The 'secret' is out – how DISA solved the classified cloud challenge for the Department of Defense

By the Office of Strategic Communication and Public Affairs
November 17, 2023

DISA launches the first Microsoft 365 classified cloud in the United States Department of Defense secret environment.

Executing the vision of the Department of Defense operating securely in a cloud space was a seemingly impossible conundrum of connectivity, collaboration and robust security – and the solution required an innovative partnership between the public sector and private industry.

Leveraging the success of the unclassified cloud joint environment, the Defense Information Systems Agency, in collaboration with General Dynamics Information Technology (GDIT) and Microsoft, developed Department of Defense 365-Sec (DOD365-Sec), the first-of-its-kind hyper-scale cloud Software as a Service (SaaS) on a classified mission network.

DISA deployed the highly anticipated DOD365-Sec at the end of May, initially targeting more than 11,000 DISA end users for onboarding into the classified cloud environment. Velocity migrations ramped up over the summer and DISA expects approximately 275,000 migrations into the secret environment by the end of the year.

"DISA is pleased to be leading this first implementation of M365 in the classified environment for the DOD and working with our defense and industry partners to make it happen," says Carissa Landymore, director, DISA Defense Enterprise Office Solutions program, also referred to as DEOS.

DOD365-Sec is the tip of the spear in DISA's efforts to modernize the mission network and supplies industry-leading applications, intelligent cloud services, and world-class security to the DOD and the warfighter. DOD365-Sec is part of DEOS, enabling the department to improve interoperability and enhance cybersecurity across operational boundaries.

"Delivering DOD365-Sec to warfighters is one of DISA's top priorities. It will enable seamless communication, collaboration and sharing of classified material in a way they have never been able to on SIPRNet," says Landymore. "By offering solutions for seamless and secure information sharing across operational boundaries, we're providing warfighters with modern tools that allow them to operate ahead of the adversary and meet their mission anytime, anywhere.” 

The warfighter will have access to the full suite of Microsoft capabilities with DOD365-Sec, including Outlook, OneDrive, SharePoint Online, Teams and Power Platform. 

What about security?

"Secure data is critical to all-domain warfare. There's going to be a lot more security around this capability than what you have in the commercial world. We're putting additional security ... more fence, more guardrails ... around this. We're moving toward data segregation and zero trust as the long-term objective," says Landymore.

DISA is utilizing and testing a regimen of native and third-party capabilities to accomplish data protection and separation in DOD365-Sec. These security resources include an enterprise-wide classification and marking tool (CMT), data separation with attribute-based dynamic groups, and standard purview capabilities including compliance boundaries, eDiscovery, data loss prevention policies, and sensitivity labels. DOD365-Sec is a future enabler for zero trust architectures through single tenancy and single identity.

The multibillion-dollar engine that could

The vehicle making DOD365-Sec a reality is the DEOS 10-year Blanket Purchase Agreement (BPA) between DISA, GDIT, Dell, Minburn, and the Government Services Administration (GSA). The DEOS BPA is a contracting bullet train with an $8 billion engine capable of fast-tracking contracting efforts and getting mission-critical work started and delivered to the station on time.

"The BPA is a powerful tool that our mission partners can utilize to solve problems for the DOD," says Caroline Bean, director, DISA Program Executive Office Joint Enterprise Services. "Because the BPA is a broad-spectrum, long-term, easily accessible contracting vehicle, the potential ahead is nearly limitless."

Mission partners who need next-generation services and capabilities will find the BPA an expedited means to acquire these services. Identity, credential and access management (ICAM), zero trust security, and enterprise architecture are a few of the capabilities covered under the BPA. Likewise, if DOD partners need cloud tenant services, configuration management, cybersecurity monitoring, classification marking, and other capabilities relevant to a secure cloud collaboration experience, DEOS offers 13 task areas to cover the breadth of support necessary to design, migrate, train and sustain customers. 

Because the BPA eliminates the need for repetitive, individual purchases from schedule type contracts, it decreases cost, reduces paperwork and saves time, creating a purchasing mechanism that works better and costs less. Defense organizations onboard rapidly to the DEOS BPA through a process of mapping objectives to services offered by the contract. 

"The BPA is an agile easy button for contracting; it has already been awarded and fits into the DOD structure. For mission partners that need cloud-related and identity strategy needs, training, engineering support or migration support, it's a one-stop contracting vehicle," says Landymore. 

The DEOS roadmap 

DOD365-Sec is making history, but DEOS won't stop at the classified cloud. Areas on the DEOS horizon are mission partner migrations and cybersecurity support. Additionally, supporting DOD partners deployed in a denied, disconnected, intermittent and limited (DDIL) bandwidth environment is another next-generation project covered under the scope of the DEOS BPA. The United States Marine Corps leveraged the BPA to develop and implement tactical requirement solutions including enabling ship embarkation/debarkation between domains; ensuring naval access to data on travel, ship and plane; and providing ship-to-shore connectivity for units supporting forward deployments. DDIL solutions provide critical access to the warfighter working in compromised and limited bandwidth scenarios. 

From the recently deployed DOD365-Sec to future mission-critical capabilities and services, the DEOS program is changing how the DOD and warfighter operate and collaborate in new environments.

"What we're doing, by bringing the DOD to the cloud and beyond, is equipping the warfighter and the department with secure, responsive and resilient services," says Landymore.  

Individuals with a common access card (CAC) or a government issued computer can visit the DISA Customer Service Management Portal for DOD365-Secret web page and complete a Service Request Form (SRF) to get more information about DOD365-Sec and learn how your organization can become a part of the DOD365-Sec environment, or email
