Department of Defense Use of Commercial Cloud Computing Capabilities and Services

November, 2015
IDA document: P-5287
FFRDC: Systems and Analyses Center
Division: Information Technology and Systems Division
Laura A. Odell, Ryan R. Wagner, Tristan J. Weir See more authors
This paper addresses requests made by both the U.S. House Armed Services Committee and the U.S. Senate Armed Services Committee for independent assessments of the Department of Defense (DoD) approach to using commercial cloud computing. As of 2015, the Department of Defense (DoD) is taking action to offer a wider selection of commercially owned and operated cloud services to DoD mission owners. DoD has instituted a process to evaluate and issue Provisional Authorizations for cloud service offerings, based on the security controls that the provider implements and the sensitivity level of the data that it intends to host. The timing of DoD’s move towards the commercial cloud is reasonable given the risk and assurance requirements of many of its missions. However, the Department could offer better guidance about the risks of cloud computing and what mission owners should consider as they mitigate or avoid those risks. We also recommend that DoD consider allowing its Defense Industrial Base partners to participate in high-sensitivity community cloud infrastructure, thereby increasing the efficiency and utility of those systems.