DAU Cloud Acquisition Guidebook


Defense Acquisition University
DoD Cloud Computing Acquisition Guidebook
November 2019
Version 1.2


DOCUMENT CHANGE HISTORY

Version 1.0, 18 December 2018:
- Initial Version

Version 1.1, 20 April 2019:
- Updated with latest DoD Cloud Strategy (references, executive summary and 4.2.1)
- Updated Financial Audit Requirements (added paragraph 4.2.3.4) to include Special Organization Considerations (SOC)
- Added additional strategic contracting considerations in paragraph 4.2.5
- Added paragraph (4.2.7) on using Services Contracts (DoD 5000.74) for acquiring Cloud Services

Version 1.2, 5 November 2019:
- Added sections 4.3.4.5 Testing and 4.4.6 Cybersecurity T&E
- Added additional Testing considerations in applicable areas such as in definitions, references, and Service level agreements (SLAs)
- Added DoD Digital Modernization Strategy to References
- Updated status of ISO/IEC 19086-1:2016 Standard (Information technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and concepts)
- Added (DRAFT) NIST Special Publication 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
- Added CIO Cloud Smart Application Rationalization Playbook to references
- Updated references for DoD Enterprise DevSecOps: added “Reference Design Version 1.0 12 August 2019 (public)” and the DoD A&S and CIO signed memo “Software Development, Security, and Operations for Software Agility”
- Added Navy Cloud Broker Information and Air Force Cloud One Information to Section 6.0

DoD Cloud Acquisition Guidebook

ACKNOWLEDGEMENTS / LEGAL STATEMENT:

The following DoD/Federal government personnel (or FFRDC support) provided content to this Guidebook:

Author: Ardis B. Hearn, Defense Acquisition University (DAU)
CASTLE Team – Scott Stewart (DISA), Jodi Cramer (USAF) for CASTLE guide
Mr. Ashley P. Moore, MBCI, CEAP, CPIC-P, Director, IT Risk Management Division (T/CR), Office of the Chief Information Officer (CIO), United States Agency for Global Media (USAGM)
Kim Kendall, Cybersecurity Department, DAU
National Geospatial-Intelligence Agency (NGA) Cloud Team (2018)
George "Lee" Kennedy, Institute for Defense Analyses, Information Technology and Systems Division
Susan May, MITRE, Principal Cyber Security Engineer
Sarah M. Standard, Cybersecurity/Interoperability Technical Director, OUSD R&E, D-DT&E

November 2019 - Version 1.2


Executive Summary

DoD agencies are struggling with how to utilize existing acquisition methods to acquire cloud services that use consumption and rate-based business models. Cloud computing presents an enormous paradigm shift from the usual acquisition model for acquiring traditional Information Technology (IT) services. An understanding of how to acquire IT “as-a-service” must be addressed in order to obtain the benefits that these services can provide. The technology is mature and available commercially and therefore a lesser concern than the existing business and contracting models. This Guidebook provides information and best practices that will allow programs to take advantage of the opportunities provided by cloud services. This new paradigm requires agencies to understand how to acquire critical services and re-think not only the way they acquire IT services in the context of deployment, but also how the IT services they consume provide mission and support functions on a shared basis. This Guidebook also includes information on the importance of understanding the commercial cloud environment as well as how solid planning can avoid potential risk areas such as vendor lock-in and hidden costs.

The December 2018 DoD Cloud Strategy laid out clear objectives required to meet warfighter needs:

“DoD will continue to rely on its ability to process and disseminate information for military operations, intelligence collection, and related activities. To ensure this, the Department must address the unique mission requirements through a multi-cloud, multi-vendor strategy that incorporates a General Purpose cloud and Fit For Purpose clouds (reference Appendix A of the DoD Cloud Strategy). To this end, this strategy will design objectives around solving these strategic challenges:
- Enable Exponential Growth
- Scale for the Episodic Nature of the DoD Mission
- Proactively Address Cyber Challenges
- Enable AI and Data Transparency
- Extend Tactical Support for the Warfighter at the Edge
- Take Advantage of Resiliency in the Cloud
- Drive IT Reform at DoD”

The DoD Digital Modernization Strategy signed in July 2019 also laid out the DoD CIO vision, which includes four top priorities: Cybersecurity; Artificial Intelligence (AI); Cloud; and Command, Control and Communications (C3). (See Appendix F of this Cloud Guidebook for the full references.)

This Guidebook will aid in implementing this strategy by providing a broad overview of Cloud computing terminology and concepts in addition to detailed considerations for DoD Personnel based on their roles and responsibilities in the acquisition of IT capabilities.

The Guidebook is aligned with DoD Instruction (DoDI) 5000.02, DoDI 5000.74, DoDI 5000.75, the Defense Acquisition University’s (DAU) Introduction to Cloud Computing (CLE 075), and the Defense Acquisition Guidebook (DAG). Other key references include:

1. 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services defines
2. The Federal and Department of Defense (DoD) Cloud Computing Strategies
3. The DoD Joint Information Environment (JIE)
4. The DoD Chief Information Officer’s DoD Cloud Way Forward
5. NIST Guidelines on Security and Privacy in Public Cloud Computing
6. The DoD Cloud Computing (CC) Security Requirements Guide (SRG)
7. Financial Statement Audit Requirements for Service Organizations (DoD Cloud Way Forward)
8. DOD Cybersecurity T&E Guidebook v2, Change 1, April 2018; Addendum: Cybersecurity T&E of DoD Systems Hosted on Commercial Cloud Service Offerings.

For a full list of references, refer to Appendix F: References.


Table of Contents

DoD Cloud Computing Acquisition Guidebook . 11
1 Overview . 13
1.1 Audience . 13
1.2 Applicability . 13
1.3 Basic Terminology . 13
2 Foundations of Cloud Computing . 19
2.1 Background . 19
2.2 DoD Definition of Cloud Computing . 20
3 DoD Approach for Acquisition of Commercial Cloud Services . 25
3.1 Assessment of “As-Is” State . 25
3.2 DoD Specific Requirements to Acquire Cloud . 27
4 Information Tailored for Specific Roles and Responsibilities . 34
4.1 Program Managers Roles and Responsibilities . 34
4.2 Contracting Officers/Financial Managers/Attorneys . 42
4.3 Technical Considerations (Engineers/IT Specialists) . 54
4.4 Cybersecurity Considerations . 72
5 Service Level Agreements (SLAs) . 83
5.1 Background . 83
5.2 Challenges and Best Practices . 83
5.3 The Exit Strategy . 85
5.4 Standards 19086 Series -- Service Level Agreements Standards . 85
5.5 SLA Fundamental Concepts and Vocabulary . 85
5.6 SLA Metrics . 86
6 Existing DoD Contracts and POCs . 95
Military Sealift Command . 98
Naval Air Systems Command . 98
Naval Information Warfare Systems Command . 99
Appendix A: Representative Example Contract Clauses . 103
Appendix B: Example Service Level Agreement (SLA) Checklist . 132
Appendix C: Examples of Commercial Cloud Acquisition Scenarios . 164
Appendix D: Glossary of Terms . 179
Appendix E: Acronyms . 182
Appendix F: References . 188
Appendix G: NGA’s Annex D, Cloud Data Guidance . 197

List of Figures

Figure 1. Cloud Computing . 20
Figure 2. IT Business Case Analysis . 28
Figure 3. Security Requirements Guide (SRG) . 29
Figure 4. Information Impact Levels (IIL) . 30
Figure 5. ATO Process . 31
Figure 6. DoD Boundary Cloud Access Points . 32
Figure 7. DoD Pathfinder to Hybrid Cloud Environments and Multiple Vendors . 35
Figure 8. Contract Options Representation . 50
Figure 9. Cloud Characteristics . 55
Figure 10. Secure Cloud Computing Architecture (SCCA) . 66
Figure 11. SCCA Boundary CAP (BCAP) . 67
Figure 12. SCCA Architecture Approach in AWS . 68
Figure 13. Differences between S-VMs and Application Containers . 70
Figure 14. Cloud Identity/Access Architecture Pattern . 76
Figure 15. Cloud Model Maps to Security Model . 78
Figure 16. Cybersecurity Reference Architecture (CS RA) . 80
Figure 17. Constructing New Cloud Metrics . 86
Figure 18. SLA Content Areas . 87
Figure 19. Visual Scenario Reference . 165
Figure 20. Visual Scenario Reference, Establishing Cloud . 166
Figure 21. Visual Scenario Reference, Building Cloud . 170
Figure 22. Visual Scenario Reference, Refining Cloud . 174
Figure 23. Visual Scenario Reference, Tuning Cloud . 177

List of Tables

Table 1. Definition of Basic Terms . 13
Table 2. Definition of Essential Characteristics . 21
Table 3. Cloud Service Model Types .
