Army cloud plan keys-in on creating a zero-trust architecture

Like other parts of the federal government, the Army’s cloud plan and data plan put a big focus on zero-trust.

The Army’s cloud plan, announced last week at the Association of the US Army Conference, said it will take advantage of a zero-trust architecture to create a global cloud network without routing all traffic to a boundary cloud access point, while providing touch points to the Department of Defense Information Network (DODIN) only where necessary.

As per the DOD’s zero-trust strategy, protecting Army data while at rest, in motion, and in use is a “minimum barrier-to-entry” for future combat and weapon systems. The data plan emphasizes a disciplined approach to protecting sensitive information, leveraging concepts like attribute-based access control across the enterprise to allow DOD maximize the use of data while also employing more stringent security standards.

The Army is planning fulfill its own definition of a zero-trust architecture by relying on a mix of newly purchased solutions and legacy software. That set up will be configured and modified where necessary to lay the groundwork for more advanced tools like security, orchestration automation and response, as well as new data analytic capabilities.

Other lines of effort include establishing training programs and culture around cloud computing, extending a suite of shared services to the Army’s private cloud that can operate even in a disconnected state and developing an enterprise cloud portal to integrate cloud initiatives across the Army, DoD, industry, and academia.

On the broader cloud front, the Army also announced its $1 billion Enterprise Application Modernization and Migration (EAMM) contract, which aims to offer a more convenient way for Army IT teams to purchase cloud services. The service plans to structure the contract as an indefinite-delivery/indefinite-quantity (IDIQ) contract with slots for multiple cloud vendors.

Army spokesperson Bryce S. Dubee told SC Media that the contract will require vendors to provide application modernization services in a standard architecture that is based on zero trust for cybersecurity, while tools such as the Army's DevSecOps platform (called CReATE) will also be provided to vendors to enable a continuous Authority to Operate.

"The goal of the contract is to modernize and migrate enduring applications currently residing in Army on-premises data centers to the cARMY commercial cloud. This will enable the Army to close a number of on-premises data centers while at the same time help modernize the enduring applications to become cloud-native," Dubee said in an email.

Pushing the easy button on cloud migration

The push is part of a broader effort by Army CIO, Raj Iyer, to implement a zero-trust architecture across the entire Army in the next five years. At AUSA, Iyer cast the new contract as a means to simplify the Army's procurement environment, cutting down on the kind of contract shopping and bureaucratic delays that have made it difficult to carry out broad cloud migration mandates in the past. Under the new contract, offices could potentially award task orders from the contract in a month, far quicker than the status quo.

"This is going to become the easy button for the Army to actually move to the cloud, because right now what’s happening is even when we have commands that want to move to the cloud, today there’s not one contract that they can go to...so they are doing a lot of shopping," Iver said. "They got to go to multiple contracting centers to go find the right vehicle and then when they go there it takes them nine months before they can actually get on contract."

The plans received mostly positive reviews from members of industry.

These latest moves to the cloud based on centralized contracts are "spot on" when it comes to the way the DOD and other government agencies should look at cloud and data security, said Tony D’Angelo, vice president for North America Public Sector at Lookout.

“Ideally these contracts aren't one-size-fits-all. Instead, they offer various types of clouds, services, and security solutions to meet the varied needs of a multitude of missions," D’Angelo said. "The complexity of cloud migration and sorting through the broad landscape of solutions from the vendor community is best served under a centralized contract — but one with pre-vetted options that can  address the needs of the entire community.”

Mohit Tiwari, co-founder and CEO at Symmetry Systems, added  that the Army’s move to the cloud presents an opportunity to build scalable security solutions.

“With cloud expertise and skills -- particularly in security -- in high demand, this strategic contract is essential to speed up the contractual engagement of third parties and ensure appropriate and scalable security requirements are considered,” Tiwari said.

Jerrod Piker, competitive intelligence analyst at Deep Instinct, told SC Media he likes the Army's plans on paper, but expressed concern that the initiative has been set with a tight timeline.

“This plan will serve two roles,” Piker said. “First, it will allow the Army to perfect their model within an environment that’s under their own complete control to begin. Secondly, it will give them the chance to better classify their data and systems before moving to the public cloud.” 

Creating a zero-trust architecture has been a major priority for DOD IT teams over the last two years. Earlier this year the military’s IT and communications arm said it will partner with contractor Booz Allen Hamilton on a six-month $6.8 million project to prototype a new security model based on zero-trust principles.

The Defense Information Systems Agency (DISA) said the project was designed to align with the May 2021 cybersecurity executive order issued by President Joe Biden. The new zero-trust focus will put a greater emphasis on protecting data and incorporate technologies and concepts — like secure access service edge (SASE) and SD-WANs — that were recommended in a zero-trust plan developed by DISA in 2020.