Navy Path to Cloud

Commercial Services Integration (CSI) Team

November 2013

ACT-IAC Pacific: Cloud Computing Panel & Roundtable

CSI Timeline

SPAWAR Datacenter

Consolidation (2010)

Navy DCC Task Force

(Fall 2010)

SPAWAR Commercial

Service Brokerage (Spring 2011)

FedRAMP and NIST Cloud (Fall 2011)

DoD Cloud Strategy / DISA ECSB Standup (Summer 2012)

Navy IATO for Public

(Fall 2012)

Navy ATO for Public

(Spring 2013)Today…

3 This document, and the information contained herein, is confidential. In this document, the term "Deloitte" refers to Deloitte Touche Tohmatsu Limited member firms and the term "Deloitte Network" refers to DTTL and its member firms.

• Attempt to fit AWS into existing DOD DIACAP/8500.2 framework, attempt a ‘traditional’ ATO;

• Supporting an Echelon III command, there was not much influence on IA policy, so we had to mitigate risks with engineering and architecture;

• We did not attempt to solve for ‘cloud’ in generic sense (no funding, too strategic for operations);

• The team solved most non-technical issues through existing use cases (Navy NMCI experience, NAVFAC Utilities contracting/budgeting experience, etc.).

The Team’s Approach

Our Challenge: Complex, Changing Environment

ATO?

DIACAP

NIST800-53

DoD ECSB CSM

CNSSI 1253DoD

InstructionsCJCSM

FAR /

Public Law

CSP Capability

FedRAMP

5 This document, and the information contained herein, is confidential. In this document, the term "Deloitte" refers to Deloitte Touche Tohmatsu Limited member firms and the term "Deloitte Network" refers to DTTL and its member firms.

• Consistent terminology is critical (NIST 800-145 is only 3 pages, in plain language!)

• Public multi-tenancy is a primarily ‘new’ component of AWS

• Have IA, CA, DAA, AO folks involved as early in the process as possible

• Engage in phases, rather than jumping in the deep end

• Revisit policy to verify assumptions about actual requirements

• Communication with the vendor is important, especially when doing initial C&A work

The Team’s Approach

CSI Operating Model

Scoping Questionnaire

/ ASHRD

Cost Estimation

Engineering MIPR

Engineering Analysis

Execution MIPR Execution

• System Size and Scoping Questionnaire

• Application &SystemHostingRequirementsDocument

• Rough Cost of Cloud component

• Total depending on scope/size

• Analyze sponsor requirements

• Develop execution plan, schedule and costing

• Assess security posture

• Total depending on scope/size

Deloitte Consulting, LLP

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

As used in this document, “Deloitte” means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

© 2013 Deloitte Development LLC. All rights reserved.

Adam CrosbySpecialist Master

Deloitte Consulting LLP295 Bendix Road, Suite 105, Virginia Beach, VA 23452

Mobile: +1 757 839 3826acrosby@deloitte.com | www.deloitte.com