DoD Cloud Computing Security Requirements Guide

DEPARTMENT OF DEFENSE (DoD)
CLOUD COMPUTING
SECURITY REQUIREMENTS GUIDE (SRG)
Version 1, Release 1
12 January 2015
Developed by the Defense Information Systems Agency (DISA) for the Department of Defense (DoD)
UNCLASSIFIED

DoD Cloud Computing SRG v1r1
12 January 2015
DISA Field Security Operations
Developed by DISA for DoD

Trademark Information

Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our users, and do not constitute or imply endorsement by DoD, DISA, or DISA Field Security Operations (FSO) of any non-Federal entity, event, product, service, or enterprise.

Table of Contents

1 INTRODUCTION
  1.1 Purpose and Audience
  1.2 Authority
  1.3 Scope and Applicability
  1.4 Security Requirements Guides (SRGs) / Security Technical Implementation Guides (STIGs)
  1.5 SRG and STIG Distribution
  1.6 Document Revisions and Update Cycle
  1.7 Document Organization
2 BACKGROUND
  2.1 Cloud Computing, Cloud Service, and Cloud Deployment Models
  2.2 Cloud Service Provider (CSP) and Cloud Service Offering (CSO)
  2.3 DoD Risk Management Framework (DoD RMF)
  2.4 Federal Risk and Authorization Management Program (FedRAMP)
  2.5 FedRAMP Plus (FedRAMP+)
  2.6 DoD Provisional Authorization
3 INFORMATION SECURITY OBJECTIVES / IMPACT LEVELS
  3.1 Security Objectives (Confidentiality, Integrity, Availability)
  3.2 Information Impact Levels
    3.2.1 Level 1: Unclassified Information approved for Public release
    3.2.2 Level 2: Non-Controlled Unclassified Information
    3.2.3 Level 3: Controlled Unclassified Information
    3.2.4 Level 4: Controlled Unclassified Information
    3.2.5 Level 5: Controlled Unclassified Information
    3.2.6 Level 6: Classified Information up to SECRET
4 RISK ASSESSMENT OF CLOUD SERVICE OFFERINGS
  4.1 Assessment of Commercial/Non-DoD Cloud Services
  4.2 Assessment of DoD Provided Cloud Services
  4.3 Cloud Service Offering and Mission Owner Risk Management
    4.3.1 Cloud Service Offering (CSO) Risk
    4.3.2 Mission Risk
  4.4 CSP Transition from CSM v2.1 to SRG v1r1
5 SECURITY REQUIREMENTS
  5.1 DoD Policy Regarding Security Controls
    5.1.1 DoD use of FedRAMP Security Controls
    5.1.2 DoD FedRAMP Security Controls/Enhancements
    5.1.3 Parameter Values for Security Controls and Enhancements
    5.1.4 Security Controls/Enhancements to be Addressed in the Contract/SLA
  5.2 Legal Considerations
    5.2.1 Jurisdiction/Location Requirements
    5.2.2 Cloud Deployment Model Considerations / Separation Requirements
      5.2.2.1 Impact Levels 2 and 4 Location and Separation Requirements
      5.2.2.2 Impact Level 5 Location and Separation Requirements
      5.2.2.3 Impact Level 6 Location and Separation Requirements
  5.3 Ongoing Assessment
    5.3.1 Continuous Monitoring
      5.3.1.1 CSPs in the FedRAMP Catalog
      5.3.1.2 DoD Self-Assessed CSPs
    5.3.2 Change Control
      5.3.2.1 CSPs in the FedRAMP Catalog
      5.3.2.2 DoD Self-Assessed CSPs
  5.4 CSP use of DoD Public Key Infrastructure (PKI)
    5.4.1 Identification, Authentication, and Access Control Credentials
      5.4.1.1 Mission Owner Credentials
      5.4.1.2 CSP Privileged User Credentials
    5.4.2 Public Key (PK) Enabling
  5.5 Policy, Guidance, Operational Constraints
    5.5.1 SRG/STIG Compliance
  5.6 Physical Facilities and Personnel Requirements
    5.6.1 Facilities Requirements
    5.6.2 Personnel Requirements
      5.6.2.1 Personnel Requirements – PS-2: Position Categorization
      5.6.2.2 Personnel Requirements – PS-3: Background Investigations
      5.6.2.3 Mission Owner Responsibilities Regarding CSP Personnel Requirements
  5.7 Data Spill
  5.8 Data Recovery and Destruction
  5.9 Reuse and Disposal of Storage Media and Hardware
  5.10 Architecture
    5.10.1 Cloud Access Points
    5.10.2 Network Planes
      5.10.2.1 Network Plane Connectivity
      5.10.2.2 User/Data Plane Connectivity
      5.10.2.3 Management Plane Connectivity
    5.10.3 CSP Service Architecture
      5.10.3.1 CSP Service Architecture - SaaS
      5.10.3.2 CSP Service Architecture - IaaS/PaaS
    5.10.4 IP Addressing and DNS
    5.10.5 Mission Owner Architecture using SaaS
    5.10.6 Mission Owner System/Application Architecture using IaaS/PaaS
6 COMPUTER NETWORK DEFENSE AND INCIDENT RESPONSE
  6.1 Overview of CND Tiers
  6.2 Concept Changes for Tiers for Cloud Computing
    6.2.1 Boundary CND
    6.2.2 Mission CND
  6.3 CND Roles and Responsibilities
  6.4 Incident Reporting and Response
    6.4.1 Incident Response Plans and Addendums
    6.4.2 Information Requirements, Categories, Timelines, and Formats
    6.4.3 Incident Reporting Mechanism
  6.5 Warning, Tactical Directives, and Orders
  6.6 Continuous Monitoring / Plans of Action and Milestones (POA&Ms)
  6.7 Notice of Scheduled Outages
  6.8 PKI for CND Purposes
  6.9 Vulnerability and Threat Information Sharing
Appendix A References
Appendix B Definitions
Appendix C Roles and Responsibilities
Appendix D Parameter Values

List of Tables

Table 1 - Potential Impact Definitions for Security Objectives
Table 2 - DoD FedRAMP Security Controls/Enhancements
Table 3 - Security Controls/Enhancements to be addressed in the contract/SLA
Table 4 - Mission Owner Credentials
Table 5 - User/Data Plane Connectivity
Table 6 - Management Plane Connectivity
Table 7 - Roles and Responsibilities
Table 8 – Control / Enhancement Parameter Values

List of Figures

Figure 1 – Notional Division of Security Inheritance and Risk
Figure 2 – DoD Continuous Monitoring for CSPs with a FedRAMP JAB PA
Figure 3 – DoD Continuous Monitoring for FedRAMP CSPs with a 3PAO assessed Federal Agency ATO
Figure 4 – DoD Continuous Monitoring for DoD Self-Assessed CSPs
Figure 5 – DoD Change Control Process for CSPs with a FedRAMP JAB PA
Figure 6 – DoD Change Control Process for FedRAMP CSPs with a 3PAO assessed Federal Agency ATO

Service Providers (CSPs) that wish to have their service offerings included in the DoD Cloud Service Catalog. 1. Establishes a basis on which DoD will assess the security posture of a non-DoD CSP’s service offering, supporting the decision to grant a DoD Provisional Authorization (PA) that allows a non-DoD CSP to host DoD missions. Defines the policies, requirements, and architectures for the use