DoD cloud authorization paths that cloud service providers
should evaluate and focus
on are:
Provisional Authorizations – Focuses on Cloud Service Offering Risks
Issued by the FedRAMP JAB and the DISA Authorizing Official (AO)
Component ATO’s – Focused on Mission Risk
Issued by DoD Component/s Authorizing Official
Defense Information Systems Agency
(DISA)
published the Cloud Computing Security Requirements Guide (CC SRG) which introduces
terminology and concepts that are unique to cloud computing and DoD’s usage of the
technology.
This CC SRG outlines the security model
by
which DoD leverages cloud computing along with the security controls and requirements
necessary for using cloud-based solutions. Defines the requirements and architectures
for the use and implementation of DoD or commercial cloud services by DoD Mission
Owners.
CC SRG provides security requirements and
guidance to DoD and commercial cloud service providers (DoD contractors) that wish to
have their cloud service offerings CSO(s) included in the DoD Cloud Service Catalog.
CC SRG defines the DoD Impact Levels (IL2, IL4, IL5 & IL6) which are the combination
of:
The sensitivity of the information to be stored and/or processed in the cloud.
The potential impact of an event that results in the loss of confidentiality,
integrity or availability of that information.
DoD impact level 2 (IL2)
Information security: Accommodates DoD
information that has been approved for public release or is non-critical mission
information
Security controls: IL2 + controlled unclassified information
specific tailored set
Location: US/US-outlying areas or DoD on-premises
Off-premises connectivity: Internet
DoD impact level 4 (IL4)
Information security: Accommodates DoD controlled or non-controlled unclassified
information, non-critical mission information and non-national security systems
information
Security controls: IL2 + controlled unclassified information specific tailored
set
Location: US/US-outlying areas or DoD on-premises
Off-premises connectivity: NIPRNet (non-classified internet protocol router
network) via CAP (cloud access point)
DoD Impact Level 5 (IL5)
Information security: Accommodates DoD higher sensitivity controlled
unclassified information, mission-critical information, and national security
systems information
Security controls: IL4 + national security systems information
Location: US/US-outlying areas or DoD on-premises
Off-premises connectivity: NIPRNet (non-classified internet protocol router
network) via CAP (cloud access point)
DoD Impact Level 6 (IL6)
Information security: Accommodates DoD classified SECRET and national security
systems information
Security controls: IL5 + classified overlay information
Location: US/US-outlying areas, DoD on-premises, or cleared/classified
facilities
Off-premises connectivity: Secret internet protocol router network (SIPRNET)
DIRECT With DoD SIPRNet enclave connection approval
