
NIST's Guidelines for Public Cloud Security Emphasize Risk Management

The National Institute of Standards and Technology has released a preliminary set of guidelines for cloud computing security. The draft version of Special Publication 800-144, “Guidelines on Security and Privacy in Public Cloud Computing,” offers recommended precautions and policies that federal agencies should follow if they plan to use public cloud resources. The document does not dismiss public clouds as an option for government systems. But the authors of the document, NIST computer scientists Wayne Jansen and Timothy Grance, were clear about the many hazards of outsourcing systems to a public cloud provider. Much of what makes cloud computing an attractive option for government agencies is also at odds with the way agencies have traditionally applied governance and security to information systems, Jansen and Grance wrote:

“Several critical pieces of technology, such as a solution for federated trust, are not yet fully realized, impinging on successful cloud computing deployments. Determining the security of complex computer systems composed together is also a long-standing security issue that plagues large-scale computing in general, and cloud computing in particular. Attaining high-assurance qualities in implementations has been an elusive goal of computer security researchers and practitioners and…is also a work in progress for cloud computing.”

The rest of this post is at: Virtual Integrated System Blog – Government – NISTs Guidelines for Public Cloud Security Emphasize Risk Management.


FORGE.mil set for secret code

Update [7/22]: I spoke with DISA’s Rob Vietmeyer yesterday. FORGE.mil currently consists of a collaborative software development site; it’s open to use by all of DOD and contractors with NIPRNet (and now SIPRNet) access to create applications that can be openly shared within DOD. The impetus for creating a classified net version of FORGE.mil came from STRATCOM and the Army; STRATCOM has already moved a project onto FORGE on SIPRNet.

Currently, the Navy is hosting the FORGE platform. By October, Vietmeyer said DISA will release a version running on RACE, DISA’s cloud computing platform, hosted out of DISA’s Defense Enterprise Computing Centers (DECCs). That will turn FORGE into a cloud application, distributed across multiple sites.

FORGE could potentially provide a platform for the services to create software repositories for government-owned and open-source code. The Navy currently is creating its own repository, called SHARE; SHARE is on SIPRNet because it contains code for C4ISR systems and other combat systems. The move of FORGE onto SIPR means that it could conceivably become the platform to support SHARE. Vietmeyer says he’s been having regular conversations with the SHARE team, which is trying to create a taxonomy for all of the code in the Navy inventory, something that could be extremely useful for the other services if it gets ported over to a common platform.

The development projects on the SIPR side of FORGE either use classified algorithms that are restricted to government use but are shareable within DOD, or are continuations of unclassified open and community source projects that need access to classified data. A large percentage of them, Vietmeyer says, are C4ISR related. Based on STRATCOM’s recent elevation of cyberwarfare as a mission, it’s possible that development of cyber command and control applications is one of the projects that made STRATCOM eager to have a SIPR version of FORGE.mil.

While FORGE.mil is free right now, and for shared projects only, the upcoming ProjectForge capability will allow DISA customers to pay for a private portal for collaborative software development within the Global Information Grid, advancing DISA’s goal to become a cloud service provider for DOD and related agencies and organizations.

From DISA, release on 7/20:

FORGE.MIL NOW READY FOR CLASSIFIED PROJECTS

Arlington, Va. – The Defense Department’s newest collaborative software development tool is now available for use in a classified development environment. The Defense Information Systems Agency granted Forge.mil Interim Authority to Operate on SIPRNet, the DoD’s classified version of the civilian Internet.

“This was a remaining crucial capability to offer our DoD development community,” said Rob Vietmeyer, Forge.mil Project Director. “With 2200 users, 500 contributors with engaged development and 93 projects on Forge.mil, we’ll now be able to offer even more with this IATO for classified use up to SECRET,” he added.

Forge.mil enables collaborative software development and cross-program sharing of software, system components, and services in support of net-centric operations and warfare. Already in Initial Operational Capability for unclassified use, Forge.mil is a collaborative environment for shared development of open source and DoD community source software. DISA expects four more components of Forge.mil to be launched in future releases: CertificationForge, which will support agile certification; ProjectForge, which will provide private project portals; StandardsForge, which will drive collaborative standards development; and TestForge, which will provide on-demand software testing tools.

Forge.mil is available to the U.S. military, DoD government civilians, and DoD contractors for new and existing projects, enabling the organizations to save money, to improve software development efficiency, and to drive collaborative dynamics that help deliver better software faster to the warfighter. To register or host a project on Forge.mil, visit http://www.disa.mil/forge for more information.

DISA, a Combat Support Agency, engineers and provides command and control capabilities and enterprise infrastructure to continuously operate and assure a global net-centric enterprise in direct support to joint warfighters, National level leaders, and other mission and coalition partners across the full spectrum of operations.
