For the past few years, cloud computing has increasingly become the focus of IT decision makers and CFOs. Many Defense Contractors and other security-conscious businesses have been resistant to moving their critical data and workloads into the cloud. Many businesses are concerned with the migration process, cost, security of data, and the ability of their personnel to access that data readily and safely.
Businesses that migrate to the cloud immediately realize the numerous benefits of cloud-provided resources, including:
- Modernization of current IT asset base
- Planning and flexibility for future growth
- Lowered infrastructure costs (this is a big plus!)
- Increased business agility and responsiveness
- Disaster Recovery (DR) and restoration
- Business Continuity of Operations (COOP)
- Remote access to resources for the new mobile workforce
- Integration and security for a BYOD workforce
- Physical and data security
We’ll start by addressing the reality – you don’t just “jump into” a Cloud-based model (unless you are a new business and just opened your doors – in which case this is the best way to start!). Odds are, you have invested thousands or even hundreds of thousands of dollars in server hardware – and your CFO will give you an evil glare if you say “Let’s scrap all of our hardware and move to the Cloud!”
The best approach is a phased-adoption approach. Start with your oldest hardware or your most critical servers. Why spend $10k on a new server? Move that aging server directly to a Cloud platform like AWS or Microsoft Azure and take your first step into a hybrid cloud model.
If you are moving your infrastructure either into a Hybrid Cloud or into a Public or Private Cloud infrastructure, review chapter 5 to make sure you are compliant with government requirements whether you are a CSP or potentially processing/storing CUI within the cloud.
First, meet your security and compliance requirements by understanding which service levels are offered by Government Cloud Service Providers such as Microsoft Azure/Office 365 and Amazon Web Services (AWS).
Ensure that the CSP you select is accredited for the FedRAMP moderate baseline, and is compliant with DFARS 252.204-7012 §§ C-G.
Review your legal and contractual terminology for the following regulations:
- DFARS 252.204-7012
- FAR 52.204-21
- DFARS 252.239-7009
- DFARS 252.239-7010
If you see any of these clauses appear in your Prime contracts or subcontracts, you need to review the chapters above and meet the compliance guidelines.
Stakeholders must take responsibility for ensuring their compliance documentation and “statements of compliance” are up to date and available to KOs and Primes. Stakeholders’ up-front buy-in will ensure a smooth adoption and implementation of your compliance response from the rest of the team.
Once you have selected a CSP and level of compliant government-level resources, use the following checklist to determine your readiness:
- Determine your server and data resource requirements.
- Create a network architecture diagram.
- Estimate monthly cloud costs (including compute, storage, networking, egress, and backups) and calculate the cost savings of moving to the cloud.
- Plan your options for Disaster Recovery and Continuity of Operations in the Cloud.
- Contact Techni-Core for a complete Managed Cloud Compliance Services plan that includes BOTH Managed Services and Managed Compliance for ongoing lifecycle maintenance of your compliance in any environment.
- Use Techni-Core for Separation of Duties requirements to provide 3rd Party Service Provider DIBNet portal management, Cyber Incident reporting responsibilities, and Security Log review and documentation.
- Create the required documentation, including a Systems Security Plan (SSP) and a Plan of Actions & Milestones (PoA&M). (Clue: call Techni-Core to order one of our pre-prepared DFARS 7012 Template Packages!)
- Contact Techni-Core to schedule your complimentary cloud readiness and compliance consultation.
Our newest book, “Weather the Storm in the Cloud,” is available on Amazon. It will guide you through your planning process for moving to and maintaining your DFARS 7012 compliance in the cloud.