The 2012 National Defense Authorization Act directed the US Department of Defense (DoD) to transition from private clouds controlled by the Department to public, commercial clouds. The reasoning behind this was that commercial clouds would be able to provide better service at reduced cost to taxpayers. Now, critics are arguing that this was a major error, ultimately putting sensitive data at risk, with no savings for taxpayers at all.
What is the NDAA?
Congress passed the 2012 National Defense Authorization Act (NDAA) in December 2011. Notably, it included a section (Section 2687) on data centers and servers, which concerns the IT industry, in particular cloud hosting providers. These changes were proposed in order to reduce budgetary requirements.
The provisions in the NDAA call for a plan to reduce necessary resources for servers and data centers. In particular, the plan includes a reduction in:
- Square footage of floor space
- Power and cooling utilities
- Investments in capital infrastructure (measured in cost per megawatt of data storage)
- Number of applications
- Full-time personnel/cost of labor
In addition, the NDAA also calls for a performance plan that effectively measures and sets standards for server and data center operations, including implementation of a strategy for the following requirements:
- Desktop, laptop and mobile device virtualization
- Cloud computing transitions for lower costs and greater security
- Use of cloud computing and data center security services managed by the private sector
- Reporting standards to measure data center infrastructure aspects, including space, power, cooling, age, cost, capacity, efficiency, etc.
Included in the Act is a requirement that a report from the CIO be produced each fiscal year from 2012 to 2016. This report should discuss the DoD’s cost savings as a result of the transition to cloud computing. It is hoped that a careful analysis of investments and the projected reduction of security breaches will provide a more comprehensive framework for annual cloud computing and data center re-strategizing.
Probably the most important element put forward by the NDAA is the requirement that defense data and government-provided services from department-owned data centers be migrated to cloud computing services within the private sector. Of course, private sector providers need to provide services at a lower cost with an equivalent or greater degree of security.
Critics argue that the NDAA has brought unexpected delays, increased costs and looming security risks to the DoD. They suspect that the Act was significantly influenced by cloud computing lobbyists, as there is strong bias to “cloud computing services generally available within the private sector that provide a better capability at a lower cost with the same or greater degree of security.”
As the NDAA requires the DoD’s CIO to submit a plan for this unwieldy migration project by April 1, 2012, it becomes clear that this is not a money-saving project. In fact, the DoD private clouds built by DISA have already been paid for with public funds. It later became clear that the private clouds did not offer more security than public cloud computing providers. The NDAA attempts to respond to that blunder by encouraging the Department to move back to the public cloud.
This might not be such an effective solution. According to the InfoWorld Cloud Computing blog,
“… forcing CIOs to use public clouds is an inappropriate one-size-fits-all approach to technology, and that never works. Government CIOs should be able to select the right technology for the job, whether private or public clouds – or even no clouds. [Moving] to one extreme resulted in Congress pushing them hard the other way. The danger is replacing one lopsided approach with another.”
This article introduces the 2012 National Defense Authorization Act (NDAA) which was passed by Congress in December 2011. The NDAA mandates a number of important changes regarding data centers and servers and requires that the Department of Defense transition towards public cloud computing providers. This marks a significant shift from IT requirements of past years, which were biased towards private clouds. The article also discusses the NDAA from a critical perspective.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Compliance analysis and audits (Domain 4)
- Key management best practices (Domain 11)
- Virtual Machines (Domain 13)