Guidance for Department of the Air Force Access to Software as a Service

MEMORANDUM FOR MAJCOMs, FLDCOMs, DRUs, HAF DISTRIBUTION C
FROM: SAF/CN - 22 May 2023
SUBJECT: Guidance for Department of the Air Force Access to Software as a Service
References:

  • (a) SAF/CN Memorandum, "Migration Guidance for Department of the Air Force Enterprise Cloud Services", 21 June 2021
  • (b) National Institute of Standards and Technology (NIST) Special Publication 800-145 The NIST Definition of Cloud Computing

For the Department of the Air Force to maintain its warfighting advantage and to drive organizational efficiency and effectiveness, it must take advantage of commercial software products in addition to the innovative capabilities that are developed by program offices, software factories, operational wings, and others. To accomplish this, organizations must be able to rapidly secure and host Software as a Service (SaaS) capabilities in accredited environments.

Per guidance in reference (a), all DAF organizations were mandated to transition workloads to Cloud One in order to “streamline and phase out program specific cloud data services.” This effort is still in progress and is proving extremely successful for legacy application transformations, in-house built technologies, and bespoke applications, but the complex, heterogeneous nature of commercial SaaS requires more cloud landing zones. Therefore, this memorandum is intended to provide clarity on how DAF users can access current and future SaaS.

SaaS is defined by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-145 (b) as a cloud service model where “the consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings”. Examples of SaaS within the DAF are SalesForce and ServiceNow. DAF organizations should ensure they acquire SaaS services through authorized contracting channels only.

Migrating from a data center to a SaaS platform provides significant benefits: savings from reduced upfront and ongoing infrastructure costs, scalability and growth without infrastructure limitations, accessibility and improved collaboration and productivity, reduced maintenance, streamlined authorizations, and rapid deployment without complex installations or hardware purchases. As a result, IT resources are freed from constraints to focus on other mission areas.

In an effort to accelerate change or lose, I hereby authorize:

  1. Organizations that adopt commercial SaaS should use the most expeditious path to accreditation and production hosting based on unique security, technical, contractual, or budgetary requirements, with options to include, but not limited to, FedRAMP (in coordination with a DoD accrediting official), Cloud One, BESPIN, Platform One’s Party Bus, AFRL’s ODIN, Kessel Run’s ADCP, AFWERX's Game Warden, and Space Systems Command’s ARCUS. Contacts for each provider will be hosted at the SAF/CN Compute and Store SharePoint.
  2. Commercial SaaS hosted in an accredited environment shall be made available for use by DAF and other DoD users at the same impact or classification level, with appropriate identity access management, to reduce the need to host the same applications in multiple clouds.
  3. DAF users may access accredited commercial SaaS, with appropriate identity access management, hosted in other accredited DoD cloud environments, without additional approvals from a DAF accrediting official. Approval is still required for an Authority to Connect applications, systems, and services.
  4. Organizations that build software outside an existing software factory should use the most expeditious path to accreditation and production hosting based on their unique security, technical, contractual, or budgetary requirements, but in accordance with the intent of reference (a), should give first consideration to Cloud One, BESPIN, or Platform One before pursuing other options as stated in paragraph (1).

Transition to shared cloud services and the adoption of commercial technologies are critical to the continued evolution of the Department of the Air Force. Moving quickly, while staying secure, must be foundational to how we operate.
For questions or concerns regarding cloud hosting, please contact the SAF Compute and Store team at saf.cn_compute.and_store_portfolio@us.af.mil.

LAUREN B. KNAUSENBERGER, SES, DAF
Chief Information Officer