DoD Cloud Computing Security Requirements Guide (SRG) Overview


Page 1

DoD Cloud Computing Security Requirements Guide (SRG) Overview

Page 2

General SRG Information

• Released 12 January 2015 – Version 1, Release 1

• Provides comprehensive security guidance for components (missions) to acquire cloud services

• Provides comprehensive guidance for CSPs to understand the security requirements if they choose to deliver cloud services to DoD

• Developed by DISA for DoD

• Processes are very FedRAMP-like

• Impact levels now only 2, 4, 5 & 6 – collapsed from prior Cloud Security Model’s 1 – 6 levels

• http://iase.disa.mil/cloud_security/Documents/u-cloud_computing_srg_v1r1_final.pdf


Page 3

General - SRG Overview

• SRG release details the mission data risk associated with data impact levels 2-5. Subsequent quarterly releases will include changes in the security control analysis; legal considerations for hosting DoD workloads are not addressed in the current version

• SRG introduces the requirement for DoD Provisional Authorizations and the use of a Cloud Access Point for Levels 4-5 to mitigate the risk to DoD of allowing CSPs to interconnect with DoD networks

• SRG introduces the term FedRAMP Plus (+)

• “Shared controls” require both the CSO and the Mission Owner to address security; Computer Network Defense (CND) responsibilities must be clearly defined

• Mission defines cloud availability and resiliency (DR) under SLA with CSP

• The NIST SP 800-145 definition of cloud services is used by DoD to determine whether an offering is “cloud”


Page 4

SRG – Counting Controls


Page 5

SRG Path to P-ATO

• FedRAMP is the minimum security baseline for all DoD cloud services

• Three paths to PAs:
  • From FedRAMP JAB to DoD PA
  • From FedRAMP Agency to DoD PA
  • DoD Sponsored – CSP needs a 3PAO or DoD assessor

• FedRAMP moderate CSPs = IL 2

• FedRAMP moderate CSPs + additional DoD C/CE can get to IL 4 and above

• PII/PHI will add C/CE overlays from NIST SP 800-53 Rev. 4 (mission directed)

• CONUS only for IL 4, 5 and 6 (same for 2 but exceptions could be granted)


Page 6

SRG Observations

• APIs of a cloud can create a risk of unauthorized access to NIPRNet

• Tenancy matters – e-discovery and law-enforcement seizure issues

• Proper physical/logical isolation is key to PA

• Shared infrastructure = cloud serving Federal and DoD tenants as well as non-Federal / non-DoD tenants

• Private cloud = dedicated infrastructure to serve one group or class of customer

• ITAR clouds do not necessarily meet the standards for “dedicated” clouds


Page 7

SRG – Where and Who

• IL 2 = Shared or dedicated infrastructure (and on or off premise OK)

• IL 4 = Shared or dedicated with strong evidence of virtual separation controls and monitoring – ability to meet search and seizure requests of DoD data (on and off premise OK)

• IL 5 = only dedicated infrastructure (on or off premise OK)
  • Only DoD Private, DoD Community or Federal Government community clouds can be used
  • Each deployment can support multiple missions/tenants from each customer organization
  • Virt/phys separation between DoD & Federal tenants / missions is permitted
  • Virt/phys separation between DoD tenants / missions is permitted (minimally)
  • Physical separation from non-DoD/non-Federal tenants required


Page 8

SRG – Where and Who (continued)

• IL 6 = Dedicated infrastructure approved for classified information
  • On or off premise OK provided NISPOM is met
  • Requires cleared personnel (CSP must have an FCL at the appropriate level)
• IL 6 = each deployment may support multiple SECRET missions
  • Virt/phys separation between DoD & Federal tenants / missions at the SECRET level is permitted
  • Virt/phys separation between DoD tenants / missions is permitted (minimally)
  • Physical separation from non-DoD/non-Federal tenants required


Page 9

SRG Observations

• Continuous Monitoring
  • Differs among CSPs depending on whether an Agency or JAB ATO is leveraged
  • FedRAMP JAB = JAB TRs to FedRAMP PMO to DISA AO to Mission Owner
  • FedRAMP Agency = 3PAO to DISA AO to Mission Owner
  • DoD Self-Assessed PA = varies, but generally DISA AO to Mission Owner
• Change Control / Significant changes = same as above
• PKI now matters
  • CAC and “Alt Token” (IdenTrust (GSA), etc.) must be used at IL 4/5
  • NSS PKI at IL 6 (CNSS)
  • Cloud provisioning portal or MFA must be PK-enabled for IaaS/PaaS/SaaS at IL 4 and 5, and NSS PKI-enabled at IL 6

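As an added illustration, not part of these slides or of the SRG itself, the tenancy, location and PKI rules from slides 7 through 9 expressed as a policy-as-code check that a mission owner could run against a candidate deployment description; the Deployment class, its field names and the auth/model labels are assumptions of this example.

```python
from dataclasses import dataclass

# Hypothetical deployment description used by this example; the field names
# are assumptions of the example, not SRG terminology.
@dataclass
class Deployment:
    impact_level: int                   # SRG v1r1 levels: 2, 4, 5, 6
    dedicated: bool                     # dedicated vs. shared infrastructure
    deployment_model: str               # "dod_private", "dod_community", "fed_community", "public"
    non_federal_tenants: bool           # non-DoD/non-Federal tenants share the offering
    physical_separation: bool = False   # physical separation from those tenants
    virtual_separation_monitored: bool = False  # evidenced, monitored virtual separation
    conus: bool = True                  # hosted within CONUS
    nispom_met: bool = False            # NISPOM requirements met (IL 6)
    csp_has_fcl: bool = False           # CSP holds a facility clearance (IL 6)
    auth: str = "password"              # "cac", "alt_token", "nss_pki" or "password"

IL5_MODELS = {"dod_private", "dod_community", "fed_community"}

def srg_findings(d: Deployment) -> list[str]:
    """Return the slide-7/8/9 rules the deployment fails (empty list = permitted)."""
    il, f = d.impact_level, []
    if il not in (2, 4, 5, 6):
        return [f"IL {il} is not an SRG v1r1 impact level (2, 4, 5, 6 only)"]
    if il >= 4 and not d.conus:
        f.append(f"IL {il} must be hosted in CONUS")
    if il == 4 and not d.dedicated and not d.virtual_separation_monitored:
        f.append("IL 4 shared infrastructure needs evidenced, monitored virtual separation")
    if il >= 5:
        if not d.dedicated:
            f.append(f"IL {il} requires dedicated infrastructure")
        if d.non_federal_tenants and not d.physical_separation:
            f.append(f"IL {il} requires physical separation from non-DoD/non-Federal tenants")
    if il == 5 and d.deployment_model not in IL5_MODELS:
        f.append("IL 5 allows only DoD private, DoD community or Federal community clouds")
    if il == 6:
        if not d.nispom_met:
            f.append("IL 6 hosting (on or off premise) requires NISPOM to be met")
        if not d.csp_has_fcl:
            f.append("IL 6 requires cleared personnel (CSP FCL at the appropriate level)")
    if il in (4, 5) and d.auth not in ("cac", "alt_token"):
        f.append("IL 4/5 portals must be PK-enabled: CAC or approved Alt Token")
    if il == 6 and d.auth != "nss_pki":
        f.append("IL 6 requires NSS PKI")
    return f

def srg_permits(d: Deployment) -> bool:
    """True when no rule in srg_findings() is violated."""
    return not srg_findings(d)
```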

Page 10

SRG Shared Responsibilities

IaaS: The CSP is responsible for running the data center, which includes the network, servers, disks, etc. The Mission Owner manages and maintains the cloud stack and must perform many of the tasks, e.g., patching, locking down ports, removing unnecessary commands from servers and encrypting data. These can be negotiated back to the CSP under the SOW

PaaS: The CSP is responsible for the infrastructure layer and the application stack layer. The Mission Owner needs to understand the underpinnings of how the PaaS provider’s platform works in order to build software on top of it

SaaS: The CSP is responsible for all the controls within the cloud stack, from the application layer down
