DoD CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG)
- 152 pages
- January 12, 2015
Cloud computing technology and services provide the Department of Defense (DoD) with the opportunity to deploy an Enterprise Cloud Environment aligned with Federal Department-wide Information Technology (IT) strategies and efficiency initiatives, including federal data center consolidation. Cloud computing enables the Department to consolidate infrastructure, leverage commodity IT functions, and eliminate functional redundancies while improving continuity of operations. The overall success of these initiatives depends upon well executed security requirements, defined and understood by both DoD Components and industry. Consistent implementation and operation of these requirements assures mission execution, provides sensitive data protection, increases mission effectiveness, and ultimately results in the outcomes and operational efficiencies the DoD seeks.
The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services defines DoD Component responsibilities when acquiring commercial cloud services. The memo allows components to responsibly acquire cloud services minimally in accordance with the security requirements outlined in Federal Risk and Authorization Management Program (FedRAMP) FedRAMP and this Security Requirement Guide (SRG). DISA previously published the concepts for operating in the commercial cloud under the Cloud Security Model. Version 1 defined the overall framework and provided initial guidance for public data. Version 2.1 added information for Controlled Unclassified Information. This document, the Cloud Computing Security Requirements Guide (SRG), documents cloud security requirements in a construct similar to other SRGs published by DISA for the DoD. This SRG incorporates, supersedes, and rescinds the previously published Cloud Security Model.
The following terms will be used throughout this document:
• CSP by itself refers to any or all Cloud Service Providers, DoD or non-DoD.
• Non-DoD CSP will refer to a commercial or Federal Government owned and operated CSP.
• Commercial CSP will refer to a Non-DoD Non-Federal Government organization offering cloud services to the public and/or government customers as a business, typically for a fee with the intent to make a profit.
• DoD CSP will refer to a DoD owned and operated CSP.
• CSO refers to a CSP’s Cloud Service Offering (recognizing that a CSP may have multiple offerings).
• Commercial Cloud Service is a CSO offered by a Commercial CSP.
• Mission Owners are entities such as program managers within the DoD Components responsible for instantiating information systems and applications leveraging a CSP’s Cloud Service Offering.
3.2 Information Impact Levels
The previously published Cloud Security Model defined 6 information Impact Levels. In order to simplify the selection process, the number of levels was reduced from 6 to 4. This was accomplished by integrating levels 1 (public information) and 3 (low impact Controlled Unclassified Information (CUI)) into levels 2 and 4, respectively. The numeric designators for the Impact Levels have not changed to remain consistent with previous versions of the Cloud Security Model, leaving Impact Levels 2, 4, 5, and 6. Note that a higher level can process data from a lower level.
Additionally, the security control baseline for all levels has been changed to moderate confidentiality and moderate integrity as defined by CNSSI 1253 and the FedRAMP Moderate Baseline. This modification from high confidentiality and high integrity is intended to better align with the categorization of most DoD customer systems that will be deployed to commercial CSP facilities. Mission owners with systems categorized at high confidentiality or integrity impact levels must deploy to DoD facilities assessed using CNSSI 1253 high baselines through the DoD RMF or contract for the added security. DISA will consider incorporating a FedRAMP High Baseline into this SRG after one becomes available.
The following subsections describe the impact levels, to include those used previously, and the type of information to be stored or hosted in CSOs.
3.2.1 Level 1: Unclassified Information approved for Public release
Level 1 is no longer used and has been merged with Level 2.
3.2.2 Level 2: Non-Controlled Unclassified Information
Level 2 includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data, but the information requires some minimal level of access control.
3.2.3 Level 3: Controlled Unclassified Information
Level 3 is no longer used and has been merged with Level 4.
3.2.4 Level 4: Controlled Unclassified Information
Level 4 accommodates CUI which is the categorical designation that refers to unclassified information that under law or policy requires protection from unauthorized disclosure as established by Executive Order 13556 (November 2010) or other mission critical data. Designating information as CUI or critical mission data to be protected at Level 4 is the responsibility of the owning organization. Determination of the appropriate impact level for a specific mission with CUI and mission data will be the responsibility of the mission AO.
CUI contains a number of categories3, including, but not limited to the following:
• Export Control–Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. This includes dual use items; items identified in export administration regulations, international traffic in arms regulations and the munitions list; license applications; and sensitive nuclear technology information.
• Privacy Information–Refers to personal information or, in some cases, personally identifiable information (PII)4 as defined in Office of Management and Budget (OMB) M-07-165 or means of identification as defined in 18 USC 1028(d)(7).
• Protected Health Information (PHI)6 as defined in the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
• Other information requiring explicit CUI designation (i.e., For Official Use Only, Official Use Only, Law Enforcement Sensitive, Critical Infrastructure Information, and Sensitive Security Information).
3.2.5 Level 5: Controlled Unclassified Information
Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS specific requirements in the FedRAMP+ controls/control enhancements (C/CEs). As such, NSS must be implemented at Level 5.
3.2.6 Level 6: Classified Information up to SECRET
Level 6 accommodates information that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor Order, to be classified national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD). At this time, only information classified as SECRET, in accordance with the applicable executive orders, is applicable to this level. Services running at higher classification levels, to include compartmented information, are governed by other policies and are beyond the scope of this document. Impact Level 6 requires a similar set of tailored controls as Level 5 and includes the CNSSI 1253 Appendix F, Attachment 5 Classified Information Overlay C/CEs.