Last week, the Department of Defense (DOD) released an update to the Cloud Computing Security Requirements Guide (CC SRG) through the Chief Information Office and the Defense Information Systems Agency (DISA). This update provides guidance to a number of components, including: cloud service providers (CSPs), both commercial and DOD, to all DOD components using cloud, and all other DOD mission components looking to or developing cloud computing solutions.
“DISA has approved the signed Cloud Computing Security Requirements Guide v1r2 for public release. The requirements in this SRG become effective immediately except for those CSPs currently being assessed under v1r1. The SRG is available on IASE. The DoD Cloud computing policy and the CC SRG is constantly evolving based on lessons learned with respect to the authorization of Cloud Service Offerings and their use by DoD Components. As such the CC SRG is following an “Agile Policy Development” strategy and will be updated quickly when necessary.”
All cloud computing is required to take place in the U.S and are based off of impact levels:
1 – *removed as part of the update
2 – public data over the internet
3 – *removed as part of the update
4 – controlled unclassified information (CUI) over NIPRNet. CUI includes protected health information, privacy data, and export controlled data
5 – “higher sensitivity CUI”, mission critical information, or NSS over NIPERNet
6 – Classified data over SIPRNET
How Do Cloud Computing Security Changes Affect Security Certifications?
- There are FIPS 140-2 requirements for remote management access to system, data-at-rest-encryption, and data-in-transit encryption at all impact levels.
- There are IPsec VPN requirements for public internet to NIPERNet and data replication between storage sites (if over public internet)
- There are Common Criteria requirements for I&A at impact levels 4 – 6
- There are a number of references to DoD CAC/PKI/FIPS 201 at all levels
- This reference ties STIG/SRG requirements into FedRAMP
“The Cloud SRG identifies and clarifies DoD specific security requirements that are not required as part of the FedRAMP certification (FedRAMP+).” – Cloud Connection Process Guide.
The Cloud SRG has additional requirements, above and beyond FedRAMP, that are specific to DoD. There is a DISA Connection Approval Office (CAO) that issues Cloud Authority to Connect (CATC) to those seeking level 4 or 5.
DoD is using the results (or test artifacts) from a FedRAMP evaluation, but will not accept an ATO where the cloud service has only done FedRAMP (and only been assessed by a 3PAO). Cloud providers need to go through FedRAMP and then submit to get an ATO from DoD. This ATO would require the cloud service to have a TCOE test the Cloud SRG, at a minimum. This is what we call FedRAMP+ (the ‘+’ being that DoD will add on the Cloud SRG) – “DoD leverages FedRAMP JAB PAs and non-DoD U.S. Government Federal Agency ATO packages residing in the FedRAMP Secure Repository, including all supporting documentation when assessing a CSO for a DoD PA. However, DoD will only accept non-DoD Agency ATOs where the CSP/CSO was assessed by a FedRAMP accredited Third Party Assessor Organization (3PAO).”
Contact Corsec to better understand how this could impact your product and its security requirements.