
Department of Defense Chief Information Officer

Cloud Computing Strategy
July 2012


EXECUTIVE SUMMARY

In the current political, economic, and technological landscape, information technology (IT) is expected to provide extensive and ever-increasing capabilities while consuming fewer resources. With the increase of both state-sponsored and independent cyber threats, the Department of Defense (DoD) is recognizing the growing importance of leading a strong and secure presence in cyberspace. Concurrently, global financial events are driving a need for continued budgetary constraints and stricter financial oversight. As a result, the Department must transform the way in which it acquires, operates, and manages its IT in order to realize increased efficiency, effectiveness, and security.

The Department has begun this transformation by establishing a set of initiatives that are aimed at achieving improved mission effectiveness and cybersecurity in a reengineered information infrastructure. The result of this new effort will be the Joint Information Environment, or JIE. The Joint Information Environment is a robust and resilient enterprise that delivers faster, better-informed collaboration and decisions enabled by secure, seamless access to information regardless of computing device or location.

The DoD Enterprise Cloud Environment is a key component to enable the Department to achieve JIE goals. The DoD Cloud Computing Strategy introduces an approach to move the Department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state which is an agile, secure, and cost-effective service environment that can rapidly respond to changing mission needs. The DoD Chief Information Officer (CIO) is committed to accelerating the adoption of cloud computing within the Department and to providing a secure, resilient Enterprise Cloud Environment through an alignment with Department-wide IT efficiency initiatives, federal data center consolidation and cloud computing efforts. Detailed cloud computing implementation planning has been ongoing and informs the JIE projected plan of actions and milestones in Capabilities Engineering, Operation and Governance efforts.

DoD Cloud Computing Goal

Implement cloud computing as the means to deliver the most innovative, efficient, and secure information and IT services in support of the Department's mission, anywhere, anytime, on any authorized device.

Increased mission effectiveness and operational efficiencies are key benefits that can be achieved with cloud computing. Cloud computing will enable the Department to consolidate and share commodity IT functions resulting in a more efficient use of resources. Cloud services can enhance Warfighter mobility through device and location independence while providing on-demand secure global access to mission data and enterprise services. Cloud platforms and services can provide increased opportunity for rapid application development and reuse of applications acquired by other organizations.

The Department has specific cloud computing challenges that require careful adoption considerations, especially in areas of cybersecurity, continuity of operations, information assurance (IA), cybersecurity, and resilience. Additional challenges include service acquisition and funding sustainment, data migration and management, and overcoming network dependence at the tactical edge (disconnected, intermittent and low-bandwidth (DIL) users).

To help meet these challenges, the Department is leveraging the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP will establish a standard approach to assess and authorize cloud computing services, and define requirements for the continuous auditing and monitoring of cloud computing providers. In addition, DoD CIO is currently updating the Department's Information Assurance (IA) policies and instructions, aligning IA controls and processes with those used across the Federal Government. The Department is taking a cautious approach as it works to fully understand the challenges and establish the appropriate risk mitigations.

The DoD CIO is accelerating and synchronizing efforts that create enterprise-wide capabilities and services while eliminating the unnecessary duplication of capabilities. Currently, the Components are consolidating their data centers and network infrastructure. By designating a few data centers as "Core," Components can build in cloud infrastructure that begins the process of creating a DoD Enterprise Cloud Environment. This process will include network re-design and consolidation, policy and process changes, and the adoption of enterprise standards that enable interoperability across networks and between data centers. The DoD Enterprise Cloud Environment will include separate implementations and data exchanges on Non-secure Internet Protocol Router Network (NIPRNet), Secure Internet Protocol Router Network (SIPRNet), and Top Secret Sensitive Compartmentalized Information (TS SCI) security domains. This environment will be closely aligned with Intelligence Community-led initiatives, and support information sharing with DoD traditional and non-traditional partners on Joint Worldwide Intelligence Communications System (JWICS), and other networks.

In addition to enterprise cloud services provided Department-wide, Components will be encouraged to use or provide cloud services offered by other Components, other entities in the Federal Government, mission partners and commercial vendors that meet their specific mission requirements. All cloud services must comply with Department IA, cybersecurity, continuity, and other policies. The Department will leverage commercially offered cloud services that offer the same or a greater level of protection necessary for DoD mission and information assets.

New guidance is being developed that will establish an Enterprise Cloud Service Broker to manage the use, performance, and synchronized delivery of cloud service offerings within the Department, from other Federal, and commercial providers. The Broker will make it easier, safer, and more productive for DoD consumers to discover, access, and integrate cloud services to support their mission.

The Department has identified four concurrent steps that enable a phased implementation of the DoD Enterprise Cloud Environment:

Step 1: Foster Adoption of Cloud Computing
  - Establish a joint governance structure to drive the transition to the DoD Enterprise Cloud Environment
  - Adopt an Enterprise First approach that will accomplish a cultural shift to facilitate the adoption and evolution of cloud computing
  - Reform DoD IT financial, acquisition, and contracting policy and practices that will improve agility and reduce costs
  - Implement a cloud computing outreach and awareness campaign to gather input from the major stakeholders, expand the base of consumers and providers, and increase visibility of available cloud services throughout the Federal Government

Step 2: Optimize Data Center Consolidation
  - Consolidate and virtualize legacy applications and data

Step 3: Establish the DoD Enterprise Cloud Infrastructure
  - Incorporate core cloud infrastructure into data center consolidation
  - Optimize the delivery of multi-provider cloud services through a Cloud Service Broker
  - Drive continuous service innovation using Agile, a product-focused, iterative development model
  - Drive secure information sharing by exploiting cloud innovation

Step 4: Deliver Cloud Services
  - Continue to deliver DoD Enterprise cloud services
  - Leverage externally provided cloud services, i.e., commercial services, to expand cloud offerings beyond those offered within the Department

The DoD CIO will establish a joint enterprise cloud computing governance structure to drive the policy and process changes necessary to transition to the DoD Enterprise Cloud Environment and oversee the implementation of the DoD Enterprise Cloud Strategy. To achieve the cloud computing goal, all barriers to consolidation and transition must be addressed without major delay. DoD CIO will be the final decision authority and will provide oversight for Component execution of data center consolidation and cloud services, exercising appropriate governance to ensure an efficient orchestration of change.


Table of Contents

Introduction
  Cloud Computing Defined
  Federal and DoD Mandates Driving Cloud Computing Adoption
  Benefits DoD Can Derive From Cloud Computing
  Achieving DoD IT Objectives Through Cloud Computing
  Challenges the Department Faces Moving to a Cloud Computing Environment
Transitioning to the DoD Enterprise Cloud Environment
  Step 1: Foster Adoption of Cloud Computing
    Govern the DoD Enterprise Cloud Environment
    Adopt an Enterprise First Approach
    Reform DoD IT Financial, Acquisition, and Contracting Policy and Practices
    Implement a Cloud Computing Outreach and Awareness Campaign
  Step 2: Optimize Data Center Consolidation
    Consolidate and Virtualize Legacy Applications and Data
  Step 3: Establish the DoD Enterprise Cloud Infrastructure
    Incorporate Core Cloud Infrastructure into Datacenter Consolidation
    Optimize the Delivery of Multi-provider Cloud Services via Cloud Service Brokerage
    Use Agile Approaches to Drive Continuous Service Innovation
    Exploit Cloud Innovation to Drive Secure Information Sharing
    Operational Data Functions and Informational Data Services
  Step 4: Deliver Cloud Services
    Continue to Deliver DoD's Enterprise Cloud Services
    Leverage Externally Provided Cloud Services
Next Steps
Conclusion
Acronym List
References
Cloud-related Terms

Figure 1: DoD Enterprise Cloud Environment
Figure 2: Consolidated Core Datacenters will Form the Basis of the Enterprise Cloud Infrastructure
Figure 3: Example Services Available to Cloud Consumers

Introduction

As business and mission dependency on Information Technology (IT) grew within the DoD, duplicative, costly and complex IT infrastructures were built by Components to execute their missions and run their businesses. The development, operation, and management of these resources are largely inefficient, costing time and money that could be applied directly towards achieving strategic initiatives. According to a Defense Science Board analysis of 32 major automated information system acquisitions, the average time to deliver an initial DoD program capability is 91 months once funding is approved. This is two to three times the average industry IT refresh cycle time, making it difficult to keep pace with user needs and technology evolution. Continued technology maturation has enabled commoditization of certain IT functions (email, server hosting, collaboration, etc.), and improved network performance now allows IT organizations to specialize in offering these commoditized IT functions as services on the network.

The Department must take advantage of the commoditized IT functions and transform the way in which it acquires, operates, and manages its IT in order to realize increased efficiency, effectiveness, and security. The Department has begun this transformation by establishing a set of initiatives that are aimed at achieving improved mission effectiveness and cybersecurity in a reengineered information infrastructure. The result of this new effort will be the Joint Information Environment, or JIE. The JIE is a robust and resilient enterprise that delivers faster, better-informed collaboration and decisions enabled by secure, seamless access to information regardless of computing device or location.

The DoD Enterprise Cloud Environment is a key component to enable the Department to achieve JIE goals. The DoD CIO is committed to accelerating and synchronizing efforts to eliminate unnecessary duplication of capabilities with Enterprise-wide services, while establishing Enterprise security mechanisms to ensure secure connection and access control across mission partner and network boundaries. The DoD Enterprise Cloud Environment will facilitate consolidating and optimizing the Department's IT infrastructure, including data centers and network operations, and standardizing IT platforms that ensure a secure cyber environment and leverage Agile development. The Department will also adopt commercial cloud computing solutions to the greatest extent possible in support of the Department's mission. Detailed Cloud Computing implementation planning has been ongoing and informs the JIE projected plan of actions and milestones in Capabilities Engineering, Operation and Governance efforts.

The Federal Cloud Computing Strategy (See Appendix B, (Reference A)) characterizes cloud computing as a:

  "profound economic and technical shift (with) great potential to reduce the cost of federal Information Technology (IT) systems while improving IT capabilities and stimulating innovation in IT solutions."

The DoD Cloud Computing Strategy lays the groundwork, consistent with the Federal Cloud Computing Strategy, for accelerating cloud adoption in the Department. It is intended to foster a substantive discussion as the Department transitions to its Enterprise Cloud Environment.

DoD Cloud Computing Goal

Implement cloud computing as the means to deliver the most innovative, efficient, and secure information and IT services in support of the Department's mission, anywhere, anytime, on any authorized device.

Cloud Computing Defined

The National Institute of Standards and Technology (NIST) defines cloud computing as:

  "A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

The details of the NIST cloud computing definitions provide a simple and unambiguous taxonomy of three service models available to cloud consumers that are the core of cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Detailed definitions of these three models appear in Appendix C, along with other terms typically associated with cloud computing, such as delivery models and characteristics.

While the traditional IT delivery model is focused on the development, maintenance and operation of computing hardware and software, the cloud computing model focuses on providing IT as a service. Under the cloud computing model, there are service providers and service consumers. Service providers specialize in performing specific tasks or functions for service consumers. The service providers and service consumers interact with one another over an Internet Protocol (IP)-based network.

Federal and DoD Mandates Driving Cloud Computing Adoption

The Federal Government intends to accelerate the pace at which it will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new IT investments. In alignment with Federal and Department-wide IT efficiency mandates, the DoD is committed to cloud computing, and to providing a secure, resilient Enterprise Cloud Environment. Specific mandates include:

- 2012 National Defense Authorization Act (NDAA) (Public Law 112-81): The fiscal 2012 NDAA (See Appendix B, (Reference B)) mandates that DoD CIO submit a Performance Plan that includes a strategy to address migration of Defense data and government-provided services from Department-owned and operated data centers to cloud computing services generally available within the private sector that provide a better capability at a lower cost with the same or greater degree of security and utilization of private sector managed security services for data centers and cloud computing services.

- Secretary of Defense (SecDef) Efficiencies Initiative: The SecDef announced a DoD-wide efficiencies initiative (See Appendix B, (Reference C)) to move America's defense institutions toward a more efficient, effective, and cost-conscious way of doing business. This initiative directed the consolidation of IT infrastructure to achieve savings in acquisition, sustainment, and manpower costs to improve DoD's ability to execute its missions while defending its networks against growing cyber threats.

- Office of Management and Budget (OMB) directed Federal Datacenter Consolidation Initiative (FDCCI): The FDCCI (See Appendix B, (Reference D)) directed a reduction in data centers to be achieved primarily through the use of virtualization techniques and leveraging cloud computing.

- Federal CIO 25 Point Implementation Plan to Reform Federal Information Technology Management: The 25 point plan (See Appendix B, (Reference E)) specifies that Agencies must focus on consolidating existing data centers, reducing the need for infrastructure growth by implementing a Cloud First policy for services, and increasing the use of available cloud and shared services.

- Federal Risk and Authorization Management Program (FedRAMP): FedRAMP (See Appendix B, (Reference F)) provides joint "provisional" authorizations and continuous security monitoring services applicable to Executive departments and agencies procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources.

- DoD IT Enterprise Strategy and Roadmap (ITESR): The ITESR (See Appendix B, (Reference G)) presents the DoD CIO's plan for achieving the goals of the SecDef's Efficiency Initiative and the mandates of OMB's FDCCI and 25 Point Implementation Plan.

Benefits DoD Can Derive From Cloud Computing

Table 2 of the Federal Cloud Computing Strategy (See Appendix B, (Reference A)) summarized three areas of cloud computing, reproduced in Table 1, below.

Table 1: Cloud benefits: Efficiency, Agility, Innovation

Efficiency

Cloud Benefits:
- Improved asset utilization (server utilization > 60-70%)
- Aggregated demand and accelerated system consolidation (e.g., Federal Datacenter Consolidation initiative)
- Improved productivity in application development, application management, network, and end-user devices

Current Environment:
- Low asset utilization (server utilization < 30% typical)
- Fragmented demand and duplicative systems
- Difficult-to-manage systems

Agility

Cloud Benefits:
- Purchase as-a-Service from trusted cloud providers
- Near-instantaneous increases and reductions in capacity
- More responsive to urgent agency needs

Current Environment:
- Years required to build data centers for new services
- Months required to increase capacity of existing services

Innovation

Cloud Benefits:
- Shift focus from asset ownership to service management
- Tap into private sector innovation
- Encourages entrepreneurial culture
- Better linked to emerging technologies (e.g., devices)

Current Environment:
- Burdened by asset management
- Decoupled from private sector innovation engines
- Risk-averse culture

Achieving DoD IT Objectives Through Cloud Computing

The desired outcomes of DoD's adoption and use of cloud computing will include reduced costs and increased IT service delivery efficiencies, increased mission effectiveness, and enhanced cybersecurity. These results, listed below, align with the benefits identified by the Federal Cloud Computing Strategy: Efficiency, Agility, and Innovation.

- Reduced Costs/Increased Operational Efficiencies
  o Consolidating systems, which reduces the physical and energy footprint, the operational, maintenance, and management resources, and the number of facilities
  o Using a pay-as-you-go pricing model for services on demand rather than procuring entire solutions
  o Leveraging existing DoD cloud computing development environments to reduce software development costs

- Increased Mission Effectiveness
  o Enabling access to critical information
  o Leveraging the high availability and redundancy of cloud computing architectures to improve options for disaster recovery and continuity of operations
  o Enhancing Warfighter mobility and productivity through device and location independence, and provision of on-demand, yet secure, global access to enterprise services
  o Increasing, or scaling up, the number of supported users as mission needs surge, optimizing capabilities for the joint force
  o Enabling data to be captured, stored, and published almost simultaneously, decreasing the time necessary to make data available to users
  o Enabling the ability to create and exploit massively large data sets, search large data sets quickly, and combine data sets from different systems to allow cross-system data search and exploitation

- Cybersecurity
  o Leveraging efforts such as FedRAMP that help standardize and streamline Certification and Accreditation (C&A) processes for commercial and Federal Government cloud providers, allowing approved IT capabilities to be more readily shared across the Department
  o Moving from a framework of traditional system-focused C&A with periodic assessments to continual reauthorization through implementation of continuous monitoring
  o Moving to standardized and simplified identity and access management (IdAM)
  o Reducing network seams through network and data center consolidation and implementation of a standardized infrastructure

Challenges the Department Faces Moving to a Cloud Computing Environment

Most DoD systems have been designed to operate in a protected environment with dedicated infrastructure, and though cloud computing continues to demonstrate significant benefits, challenges remain. The Department must be careful not to jeopardize its mission by trading the confidentiality, integrity, and availability of DoD information for desired benefits. The Department will ensure adherence to the National Continuity Policy (See Appendix B, (Reference H)) that requires communications/IT capabilities to maintain data availability and resilience to sustain Component mission essential functions (MEF) and DoD's Departmental Primary MEF (PMEF) in support of National Emergency Functions (NEF).

Table 2 identifies five broad categories of challenges and mitigation activities that will help the Department meet those challenges. Note that these challenges are not exclusive to cloud computing and apply to all levels of the Department.

Table 2: Challenges Moving to a Cloud Computing Environment

Governance and Culture Changes

Challenge:
- Establishing and maintaining a DoD CIO-led Enterprise First approach
- Sustaining and managing the evolution of the Enterprise Cloud Environment to enable JIE objectives
- Overcoming cultural roadblocks that make it difficult for the Department's IT community to adopt an Enterprise First approach and cloud services approach
- Incentivizing entrepreneurial innovation in the face of current regulatory DoD policy and process mandates

Mitigation:
- Execute authorities delegated to the DoD CIO to approve/enforce an Enterprise First cloud approach to JIE capabilities throughout the Department
- Establish DoD CIO-led joint governance to oversee Component cloud-related activities
- Establish comprehensive governance at Service CIO levels to oversee and guide implementation and execution
- Execute a cloud awareness education campaign
- Adopt Agile acquisition and funding mechanisms to exploit cloud innovation

Information Assurance, Resiliency, and Cybersecurity

Challenge:
- Achieving real-time visibility into all cloud activities where consumers do not have physical control over their systems, and the systems can change dynamically as providers respond to emergent capacity requirements
- Implementing continuous monitoring, handling intrusion detection and alerts, and providing diagnosis and response
- Ensuring communications/IT capabilities to maintain data availability, privacy, and resilience
- Maintaining forensic, records management, Freedom of Information Act (FOIA) reporting, and two-factor authentication with DoD Common Access Cards

Mitigation:
- Implement Information Assurance (IA) controls that provide real-time monitoring to designated DoD IA personnel and provide methods and procedures for mission owners to request responses
- Provide acquisition regulation and cyber defense policies to which cloud providers must adhere in order to adequately secure and defend DoD information
- Implement new or adjust existing technical capabilities for operation within the cloud, and, in particular, provided to Department network and system operation centers (NOCs/SOCs)
- Bolster critical infrastructure protection efforts to ensure a resilient and sustainable cloud computing environment
- Implement IdAM, Public Key Infrastructure (PKI), and secure data tagging Department-wide
- Ensure effective acquisition of commercial cloud services leveraging Federal CIO Council's, Creating Effective Cloud Computing Contracts for the Federal Government (See Appendix B, (Reference I))

Network Dependence at the Tactical Edge

Challenge:
- Providing access to reliable, remotely delivered services to Warfighters and support personnel operating in restricted tactical environments (high mobility, disconnected, intermittent connectivity, limited bandwidth and long latency)
- Providing adequate protection to ensure continuity of operations and resiliency

Mitigation:
- Deliver services as far forward as possible, using the least bandwidth possible while ensuring offline capabilities are maintained

Service Acquisition and Funding Sustainment

Challenge:
- Changing from a focus on the acquisition of materiel solutions to the acquisition and consumption of cloud services
- Establishing funding mechanisms that can rapidly adapt to changing demand to sustain the growth of widely used services
- Reducing or eliminating investment in underutilized and underperforming services
- Implementing effective change management in a cloud environment
- Ensuring data ownership and transportability of data from one cloud provider to another

Mitigation:
- Establish policies and procedures for budgeting, funding, acquisition, and cost recovery that leverage a fee-for-service model
- Use a cloud broker function to manage the use, performance, and synchronized delivery of cloud service offerings
- Develop a budget strategy to fund initial cloud investments across the Department
- Reduce or eliminate investment in underutilized and underperforming services
- Establish and enforce DoD cloud computing change management criteria
- Ensure contracting and acquisition mechanisms preserve data integrity and support data transportability

Data Migration, Management and Interoperability

Challenge:
- Ensuring that data and applications hosted in the various cloud services can be discovered, accessed, stored, used, and protected among various DoD components and mission partners
- Providing adequate security services (monitoring and response, IA, etc.) to ensure the integrity, confidentiality, and availability of DoD data in a cloud computing environment
- Ensuring that the hosting of DoD Component data by a cloud service provider is subject to technical and contractual conditions that facilitate migration of the data to another provider or back to the DoD Component
- Ensuring data interoperability and secure information sharing with multinational and other mission partners via cloud services
- Ensuring data portability and interoperability
- Ensuring all categories of Controlled Unclassified Information (CUI), to include Personally Identifiable Information (PII), Personal Health Information (PHI), International Traffic in Arms Regulations (ITAR), and Contractual Information, are properly and adequately secured, controlled, and audited during transmission, processing, and storage

Mitigation:
- Enable intelligent delivery of multi-source information in diverse application formats by providing seamless, real-time information sharing that is secure, supports multiple platforms, and combines new advances in information processing and data analysis
- Enforce use of risk assessments that consider exposure to the legal, law enforcement, and national security requirements of the host country
- Ensure Service Level Agreements (SLAs) are written to address DoD mission assurance and data confidentiality and availability requirements
- Require and enforce the adoption of enterprise discover and search, enforcement of IdAM and data tagging, joint governance, and cross-domain security solutions
- Require the use of data portability and interoperability standards as they emerge
- Enforce compliance with laws and regulations regarding CUI data

Transitioning to the DoD Enterprise Cloud Environment

The transition to cloud computing requires moving from the current state of duplicative, cumbersome, and costly application silos to an end state which is an agile, secure, and cost-effective service environment that will enable Components to rapidly configure and deploy IT to meet changing mission needs. The transition will not be accomplished all at once, but in planned phases, building on the successes and lessons learned from DoD and Industry cloud initiatives as they are implemented.

The vision for the Department is a multi-provider Enterprise Cloud Environment that meets DoD IT objectives. Program managers and application/service owners will generally not need to design the physical infrastructure that hosts and runs their software applications. Instead, they will be responsible for designing and developing applications and services that operate within the computing environments offered by DoD data center providers. New Core data centers, and standards-based equipment deployed in regional and tactical data centers, will provide the physical computing infrastructure to deliver data and cloud services to the user, regardless of access point or the device being used across the Global Information Grid (GIG). These data centers will host existing applications, provide a viable platform for the development of new applications, and enable shared hosted services.

The Department will be responsible for the Enterprise Architecture and standards that will guide how the DoD cloud is designed, operated, and consumed. The Enterprise Cloud Environment, in turn, will drive architectures and standards that extend the full range of IT services to mobile devices and to the tactical edge. The Enterprise Cloud Environment will provide Department-wide services at the enterprise level that enable improved interoperability, access, data integrity, and security. In addition to enterprise services provided Department-wide, Components will be encouraged to use or provide cloud services offered by other Components, other entities in the Federal government, mission partners and commercial vendors that meet their specific mission requirements. All services will comply with Department IA, cybersecurity, continuity and other policies.

The DoD Enterprise Cloud Environment will support new applications, access to legacy applications and data exchanges on NIPRNet, SIPRNet, and Top Secret Sensitive Compartmentalized Information (TS SCI) security domains. This environment will be closely aligned with Intelligence Community initiatives and will support information sharing with DoD traditional and non-traditional partners on JWICS, the mission network, and other networks. The DoD CIO will lead NIPRNet and SIPRNet efforts while the Director of National Intelligence (DNI)/CIO will lead TS SCI and above.

Figure 1 is a logical depiction of the envisioned DoD Enterprise Cloud Environment end state. It illustrates that the DoD Enterprise Cloud is an integrated environment on the GIG, consisting of DoD Components, commercial entities, Federal organizations, and mission partners.

[Figure 1: DoD Enterprise Cloud Environment. Diagram labels: Access at Point of Need (Mobile, Work, Deployed, Home); Secure Communications Between Nodes; Global Secure Access & Data; Common C2 & Real-Time SA; DoD Services & Apps; Deployable Edge Nodes; Commercial Services.]

The Department has identified four concurrent steps that enable a phased implementation of the DoD Enterprise Cloud Environment:

Step 1. Foster Adoption of Cloud Computing by establishing a strong governance structure that has the authority and responsibility to drive an Enterprise First approach and enable IT financial, acquisition, and contracting policy and practice reforms.

Step 2. Optimize Data Center Consolidation by implementing a limited set of standardized software platforms and data centers that will enable effective management as a single enterprise with a reduced intrusion surface for cyber threats.

Step 3. Establish the DoD Enterprise Cloud Infrastructure as the foundation for rapid participation in the DoD Enterprise Cloud Environment.

Step 4. Deliver Cloud Services using commercial service providers and continuing the development and implementation of DoD cloud services.

The following sections describe these steps in greater detail.

Step 1: Foster Adoption of Cloud Computing

IT Governance that establishes an Enterprise First approach to the funding, acquisition, creation, management and use of cloud services, through policy and process change, is essential in fostering adoption of cloud computing. The DoD CIO will execute delegated authorities to approve/enforce an Enterprise First cloud approach to JIE capabilities throughout the Department. The DoD CIO is committed to working with major stakeholders, such as the Defense Information Systems Agency (DISA), Joint Staff, and Military Department (MILDEP) CIOs, to implement an outreach and awareness campaign to expand the base of consumers and providers, and increase the visibility of available cloud services in other parts of the Government.

Govern the DoD Enterprise Cloud Environment
Comprehensive joint IT governance, led by the DoD CIO, will drive the changes necessary to transition to cloud computing. Enhanced governance processes and policy enforcement mechanisms will be instituted to manage the rapid evolution of cloud services within the Department, maximizing the potential value of cloud services and minimizing the risks. Strong governance mechanisms will support consistent interpretation of policy, monitor DoD enterprise cloud performance, and address cloud service consumer and provider issues.

DoD CIO-led governance will facilitate an enterprise approach to cybersecurity, continuity of operations, IA, resilience, and ensure that DoD's Enterprise Cloud Environment is compliant with all existing laws and regulations. The DoD Enterprise Cloud Environment will require rigid standards for how users are identified, transmission is assured, and resources (persons, organizations, groups and applications) are tracked.

Effective governance and collaboration with key Department leaders and stakeholders is necessary to establish policy and organizational process changes that will transform the way IT is acquired, operated, and managed. Coordination will occur outside the Department with stakeholders from the National Security Agency (NSA), others in the Intelligence Community and other Federal partners as they evolve their own cloud services.

Transition to cloud computing may require upfront investments and realignment of planned IT roadmaps. The Department will use business case analysis to determine best value between alternatives, and will define an investment management process that enables the rapid evolution of enterprise cloud services and prevents non-standards-based IT service silos from proliferating within the Enterprise Cloud Environment.

The Department's IT governance must ensure alignment of DoD investments, including Program Objective Memorandum (POM) activities, policies, processes and standards that will enable a transition to cloud computing. The Department will exercise governance mechanisms to ensure cloud computing options are analyzed during the course of DoD budget and acquisition processes for each IT capability development initiative in compliance with OMB guidance (See Appendix B, (Reference J)). A Component's decision to move data to a cloud computing service will balance benefits and risk, measured against DoD mission assurance and data confidentiality requirements. These assessments and approvals will be conducted in accordance with Federal laws and regulations governing the protection of Government information, and DoD IA and information security policies.

Comprehensive governance processes will promote and enable the use of standardized SLAs that facilitate the adoption of shared services and virtual computing resources for mission and support functions. SLAs must define performance with consistent and clear terms and definitions and demonstrate how performance will be measured. Governance will define the enforcement mechanisms that should be in place to ensure SLAs are met. The Department will drive efficiencies by using Commercial business models, ensuring competition and setting new performance standards, targets, and metrics, as well as monitoring and reporting progress.

Adopt an Enterprise-First Approach
Higher flexibility, lower costs, improved quality of service

The Enterprise-First approach is a cultural shift to transform DoD from a coalition of Departments and Agencies with their mission-specific sets of systems, processes, governance, and controls to a more seamless, coordinated, unified, and integrated data-centric enterprise information environment. The Department's efforts in general will be directed to reduce reliance on non-shareable, dedicated infrastructures. Components will be incentivized to rely on shared, virtualized infrastructure through a utility or cloud computing delivery model. Legacy IT systems will be migrated to a shared computing capability wherever practical.

Adopting an Enterprise-First approach will reduce the acquisition and maintenance of dedicated, program-specific resources. The desired outcome is the transformation of the Department to an Enterprise Cloud Environment with common standards, consolidated cybersecurity, continuity of operations, IA, resilience, and centralized governance.

Reform DoD IT Financial, Acquisition, and Contracting Policy and Practices
Change the rules and make it happen

Today's delivery and operation of a DoD Enterprise Cloud Environment is hampered by existing policies and processes that were implemented to support traditional IT acquisition. The Department's typical acquisition approach bases investment decisions on significant investigation of capability needs, requirements definition, analysis of alternatives (AoA), and system growth projections. This works in an environment with relatively fixed requirements, known future needs, and static technology, but does not accommodate a multi-provider cloud environment. The Department must alter this acquisition approach if it expects to keep pace with IT advancements and achieve the efficiencies these advancements represent. To accomplish this, the Department must:

• Streamline Key DoD Processes to reduce Operations and Maintenance (O&M) costs by leveraging economies of scale, and automate monitoring and provisioning to reduce the human cost of service delivery and assurance.
• Change Acquisition and Contracting Models to reduce acquisition complexity; shift the DoD mindset from acquiring and managing IT assets (materiel solution development) to providing and consuming services; and support new funding, contracting, and acquisition models for agile solutions.
• Publish Guidance and Policies that support transition to, and use of, cloud services.

The Department has initiated efforts to develop JIE requirements for cloud services that can use incremental investments and fee-for-service models rather than large-scale, upfront investments. New and innovative funding mechanisms are needed that can rapidly adapt to changing demand and sustain the growth of popular services. Services already developed by the Components for their use could be extended and shared across the Department. As efficiencies are gained through data center consolidation, some savings may resource additional cross-service investments. Periodic value assessments will drive additional investments and iterative refinements. To accomplish the needed change, the DoD CIO will work with the following organizations to update related policies and processes:

• USD(Policy) to update:
  o POM guidance and the POM issue process for enterprise cloud services
• Joint Staff to modify:
  o Joint Capabilities Integration and Development System (JCIDS) / Capabilities Requirements Process documentation (Chairman of the Joint Chiefs of Staff Instruction (CJCSI)) (See Appendix B, (Reference K))
  o Interoperability of IT and National Security Systems (NSS) (See Appendix B, (Reference L))
• USD(Acquisition, Technology, and Logistics) to modify or establish:
  o Provisions in the Defense Acquisition System (DAS) (See Appendix B, (Reference M)) that ensure the consideration of the use of enterprise cloud services as a mandatory element of the AoA
  o Business Capability Lifecycle process
  o New standard contract clauses and any accompanying changes necessary to the Defense Federal Acquisition Regulation Supplement (DFARS)
• USD(Comptroller)/CFO and DCAPE to modify or establish:
  o Planning, Programming, Budgeting and Execution (PPB&E) (See Appendix B, (Reference N))
  o New Program Element and budget line item resources
  o Increased visibility within authoritative DoD resource databases
  o Establish new contracts and contracting vehicles
• DoD Comptroller and CFO to:
  o Revise PPB&E regarding enterprise cloud services and establish provisions in the DoD Financial Management Regulation
  o Address appropriate resourcing methodologies and sources for funding cloud services and migrations
• DCMO to align Business Mission Area policies and procedures.

Implement a Cloud Computing Outreach and Awareness Campaign
The greatest impediment to the successful adoption of cloud computing is not technological in nature, but rather, the set of cultural roadblocks that make it difficult for the Department's IT community to adopt a new technology. As with any significant change, the move to the cloud requires a shift in mindset to accept new ways of creating solutions and an informed workforce to enable acceptance and use of cloud services.

The DoD CIO will implement a cloud computing outreach and awareness campaign to gather input from the major stakeholders, expand the base of consumers and providers, and increase visibility of available cloud services throughout the Federal government. Current cloud-related activities will provide input to the development of cloud computing planning and implementation guidance. Specifically, these activities will inform the Department on the key benefits and challenges of cloud services, including value propositions, security features and challenges, sample mitigation strategies, training, lessons learned, and case studies. This outreach will include:

• Identifying best practices to guide stakeholders in the adoption and implementation of cloud services, including the acquisition and provisioning process and identifying and evaluating associated compliance and legal issues
• Establishing methodologies to enable effective assessment and implementation of cloud services, including consideration of maturity, cost recovery, security compliance, etc.
• Identifying challenges and recommending mitigations to resolve them
• Identifying metrics and performance measures that demonstrate successful migrations and use of cloud services
• Identifying and assessing new and evolving technologies in the marketplace and providing feedback on the maturity of these offerings
• Providing specific skills training for acquisition and contracting specialists for agile IT procurements, including cloud computing. IT program managers must also acquire the skills needed to make informed decisions regarding existing and planned cloud services
• Emphasizing individual and organizational responsibility to assess and manage risks associated with cloud computing

Step 2: Optimize Data Center Consolidation
In August 2010, the Secretary of Defense directed the consolidation of IT infrastructure to achieve savings in acquisition, sustainment, and manpower costs, and to improve the DoD's ability to execute its missions while defending its networks against growing cyber threats. In response, the Department has identified opportunities to consolidate DoD IT infrastructure through several initiatives, one of which is data center and server consolidation. As identified in the JIE, enterprise data center consolidation involves Component applications and data transitioning to Core data centers and the DoD Enterprise Cloud Environment.

The Department will reduce the hardware footprint in data centers by implementing server virtualization and Infrastructure as a Service. In addition, DoD will reduce software redundancy and increase interoperability through the implementation of a limited set of standardized software platforms that are continuously monitored and respond to emerging threats.

Optimizing data center consolidation will facilitate standardization across data centers in the way they deliver services to users and the internal processes used to manage the business operation. Consolidation will not only reduce the cost of data center infrastructure, but will enable effective management as a single enterprise with a reduced intrusion surface for cyber threats. Combining the establishment of core cloud infrastructure with data center consolidation will establish the federation and standardization of Core data centers for the DoD.

Consolidate and Virtualize Legacy Applications and Data
Consolidating data centers throughout the Department into a smaller, core data center infrastructure will reduce the number of different hardware platforms, which will result in an eventual savings in equipment, facility, and operational costs. Although core data centers may be operated by different organizations within DoD, they will all operate according to standard operational, business, and IT Service Management processes to ensure that they function as a single, logically seamless computing environment meeting all requirements for graceful fail-over, disaster recovery, continuity of operations, security, resiliency, and load balancing.

The consolidated data centers will be guided by the NIST Cloud Computing Reference Architecture, and the NIST Cloud Computing Standards Roadmap. Leveraging the NIST guidance, a DoD Cloud Reference Architecture will include modular infrastructure that will scale up for deployment within large, Continental United States (CONUS) data centers and scale down to offer containerized and small-footprint computing resources in regional facilities and deployed tactical edge environments.

Through virtualization, data centers will focus on hosting existing applications and providing a viable platform for the development of new applications and sharing hosted services. The enterprise cloud architecture and standards will extend the full range of IT services to mobile devices and to the tactical edge. As legacy applications are migrated and new applications are produced, each will gain built-in features, such as support for multi-data center replication, follow-me data that automatically moves to where it is needed, and intelligent information services that leverage news and data available across the Department.

The DoD ITESR identifies data center, network and server consolidation for the GIG computing environment as key initiatives. Through consolidation and virtualization, the Department will develop a DoD enterprise cloud platform that meets several objectives of the DoD ITESR including delivering services to the tactical edge. Consolidation and virtualization will enable access to reliable, remotely delivered services to Warfighters and will support personnel operating in restricted tactical disconnected, intermittent and low-bandwidth (DIL) environments from any device, anywhere and anytime. Smart replication will ensure that clustered information automatically migrates to nearby resources. Use of the latest standards for offline data storage and applications will support specified mobile and desktop platforms. End users will access virtual servers that have been allocated to provide client-side applications and services supporting multiple information domain access.

Virtual Desktop Infrastructure (VDI) initiatives will reduce desktop capital, maintenance, and management costs. These efforts will reduce time to deliver new end-user capabilities and shorten cycle time for upgrades through increased automation efficiencies requiring less support and facilitating compliance with DoD standards and policy.

DoD will realize savings by keeping hardware, software and operations as consistent and standardized as possible, while also reducing the number of tools, activities and personnel needed to perform the same basic functions. A portion of the savings that results from consolidation and standardization could go towards funding the delivery of these services, either at the Component level or at the Enterprise level; however, potential efficiencies may not be automatically realized without added resources.

Step 3: Establish the DoD Enterprise Cloud Infrastructure
The Department will provide an enterprise cloud infrastructure that is resilient and operates seamlessly between all DoD Components. This enterprise cloud infrastructure will be incorporated into core data centers and is the engine behind the DoD Enterprise Cloud Environment. An essential part of the cloud infrastructure is cloud service brokerage which makes it easier, safer, and more productive to navigate, integrate, consume, extend and maintain cloud services, particularly when they span diverse Department, Federal and commercial cloud service providers. Additionally, the cloud infrastructure facilitates Agile methods and will provide a test and development environment to enable rapid service delivery.

Cloud computing can offer a highly resilient computing environment that does not have a single point of failure. The failure of one node of a system in a cloud environment should have no impact on overall information availability, reducing the risk of perceivable downtime. The DoD Enterprise Cloud Infrastructure must ensure the security of data and information by reducing the complexity of the information environment and making certain that all DoD Computing Service Provider environments operate at the minimum acceptable standards outlined within current DoD policy and technical guidance.

Incorporate Core Cloud Infrastructure into Datacenter Consolidation
The foundation for rapid participation in the DoD enterprise cloud environment

Incorporating cloud infrastructure into Core data centers provides benefits beyond those achieved through data center consolidation alone. As core data centers are established, cloud functions such as IaaS, SaaS, PaaS, and content caching will be added. Core data centers will meet Exemplar data center standards supporting cloud-based Enterprise Services serving a global user base. Optimized Core data centers with Cloud-ready infrastructure will enable secure, highly scalable applications to be rapidly developed, deployed, and continuously improved while hosting those legacy applications and systems that are still vital to the DoD mission.

Figure 2 illustrates the transition from today's environment to consolidated and virtualized applications and data, and finally to a cloud infrastructure that enables the Department's move to a cloud computing environment.

[Figure 2: Consolidated Core Data Centers will Form the Basis of the Enterprise Cloud Infrastructure. Panels: Current State (local and remote systems, each in its own data center); Transition State (local and remote data centers with Enterprise Services), reached by the step "Consolidate and virtualize legacy applications & data to reduce costs and make infrastructure DoD Cloud ready"; Cloud State (DoD Cloud Apps and Services, DoD Enterprise Data Environment, and DoD Cloud Platform over virtualized hardware in local and remote data centers), reached by the step "Implement an advanced DoD Cloud Infrastructure to deliver Enterprise ready cloud services".]

Optimize the Delivery of Multi-provider Cloud Services via Cloud Service Brokerage
The Enterprise Hub for runtime selection, integration and delivery of services

To sustain an integrated and optimized multi-provider cloud environment, a Cloud Service Broker with both a technical and an organizational component is needed to manage the use, performance, and synchronized delivery of cloud service offerings within the Department, from other Federal, and commercial providers. The broker will enable DoD organizations to tailor the availability and delivery of cloud services based on technical and mission requirements. For example, rather than each DoD organization monitoring service provider performance and security controls, the broker will be the central point for integrating this information from each of the providers and making it available to the various DoD stakeholders. Moving beyond the ability to match potential consumers with the best services to meet their needs, the broker will provide an integrated set of capabilities that each DoD organization would have had to deliver. Some of these capabilities include:

• Ensuring compliance with DoD IA requirements for encryption and key management integration with DoD's emerging IdAM services
• Enabling integrated cyber intrusion detection and response
• Enabling a common entry into the cloud, the DoD cloud service storefront
• Providing an integrated billing and contracting interface
• Managing integrated service delivery from DoD and commercial service providers
• Providing integrated identity and access controls and integration with DoD's emerging IdAM services
• Controlling usage and optimizing cloud workload distribution
• Maintaining configuration control and compliance of DoD resources deployed into the cloud
• Ensuring that providers maintain DoD standards and architectural compliance
• Enabling continuous monitoring and reporting on performance of SLAs and IA controls
• Providing a common, integrated help desk

Starting with a simple online catalog of DoD cloud services, the Cloud Service Broker function will grow to enable DoD customers and organizations to tailor the set of available services and optimize the cloud performance based on their technical and mission requirements.

Use Agile Approaches to Drive Continuous Service Innovation
Eliminates obsolescence at the time of delivery

The effective delivery of DoD-provided cloud services will require the Department to transition from an acquisition process focused on acquiring materiel solutions to one focused on operating, and continually enhancing, services. Use of Agile processes will enable rapid and continuous service improvement in response to changing mission needs. The Department will establish a consolidated, enterprise development and test cloud environment, provided by Components, to enable continuous delivery and integrated DevOps. This test and development cloud environment will enable applications and services to run in a distributed environment, reducing time to deliver content to clients.

"DevOps" is an emerging set of principles, methods, and practices for communication, collaboration and integration between software development (application/software engineering) and IT operations (systems administration/infrastructure) professionals.

This cloud development and test environment will:

• Enable agile development and continuous enhancement of DoD-provided cloud services that will rapidly respond to changing user needs, technologies, and threats
• Facilitate the optimal migration and integration of legacy systems into the cloud environment
• Reduce duplicative hardware and software expenses necessary to support a development program
• Enable the provision of automated assembly and test of software systems
• Incorporate additional development and test services provided by DoD Components and commercial providers
• Include an integrated set of services to include automated on-demand provisioning of development and test cloud resources
• Enable the integration of identity management

Exploit Cloud Innovation to Drive Secure Information Sharing
Increased Decision Superiority through data-intensive analytics

The Enterprise cloud infrastructure will enable a data-centric approach to the development and implementation of cloud services. The deployment of standardized data interfaces within the cloud will allow users anywhere to retrieve, scrub, and sanitize data on demand over a vast array of protocols and technologies. The cloud infrastructure will facilitate managing the rapidly increasing amounts of data. Innovative data cloud services will deliver actionable information. The Department will leverage and align with IC cloud services.

Operational Data Functions and Informational Data Services
The Department is taking a data-centric approach to cloud services, and will securely architect for interoperability. Improving the quality, accessibility, and usability of DoD data through well-defined standards will include the use of machine-readable formats such as web services and common metadata tagging schemas.

The NIST Cloud Computing Reference Architecture identifies the importance of data and common data functions as key underpinnings of cloud computing. While the reference architecture is still evolving, NIST currently separates data functions into two categories: operational data functions and informational data services.

Operational data functions include activities such as data tagging, data integrity, data security, data portability, data transport, data presentation, data maintenance, and file management. Operational data functions support the manipulation, extraction, and presentation of meaningful results to end users, and are primarily used and maintained by the cloud provider.

Informational data services enable the aggregation or the mashup of multiple data sources located in data centers across the globe into a correlated purposeful data set supporting a user's mission needs. Data services can be defined as a set of computing services exposing informational data in a way that adheres to cloud computing reference architecture, stand-alone or within a system of systems. These services are useful to end users because of the standardized format and methodologies that allow them to access and work seamlessly with the information.

NIST currently maps informational data services to the SaaS and PaaS layers, and operational data services to SaaS, PaaS, and IaaS layers.

Data as a Service (DaaS)
Because of the huge impact that cloud computing can deliver to improve DoD data and information management, the DoD Cloud Computing Strategy diverges from the NIST cloud service model definitions to uniquely identify DaaS and the resulting DoD Data Cloud as key concepts. Within the DoD, DaaS encompasses two primary activities. The first is the continued implementation of the DoD Data Strategy and deployment of standardized data interfaces that make DoD information visible and accessible to all authorized users. The second is the incorporation of emerging big data technologies and approaches to effectively manage rapidly increasing amounts of information and deliver new insights and actionable information.

Embracing Cloud-Based Data Technologies
While relational databases and data warehouses have dominated the data environment for the past quarter century, these traditional technologies are ill-suited to the new challenges being faced as data storage requirements begin to approach quadrillions of bytes (petabytes). As the volumes of unstructured and structured data sets proliferate, our ability to capture and effectively process this information has not kept pace. The complexities of capture, store, index, and access of large data stores have made it difficult for the Department to fully leverage our increasing volumes of data and information.

Cloud computing technologies such as noSQL databases (e.g., Google's BigTable and Apache's Hadoop/HBase) and parallel computing clusters provide new capabilities to manage large, diverse data sets, enable new data transformation methods and enable advanced analytics. Department data clouds based on these technologies would enable elastic scaling, distributing the data across multiple hosts as load increases; improve data management economics by using clusters of cheap commodity servers rather than expensive proprietary servers and storage systems; implement flexible data models that would allow applications to easily store virtually any data type or structure without major modifications; and operate on a dynamic and resilient data platform that automatically distributes and synchronizes data across DoD's varied mission environments.

Data transport and cloud-to-cloud Interoperability entail moving data and applications of varying size and complexity from existing desktops to the cloud while ensuring data, applications and services hosted within the enterprise cloud environment are compatible so that information can move freely. Data retrieval and viewing benefits from a cloud approach by presenting data from its source location rather than transporting it across the Internet. By contrast, cross-domain services are essential to achieving DoD IT objectives and the enterprise cloud environment and will require more robust security controls to ensure that classified information is not compromised between high and low security domains.

Step 4: Deliver Cloud Services
The Department will build on its enterprise services efforts and continue to deliver DoD Cloud services that provide improved IT capabilities at reduced costs. Components will be encouraged to use Enterprise Services, shared services (cloud services offered by other Components, the Federal Government, mission partners) and commercial vendors that meet their specific mission requirements. The Department will revise IA policies, standards, and processes to enhance the reliability and security posture of DoD and commercial cloud services.

Continue to Deliver DoD's Enterprise Cloud Services
Load and Run enterprise-ready, field-deployable application services

Currently, DoD consumers have access to several cloud services, including services which are provided by DISA and hosted in DoD enterprise data centers, a few of which are:

• Defense Connect Online (DCO)
• Global Content Delivery Service (GCDS)
• Forge.mil development platform tools
• RightNow Customer Relationship Management (CRM) tools
• Rapid Access Computing Environment (RACE) for processing resources

Continuing to deliver the existing services above and developing and offering the following enterprise services via the DoD Enterprise Cloud Environment will support meeting the Department's IT objectives:

• Engineer Global Federation Approach: The Department will engineer a global federation approach to support central management and full interoperability across multiple clouds operated by the Components within the DoD Enterprise Cloud Environment
• Enterprise File Storage: The Department will implement enterprise file storage as a capability to enable global access to data and files by an authorized user, from anywhere and from any device
• Enterprise Directory Services: The Department will implement enterprise directory services to make data visible, discoverable, and accessible
• Unified Capabilities: The Department will migrate legacy voice, video and data collaboration services to everything over IP (EoIP); standardize and consolidate Component IP convergence efforts across DoD to reduce cost and streamline management; enhance wireless and mobility support; and provide real-time collaboration (assured, integrated voice, video, and data services)
• Cross Domain Solution as an Enterprise Service: The Department will develop the enterprise-level, cross-domain solutions required to fulfill emerging capability needs and user requirements across the DoD. DISA will continue to employ a diverse best-of-breed fleet of cross-domain technologies.
• Enterprise Messaging and Collaboration: The Department will provide a set of Enterprise Messaging and Collaboration capabilities that includes, at a minimum, instant messaging (IM), chat, email, portal, and web conferencing. Other capabilities to be provided facilitate data tagging and records management. These capabilities enable information sharing from any device attached to a DoD network.
• Identity and Access Management (IdAM) Services: The Department will implement enterprise-wide IdAM services that are focused on managing digital identity, credentialing and authenticating users, authorizing access to resources, and using data tagging to support and enforce access control policies throughout the enterprise.

The Department will continue to improve these services, provide additional cloud services, and incorporate cloud services provided by individual DoD components as they emerge.

LeverageExternallyProvidedCloudServices
TheDepartmentsEnterpriseCloudEnvironmentwillprovide Departmentwideservicesattheenterpriselevelthatenable improvedinteroperability,access,dataintegrity,andsecurity.In additiontoEnterpriseServicesprovidedDepartmentwide,Componentswillbeencouragedto useorprovidecloudservicesofferedbyotherComponents,otherentitiesintheFederal Government,missionpartnersandcommercialvendorsthatmeettheirspecificmission requirementswhilecomplyingwithDepartmentIA,cybersecurity,continuity,andother policies. Abiggertoolboxfor ourWarfighters

23

WiththeemergenceofFedRAMPandtheincreasingmaturityofcommercialcloudservices, thereisincreasingpotentialtoleveragecommerciallyprovidedservicestosupportthe DepartmentsITrequirements.However,theincreasingvolumeandsophisticationofcyber intrusionsontheInternetbringsignificantriskstotheDepartmentsmission.MovingDoD informationintocommerciallyprovidedcloudsthatoperateoutsideofDoDsecurityprotections andoperationalcontrolcanincreasetheserisks. IAPolicies,Standards,andProcesses TheDepartmentrecognizesthesignificantimprovementsincybersecurityachievedby commercialindustryascloudcomputingcontinuestomature.However,seriousthreatsremain toDoDinformationandinformationsystemsthatcanhaveadverseimpactsonthe Departmentsmission,individuals,otherorganizations,andtheNation.Cyberintrusionson DoDinformationsystemstodayareoftenaggressive,disciplined,wellorganized,wellfunded andverysophisticated. TheDepartmentiscurrentlyrevisingtheDoD8500series(SeeAppendixB,(ReferenceO))and adoptingNISTSP80053securitycontrolsandNISTSP80053aassessmentprocedures(See AppendixB,(ReferenceP))whilecoordinatingwithindustryandacademiatoenhancethe reliabilityandsecuritypostureofDoDcloudservices.ThestandardizationofIAcontrolsand sharingofsecurityassessmentdatathroughtheFedRAMPprogramwillfacilitatetheadoption ofcommerciallyprovidedcloudservicesbasedonriskmanagementthatalignsDoDIA processeswiththoseusedelsewherewithintheFederalGovernment. TheseenhancementstotheDepartmentsIApoliciesandprocessesaredesignedtoensurethat protectionmeasuresareappliedcommensuratewiththesystemscriticalityandsensitivity. 
Emergingprocesseswillenablegreaterflexibilityindeterminingappropriateprioritiesfor agencyinformationsystemsandsubsequentlyapplyingthepropermeasurestoadequately protectthosesystems.ThiswillallowtheDepartmenttobalancetheimportanceofinformation resourcesagainstcybersecuritysolutionsandoperationsavailablewithintheDepartmentor fromcommercialcloudproviders.Wherecommercialservicesofferthelevelofprotection necessaryforaparticularDoDmissionandinformationset,theDoDwillbeabletoleverage thosecommerciallyofferedservicesandfocusitsowncybersecurityresourcesonmorecritical challenges. Anessentialcomponentoftheongoing,dependableuseofexternallyprovidedcloudservicesis theintegrationofacloudproviderscontinuousmonitoringandresponsecapabilitieswith USCYBERCOMssystemsforprotectingDoDinformationandensuringDoDmissionassurance withtheFederalInformationSecurityManagementAct(FISMA)complianceandtheCommittee onNationalSecuritySystemsInstruction(CNSSI)1253(SeeAppendixB,(ReferenceQ)).This

24

integrationisneededtosynchronizecyberintrusiondetection,diagnosis,mitigation,and responseactivities,andmaintainongoingassuranceofDoDinformationandmission. LowRisk DoDwillbeginusingcommercialcloudproviderstoinitiallysupportlowriskinformationand missionfunctions.Datawithconfidentiality,integrity,andavailabilityratingsthatareFISMA lowdonotpresentsignificantimpactsonmissioneffectivenessoroperationalreadiness.This levelconsistsofsystemshandlingnonsensitiveinformationnecessaryfortheconductofday todaybusiness,butitdoesnotmateriallyaffectsupporttodeployedorcontingencyforcesin theshortterm.ThisapproachwillenabletheDepartmenttorapidlymatureitsprocessesfor usingcommercialcloudserviceswhileminimizingthepotentialimpacttoDoDoperationsand assetsifconfidentiality,integrity,oravailabilityislost.BecausesuccessfulintrusionsonDoD informationsystemscanresultinseriousdamagetotheinterestsoftheUnitedStates,the Departmentwilltakeacautiousapproachtousingcommercialcloudservices.Forinstance,the samevisibilityintotherealtimeuse,traffic,andconsumptionofdataorinformationwithin DoDenvironmentsisrequiredfromcommerciallyprovidedcloudservicesprovidingcomparable services. ModerateRisk Inadditiontousingcommercialcloudproviderstosupportlowriskinformationandmission functions,commercialcloudservicesthatmeetFedRAMPmoderatecontrollevelswillbe candidatesforinclusionintheDepartmentsmultiprovidercloudenvironment.Thislevelof riskrequiresadditionalIAsafeguardstomitigatepossiblelossofintegrity,delayordegradation inprovidingimportantsupportservicesorcommoditiesthatcouldseriouslyimpactmission effectivenessoroperationalreadiness. 
The Department will standardize and streamline the processes to support the migration of moderate-risk data and information (e.g., CUI, PII, PHI, ITAR, and Export Administration Regulations (EAR)) to commercial cloud services. The Enterprise Cloud Service Broker will enable DoD Components to use commercial cloud services that meet FedRAMP low and moderate control levels, and make them available to other DoD Components through standardized contracts and leveraged authorization packages. The Enterprise Cloud Service Broker will ensure compliance with Department IA and cybersecurity policies to include the ongoing secure configuration, continuity, resiliency, and operations of these externally provided services, and help integrate commercial computer network defense operations with USCYBERCOM defense operations. In addition, the Department will be able to effectively execute its service consumer IA responsibilities.

High Risk

To ensure DoD mission success in the face of cyber degradation, loss, or intrusion, the Department will not use commercial cloud services when the loss of information confidentiality, integrity or availability could be expected to have a severe or catastrophically adverse effect on organizational operations, organizational assets or individuals. Protecting mission-critical information and systems requires the most stringent protection measures including highly classified tools, sophisticated cyber analytics, and highly adaptive capabilities that must remain within the physical and operational control of the Department. The Department will not use commercial cloud services that are generally available to the public and remain outside of DoD operational control to support high-risk information and missions.

Next Steps
The DoD Enterprise Cloud Environment is a key component to enable the Department to achieve JIE success. Detailed cloud computing implementation planning has been ongoing and informs JIE projected plan of actions and milestones in Capabilities Engineering, Operation and Governance efforts.

The DoD CIO will establish a joint enterprise cloud computing governance structure to drive the policy and process changes necessary to transition to the DoD Enterprise Cloud Environment and oversee the implementation of the DoD enterprise cloud strategy. This Senior IT Governance will provide the leadership to enable the DoD CIO's 10-Point Plan for IT Modernization and JIE efforts by:

• Ensuring the Enterprise Cloud Environment is a fundamental aspect of IT strategic planning, capital investment planning, cybersecurity, investment management, and systems acquisition, development and integration
• Defining the IT governance framework/organizational construct (working groups, etc.), to review and monitor pertinent reference architectures and implementation planning to ensure coordinated and optimized consolidation efforts and the required cloud capability transitions/acquisitions, including test labs and pilot initiatives
• Publishing a DoD Policy to address the challenges associated with commercially provided cloud services and an Enterprise Cloud Security Framework that includes expanded risk assessment/risk management methodologies
• Establishing an Enterprise Cloud Service Broker to provide the additional integration, protections and ongoing monitoring needed to mitigate risks and achieve DoD requirements for cloud services
• Engaging with key Department process owners to establish agile acquisition and funding mechanisms that provide incentives for entrepreneurial innovation
• Establishing standardized, baseline DoD cloud computing SLAs and contract requirements to accommodate a multi-provider cloud service environment
• Identifying and reporting performance measures/metrics
• Establishing communications and training to continually drive cloud computing, and socialize new and updated business requirements, cloud computing successes, and lessons learned.

Conclusion
This strategy is intended to drive the Department toward changes required to dramatically improve the delivery and operation of IT, via an enterprise cloud environment, that provides tangible benefits to the DoD community. The Department's initiatives to achieve JIE goals and IT efficiencies in this current fiscal environment, and Federal mandates, accelerate this change. There will be many benefits to moving applications and data to the cloud, but there are substantial risks. The Department has specific cloud computing challenges that require careful adoption considerations, especially in areas of IA and cybersecurity, continuity of operations, and resilience. Service acquisition and funding sustainment, data migration and management, and overcoming network dependence at the tactical edge are also challenges that need to be addressed to ensure objectives can be met.

The Department's approach to deliver an enterprise cloud computing strategy will require strong governance authority and continued commitment to greater transparency through regular and open reporting. Optimizing data center consolidation efforts with core cloud infrastructure must be carefully executed. To achieve the cloud computing goal, all barriers to consolidation and transition must be addressed without major delay. Governance must ensure mechanisms are in place to coordinate enterprise activities across the Department. Working with other key Department leaders, the DoD CIO will help establish funding models to sustain the development of Core shared data center infrastructure and the Enterprise cloud environment. DoD CIO will be the final decision authority and will provide oversight for Component execution of data center and server consolidation, exercising appropriate governance to ensure efficient orchestration of change.

The DoD CIO will continuously seek to refine and mature the cloud computing approach and maintain open communications with all levels of the Department, other Federal Agencies and our industry partners. Active participation and commitment of all DoD Components, in collaboration with the DoD CIO, is critical to ensure consistency, optimize benefits, and achieve the goal of this strategy.

APPENDIX A
Acronym List
AoA       Analysis of Alternatives
AT&L      Acquisition, Technology, and Logistics
C&A       Certification and Accreditation
CFO       Chief Financial Officer
CIO       Chief Information Officer
CJCSI     Chairman of the Joint Chiefs of Staff Instruction
CNSSI     Committee on National Security Systems Instruction
CONUS     Continental United States
CRM       Customer Relationship Management
CUI       Controlled Unclassified Information
DaaS      Data as a Service
DAS       Defense Acquisition System
DCAPE     Director Cost Assessment and Program Evaluation
DCMO      Deputy Chief Management Officer
DCO       Defense Connect Online
DFARS     Defense Federal Acquisition Regulation Supplement
DIL       Disconnected, Intermittent and Low-bandwidth
DISA      Defense Information Systems Agency
DNI       Director of National Intelligence
EAR       Export Administration Regulations
EoIP      Everything Over Internet Protocol (IP)
FDCCI     Federal Data Center Consolidation Initiative
FedRAMP   Federal Risk and Authorization Management Program
FISMA     Federal Information Security Management Act
FOIA      Freedom of Information Act
GCDS      Global Content Delivery Service
GIG       Global Information Grid
IA        Information Assurance
IaaS      Infrastructure as a Service
IdAM      Identity and Access Management
IM        Instant Messaging
IP        Internet Protocol
IT        Information Technology
ITAR      International Traffic in Arms Regulations
ITESR     IT Enterprise Strategy and Roadmap
JCIDS     Joint Capabilities Integration and Development System
JCS       Joint Chiefs of Staff
JIE       Joint Information Environment
JWICS     Joint Worldwide Intelligence Communications System
MEF       Mission Essential Functions
MILDEP    Military Department
NDAA      National Defense Authorization Act
NEF       National Emergency Functions
NIPRNet   Unclassified but Sensitive Internet Protocol Router Network
NIST      National Institute of Standards and Technology
NOC       Network Operation Centers
NSA       National Security Agency
NSS       National Security Systems
O&M       Operations and Maintenance
OMB       Office of Management and Budget
OUSD      Office of the Under Secretary of Defense
PaaS      Platform as a Service
PII       Personally Identifiable Information
PKI       Public Key Infrastructure
PMEF      Primary Mission Essential Functions
POM       Program Objective Memorandum
PPB&E     Planning, Programming, Budgeting and Execution
RACE      Rapid Access Computing Environment
SaaS      Software as a Service
SIPRNet   Secret Internet Protocol Router Network
SLA       Service Level Agreement
SOC       System Operation Centers
TSSCI     Top Secret Sensitive Compartmentalized Information
UDCMO     Unified Cross Domain Management Office
USD       Under Secretary of Defense
VDI       Virtual Desktop Infrastructure

APPENDIX B
References
A. Federal Cloud Computing Strategy, Feb 2011
   http://www.cio.gov/documents/FederalCloudCOmputingStrategy.pdf
B. 2012 National Defense Authorization Act (NDAA), Public Law 112-81
   http://armedservices.house.gov/index.cfm/ndaahome?p=ndaa
C. Secretary of Defense Efficiencies Initiative, Gates, Robert M., (2010), Statement on Department Efficiencies Initiative
   http://www.defense.gov/Speeches/Speech.aspx?SpeechID=1496
D. Office of Management and Budget (OMB)-directed Federal Data Center Consolidation Initiative (FDCCI)
   http://www.cio.gov/pagesnonnews.cfm/page/TheFederalDatacenterConsolidation Initiative
E. OMB, 25 Point Implementation Plan to Reform Federal Information Technology Management, December 9, 2010
   http://www.cio.gov/documents/25PointImplementationPlantoReform Federal%20IT.pdf
F. Federal Risk and Authorization Management Program (FedRAMP)
   http://www.fedramp.gov
G. Department of Defense (DoD) Information Technology (IT) Enterprise Strategy and Roadmap, Version 1.0, September 6, 2011
H. Homeland Security Presidential Directive/HSPD-20, Subject: National Continuity Policy
I. Creating Effective Cloud Computing Contracts for the Federal Government, February 24, 2012
   http://www.cio.gov/cloudbestpractices.pdf
J. OMB Circular A-11, Preparation, Submission, and Execution of the Budget of August 2011
   http://www.whitehouse.gov/sites/default/files/omb/assets/a11_current_year/a_11_2011.pdf
K. Chairman of the Joint Chiefs of Staff Instruction 3170.01G, Joint Capabilities Integration and Development System (JCIDS), March 1, 2009
   http://www.dtic.mil/cjcs_directives/cdata/unlimit/3170_01.pdf
L. DoD Directive 4630.5, Interoperability of IT and NSS, May 5, 2004, Certified Current as of April 23, 2007
   http://www.dtic.mil/whs/directives/corres/pdf/463005p.pdf
M. DoD Directive 5000.01, The Defense Acquisition System, May 12, 2003
   http://www.dtic.mil/whs/directives/corres/pdf/500001p.pdf
N. DoD Directive 7045.14, The Planning, Programming, and Budgeting System, May 22, 1984, Certified Current as of November 21, 2003
   http://www.dtic.mil/whs/directives/corres/pdf/704514p.pdf
O. DoD Directive 8500.01E, Information Assurance (IA)
   http://www.dtic.mil/whs/directives/corres/pdf/850001p.pdf
P. NIST Special Publications
   [SP 500-292] NIST Cloud Computing Reference Architecture, September 8, 2011
   [SP 500-291] NIST SP 500-291, NIST Cloud Computing Standards Roadmap, August 10, 2011
   [SP 500-293] NIST Special Publication 500-293, U.S. Government Cloud Computing Technology Roadmap, (DRAFT) Release 1.0
   [SP 800-145] NIST Definition of Cloud Computing, September 2011
   [SP 800-53] NIST Guide for Assessing the Security Controls in Federal Information Systems and Organizations
   [SP 800-53a] NIST Guide for Assessing the Security Controls in Federal Information Systems
   NIST 800 Series Special Publications are available at: http://csrc.nist.gov/publications/nistpubs/index.html
   NIST FIPS Publications are available at: http://csrc.nist.gov/publications/PubsFIPS.html
Q. National Security Systems Instruction (CNSSI) 1253, Security Categorization and Control Selection for National Security Systems, October 2009
   http://www.cnss.gov/Assets/pdf/CNSSI1253.pdf
R. CJCSI 6211.02D, Defense Information Systems Network (DISN) Responsibilities, 24 January 2012
   http://www.dtic.mil/cjcs_directives/cdata/unlimit/6211_02.pdf

APPENDIX C
Cloud-related Terms

Cloud Computing
As defined by NIST, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing services can be described by their shared characteristics, by the computing resources provided as a service, and by the method of deployment.

Cloud Models
• Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
• Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
• Community Cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
• Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Service Models
• Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
• Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
• Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Cloud Service Characteristics
• On-Demand Self-Service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
• Broad Network Access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
• Resource Pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
• Rapid Elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and be rapidly released to quickly scale in.
• Measured Service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Additional Cloud Terminology
• Data as a Service (DaaS): DaaS is based on the concept that the product, data in this case, can be provided on demand to the user regardless of geographic or organizational separation of provider and consumer. Additionally, the emergence of service-oriented architecture (SOA) has rendered the actual platform on which the data resides also irrelevant. This development has enabled the recent emergence of the relatively new concept of DaaS. (Wikipedia)
• Virtualized Infrastructure: Today's x86 computer hardware was designed to run a single operating system and a single application, leaving most machines vastly underutilized. Virtualization lets you run multiple virtual machines on a single physical machine, with each virtual machine sharing the resources of that one physical computer across multiple environments. Different virtual machines can run different operating systems and multiple applications on the same physical computer. (VMware)
• Cross Domain Solution: A means of information assurance that provides the ability to manually or automatically access or transfer between two or more differing security domains. They are integrated systems of hardware and software that enable transfer of information among incompatible security domains or levels of classification. Modern military, intelligence, and law enforcement operations critically depend on timely sharing of information. (Wikipedia)

Key Cloud Computing Roles
• Service Consumer: Organization that decides to move certain IT resources from the confines of their enterprise to one or more external partners allowing them to focus resources on mission-critical needs
• Service Provider: Organization that decides to specialize in offering an IT service to multiple consumers over the net. The service provider invests in transitioning a traditional IT capability into a cloud service by implementing a massively scalable and dependable infrastructure, enabling customer self-service and metered use through automation, ensuring ongoing service maintenance and continuous improvement, and providing exceptional customer support.
• Cloud Products or Technology: Rather than providing a service that is consumed over a network, many of the cloud vendors provide products that enable their consumers to provide or consume cloud services.
• Cloud Broker: A cloud broker is an entity that manages the use, performance, and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.

Figure 3: Example Services Available to Cloud Consumers