U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


  1. Home
  2. Cloud Computing: A Primer

Cloud Computing: A Primer


Alternate Definition
The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The Department of Defense adopted the NIST definition of Cloud.
General Information

According to the NIST Special Publication 800-145, the Cloud model is composed of five essential characteristics, three cloud service models and four cloud deployment models.

The five essential characteristics are encapsulated in the definition of cloud. The characteristics are:

  • On-demand self service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service

The three cloud service models are:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

You may see other products or services that are marketed "as a Service," but those are not considered part of cloud computing by the Department of Defense.

What is Infrastructure as a Service (IaaS)? IaaS is the basic resources of a modern information technology infrastructure. It provides the compute, storage and networking capabilities on which a user can develop and deploy their software, which can include operating systems and software applications. The consumer is not able to manage or control the underlying cloud infrastructure.

What is Platform as a Service (PaaS)? PaaS is built upon the IaaS and consists of the operating systems, programming languages, libraries, services and tools. These services are supported by the cloud provider. The consumer does not manage of control the underlying cloud infrastructure nor the operating systems, but does have control over the deployed applications and possibly the configuration settings for the application-hosting environment.

What is Software as a Service (SaaS)? SaaS is built upon the PaaS and provides an entire capability to a user. The consumer uses the cloud provider's applications running on the cloud infrastructure. The applications provided by the cloud provider are accessible from various client devices or platforms through either a thin client interface, such as a web browser or a program interface. The consumer does not manage or control the underlying cloud infrastructure, operating systems or even individual applications, although they may have access to limited user-specific application configuration settings.

The four cloud deployment models are:

  • Public
  • Private
  • Community
  • Hybrid

An example of a Public cloud is Google Drive. As a user of Google, you can sign up for a Gmail account and get file storage capability without any human interaction on Google's part. Your files that are stored in Google Drive are comingled with other Google user's, albeit virtually separated.

An example of a Private cloud is the Defense Information Systems Agency's milCloud. milCloud offers Department of Defense customers the ability to store data, host operating systems or run applications on a dedicated infrastructure for the Department of Defense.

An example of a Community cloud is Amazon's GovCloud. The Amazon offering is reserved specifically for Federal, State and local governments.

A Hybrid cloud is a combination of two or more of the other cloud deployment models. The Private, Public or Community models are connected but each retain their own deployment characteristics.

According to Enclosure 11, Requirements Applicable to all Programs Containing Information Technology, of DoD Instruction 5000.02, Operation of the Defense Acquisition System, cloud computing services can deliver more efficient IT than traditional acquisition approaches. Therefore, program managers will acquire DoD or non-DoD (i.e., commercial or Federal) cloud computing services when the business case analysis determines that the approach meets affordability and security requirements. Furthermore, program managers will ensure that cloud services are implemented in accordance with DISA provided Cloud Computing Security Requirements Guidance; and will only use cloud services that have been issued both a DoD Provision Authorization by DISA and an Authority to Operate by the Component's Authorizing Official. In addition, non-DoD cloud services used for sensitive data must be connected to customers through a Boundary Cloud Access Point that has been approved by the DoD CIO. Program managers report cloud service funding investments through the submission of the Office of Management of Budget (OMB) Exhibit 53 in accordance with OMB Circular A-11.

The DoD Chief Information Officer issued updated guidance on the acquisition and use of commercial cloud computing services in December, 2014. In this clarified guidance, the DoD CIO states:

  • DoD components may acquire cloud services directly. It is no longer a requirement to use DISA for the acquisition of cloud computing services.
  • Each Component remains responsible for determining what data and missions are hosted by external cloud service providers per the following direction
  • Each use of cloud services must be analyzed using the Enterprise IT Business Case Analysis (BCA) template. The BCA must be approved by the Component CIO and a copy submitted to the DoD CIO. DISA provided cloud services must be considered as part of the BCA.
  • The Federal Risk Authorization and Management Program (FedRAMP) will serve as the minimum security baseline for all DoD cloud services. Per current policy, components may host Unclassified DoD information that has been publicly released on FedRAMP approved cloud services.
  • For more sensitive DoD unclassified data or mission, DoD has developed cloud security requirements and guidance that go beyond FedRAMP. The DoD Cloud Computing Security Requirements Guide is intended to give cloud providers a stable security requirement, and to help DoD cloud customers move more rapidly and securely into the cloud.