requirements, and architectures for DoD cloud use.
A draft was released for industry and public comment in December, just before acting DoD CIO Terry Halvorsen changed a rule to allow the department to procure commercial cloud services without going through DISA, FCW reports. That move was foreshadowed in September when Halvorsen announced a DoD database consolidation project.
“The SRG is designed to ensure that DOD can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk,” said DISA Risk Management Executive Mark Orndorff in a statement.
Orndorff also issued a memo earlier this week (PDF) which indicates the version released by DISA may be followed by updates pending further research into some industry comments.
The SRG applies to missions with “secret” or lower classification, and takes the place of the previous Cloud Security Model used by the DoD.
“Consistent implementation and operation of these requirements assures mission execution, provides sensitive data protection, increases mission effectiveness, and ultimately results in the outcomes and operational efficiencies the DoD seeks,” the SRG says, in a clear message to cloud service providers in the government market.
It remains to be seen if the follow-through will be stronger than in the past.