DOD's testing chief wants cloud contracts to allow for more security checks

The Defense Department's chief weapons testing body is recommending cloud contracts be renegotiated to better account for cybersecurity risks and needs at a time when the reliance on the infrastructure expands to assist with daily work needs and key initiatives such as data analytics and artificial intelligence use, according to a recent report. 

The Office of the Director, Operational Test and Evaluation (DOT&E) wrote in its annual report for fiscal 2021, which was released Jan. 27, that the organization will continue to work with cloud service providers to understand how cyber risks to commercial cloud infrastructure can affect DOD – which should renegotiate existing contracts to include independent assessments. 

"The DOD increasingly uses commercial cloud services to store highly sensitive, classified data, but current contracts with cloud vendors do not allow the DOD to independently assess the security of cloud infrastructure owned by the commercial vendor, preventing the DOD from fully assessing the security of commercial clouds," the report states. 

"The DOD should renegotiate contracts and establish requirements for future contracts with commercial cloud providers that enable the DOD to perform independent and threat-representative cybersecurity assessments of cloud infrastructure which hosts critical DOD capabilities." 

The findings come months after Nickolas Guertin, who leads DOT&E, told Congress that the inability of DOD to make independent cyber assessments of commercial cloud infrastructure "a severe limitation" and that "the only way to test whether a system can withstand an actual cyberattack is to actually conduct such an attack on the system in a test environment," during his confirmation hearing in October. 

More generally, a Government Accountability Office report released last March found that DOD's acquisitions contracts for weapons systems were often missing or had vague cybersecurity requirements, which often yielded a system that didn't meet security needs.

The DOT&E's report also recommended DOD conduct operational testing of cyber tools before they're deployed, like those used for endpoint security, to assess effectiveness, usability, and potential vulnerabilities – which could help determine a return on investment.

"Adequate testing of cyber capabilities will require operational environments for both on-premises and cloud-based architectures, with up-to-date catalogs of threats and malware, fielded versions of the endpoint systems, and well-planned tests," the report states. "Rigorous testing would allow the use of new malware with existing software to determine how well a current defensive cyber tool reacts to zero-day vulnerabilities."