The Department of Defense is in discussion with leaders of the commercial IT sector on how to update regulations governing cloud computing security demands for the private sector, reports Federal News Radio.
The Cloud Security Requirements Guide, which has not been updated in nearly three years, serves as a protocol companies must abide by if they want to host or process DoD data at various security levels.
Representatives from the DoD CIO's office hosted two sessions within the last 60 days with cloud firms to discuss ways of modernizing the department's approach to cloud security. The goal of the sessions is to make the agency's security demands less specific and prescriptive.
"I think we'll have to, and this isn't strictly about cloud," Essye Miller, the deputy DoD CIO for cybersecurity, told Federal News Radio. "If you look at what we did with [EHRs] as we worked with Cerner and Leidos, both from an industry and government perspective, the lessons learned were that there were adjustments to be made on both ends. We are typically more stringent when industry offers innovation that we may not have explored. So my word of encouragement to folks who work in our security business is balance. How do we strike a balance between our security controls and the experience that industry brings to bear?"