ISA 201 Intermediate Information Systems Acquisition

Date post: 25-May-2020

Transcript
Page 1: ISA 201 Intermediate Information Systems Acquisition · interest with shared concerns, such as a govern-ment-only cloud. • The Community cloud infrastructure is provisioned for

ISA 201 Intermediate Information Systems Acquisition

Page 2

Lesson 19

DoD Cloud Computing

Page 3

Learning Objectives

Today we will learn to:

Overall: Given a DoD IT/SW acquisition, apply cloud acquisition best practices to obtain cloud services.

• Identify the basic terms of cloud computing.
• Recognize the five (5) essential characteristics of a cloud service.
• Recognize characteristics of the three (3) NIST-defined cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
• Recognize the four (4) cloud deployment models (NIST): public, private, community and hybrid.
• Describe some DoD concerns with using cloud services.
• Recognize the steps and considerations for obtaining cloud services.
• Describe the problems with legacy software applications and cloud.

DoD Cloud Computing Services

Page 4

In-Class Quiz

Team 1: True or False: According to the DoD Chief Information Officer (CIO), DoD components are required to use the Defense Information Systems Agency (DISA) to acquire cloud services.

Team 2: The _____________ provided cloud services must be considered as part of the Enterprise IT Business Case Analysis (BCA) performed by the Component for cloud services.

Team 3: The __________________________ is intended to give cloud providers a stable security requirement, and to help DoD cloud customers move more rapidly and securely into the cloud.

Team 4: Which of the following is NOT a benefit of cloud computing per the DoD Cloud Computing Strategy? De-coupled from private sector innovation; Enables improved asset utilization; Allows for near-instantaneous increases and reductions in capacity; Shifts focus from asset ownership to service management

Team 5: According to the DoD Cloud Computing Strategy, what are the three areas DoD can benefit from by moving to cloud computing?

Page 5

In-Class Quiz (answers)

Team 1: True or False: According to the DoD Chief Information Officer (CIO), DoD components are required to use the Defense Information Systems Agency (DISA) to acquire cloud services.

Team 2: The DISA provided cloud services must be considered as part of the Enterprise IT Business Case Analysis (BCA) performed by the Component for cloud services.

Team 3: The DoD Cloud Computing Security Requirements Guide is intended to give cloud providers a stable security requirement, and to help DoD cloud customers move more rapidly and securely into the cloud.

Team 4: Which of the following is NOT a benefit of cloud computing per the DoD Cloud Computing Strategy? De-coupled from private sector innovation; Enables improved asset utilization; Allows for near-instantaneous increases and reductions in capacity; Shifts focus from asset ownership to service management

Team 5: According to the DoD Cloud Computing Strategy, what are the three areas DoD can benefit from by moving to cloud computing? Agility, Innovation and Efficiency

Page 6

Lesson Overview

Lesson Plan

• Cloud Laws, Policies, Guidance and Standards
• Cloud Basics and Benefits
• Cloud Computing Definition
• Concerns with using Cloud
• Using the Cloud (Assessment & Authorization)
• Exercise

HOMEWORK

Page 7

DoD Cloud Computing

Latest Policies – Federal CIO Council Cloud Smart

• Latest DoD Cloud Strategy – December 2018

"Today, the Department is largely constrained by physical resources, manpower limitations, organic skillsets and, oftentimes, laborious contracting processes to procure or grow storage and computing capabilities. In addition, the cyberspace domain continues to be an increasingly contested environment. In order for the U.S. to keep its strategic advantage, warfighters and the force that supports them need to be provided with the proper capabilities and technologies to succeed."

Page 8

DoD Cloud Computing

Latest Policies – Federal CIO Council Cloud Smart

• Cloud Smart replaces Cloud First – posted 25 June 2019

Three key pillars of successful cloud adoption: security, procurement, and workforce.

Page 9

DoD Cloud Computing

Latest Policies – Federal CIO Council Application Rationalization Playbook

This playbook is a practical guide for application rationalization and IT portfolio management under Cloud Smart. DoD is creating its own Apps Rationalization Strategy/Plan.

Page 10

DoD Cloud Computing

Latest Policies – Federal CIO Council Application Rationalization Playbook

Page 11

DoD Cloud Computing

Latest Policies – Federal CIO Council Application Rationalization Playbook

Page 12

DoD Cloud Computing

Latest Policies – Where is the DoD with Apps Rationalization?

December 13, 2018 Findings: Services reviewed did not consistently rationalize their software applications. (Army not assessed because they did their own audit.)

"Although the Marine Corps divisions and the Navy commands had a process in place to prevent duplication when purchasing software applications, the Air Force did not. In addition, the U.S. Fleet Forces Command was the only command we reviewed that had a process in place for eliminating duplicative or obsolete software applications it owned. Furthermore, none of the commands or divisions we reviewed maintained accurate software inventories to facilitate that process."

Page 13

DoD Cloud Computing

Latest Policies – Where is the DoD with Apps Rationalization (March 2019)?

Page 14

DoD Cloud Computing

Latest Policies – DoD OT&E Memo

• Enterprise Cloud Adoption – Operational Test Considerations – signed 1 Oct 2018

Page 15

Lesson Overview

Lesson Plan Status

• Cloud Laws, Policies, Guidance and Standards
• Cloud Basics and Benefits
• Cloud Computing Definition
• Concerns with using Cloud
• Using the Cloud (Assessment & Authorization)
• Exercise

Page 16

Official DoD Definition of Cloud Computing

NIST Special Publication 800-145

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Page 17

DoD Cloud Computing

Cloud Adoption History

TIMELINE: DoD Cloud Adoption History

• 2010 – 25 Point Implementation Plan to Reform Federal IT Management
• 2012 – DoD Cloud Strategy
• 2015 – DoD Cloud Computing Security Requirements Guide (SRG)
• 2017 – DEPSECDEF creates Cloud Executive Steering Group (CESG)
• 2018 – CESG/DoD releases RFP for DoD Enterprise Cloud Contract (JEDI)

Page 18

The Composition of the Cloud

NIST Special Publication 800-145

• The "Cloud" is composed of:
- five essential characteristics,
- three service models,
- four deployment models

Page 19

5 Essential Cloud Characteristics

NIST Special Publication 800-145

• According to NIST Special Publication 800-145, the cloud model is composed of five essential characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
- Location independence
• Rapid elasticity
• Measured service

Page 20

5 Essential Cloud Characteristics

Term: Definition

On-demand self-service: Users are able to provision cloud computing resources without requiring human interaction, mostly done through a web-based self-service portal (management console).

Broad network access: Cloud computing resources are accessible over the network, supporting heterogeneous (i.e., dissimilar) client platforms such as mobile devices and workstations.

Resource pooling: Serve multiple customers from the same physical resources by securely separating the resources at the logical level (virtual separation).

Rapid elasticity: Resources are provisioned and released on demand and/or automatically based on triggers or parameters, so that the application has the capacity it needs at any point in time.

Measured service: Resource usage is monitored, measured and reported (billed) transparently based on utilization. In short, pay for use.

Page 21

How to determine if offering is "Cloud"

On-Demand Self-Service
Can the computing capability be provisioned without human interaction with the Cloud Service Provider (CSP)?
____ YES ____ NO
If Yes, what level?
____ Option A) Fully automated service provisioning
____ Option B) The Cloud Service Customer (CSC) uses an automated interface to request and track the service, but the CSP may use manual labor to provision the service.

Broad Network Access
Is the computing capability available from a wide range of locations using standard protocols?
____ Option A) Available over the Internet using internet protocols
____ Option B) Available over a network that is available from all access points the CSC requires

Resource Pooling
Can two or more CSCs use a single cloud service where the resources are shared based on a multi-tenant model?
____ YES ____ NO

Page 22

How to determine if offering is "Cloud" (cont.)

Resource Pooling (cont.)
Can the resources be assigned and reassigned according to CSC demand?
____ YES ____ NO

Rapid Elasticity
Can the computing capabilities be "rapidly" provisioned and released to scale?
____ YES ____ NO
____ Option A) Resource allocation modification is automated and near-real-time (within five minutes).
____ Option B) Not fully automated, but fast enough to support the requirements of the CSC.

Measured Service
Are the cloud service characteristics, including resource usage, measured?
____ YES ____ NO
____ Option B) Cloud services and/or resource usage are measured with enough detail to support the requirements of the CSC.

Page 23

The 3 Cloud Service Models

• Infrastructure as a Service (IaaS)
- Compute, storage, and networking capability
• Platform as a Service (PaaS)
- Deploy customer-created applications to a cloud
• Software as a Service (SaaS)
- Use provider's applications over a network
• To be considered "cloud", the cloud service models must be deployed on top of cloud infrastructure that has the key characteristics.

Page 24

Infrastructure as a Service (IaaS)

• Provisioning processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
• The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Page 25

Platform as a Service (PaaS)

• Deploying onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
• The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Page 26

Software as a Service (SaaS)

• Using the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface.
• The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Page 27

Management Responsibilities with the 3 Cloud Service Models

• Cloud services offer a way for the DoD to lower costs, improve performance, increase utilization and security, and take advantage of commercial innovation.

[Figure: management responsibilities compared across Traditional Hosting (not cloud) and the three cloud service models]

Page 28

Pizza as a Service

Page 29

The 4 Cloud Deployment Models

NIST Special Publication 800-145

Cloud services can be deployed in different ways depending on the customer's specific needs, such as security, privacy, and cost.

1. Public cloud
2. Private cloud
3. Community cloud
4. Hybrid cloud

Page 30

Public Cloud Deployment Model

• Public cloud infrastructures operate in a multi-tenant environment whose resources are allocated for the general public.
• Public clouds tend to be large and provide economies of scale for their customers.
• Security and privacy concerns are heightened because any individual or organization can potentially access the same cloud infrastructure.
• Only DoD information that has been approved for public release should be placed on a public-facing website.

Page 31

Private Cloud Deployment Model

• Private cloud infrastructures are operated only for an individual organization (single tenant).
• The organization can leverage the scalability and performance aspects of cloud computing, but the infrastructure is isolated from that of other organizations, improving security and privacy.
• Because of their specialized nature, private clouds could potentially be as costly as dedicated data centers.
• For example, the DoD has a private cloud, milCloud, which is operated by DISA.

Page 32

Community Cloud Deployment Model

• Community cloud infrastructures are private clouds provisioned for a specific community of interest with shared concerns, such as a government-only cloud.
• The community cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
• Community clouds may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and may exist on or off premises.
• Amazon GovCloud is an example of a community cloud that is available to Federal, State and Local Governments.

Page 33

Hybrid Cloud Deployment Model

• Hybrid cloud infrastructures are combinations of any two or more of the other cloud deployment models.
• This model will be the most prevalent model for the DoD given its strategy to aggressively pursue the competitive acquisition and use of commercial cloud service offerings and the understanding that "one cloud" will not meet all the unique requirements of the DoD.
• One example of hybrid cloud is its use in the Development – Test – Production software lifecycle.

Page 34

Lesson Overview

Lesson Plan Status

• Cloud Laws, Policies, Guidance and Standards
• Cloud Basics and Benefits
• Cloud Computing Definition
• Concerns with using Cloud
• Using the Cloud (Assessment & Authorization)
• Exercise

Page 35

DoD Cloud Acquisition Guide Exercise

• Released 23 January 2019 – updated April 2019 (Hearn)

1. Google DAU.mil/tools.
2. Select the DoD Cloud Acquisition Guidebook (DCAG). Select Launch Tool.
3. Perform the following:

Group 1: Summarize Activity (3.2.1.1); ensure you discuss the purpose of IT BCAs
Group 2: Summarize Activity (3.2.1.2)
Group 3: Summarize Activity (3.2.1.3)
Group 4: Summarize Activity (3.2.1.4)
Group 5: Summarize Activity (3.2.1.5)

ALL TEAMS – Identify 2-3 significant items from Chapter 4 that you think people should know about. Summarize the items and explain why they matter.

Take 30-40 minutes to work. Brief out 5-7 minutes.

Page 36

DoD's Concerns of Using Cloud Services

• Data Security
- Location of DoD data
- Comingling of DoD data with other customers' data
- Physical security of data center
- "Noisy Neighbor"
• Latency
- Network congestion/bandwidth availability
- Remote cloud data centers
• Unanticipated costs
- Network upgrades to maintain performance (increased bandwidth demands)
- Strict security requirements (e.g., Private vs Public)
• Cybersecurity: Protecting the Defense Information Systems Network (DISN)
- The DISN is critical infrastructure for the DoD mission

Page 37

DISN, DoDIN; what's the diff?

The DISN comprises the protected networks, which include NIPRNet, SIPRNet, or other DISN-based mission partner/Community of Interest networks.

• Joint Publication 1-02 states:
- Defense Information Systems Network (DISN) - The integrated network, centrally managed and configured by the DISA to provide dedicated point-to-point, switched voice and data, imagery, and video teleconferencing services for all Department of Defense activities.
- Department of Defense Information Network (DoDIN) - The set of information capabilities, and associated processes for collecting, processing, storing, disseminating, and managing information on-demand to warfighters, policy makers, and support personnel, whether interconnected or stand-alone, including owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and national security systems.

Page 38

Cybersecurity is a Concern when using Cloud Services

• With respect to cloud computing, "Mission" refers to the information systems and function for which a DoD entity acquires or uses a cloud service.
• The Mission Owner must consider Risk to Data (referred to as Information Impact Level) and Risk to the DISN.
• Risk to Data
- Loss of Confidentiality, Integrity and Availability (CIA)
• Risk to DISN
- Loss of CIA of data on DISN
- Loss of availability of DISN

Page 39

Service Level Agreement (SLA) Considerations

The following is a list of common service objectives that need to be addressed in an SLA. As a first example (below), the service objective Restoration of Service was selected and described. A NIST-led working group is developing standards and definitions to assist US Government acquirers in writing low-risk SLAs.

● Restoration of Service
● Notification
● Availability
● Performance
● Information Security (SRG on IASE)
● Data Management
● Service Support
● Termination of Service
● Business Continuity
● Configuration Management

Example service objective (SO):
SO name: Restoration of Service
Definition: Time to regain full operational and functional restoration of service
Rules: CSP required to notify customer by email, phone, SMS. CSP required to monitor (cf. availability metric). CSP must monitor at CSP interface.
Exceptions: Does not include scheduled maintenance agreement, unless otherwise notified.
Criticality Rules: Monitoring interval less than 2 minutes

Page 40

Lesson Overview

Lesson Plan Status

• Cloud Laws, Policies, Guidance and Standards
• Cloud Basics and Benefits
• Cloud Computing Definition
• Concerns with using Cloud
• Using the Cloud (Assessment & Authorization)
• Exercise

Page 41

Cloud Service Providers and Offerings

• Types of cloud services
- Commercial
- DoD
- Non-DoD (e.g., Federal, DHS)
• Cloud Service Provider (CSP)
- A company or organization that offers some component of cloud computing (i.e., IaaS, PaaS, or SaaS) to other businesses, organizations or individuals.
• Cloud Service Offering (CSO)
- The deployed cloud computing service(s) (i.e., IaaS, PaaS, or SaaS)

Page 42

Using the Cloud

• The DoD Chief Information Officer's memo from December 2014 identified 5 activities when acquiring cloud services:
1. Perform an IT business case analysis
2. Apply the DoD Cloud Computing Security Requirements Guide
3. Use commercial cloud services that have a DoD Provisional Authorization and obtain a Component Authority to Operate
4. Use an approved DoD Boundary Cloud Access Point (BCAP) and Cyber Security Service Provider (CSSP) to protect sensitive data
5. Apply the Defense Federal Acquisition Regulation Supplement Interim Rule to commercial cloud contracts

Page 43

DoD Cloud Acquisition Guide Exercise

This exercise is intended to have the students research and brief the five activities for the Cloud IT BCA.

Use the DoD Cloud Acquisition Guidebook (DCAG) for this exercise. Released 23 January 2019 – updated April and November 2019.

Instructions:
1. Google DAU.mil/tools.
2. Select the DoD Cloud Acquisition Guidebook (DCAG).
3. Select Launch Tool.
4. Perform the following:

Team 1: Summarize Activity (3.2.1.1); ensure you discuss the purpose of IT BCAs
Team 2: Summarize Activity (3.2.1.2)
Team 3: Summarize Activity (3.2.1.3)
Team 4: Summarize Activity (3.2.1.4)
Team 5: Summarize Activity (3.2.1.5)

ALL TEAMS – Identify 2 significant items from Chapter 4 that you think people should know about. Summarize the items and explain why they matter.

Page 44

Activity 1 - Performing the IT Business Case Analysis (BCA)

• Keep in mind that a BCA is not a requirements validation process. The purposes of the BCA are as follows:
- Ensure a consistent approach in IT investment analysis.
- Facilitate comparison of alternatives.
- Clearly define expected costs, benefits, operational impacts, and risk.
• The major components of a BCA are:
- Cost and economic viability
- Requirement satisfaction/completeness
- Operational benefit (qualitative)
- Risk assessment
- Conclusions and recommendations
- Balance cost effectiveness with operational benefit
- Funding type and sources

Page 45

Activity 1 - Performing the IT BCA

• Each use of cloud services must complete an Enterprise IT Business Case Analysis (BCA).
• The BCA must be approved by the Component CIO, or designee, with a copy submitted to the DoD CIO.
- Follow Component direction on completing the BCA.
• DISA provided services must be considered as an alternative in the BCA.

Life Cycle Cost Comparison (dollars in millions)

Alternative      Prior  FY15  FY16  FY17  FY18  FY19  FY20  FY21  To Complete  LCCE  Lowest LCC$
Alternative 1    $_     $_    $_    $_    $_    $_    $_    $_    $_
Alternative 2
Alternative 3

Page 46

Activity 2 - Apply the DoD Cloud Computing SRG

• All DoD data is important, but not all data needs to be equally protected.
• Information Impact Levels (IILs) consider the potential impact should the confidentiality and integrity of the information be compromised.

Page 47

Federal Risk and Authorization Management Program (FedRAMP)

• For cloud products and services used by the Federal Government, FedRAMP is a program that provides a standardized approach to:
- Security assessment
- Authorization
- Continuous monitoring
• OMB policy requires Federal departments and agencies to use FedRAMP approved Cloud Service Providers (CSPs) and share Agency ATOs with the FedRAMP Secure Repository.
- "Do Once, Use Many Times"
- https://www.fedramp.gov/marketplace/compliant-systems/

Page 48

FedRAMP+ and DoD Provisional Authorization

• FedRAMP+ is the concept used in order to meet and assure DoD's critical mission requirements.
- Leverages the FedRAMP assessment
- Adds specific security controls and requirements
• A DoD Provisional Authorization (PA) is an acceptance of risk based on an evaluation of the CSP's Cloud Service Offering (CSO) and the potential for risk introduced to the DISN.
• DoD PAs are granted by DISA to the CSP for a CSO, not for a CSP.
- If a CSP's CSO (e.g., SaaS) leverages another CSP's CSO (e.g., IaaS), then the DoD PA for the former includes inherited compliance for the latter.

Page 49

Activity 3 – Use Commercial CSPs with DoD PAs and Obtain an Authority to Operate

• Each CSO must be granted a DoD PA in order to host DoD mission systems
• CSOs possessing a DoD PA are listed in the DoD Cloud Service Catalog
• The responsible Authorizing Official leverages the DoD PA information, supplemented with an assessment of the risks within the Mission Owner's responsibility, in granting an Authorization to Operate (ATO)
• Authorizing Officials use the Risk Management Framework to issue an ATO

Page 50

Activity 4 – Use a DoD BCAP and CSSP (1 of 2)

• A DoD Boundary Cloud Access Point (BCAP) is a system of network boundary protection and monitoring devices, otherwise known as an Information Assurance stack, through which CSP infrastructure and networks will connect to the DISN
• With Controlled Unclassified Information data (IIL 4 & 5), a BCAP is required between the DISN and the CSO
• The BCAP is used to protect the DISN, and the systems, information and users residing on it, from attacks that may be launched from within a compromised CSO, and to facilitate protected connections between users on a DoD network and systems/applications on the CSO

Page 51

Activity 4 – Use a DoD BCAP and CSSP (2 of 2)

• DoD BCAPs will provide the following generalized functions:
  - Intrusion Detection/Intrusion Protection
  - Data Loss Prevention
  - Full Packet Capture
  - Network Routing/Switching
  - Network Access Control to CSPs
  - Next Generation Firewall
  - Application Firewall
• The Cyber Security Service Provider (CSSP) provides cyber security services and Command and Control direction addressing the protection of the network, detection of threats and response to incidents
• DoD PMs must ensure that CSSP processes are in place and functional prior to any transition to or use of a CSO

Page 52

Activity 5 – Apply the DFARS Interim Rule for Cloud Services

• DoD issued an interim rule amending the DFARS to implement a section of the FY13 and FY15 National Defense Authorization Acts
  - Requires contractor reporting on network penetrations
  - Implements DoD policy on the purchase of cloud computing services
• DFARS, Subpart 239.76 Cloud Computing
  - Policy and Responsibilities
  - Required storage of data within the US or outlying areas
  - Solicitation provision and contract clauses (252.239-7010)

Page 53

Required Storage of Data within the US

• The contractor shall maintain within the United States or outlying areas all government data that is not physically located on DoD premises, unless the contractor receives written notification from the contracting officer to use another location.
• The contractor shall provide the government with a list of the physical locations which may contain government data within 20 days. Updates are required on a quarterly basis.

Page 54

Storing Data in Non-US Locations

• The U.S. government restricts the transfer of sensitive or classified data (such as sensitive technology information and information that could potentially affect operational security) to locations outside of the control of U.S. companies or the U.S. government
• There are specific rules for the locations of data processing centers based on the IIL of the data:
  - IIL 2 and 4 must be hosted at locations in the U.S., U.S. territories, or on DoD premises per the Status of Forces Agreement (SOFA) unless the location is authorized by the AO
  - IIL 5 must be hosted at locations in the U.S., U.S. territories, or on DoD premises per the SOFA
  - IIL 6 must be hosted at locations authorized for classified processing
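The hosting-location rules by IIL above, the BCAP requirement for IIL 4 and 5 data from the Activity 4 slides, the CSSP precondition, and the 20-day/quarterly data-location reporting obligation from the DFARS slide can be written down as a pre-ATO checklist that a Mission Owner runs against a proposed deployment. The following is an added example and is not part of the ISA 201 course material or any DoD tool: the `Deployment` fields, the location category labels, the sample deployments, and the reading of "quarterly" as 90 days are all assumptions of this example.

```python
"""Pre-ATO hosting and boundary checklist for a DoD cloud service offering (CSO).

Added example, not from the ISA 201 course. It encodes the slide rules:
  - IIL 2 and 4: U.S., U.S. territories or DoD premises (SOFA), unless the AO
    authorizes another location
  - IIL 5: U.S., U.S. territories or DoD premises (SOFA), no AO exception
  - IIL 6: a location authorized for classified processing
  - IIL 4 and 5 (CUI): a DoD BCAP between the DISN and the CSO
  - CSSP processes in place before any transition to or use of the CSO
  - Contractor data-location list due within 20 days, updated quarterly
Field names, location labels and sample data are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional

# Location categories (constructed labels, not DoD terminology).
US = "us"
US_TERRITORY = "us_territory"              # U.S. territories / outlying areas
DOD_PREMISES_SOFA = "dod_premises_sofa"    # DoD premises abroad under a SOFA
FOREIGN = "foreign"                        # any other location
CLASSIFIED_FACILITY = "classified_facility"  # authorized for classified processing

DOMESTIC = {US, US_TERRITORY, DOD_PREMISES_SOFA}

LOCATION_LIST_DUE_DAYS = 20   # stated on the DFARS slide
UPDATE_INTERVAL_DAYS = 90     # "quarterly" taken as 90 days: an assumption here


@dataclass
class Deployment:
    name: str
    iil: int                                 # Information Impact Level: 2, 4, 5 or 6
    location: str                            # one of the location labels above
    ao_authorized_location: bool = False     # AO authorized a non-domestic location
    bcap_between_disn_and_cso: bool = False  # DoD BCAP sits between DISN and CSO
    cssp_in_place: bool = False              # CSSP processes in place and functional


def check_deployment(d: Deployment) -> List[str]:
    """Return a list of findings; an empty list means no rule on the slides is violated."""
    if d.iil not in (2, 4, 5, 6):
        return [f"unknown IIL {d.iil}"]
    findings: List[str] = []

    # Hosting-location rules ("Storing Data in Non-US Locations")
    if d.iil in (2, 4):
        if d.location not in DOMESTIC and not d.ao_authorized_location:
            findings.append(f"IIL {d.iil} data hosted outside U.S./territories/DoD premises "
                            "without AO authorization")
    elif d.iil == 5:
        # Unlike IIL 2 and 4, the slide gives no AO exception for IIL 5.
        if d.location not in DOMESTIC:
            findings.append("IIL 5 data must be hosted in U.S./territories/DoD premises "
                            "(no AO exception)")
    else:  # IIL 6
        if d.location != CLASSIFIED_FACILITY:
            findings.append("IIL 6 data must be hosted at a location authorized "
                            "for classified processing")

    # BCAP requirement for CUI ("Activity 4 - Use a DoD BCAP and CSSP")
    if d.iil in (4, 5) and not d.bcap_between_disn_and_cso:
        findings.append("CUI (IIL 4/5): a DoD BCAP is required between the DISN and the CSO")

    # CSSP must exist before transition to or use of the CSO
    if not d.cssp_in_place:
        findings.append("CSSP processes must be in place and functional before using the CSO")
    return findings


def location_report_findings(days_since_award: int,
                             days_since_last_update: Optional[int] = None) -> List[str]:
    """Check the contractor's data-location reporting obligation (DFARS slide)."""
    findings: List[str] = []
    if days_since_last_update is None:
        if days_since_award > LOCATION_LIST_DUE_DAYS:
            findings.append("initial list of physical locations overdue (due within 20 days)")
    elif days_since_last_update > UPDATE_INTERVAL_DAYS:
        findings.append("quarterly update of physical locations overdue")
    return findings


if __name__ == "__main__":
    # Constructed sample deployments for the example.
    samples = [
        Deployment("unclass web app", 2, US, cssp_in_place=True),
        Deployment("CUI SaaS, AO-approved site", 4, FOREIGN, ao_authorized_location=True,
                   bcap_between_disn_and_cso=True, cssp_in_place=True),
        Deployment("CUI IIL5 abroad", 5, FOREIGN, ao_authorized_location=True,
                   bcap_between_disn_and_cso=True, cssp_in_place=True),
        Deployment("classified workload", 6, US, cssp_in_place=True),
    ]
    for dep in samples:
        print(dep.name, "->", check_deployment(dep) or ["no findings"])
    print("location report:", location_report_findings(25) or ["on time"])
```

The IIL 5 sample deliberately carries an AO authorization to show that it does not lift the domestic-hosting rule the way it does for IIL 2 and 4; that asymmetry is the easiest detail to get wrong when the rules are read quickly.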

Page 55

Additional Considerations for Using the Cloud

• The DoD Program Manager needs to understand and perform additional activities when acquiring cloud services
  1. Consider key skills needed for a successful deployment
  2. Protect DoD Equities in cloud contracts and Service Level Agreements
  3. Complete Cloud Service Offering funding reporting responsibilities, e.g., SNaP-IT, Budget 300 Exhibits 53A/C
  4. Plan for Close-Out and Transition

Page 56

Lesson Overview - Lesson Plan Status

• Cloud Laws, Policies, Guidance and Standards
• Cloud Basics and Benefits
• Cloud Computing Definition
• Concerns with using Cloud
• Using the Cloud (Assessment & Authorization)
• Exercise

Page 57

Summary

Today we learned to:

Overall: Given a DoD IT/SW Acquisition, apply cloud acquisition best practices to obtain cloud services.

• Identify the basic terms of Cloud Computing
• Recognize the five (5) essential characteristics of a cloud service.
• Recognize characteristics of the three (3) NIST-defined Cloud Service Models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
• Recognize the four (4) Cloud Deployment Models: public, private, community and hybrid cloud deployment models (NIST).
• Describe some DoD Concerns of Using Cloud Services.
• Recognize the steps and considerations for obtaining Cloud services.
• Describe the problems with Legacy software applications and Cloud.

