DoD Cloud Computing Security Requirements Guide (SRG)

Transcription

DoD Cloud Computing Security Requirements Guide (SRG) Overview

General SRG Information
- Released 12 January 2015 – Version 1, Release 1
- Provides comprehensive security guidance for components (missions) to acquire cloud services
- Provides comprehensive guidance for CSPs to understand the security requirements if they choose to deliver cloud services to DoD
- Developed by DISA for DoD
- Processes are very FedRAMP-like
- Impact levels are now only 2, 4, 5 & 6 – collapsed from the prior Cloud Security Model's 1–6 levels
- http://iase.disa.mil/cloud security/Documents/ucloud computing srg v1r1 final.pdf

General – SRG Overview
- SRG release details mission data risk associated with data impact levels 2–5. A subsequent quarterly release will include changes in security control analysis; legal considerations for hosting DoD workloads are not addressed in the current version
- SRG introduces the requirement for DoD Provisional Authorizations (PAs) and the use of a Cloud Access Point for Levels 4–5 to mitigate risk to DoD when allowing CSPs to interconnect with DoD networks
- SRG introduces the term FedRAMP Plus
- "Shared controls" require both the CSO and the Mission Owner to address security; Computer Network Defense (CND) responsibilities must be clearly defined
- Mission defines cloud availability and resiliency (DR) under SLA with the CSP
- The NIST 800-145 definition of cloud services is used by DoD to determine if it is "cloud"

SRG – Counting Controls

SRG Path to P-ATO
- FedRAMP is the minimum security baseline for all DoD cloud services
- Three paths to PAs:
  - From FedRAMP JAB to DoD PA
  - From FedRAMP Agency to DoD PA
  - DoD Sponsored – CSP needs a 3PAO or DoD assessor
- FedRAMP Moderate CSPs: IL 2
- FedRAMP Moderate CSPs plus additional DoD C/CEs can get to IL 4 and above
- PII/PHI will add C/CE overlays from NIST 800-53 Rev 4 (mission directed)
- CONUS only for IL 4, 5 and 6 (same for IL 2, but exceptions could be granted)

SRG Observations
- APIs of a cloud can create risk of unauthorized access to NIPRNet
- Tenancy matters – e-discovery & law enforcement seizure issues
- Proper physical/logical isolation is key to PA
  - Shared infrastructure cloud: for Federal and DoD as well as Non-Federal/Non-DoD tenants
  - Private cloud: dedicated infrastructure to serve one group or class of customer
- ITAR clouds do not necessarily meet the standards for "dedicated" clouds

SRG – Where and Who
- IL 2: Shared or dedicated infrastructure (on or off premise OK)
- IL 4: Shared or dedicated with strong evidence of virtual separation controls and monitoring – ability to meet search and seizure requests for DoD data (on and off premise OK)
- IL 5: Only dedicated infrastructure (on or off premise OK)
  - Only DoD Private, DoD Community or Federal Government community clouds can be used
  - Each deployment can support multiple missions/tenants from each customer organization
  - Virtual/physical separation between DoD & Federal tenants/missions is permitted
  - Virtual/physical separation between DoD tenants/missions is permitted (minimally)
  - Physical separation from non-DoD/non-Federal tenants is required

SRG – Where and Who
- IL 6: Dedicated infrastructure approved for classified information
  - On or off premise OK provided NISPOM is met
  - Requires cleared personnel (CSP must have an FCL at the appropriate level)
- IL 6: Each deployment may support multiple SECRET missions
  - Virtual/physical separation between DoD & Federal tenants/missions at the SECRET level is permitted
  - Virtual/physical separation between DoD tenants/missions is permitted (minimally)
  - Physical separation from non-DoD/non-Federal tenants is required

SRG Observations
- Continuous Monitoring differs amongst CSPs depending on the Agency or JAB ATO leveraged
  - FedRAMP JAB: JAB TRs to FedRAMP PMO to DISA AO to Mission Owner
  - FedRAMP Agency: 3PAO to DISA AO to Mission Owner
  - DoD Self-Assessed PA: varies, but generally DISA AO to Mission Owner
- Change Control / Significant changes: same as above
- PKI now matters
  - CAC and "Alt Token" (IdenTrust (GSA), etc.) must be utilized at IL 4/5
  - NSS PKI at IL 6 (CNSS)
  - Cloud provisioning portal or MFA must be PK-enabled for IaaS/PaaS/SaaS at IL 4 and 5, and NSS PKI at IL 6

SRG Shared Responsibilities
- IaaS: The CSP is responsible for running the data center, which includes the network, servers, disks, etc. The Mission Owner manages and maintains the cloud stack and must do many of the tasks, i.e., patching, locking down ports, removing unnecessary commands from servers and encrypting data. These can be negotiated back to the CSP under the SOW.
- PaaS: The CSP is responsible for the infrastructure layer and the application stack layer. The Mission Owner needs to understand the underpinnings of how the PaaS provider's platform works in order to build software on top.
- SaaS: The CSP has responsibility for all the controls within the cloud stack from the application layer down.
