Software Engineering Institute

The adoption of commercial cloud technology as a virtual replacement for physical data centers represents an organizational cultural shift beyond just the adoption of a new technology. There are significant benefits from moving to a computing platform that is (1) provided by an organization dedicated to technology management, which can be scaled quickly, (2) maintained at the highest level of technology at a lower cost, and (3) widely accessed without geographic limitations. But with these benefits come significant implications for operations, cybersecurity, and compliance. Major decisions that impact the availability, testability, and auditability of systems are established in the contracting phase with the cloud provider. Options for visibility into cybersecurity controls, including available analysis tools, are inherited by programs from the provisions structured by acquisition and are no longer fully within a program’s control. How will a program office address its responsibilities for cybersecurity when monitoring and testing can no longer be performed directly on the equipment used by a system? While it may be easy to confirm that operational and cost objectives are being met, commercial cloud environments require new ways of confirming that cybersecurity risks are being managed.