John Nemoto

Vice-President, CGI Federal

In the past year or so, the U.S. Department of Defense (DoD) has made a number of changes to make it easier for DoD agencies to buy cloud services, including accepting some additional risk for less mission-critical data.

The Defense Information Systems Agency (DISA) and the DoD Chief Information Officer also have published a cloud security requirements guide (SRG) to provide more standardized definitions across the Department to facilitate cloud adoption.

A recent news release stated, “As DISA advances cloud capabilities for the Department of Defense (DOD), it embraces the opportunities to use commercial cloud solutions to reduce operational costs, release available resources, enhance standardization, and increase agility and responsiveness to the changing needs of mission partners.” While there is a sense of momentum and excitement across the DoD about moving to the cloud, the emerging model of doing so faces numerous challenges, such as:

  • Lack of a unified model for deploying continuous monitoring across hybrid cloud environments
  • Authorization processes that are not easily replicated across commercial cloud services providers (CSPs)
  • Fragmented and non-standard security reporting processes between organizations and CSPs
  • Lack of risk awareness and single-pane-of-glass visibility for stakeholders
  • Barriers for mission owners to adopt innovative services and technologies from CSPs
  • Cybersecurity approached as an “add on” and not embedded into cloud solutions
  • Inefficient compliance reporting model that results in “sprawl” across CSPs and agencies

Based on our experience as a CSP with provisional authority to operate from both the Federal Risk Management Authorization Program (FedRAMP) and DISA, CGI has developed a framework for enabling secure cloud solutions for DoD mission owners. This framework is based on continuous, repeatable, agnostic, transparent, evolving and secure attributes:

Continuous: A standard model is needed for continuous monitoring in cloud environments. Current continuous monitoring services also need to be integrated to support new hybrid environments.

Repeatable: Repeatable models for implementing commercial cloud solutions are needed and should include cloud-ready continuous monitoring solutions that are rapidly and consistently delivered.

Agnostic: An agnostic cloud provider approach is needed to enable business, technical and security requirements to drive decisions, avoid vendor lock-in, and use advanced decision support models and consultative services to identify optimal solutions.

Transparent: A continuous monitoring model is required for real-time, situational understanding across hybrid cloud provider networks, security postures, performance and spending.

Evolving: The cloud provides unprecedented capabilities to adapt to rapid change in mission and technology, so agencies need to adopt and integrate new services available from CSPs quickly and easily.

Secure: A cybersecurity layer must be embedded to ensure control in a “borderless” enterprise.

Through such a security framework, DoD agencies and other government organizations can build a comprehensive layer of defense designed to secure their cloud-based IT portfolios.

CGI offers a unique combination of cloud and cybersecurity expertise, along with our CGI Unify360 hybrid IT management suite and CGI AssureIQ risk-based approach to continuous monitoring, to support our federal government clients’ move to the cloud.  

This graphic depicts CGI’s optimal hybrid IT security compliance reporting model.

About this author

As a senior cloud and cybersecurity expert, John Nemoto brings over 25 years of experience implementing mission critical systems in the public and private sector.