Before an agency in the US Department of Defense (DoD) can use a cloud application in production, the agency must first grant it an Authority to Operate (ATO). Before granting an ATO, the agency’s security team needs to make sure that the cloud application is compliant with the security controls at Impact Level (IL) 2, 4, 5, or 6 specified in the DoD Cloud Computing Security Requirements Guide (SRG). After the ATO is granted, the Defense Information Systems Agency (DISA) or another DoD agency needs to grant an authority to connect the cloud application to the DoD networks NIPRNet (for IL4/5) or SIPRNet (for IL6) through a DISA-approved Boundary Cloud Access Point (BCAP).
“IL4/5/6 compliant” means that all of the security controls specified in the SRG have been implemented for a particular cloud application. Some of the controls are implemented by a Cloud Service Provider (CSP) and some are implemented by the DoD agency itself. If the agency procures a Software-as-a-Service (SaaS) offering that has a DISA Provisional Authorization (PA), then most of the controls are implemented by the CSP, and usually only 5-20% of the controls are left to the agency. If the agency procures a DISA-authorized Infrastructure- or Platform-as-a-Service offering (IaaS or PaaS) and deploys an application on it (by far the most common approach), the agency is responsible for implementing and maintaining the 60-80% of the controls that sit above the IaaS or PaaS level.
DoD Agency Problem
DoD mission owners would like to reduce the work of their security teams both initially and for ongoing compliance, so they would prefer to procure SaaS solutions that have a DISA PA. Unfortunately, only an extremely small percentage of applications used by the DoD have a DISA SaaS PA at IL4 or IL5 (much less IL6); the process takes many years and millions of dollars. So for most application functionality, a DoD mission owner is often left with no other option than to deploy the application they need on a DISA-authorized IaaS or PaaS and to dedicate resources to implement and maintain the 60-80% of security controls that are at the application level.
Project Hosts Solutions
Project Hosts has two solutions to address this problem.
Project Hosts has developed a General Support System (GSS) PaaS on top of Microsoft Azure that handles 80% of the DoD controls for any application deployed on Azure that ties into the GSS. The Project Hosts PaaS has DISA PAs at IL2 and IL4 and is one of only 8 offerings that have been granted a DISA PA at IL5. But Project Hosts takes it a step further. When a DoD agency (or a software vendor chosen by the agency) works with Project Hosts to deploy an application on Azure and tie it into the GSS, Project Hosts also implements and manages the application-level controls above the GSS, taking that burden off the agency. To show the agency’s security department how the controls are implemented, Project Hosts creates an application-level System Security Plan (SSP) and provides documented evidence of control implementation. Since the GSS is already connected through the DISA BCAP, the authorization-to-connect process is also much faster. The GSS allows an agency to be up and running in 3-4 months using any application they want in the cloud with all of the evidence and documentation they require to grant it an ATO at IL2, 4, or 5. To get a copy of the Project Hosts DoD application Onboarding Guide that describes each detailed step in the process of onboarding a new cloud application, please email firstname.lastname@example.org.
DoD IL5 SaaS Authorization
Project Hosts has developed a turnkey process for software vendors and CSPs that allows them to get a DoD IL5 SaaS authorization for their solution in about 8 months. We become the CSP’s outsourced cloud management and compliance department, tying an Azure deployment of their solution into our GSS so that they immediately inherit 80% compliance, then putting in place and documenting the remaining application-level controls. We help the CSP obtain a DoD agency sponsor, contract with 3PAO assessors to audit the CSP solution, and manage the whole DISA authorization process. In 8 months, the CSP’s SaaS solution has a DISA PA and is listed as such on DISA sites. The whole process is far less expensive than do-it-yourself alternatives due to (i) 3PAO-tested documentation templates, (ii) highly discounted 3PAO pricing, since the 3PAOs do so many audits with us, and (iii) a very expedited DISA process.