Academic year: 2021

(1)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

Headquarters U.S. Air Force

DoD Pathway to the Cloud

Jodi Cramer

AF/JAA

(3)

[Figure: cloud stack diagram. Labels: Application (Monitoring, Content, Collaboration, Messaging); Platform; Infrastructure; Identity, Database, Runtime; Compute, Block Storage; Desktops, Tablets, Smart Phones, Servers]

(4)

Why are Agencies Going to the Cloud?

(5)

Types of Clouds

• Private: For use by a single organization
• Public: For use by general public
• Community: For use by a specific

(6)

Cloud Services

[Figure labels: Block Storage, Servers]

• Infrastructure: the provision of processing, storage, networking & other fundamental computing resources
• Platform: the deployment of apps created using programming languages, libraries, services, and tools supported by a cloud provider
• Software: the use of apps running on a cloud

(7)

Types of Agreements

• Terms of Service Agreements
• Non-Disclosure Agreements

(8)

DATA

…While being compliant with all other Federal laws and regulations

(9)

Issues to Think About…

• How to move the Data to the Cloud
• How to Secure the Data in the Cloud
• How to Retrieve the Data in the Cloud
• How to Search and Redact the Data in the Cloud

While being compliant with all other Federal laws and regulations

(10)

Legal Issues

• Security
• Privacy
• E-discovery
• FOIA
• Records

(11)

Security

• Clear Security Authorization Requirements
• Continuous Monitoring
• Incident Response
• Key Escrow
• Forensics
• Two-Factor Authentication using HSPD-12
• Audit

(13)

Privacy

• Compliance w/Privacy Act of 1974 & Related PII Requirements
• Privacy Impact Assessments (PIA)
• Privacy Training
• Data Location

(14)

E-Discovery

• Info Management in the Cloud
• Locating Relevant Documents
• Preservation of Data in the Cloud
• Moving Documents through the E-Discovery Process
• Potential Cost Avoidance by Incorporating E-Discovery Tools into the Cloud

(15)

FOIA

• Conducting a Reasonable Search to Meet FOIA Obligations
• Processing ESI Pursuant to FOIA
• Tracking and Reporting

(17)

Records

• Proactive Records Planning
• Timely and Actual Destruction of Records Required by Record Schedules
• Permanent Records

(18)

Jurisdiction

• State and Local access to Federal Records
• Foreign Government Access to Government Records

(21)

Security In the Cloud

(22)

FedRAMP

• OMB established the Federal Risk and Authorization Management Program (FedRAMP) to review CSPs for a baseline security model for all Agencies (FIPS low and moderate).
• Two ways to get into FedRAMP:
  • JAB authorization
    • CSP pays an independent company (3PAO) to review and the JAB (DoD, DHS, and GSA CIOs) review.
  • Agency Authorization – Approval by an Agency

(23)

DoD Security Model

• DoD has additional security controls beyond FedRAMP.
• DISA has developed a 6 level security model.
  • Levels 1 and 2 – FedRAMP plus 125 additional controls
  • Levels 3-6 require a DoD Private Cloud with a DISN/SIPR drop.

CSP MUST HAVE FedRAMP PLUS A DoD Provisional Authorization (for the data level) PRIOR TO HOSTING DoD DATA.

• Level 1: Unclassified Public, approved for public release
• Level 2: Unclassified Private, publicly releasable, but customer wants to control the access
• Levels 3-5: Controlled Unclassified Information (CUI), e.g., PII, PHI, FOUO
• Level 6: Classified information up to and including SECRET.

(26)

Data Categorization

(27)

Level 1:

• Public facing data
• Public websites (example: www.defense.mil)

Level 2:

• Public data not on public facing websites
• Internal portals that link to other sites
• Early Bird

Names of DoD employees at the O6/civilian equivalent and below not in public liaison positions are not public data per Long vs. OPM

(28)

CUI Low Data:

• Low level PII (contact information, names, addresses, phone numbers, e-mail addresses)
• Commercial information that does not contain any ITAR, proprietary, or trade secrets
• Morale and welfare information
• Recruiting (if only contact information)

DoD CIO is going to grant a waiver for low level PII to move it to level 2 for the cloud security model.

(29)

CUI Moderate Data:

• Education
• Training
• PII to include SSN and DoD ID numbers
• Recruiting (if medical is not included)
• Credit card information for individuals (PX, events)
• Base Housing

(30)

CUI High Data:

• ITAR data
• HIPAA
• Trade secrets
• Personnel files
• Critical military infrastructure (as defined by 10 USC 130e)
• Unclassified Nuclear Data
• Overseas troop movement
• Logistics and Readiness
• Pay records
• Security files
• Recruiting (if medical included)
• E-mail content (including attachments)
• Legal files

(31)

The Privacy Act of 1974 requires a System of Records Notice (SORN) for all systems of records (systems) where information is routinely retrieved by a personal identifier.

• DOD has 1137 SORNs across all components.
• All 1137 SORNs were reviewed based on SORN and categorized into the Security Model Impact Levels (1-5).

(32)

DATA Level   # of SORNs   %
3            179          16
4            254          22
5            704          62
Total        1137         100

[Chart: Data Categories. Level 3: 16%, Level 4: 22%, Level 5: 62%]

(33)

Level 3 Examples

• Executive Dining Facilities
• Marine Corps Marathon Automated Support System
• DON Family Support Program Volunteers

Level 4 Examples

• Army Training Requirements and Resources System
• Lodging Reservations System
• Voluntary Leave Transfer Program

Level 5 Examples

• Defense Clearance and Investigations Index (DCII)
• Defense Civilian Pay System (DCPS)
• Air-to-Air Weapon System Evaluation

(34)

DoD Additional Contract Considerations

13 AUG 2013 -- 1630

(35)

DoD Policy

DoD Supplemental Guidance on Cloud requires:

• Data to be categorized according to the security model.
• All Cloud contracts to address the issues in the Cloud Issues Matrix.
• All cloud providers to be approved by the DISN Flag Panel for the appropriate data environment.

(36)

Commercial Cloud Considerations

• New DFARS Clauses
  • #1 Physical Access
  • #6 PIA and OCI
  • #8 Data Breach
  • #9 Facility Inspection
  • #12 Indemnification
  • #13 Cyber Insurance
  • #14 Jurisdiction
  • #15 Law Enforcement
  • #17 Notification
  • #18 Records Management
  • #19 Spillage
• PWS Requirements
  • #2 Personnel Access
  • #3 NDA
  • #4 Asset Availability
  • #5 Banner
  • #7 Continuous Monitoring
  • #10 Compliance
  • #11 Use of Subcontractors
  • #16 Maintenance
  • #20 SCRM
  • #21 TOS

(37)

• BLUF – Of the twenty-one “Cloud clauses” working their way through the Rules Making process, eleven are candidates for DFARS clauses and ten are PWS considerations.
• Industry feedback is negative for three of the DFARS candidates (RED)

[Table: clauses grouped under the column headings Security, Privacy, and Law Enforcement. Entries: Personnel Access; Org Conflict of Interest; Physical Access; Non-Disclosure; Data Breach; Banner; Asset Availability; Insurance; Facility Inspections; Continuous Monitoring; Location of Data; FISMA Compliance; Law Enforcement; Use of Subcontractors; Notification; Maintenance; Spillage; Supply Chain Risk Mgmt]

(38)

• #1 Physical Access - DoD agencies require physical access to CSP data centers to conduct inspections under FISMA, for audit purposes, and Inspector General investigations. Such inspections, audits, and investigations may be unannounced, so DoD agencies must ensure that their inspectors, auditors, and investigators have the access required to complete their inspections, audits, and investigations.

• #2 Personnel Access - DoD agencies must require that all CSP employees who have access to Government data, or the physical and logical architecture that supports Government data, be U.S. persons per Executive Order 12333 and pass an appropriate background check as required by HSPD-12.

• #3 Non Disclosure Agreements - DoD agencies must require that CSP employees with access to non-public Government data and information sign an NDA that would legally prohibit a CSP employee from disclosing non-public Government data and information.

(39)

• #5 Banner - Banners or consent to monitor language allows Federal law enforcement the right to access and review Government data, including email created on a Government system, without a warrant or a subpoena. When DoD agencies acquire hosting services, banner language will be a requirement of the system developer. When acquiring software as a service, however, DoD agencies must require that the CSP display the agencies’ approved banner language prior to allowing access to the system.

• #6 PIA and OCI - When DoD agencies place commercial proprietary information, contractor bid or proposal information, source selection information, or non-public information on a commercial cloud, the agencies must ensure that the CSP refrains from using or releasing such information in violation of the cited legal authorities. Special NDAs are required to avoid or

(40)

• #7 Continuous Monitoring - FedRAMP mandates certain requirements for continuous monitoring in the “Continuous Monitoring Strategy Guide”. These requirements require the CSP to produce certain reports and provide them to FedRAMP PMO and/or a FedRAMP 3PAO. DoD agencies need to request copies of these reports as deliverables (PWS/SOW), as the DoD Designated Authorizing Authority is ultimately responsible for the protection of the data.

• #8 Breach and PII - To mitigate the risk of a data breach, DoD agencies must require that CSPs provide a plan for handling such a breach which includes the requirement to notify the agency of a breach within 60 minutes (a US-CERT requirement). In addition, DoD agencies are required to conduct a Privacy Impact Assessment (PIA) on all of their IT systems. The purpose of the PIA is to analyze how information in identifiable form is handled; to ensure that its handling conforms to applicable legal, regulatory, and policy requirements for privacy; to determine the risks and effects of collecting, maintaining, and disseminating such information in an electronic information system; and to examine and evaluate protections and alternative processes for handling such information to mitigate potential privacy risks. To assist an agency in developing the PIA, the CSP must be required to

(41)

• #9 Facility Inspections - FISMA and DoD policy require that facilities hosting DoD data meet certain security standards. Routine inspections ensure that facilities are in compliance with these standards. Usually these inspections are conducted by the Government; however, in the case of a CSP the Government may agree to allow a third party to conduct an inspection based on the Government’s criteria.

• #10 Compliance - When hosting Government data, CSPs must comply with FISMA and related agency policies.

• #11 Use of Subcontractors - When subcontracting, the agency should ensure that the prime contractor retains operational configuration and control of Government data.

• #12 Indemnification - Indemnification by the CSP benefits the Government when third parties make claims or sue the Government when the CSP, and not the Government, is liable.

(42)

• #13 Insurance - DoD agencies must require that CSPs have the necessary insurance to cover costs stemming from a breach of Government data or damage to a DoD system.

• #14 Jurisdiction - Government data must not reside within a foreign jurisdiction due to the risk that such data might be seized by a foreign Government or other non-U.S. authorities.

• #15 Law Enforcement - As mentioned above, all users of DoD systems have constructively consented through the banner language to monitoring of their use of a DoD system and use of that data for law enforcement purposes. As such, Federal law enforcement, investigative, and auditing officials do not need a warrant or a subpoena to access Government data on a Government system.

• #16 Vulnerability Security Maintenance - Agencies must require CSPs to conduct regular

(43)

• #17 Notification - CSP data centers are subject to state and local authorities, and state and local legal process (e.g., subpoenas). The Agency must ensure the CSP notifies the agency of a warrant or a subpoena to take action to protect Government data from unauthorized release.

• #18 Records Management - DoD agencies are required to maintain and produce records per the Federal Records Act, the Freedom of Information Act, and the Federal Rules of Civil Procedure. Records are kept based on the Agency’s disposition schedule. The Government should work with the CSP to ensure that all Government records and CSP records about Government data are kept in accordance with Agency records schedules.

• #19 Spillage - When classified information “spills over” to an unclassified system, DoD

(44)

• #20 Supply Chain Risk Management - The Agency must ensure that CSPs exercise due diligence to use genuine hardware and software products that are free of malware.

• #21 Terms of Service - Many commercial services have TOS Agreements that contain clauses that the Government cannot accept. Below are some examples:
  • CONFIDENTIALITY: This is a clause where the Government agrees not to release confidential information. However, the Government is subject to the Freedom of Information Act and must follow its procedures to release or protect commercial information.
  • INDEMNIFICATION: Many terms of service agreements contain an open-ended indemnification clause where the Government will indemnify the CSP against third party claims. This type of clause violates the Anti-Deficiency Act because the Government is committing to funds that have yet to be appropriated. This clause needs to be re-worked to reference other applicable laws.

(45)

Information Management In the Cloud

(46)

Why Information Management

Agencies have legal obligations to store, preserve, retrieve, search, redact, de-dupe, de-nist, and produce records when requested under FOIA or E-discovery.

Agencies are also required to maintain records IAW their disposition schedules per the Federal Records Act.

• Agencies have 20 days to respond to a FOIA request or can be sued and have to pay attorneys’ fees out of Agency funds. 5 USC 552 (a)(4)(E)(i)
• Agencies can face sanctions for not following E-discovery rules as laid out in the Federal Rules of Civil Procedure.

(47)

THINGS TO CONSIDER:

• Locating relevant documents
• Preservation of data in the cloud
• Producing relevant documents in native format with metadata.
• Moving documents through the e-discovery process
• Incorporating e-discovery tools to avoid costs
• Have an audit trail to document a thorough search.

WHY SHOULD I CARE?

• $6.8K to 7.7K to run a search. Takes a contractor 50 man hrs to complete the process from start to finish
• Sanctions for e-discovery are up to $8.6 million per case for failure to produce records.
  – For the AF alone that liability would be up to $1.2 billion a year
• Failure to produce records under FOIA means the Agency may have to pay attorney’s fees and sanctions (to date for DoD up to $500,000 per case) out of their appropriated funds

(48)

Information Management in SaaS

• Any acquisition of SaaS must have a plan for information management which will preserve, store and retrieve data in native format for Records Management (NARA), law enforcement investigations, Congressional inquiries, FOIA, and E-discovery.
• All SaaS solutions must comply with:
  • OMB Memo 12-18 – Enterprise Electronic Records Management
  • The Federal Records Act – All Agency Disposition Schedules
  • Federal Rules of Civil Procedure – Rule 34
  • Freedom of Information Act – 5 USC 552

(49)

Authorities

• Federal Records Act of 1950 as Amended
• Freedom of Information Act of 1966 as Amended
• Federal Rules of Civil Procedure
• OMB Memo 12-18

(50)

Federal Records Act

• What is a Record?

Records include all books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the Government or because of the informational value of the data in them. (44 U.S.C. 3301)

Records are based on the information not the medium.

(51)

Types of Records

Transitory

• Records that can be deleted upon receipt as they have no value
• Example – “do you want to go to lunch?”

Temporary

• Records that have value but are not transferred to NARA as part of the permanent history of the US. Records can be kept up to 100 years as temporary records.
• Most of our records fit in this category and are governed by the disposition schedules.

Permanent

• Records that are important to the history of the US.
• These records are kept at the Agency for a period of time then transferred to NARA.

(52)

FOIA

• What is a Record:
  • A record is anything either created or obtained by an agency; and under Agency control at the time of the FOIA request
  • DoD Contractor records may be Agency records
  • Emails/draft records are Agency records

5 USC 552(f)(2)(A)

(53)

Responsive Records under FOIA

• Includes audio and video
• Includes records contained in electronic databases (generating a report is not creating a record)
• Documents in storage
• Draft documents and emails kept on your computer

(54)

eDiscovery

• What is a record (ESI)?

Electronically Stored Information (ESI) includes “writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form” FRCP 34(a)

(55)

Why is ESI important?

• ESI viewed as more efficient and user friendly than paper
• Advancement in Technology – 97% of all information created electronically; only 3% converted to paper
• Metadata – more than meets the eye
• Disclosure and Production Requirements – FRCP 16, 26, 33, 34, 45

(56)

Litigation Holds (Process)

Requirements—The Discovery Cycle

* Electronic Discovery Reference Model (www.edrm.net)
* Standardized Discovery Cycle: Applies equally to traditional paper and electronically stored information

(57)

E-Discovery’s Duty to Preserve

A party is obligated to preserve information when it “reasonably anticipates litigation.” Zubulake v UBS Warburg LLC, 220 FRD 212 (S.D.N.Y. 2003)

This means we must place a litigation hold on all relevant information in native format.

Sources of duty:

• Common Law Duty
• Ethical Duty
• Statutory Mandate
• Federal Rules of Civil Procedure

(58)

System Failures

• Lack of knowledge
• Lack of ownership/responsibility
• Lack of resources

(59)

Cautionary Tales

• Qualcomm Inc. v. Broadcom Corp., 2008 WL 66932 (S.D. Cal. Jan. 7, 2008) – plaintiff sanctioned $8.5M for failing to produce over 200,000 pages of evidence and misleading court; separate sanctions against counsel vacated after no finding of bad faith
• Harkabi v. SanDisk Corp, 275 F.R.D. 414 (S.D.N.Y. 2010) – “[A] cascade of errors, each relatively minor . . . aggregated to a significant discovery failure.”
• Maggette v. BL Development Corp., 2010 WL 3522798 (N.D. Miss. Sept 02, 2010) – sanction took form of adverse inference instruction because lesser monetary sanction viewed as “acceptable cost” for defendant’s strategy
• Green v. Blitz U.S.A, Inc., 2011 WL 806011 (E.D. Tex. Mar. 1, 2011) – party required to pay monetary sanctions, provide sanction order to every party litigated against in past two years and file copy of order in every case for the next five years

(60)

Government Agencies Too

• Elion v. Jackson, 2006 WL 2583694, (D.D.C. Sept. 8, 2006) – as sanction for tardy production of e-mail, USAO precluded from offering any testimony regarding e-mail
• SEC v. Collins & Aikman Corp., 256 F.R.D. 403 (S.D.N.Y. 2009) – govt agency cannot rely on assertion of “‘undue burden’ on limited public resources” to unilaterally restrict eDiscovery
• In re Fannie Mae Securities Litigation, No. 04cv01639 (D.D.C.), aff’d 552 F.3d 814 (D.C. Cir. 2009) – agency held in contempt for failure to meet discovery deadline after spending $6 million
• City of Colton v. American Promotional Event, Inc., No. ED CV 09-01864 PSG (C.D. Cal. 2012) – in CERCLA action both EPA and DOD sanctioned for multiple discovery failures, including failing to produce ESI in native file format

(61)

OMB Memo 12-18

Requires:

• Enterprise Records Management System for E-mail by 2016
• Enterprise Records Management System for other records by 2019

(62)

Software As A Service

The technical evaluations should ask the vendor to include a detailed description of how its cloud solution stores, retrieves, searches, redacts, de-dupes, de-nists and produces records and related electronically stored information (ESI).

(63)

OMB Memo 12-18

Specifically:

• How the solution manages e-mail and other ESI;
• How the records management solution is interoperable with other enterprise records management solutions (AGENCY CAN SPECIFY ONE IF CHOSEN); and
• How the records management solution allows for records retention based on the Agency’s disposition schedules.
• How the solution meets DoD 5015.2 requirements.

(64)

Rule 34 of the Federal Rules of Civil Procedure

Specifically:

• How the solution preserves records and related ESI for e-discovery purposes;
• How the solution searches documents and related ESI across the enterprise;
• How the solution allows for the reporting and authentication of searches and litigation holds;
• How the solution allows for redacting documents in native format;
• How the solution allows for documents to be produced in native format;
• How the solution allows for de-duplication of email chains and duplicate documents;
• How the solution allows for searching and producing of meta-data; and
• How the solution provides early case assessment tools.

(65)

FOIA

Specifically:

• How the solution preserves records and related ESI for FOIA purposes;
• How the solution allows for asserting FOIA exemptions;
• How the solution preserves the produced documents.

(67)

Questions

(68)

Contact Information

Jodi Cramer

Senior Air Staff Counsel, Information Law

Administrative Law Directorate

Office of The Judge Advocate General

703-695-6606

DSN 225-6606

[email protected]
