DOD posts cloud security rules to JEDI solicitation

The Pentagon has released a memo laying out the Defense Department's rules for maintaining cybersecurity while transitioning to a cloud computing environment, as DOD plans to soon release a request for proposals to provide the military with enterprise, commercial cloud services.

The November 2017 memo, "Department of Defense Cybersecurity Activities Performed for Cloud Service Offerings," was signed by John Zangardi, then the acting DOD chief information officer. Zangardi has since assumed the CIO role at the Department of Homeland Security.

The memo states "mission owners are required to register DOD networks, applications, data, and services that are migrating to DOD and/or commercial cloud capabilities and services." The mission owners must also identify the cloud provider's "alignment to an appropriate DOD [Cybersecurity Services Provider] in the DOD CIO System/Network Approval Process (SNAP) database," according to the document. 

"The mission owner is responsible for ensuring data migrated to a DOD or commercial cloud is at the appropriate security impact level," the memo continues. Attachments to the document lay out the activities DOD officials must carry out to meet the cybersecurity rules.

The memo was posted April 18 to the Joint Enterprise Defense Infrastructure solicitation page on the Federal Business Opportunities website. Just a few days earlier, the Pentagon released a second draft request for proposals for JEDI, but DOD declined to provide the rationale behind awarding a single contract for cloud services expected to be made available to the entire department. The single-award strategy has been a major point of contention between DOD and industry.