For Cloud Services Providers (CSPs) looking to achieve Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG) Impact Level 2 (IL2), Impact Level 4 (IL4), Impact Level 5 (IL5), or Impact Level 6 (IL6) authorization for a Cloud Service Offering (CSO), implementing and following the security requirements guides are a must to ensure effective implementation of DISA requirements.
Impact Levels can be defined as the combination of the sensitivity of information to be stored or processed within the cloud and the potential impact of an event that results in the loss of confidentiality, integrity, or availability of that information.
On June 14, 2024, DISA released the newest copy of the CC SRG. This version of the CC SRG is for the transition from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev 4 to NIST SP 800-53 Rev 5 and addresses the requirements in Committee on National Security Systems (CNSS) Policy (CNSSP)-32 for National Security Systems. Members of the Fortreum team were able to meet with the authors of the new DoD SRG. Key takeaways, from these conversations and Fortreum’s analysis of the updated documentation, to meet impact level requirements are outlined below.
Requirements to comply with the SRG
NIST SP 800-53 and Federal Risk and Authorization Management Program (FedRAMP) baselines provide the foundation of security controls required for cloud-based systems. Additional controls may be required pending mission specifics and data to be processed or stored. If the CSO is already FedRAMP authorized or is undergoing an initial FedRAMP authorization with IL uplift, then the CSP must utilize the DoD FedRAMP+ Security Controls and DISA Parameters for the desired impact level. The specific FedRAMP+ Security Controls are listed within table D-1 of the CSP SRG (a component of the CC SRG). Furthermore, a full listing of controls that need to be tested for ILs 4, 5, and 6 can be specifically found within the DoD Cloud Computing Security (DCCS) Document Library (https://public.cyber.mil/dccs/dccs-documents/) within the DoD Rev 5 SSP Addendum Controls.
As a quick overview to the addendum, the following controls are required for ILs 2, 4, 5, and 6 authorization. Please note, if the mission owner determines that the information system is processing, storing, or transmitting data pertaining to a national security system (NSS), additional NSS controls may be required as part of authorization.
- Impact Level 2: Impact Level 2 information, which includes non-controlled unclassified information, is all data cleared for public release and non-critical mission information. IL2 data may be hosted within a CSO that holds a FedRAMP Moderate or High Provisional Authority to Operate (P-ATO).
- Impact Level 4: Impact Level 4 accommodates controlled unclassified information (CUI) categorizations based on the CNSS Instruction No. 1253 (CNSSI 1253), Security Categorization and Control Selection for National Security Systems, up to moderate confidentiality and moderate integrity. A CSO looking to achieve IL4 authorization must be compliant with all FedRAMP moderate controls, DISA Parameters, and the additional FedRAMP+ controls listed within table D-1 of the CSP SRG.
- Impact Level 5: Impact Level 5 accommodates nonpublic, unclassified NSS data or nonpublic, unclassified data where the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A CSO looking to achieve impact level 5 authorization must be compliant with all FedRAMP high controls, DISA Parameters, and the additional FedRAMP+ controls listed within table D-1 of the CSP SRG.
- Impact Level 6: Impact Level 6 data can be defined as information and data systems that are classified as critical to national security and require maximum protection from unauthorized access or manipulation. A CSO looking to achieve impact level 6 authorization must be compliant with all FedRAMP high controls, DoD Parameters, the CNSSI 1253 Classified Information Overlay, and the additional FedRAMP+ controls listed within table D-1 of the CSP SRG.
- Impact Level 5/6 and NSS: The security requirements to achieve impact level 5 and 6 authorization requirements are designed to accommodate NSS. Additional NSS-specific security controls for a CSO must be assessed for any impact level containing NSS information. The applicability of additional NSS controls is ultimately up to the Authorization Official. For impact level 5, a CSP may achieve impact level 5 authorization for their CSO with or without additional NSS requirements. IL5 NSS and IL5 non-NSS requirements are listed within the DoD Rev 5 SSP Addendum Controls.
DoD Privacy Assignment Values (DSPAV)
Within table D-1 of the CSP SRG, multiple parameter values do not give a specific definition or frequency in which a security control must be implemented but rather states “DSPAV must be used”. DSPAV provides values specific to CNSSI 1253. If the specific control parameter is not listed within CNSSI 1253 and has a defined parameter value of “DSPAV must be used,” then Fortreum recommends consulting with your mission owner to find the parameter value for that specific control.
Cloud Access Point (CAP)
For IL 4 through 6 CSOs, a CAP is required for risk mitigation to the Defense Information Systems Network (DISN) . The DISN is a protected network that includes Non-classified Internet Protocol Router Network (NIPRNet), Secret Internet Protocol Router Network (SIPRNet), and other DISN-based mission partner/COI networks. DISA lists the requirements of the CAP beginning on page 59 of the CSP SRG.
STIG Implementation
CSPs must implement applicable DISA STIGs/SRGs for all operating systems, databases, web servers, domain name systems, etc. to meet requirements for authorization. Information pertaining to particular STIGs/SRGs can be received from https://public.cyber.mil/. Additional STIG information can be obtained from https://cyber.mil/ which requires a Common Access Card (CAC) with DoD Certificates. If a CAC is not readily available, Fortreum recommends consulting with your sponsoring DoD agency or partner to obtain additional information regarding the applicable STIGs. With the updated revision of NIST SP 800-53, all CSPs seeking FedRAMP authorization must be utilizing DISA STIGs to comply with CM-6 Configuration Settings. If there is no active STIG available, the CSP must revert to utilizing CIS Benchmark Level 2 for compliance settings. For a deeper look into CM-6 and compliance scan requirements, Fortreum has conducted an analysis, which is available upon request. Please use this form to request the analysis: https://fortreum.com/contact/
Responsibility of the Mission Owner
Along with the CSP SRG, DISA has released the DoD Mission Owner SRG as component of the CC SRG. Mission owners are program managers within the DoD components responsible for creating instances of cloud services by leveraging a CSP’s CSO. The mission owner is responsible for selecting CSP offerings that are approved in accordance with the CC SRG and have a DoD Provisional Authorization (PA). The mission owner initiates the process by selecting a DoD or non-DoD CSP to host their cloud service. Then they work with the authorization official to complete accreditation. As a CSP offering the CSO, it is important to consult with your mission owner to ensure responsibilities are clearly delineated and security is effectively delegated across appropriate members.
Conclusion
By understanding the nuances of the updated guidelines, making appropriate investments, creating an efficient timeline, and continuing compliance with continuous monitoring, you can not only meet the requirements of the revised standards but also bolster your overall cybersecurity posture.
Fortreum is the fastest growing FedRAMP 3PAO in the marketplace and was listed as number 78 on the Inc. 5000 fastest growing companies of 2024. We are actively working with clients so they are prepared for the transition to the new DoD SRG. Should you have questions about your transition, please reach out to us at: Compliance@fortreum.com.
About Fortreum:
We started with a mission to simplify cloud and cybersecurity challenges for our customers. With an extensive track record spanning nearly a quarter of a century across Public and Private Sectors, we possess a keen dedication to solving our customers complex cloud and cybersecurity challenges. Our industry commitment extends to supporting and fostering the development of future cybersecurity experts within our communities. We encourage you to investigate our services further to learn how leverage to cybersecurity as a business enabler.
Should you have questions about your cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/
References:
- DoD Cloud Computing Security (DCCS) Document Library: https://public.cyber.mil/dccs/dccs-documents/
- Mission Owner and Cloud Service Provider Security Requirements Guide: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cloud_Computing_Y24M07_SRG.zip
- CNSSI 1253: https://www.dcsa.mil/portals/91/documents/ctp/nao/CNSSI_No1253.pdf
