Defense Acquisition University
DoD Cloud Computing Acquisition Guidebook
December 2018
Version 1.0

DOCUMENT CHANGE HISTORY
Version 1.0, 18 December 2018: Initial Version

ACKNOWLEDGEMENTS / LEGAL STATEMENT:
The following DoD/Federal government personnel provided content to this Guidebook:
Author: Ardis B. Hearn, Defense Acquisition University (DAU)
CASTLE Team – Scott Stewart (DISA), Jodi Cramer (USAF) for CASTLE guide
Mr. Ashley P. Moore, MBCI, CEAP™, CPIC-P™ Director, IT Risk Management Division (T/CR) Office of the
Chief Information Officer (CIO) United States Agency for Global Media (USAGM)
Kim Kendall, Cybersecurity Department, DAU
National Geospatial-Intelligence Agency (NGA) Cloud Team (2018)

December 2018 - Version 1.0

Executive Summary
DoD agencies are struggling with how to utilize existing acquisition methods to acquire cloud services that use
consumption and rate-based business models. Cloud computing presents an enormous paradigm shift from the
usual acquisition model for acquiring traditional Information Technology (IT) services. An understanding of how
to acquire IT “as-a-service” must be addressed in order to obtain the benefits that these services can provide.
The technology is mature and available commercially and therefore a lesser concern than the existing business
and contracting models. This Guidebook provides information and best practices that will allow programs to take
advantage of the opportunities provided by cloud services. This new paradigm requires agencies to understand
how to acquire critical services and re-think not only the way they acquire IT services in the context of
deployment, but also how the IT services they consume provide mission and support functions on a shared
basis. This Guidebook also includes information on the importance of understanding the commercial cloud
environment as well as how solid planning can avoid potential risk areas such as vendor lock-in and hidden costs.
The DoD Cloud vision is to deliver an assured DoD Cloud Computing Environment capable of responding to the
Department's rapidly changing mission needs while improving return on our IT investments.
This Guidebook will aid in implementing this vision by providing a broad overview of Cloud computing
terminology and concepts in addition to detailed considerations for DoD Personnel based on their roles and
responsibilities in the acquisition of IT capabilities.
The Guidebook is aligned with DoD Instruction (DoDI) 5000.02, DoDI 5000.74, DoDI 5000.75, the Defense
Acquisition University’s (DAU) Introduction to Cloud Computing (CLE 075), and the Defense Acquisition
Guidebook (DAG). Other key references include:
- 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services
- The Federal and Department of Defense (DoD) Cloud Computing Strategies
- The DoD Joint Information Environment (JIE)
- The DoD Chief Information Officer's DoD Cloud Way Forward
- NIST Guidelines on Security and Privacy in Public Cloud Computing
- The DoD Cloud Computing (CC) Security Requirements Guide (SRG)

For a full list of references, refer to Appendix F: References.

Table of Contents
DoD Cloud Computing Acquisition Guidebook ................................................................... 1
1 Overview........................................................................................................ 11
1.1 Audience......................................................................................................... 11
1.2 Applicability..................................................................................................... 11
1.3 Basic Terminology .......................................................................................... 11
2 Foundations of Cloud Computing ............................................................... 17
2.1 Background .................................................................................................... 17
2.2 DoD Definition of Cloud Computing ................................................................ 18
3 DoD Approach for Acquisition of Commercial Cloud Services ................ 23
3.1 Assessment of “As-Is” State ........................................................................... 23
3.2 DoD Specific Requirements to Acquire Cloud ................................................ 26
4 Information Tailored for Specific Roles and Responsibilities .................. 33
4.1 Program Managers Roles and Responsibilities .............................................. 33
4.2 Contracting Officers/Financial Managers/Attorneys ........................................ 42
4.3 Technical Considerations (Engineers/IT Specialists) ...................................... 51
4.4 Cybersecurity Considerations ......................................................................... 70
5 Service Level Agreements (SLAs) ............................................................... 82
5.1 Background .................................................................................................... 82
5.2 Challenges and Best Practices ....................................................................... 82
5.3 The Exit Strategy ............................................................................................ 84
5.4 Standards 19086 Series -- Service Level Agreements Standards .................. 84
5.5 SLA Fundamental Concepts and Vocabulary ................................................. 85
5.6 SLA Metrics .................................................................................................... 85
6 Existing DoD Contracts and POCs .............................................................. 96
Appendix A: Representative Example Contract Clauses ............................................ 102
Appendix B: Example Service Level Agreement (SLA) Checklist .............................. 132
Appendix C: Examples of Commercial Cloud Acquisition Scenarios ........................ 163
Appendix D: Glossary of Terms .................................................................................... 178
Appendix E: Acronyms .................................................................................................. 183
Appendix F: References ................................................................................................. 189
Appendix G: NGA's Annex D, Cloud Data Guidance ................................................... 197

List of Figures
Figure 1. Cloud Computing ................................................................................................................................... 18
Figure 2. IT Business Case Analysis .................................................................................................................... 26
Figure 3. Security Requirements Guide (SRG) ..................................................................................................... 27
Figure 4. Information Impact Levels (IIL) .............................................................................................................. 28
Figure 5. ATO Process .......................................................................................................................................... 30
Figure 6. DoD Boundary Cloud Access Points ..................................................................................................... 30
Figure 7. DoD Pathfinder to Hybrid Cloud Environments and Multiple Vendors .................................................. 34
Figure 8. Contract Options Representation .......................................................................................................... 49
Figure 9. Cloud Characteristics ............................................................................................................................. 51
Figure 10. Secure Cloud Computing Architecture (SCCA) ................................................................................... 62
Figure 11. SCCA Boundary CAP (BCAP) ............................................................................................................. 64
Figure 12. SCCA Architecture Approach in AWS ................................................................................................. 65
Figure 13. Differences between S-VMs and Application Containers .................................................................... 67
Figure 14. Cloud Identity/Access Architecture Pattern ......................................................................................... 75
Figure 15. Cloud Model Maps to Security Model .................................................................................................. 77
Figure 16. Cybersecurity Reference Architecture (CS RA) .................................................................................. 80
Figure 17. Constructing New Cloud Metrics ......................................................................................................... 86
Figure 18. SLA Content Areas .............................................................................................................................. 87
Figure 19. Visual Scenario Reference ................................................................................................................ 164
Figure 20. Visual Scenario Reference, Establishing Cloud ................................................................................ 165
Figure 21. Visual Scenario Reference, Building Cloud ........................................................................................ 170
Figure 22. Visual Scenario Reference, Refining Cloud ...................................................................................... 173
Figure 23. Visual Scenario Reference, Tuning Cloud ......................................................................................... 176

List of Tables
Table 1. Definition of Basic Terms ........................................................................................................................ 11
Table 2. Definition of Essential Characteristics ..................................................................................................... 19
Table 3. Cloud Service Model Types .................................................................................................................... 20
Table 4. Definition of Cloud Deployment Models .................................................................................................. 21
Table 5. Suggested Steps and Activities Needed to Assess As-Is State ............................................................. 23
Table 6. Training Websites.................................................................................................................................... 36
Table 7. Explanation of Cost Drivers in Cloud Environments ........................................................................ 38
Table 8. Funding Cloud in Private and Public Enterprises ................................................................................... 40
Table 9. Requirements Document Type Benefits ................................................................................................. 42
Table 10. Service Model Contract Type Considerations ...................................................................................... 44
Table 11. Overview of the Five Essential Characteristics of Cloud Computing.................................................... 53
Table 12. Overview of the Three Cloud Service Models ...................................................................................... 56
Table 13. Overview of the Four Cloud Deployment Models ................................................................................. 58
Table 14. Non-DISA Provided DoD Cloud CAPS, August 30, 2018 ..................................................................... 76
Table 15. Key Practices for Cloud Computing Service Level Agreements ........................................................... 83
Table 16. SLA Content Areas and Recommended SLOs and SQOs ................................................................... 87
Table 17. DoD Cloud Contracting Vehicles .......................................................................................................... 96
Table 18. Descriptions with Contract Language and Document Location ................................................. 102
Table 19. Example Service Level Agreement ..................................................................................................... 132
Table 20. CSP and End-User Agreements ......................................................................................................... 162
Table 21. Type of Cloud Service ......................................................................................................................... 162
Table 22. List of Acronyms .................................................................................................................................. 183
Table 23. List of References ............................................................................................................................... 189

1 Overview

1.1 Audience

With this Guidebook, executive sponsors, program managers (PMs), contracting officers (COs) and their staffs
can clearly understand and be confident about their cloud acquisitions and associated deployments. The
Guidebook has chapters designed to provide specific and tailored information for PMs, Contracting personnel,
Engineers/IT Technical personnel, Financial Managers, Attorneys, and Cybersecurity personnel. Those
individuals familiar with cloud concepts can go to the area of the Guidebook that outlines considerations that
apply directly to their area of responsibility.

1.2 Applicability

The best practices information provided applies to all DoD acquisition programs and systems that have
applicable requirements (e.g., defense business systems (DBS), national security systems, weapon systems,
non-developmental items) regardless of their acquisition category (i.e., ACAT I, IA, II, III, IV) or their phase of the
acquisition life cycle. Programs not required to follow DoDI 5000 series guidance will also benefit from following
this Guidebook. The following provides definitions for basic cloud terminology. For a complete Glossary of terms
used in this Guidebook, reference Appendix D.

1.3 Basic Terminology
Table 1. Definition of Basic Terms

Application: Within the context of cloud computing, the term application may refer to either a cloud-enabled software offering as a service, web or mobile application (e.g. Facebook), or an application that exists on a virtual machine (e.g., Linux application). It is therefore preferable to clarify that type of application when using the term to avoid confusion. (NIST)

Application Rationalization: The reorganizing of an application portfolio to streamline the portfolio, by replacing, retiring, modernizing or consolidating applications, in accordance with a desired business outcome.

As a Service (aaS): The term "as a [cloud] Service" is a suffix describing a computing capability that supports all five essential characteristics of cloud computing.

Authorizing Official: The individual or entity responsible for accepting the risks associated within a given area of responsibility.

Big Data: An umbrella term referring both to the methods surrounding the use of very large data collections, and the characterization of efforts having a high degree of data volume, velocity, and variety. Reference Appendix G, Cloud Data Guidance, for Cloud specific considerations.

Capital Expenditure (CAPEX): The cost to buy fixed assets or to add to the value of an existing fixed asset with a useful life extending beyond the current year.

Cloud Access Point (CAP): A DoD system of network boundary protections and monitoring devices through which cloud services outside the DoD network security boundary must traverse to connect to resources inside the DoD network security boundary.

Cloud Bursting: An application deployment model in which an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes.

Cloud Computing: Cloud computing is the delivery of computing services (servers, storage, databases, networking, software, analytics, and more) over the Internet ("the cloud"). It is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud First: The policy announced in December 2010 by the U.S. CIO to accelerate adoption of cloud computing across the Federal government by directing agencies "to evaluate safe, secure cloud computing options before making new investments" in information technology.

Cloud Security Requirements Guide (SRG): The DoD document that provides the security requirements and guidance for cloud services; establishes the basis for granting DoD provisional authorizations; and provides guidance to DoD mission owners regarding the use of cloud services.

Cloud Service Customer (CSC): Sometimes referred to as the customer or the cloud consumer.

Cloud Service Providers (CSPs): A service provider that owns, maintains and enhances its services, and houses those service elements in a location that it owns or manages. Companies offering computing services over the internet typically charge for cloud computing services based on usage, similar to how consumers are billed for water, cell phone plans, cable TV plans or electricity.

Cloud Service Offerings (CSOs): The range or types of services offered by a CSP. A single CSP may have many CSOs.

Cloud Enabled: A software application or workload that is both ready to be hosted in an infrastructure-based cloud environment and has some capability to leverage the cloud characteristic of rapid elasticity. The expectation is that only a minimal amount of configuration effort would be required to deploy (or re-deploy) the application in the cloud.

Cloud Infrastructure: The collection of hardware and software that enables the characteristics of cloud computing. The consumer of a cloud service does not manage or control the underlying cloud infrastructure. Cloud Infrastructure is represented in SP 500-292 NIST Cloud Computing Reference Architecture (CCRA) within the 'Resource Abstraction and Control' layer and Hardware layer.

Cloud Smart: New Federal government cloud strategy. The policy looks to build on Cloud First by ensuring the technology fits the mission that you're trying to serve. While the 2010 Cloud First policy asserted the potential benefits of cloud, Cloud Smart will stress mission outcomes. The Cloud Smart policy establishes workforce, procurement and security as the main pillars of the strategy, three areas often linked together when talking about current IT modernization.

Computer Network Defense (CND): The defense and ...