DEPARTMENT OF DEFENSE CLOUD COMPUTING SECURITY ...

1 UNCLASSIFIED DEPARTMENT OF DEFENSE CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE Version 1, Release 3 6 March, 2017 Developed by the DEFENSE Information Systems Agency For the DEPARTMENT of DEFENSE DoD CLOUD COMPUTING SRG v1r3 DISA Risk Management, Cybersecurity Standards 6 March, 2017 Developed by DISA for DoD UNCLASSIFIED ii Trademark Information Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our users, and do not constitute or imply endorsement by DoD, DISA, the DISA Risk Management Executive (RME), or DISA RME Cybersecurity Standards Branch of any non-Federal entity, event, product, service, or enterprise.

2 DoD CLOUD COMPUTING SRG v1r3 DISA Risk Management, Cybersecurity Standards 6 March, 2017 Developed by DISA for DoD iii UNCLASSIFIED Table of Contents 1 INTRODUCTION .. 9 Key Terminology .. 9 Purpose and Audience .. 10 Authority .. 11 Scope and Applicability .. 11 Applicability of CC SRG vs DoDI .. 13 SECURITY Requirements Guides (SRGs) / SECURITY Technical Implementation Guides (STIGs) .. 14 SRG and STIG Distribution .. 14 Document Revisions and Update Cycle .. 15 Comments, Proposed Revisions, and Questions .. 15 Document Organization .. 15 2 BACKGROUND .. 17 CLOUD COMPUTING , CLOUD Service, and CLOUD Deployment Models .. 17 CLOUD Service Provider (CSP) and CLOUD Service Offering (CSO).

3 19 DoD Risk Management Framework (DoD RMF) .. 19 Federal Risk and Authorization Management Program (FedRAMP) .. 19 FedRAMP Plus (FedRAMP+) .. 20 DoD Provisional Authorization .. 20 3 INFORMATION SECURITY OBJECTIVES / IMPACT LEVELS .. 22 SECURITY Objectives (Confidentiality, Integrity, Availability) .. 23 Information Impact Levels .. 24 Level 1: Unclassified Information approved for public release .. 25 Level 2: Non-Controlled Unclassified Information .. 26 Level 3: Controlled Unclassified Information .. 26 Level 4: Controlled Unclassified Information .. 26 Level 5: Controlled Unclassified Information .. 28 Level 6: Classified Information up to SECRET.

4 29 4 RISK ASSESSMENT OF CLOUD SERVICE OFFERINGS .. 31 Assessment of Commercial/Non-DoD CLOUD Services .. 31 Assessment of DoD CLOUD Services and Enterprise Services Applications .. 34 CLOUD Service Offering and Mission Owner Risk Management .. 35 CLOUD COMPUTING , Authorization Boundaries .. 36 CLOUD Service Offering (CSO) Risk .. 37 Mission Risk .. 37 CSP Transition from CSM to CC SRG v1r1 and Subsequent Updates .. 39 CSP Transition from CC SRG Version/Release to Updated CC SRG Version/Release .. 40 DoD PA in Relation to RFP Response and Contract Award; DFARS Interpretation .. 40 CLOUD Service vs a Managed IT Service .. 41 5 SECURITY REQUIREMENTS .. 43 DoD Policy Regarding SECURITY Controls.

5 43 DoD use of FedRAMP SECURITY Controls .. 43 DoD CLOUD COMPUTING SRG v1r3 DISA Risk Management, Cybersecurity Standards 6 March, 2017 Developed by DISA for DoD UNCLASSIFIED iv DoD FedRAMP+ SECURITY Controls/Enhancements .. 44 Parameter Values for SECURITY Controls and Enhancements .. 47 National SECURITY Systems (NSS) .. 47 NSS Level 6 Classified Overlay Applicability .. 47 CNSSI 1253 Privacy Overlay .. 48 PII/PHI at Level 2 .. 48 Effects of the Privacy Overlay on CSPs and Mission Owners .. 48 CSO Assessment of Privacy Overlay Control/Control 49 Mission System / Application Assessment of Privacy Overlay Control/Control Enhancements .. 50 SECURITY Controls/Enhancements to be optionally addressed in the Contract/SLA.

6 50 Additional Considerations and/or Requirements for L4/5 DoD PA Award .. 51 Legal Considerations .. 52 Jurisdiction/Location Requirements .. 53 DoD Off-Premises Vs On-Premises Vs Virtually On-Premises .. 53 CLOUD Deployment Model Considerations / Separation Requirements .. 55 Impact Level 2 Location and Separation Requirements .. 56 Impact Level 4 Location and Separation Requirements .. 56 Impact Level 5 Location and Separation Requirements .. 56 Impact Level 6 Location and Separation Requirements .. 57 Separation in Support of Law Enforcement and Criminal Investigation and E-Discovery .. 58 DoD Data Ownership and CSP Use of DoD Data .. 58 Ongoing Assessment.

7 59 Continuous Monitoring .. 60 Continuous Monitoring for CSOs in the FedRAMP Catalog with a DoD PA . 60 Continuous Monitoring for DoD Assessed CSOs .. 64 Change Control .. 64 Change Control for CSOs in the FedRAMP Catalog with a DoD PA .. 65 Change Control for DoD Assessed CSOs .. 68 CSP use of dod public key infrastructure (PKI) .. 69 Identification, Authentication, and Access Control Credentials .. 70 Mission Owner Credentials for CSP and Mission System Interfaces .. 71 CSP Privileged User Credentials .. 73 public Key (PK) Enabling .. 74 Policy, Guidance, Operational Constraints .. 74 SRG/STIG Compliance .. 74 Physical Facilities and Personnel Requirements.

8 75 Facilities Requirements .. 75 CSP Personnel Requirements .. 75 CSP Personnel Requirements PS-2: Position Categorization .. 76 CSP Personnel Requirements PS-3: Background Investigations .. 77 Mission Owner Responsibilities Regarding CSP Personnel Requirements .. 79 Training 80 Data Spill .. 80 Data Retrieval and Destruction for Off-boarding from a CSO .. 81 DoD CLOUD COMPUTING SRG v1r3 DISA Risk Management, Cybersecurity Standards 6 March, 2017 Developed by DISA for DoD v UNCLASSIFIED Reuse and Disposal of Storage Media and Hardware .. 82 Architecture .. 83 CLOUD Access Point (CAP).. 84 Boundary CAP (BCAP) .. 86 NIPRNet 87 NIPRNet BCAP Meet-Me Points.

9 88 CSP Support for BCAP Connectivity .. 89 CSP/CSO Network Connectivity to Internet and BCAP .. 90 Internal CAP (ICAP).. 90 SIPRNet BCAP/ICAP .. 92 Mission Partner Environments or Communities of Interest Network CLOUD Access Points .. 92 Mission Partner Environment Access to NIPRNet Services Hosted in the CLOUD 93 Mission System Connection Approval through DISN 93 Network Planes .. 94 Network Plane Connectivity .. 94 User/Data Plane Connectivity .. 94 Management Plane Connectivity .. 96 CSP Service Architecture .. 99 CSP Service Architecture - SaaS .. 100 CSP Service Architecture - IaaS/PaaS .. 101 CSP Disaster Recovery (DR) - Continuity of Operations (COOP).

10 102 Internet Protocol (IP) Addressing and Domain Name Services (DNS) .. 102 IP Addressing .. 103 Domain Name Services (DNS) .. 106 Mission Owner Requirements using SaaS (All Levels) .. 107 Mission Owner System/Application Requirements using IaaS/PaaS .. 107 Active Directory Integration for CLOUD .. 110 Active Directory Federation Services (ADFS) .. 111 Active Directory DirSync (Directory Synchronization) .. 111 Encryption of Data-at-Rest in Commercial CLOUD Storage .. 111 Cryptographic Erase .. 113 Backup .. 113 DoD Contractor / DoD Component Mission Partner Use of CSOs .. 114 DoD Component Mission Partners .. 114 Non-CSP DoD Contractors and DIB Partners Use of CSOs for the Protection of Sensitive DoD Information.