Defense Cloud Security Guidance Empowers Military Services

Published: January 21, 2015


In mid-January 2015, the Defense Department’s (DOD) Defense Information Services Agency (DISA) released guidance for the use of commercial and non-DOD cloud providers within the DOD.

Since the DISA cloud computing publication is a Security Requirements Guide (SRG), it offers non-product-specific requirements to mitigate risks associated with commonly encountered IT system vulnerabilities. While SRGs provide high-level direction, Security Technical Implementation Guides (STIGs) offer product-specific details for validating, attaining, and maintaining compliance with the SRG requirements.

The previously published Cloud Security Model outlined 6 Information Impact Levels. Although the DOD cloud computing SRG has reduced the number to 4 impact levels, the numeric designators remain consistent with the previously published model. DOD provisional risk assessments for cloud services focus on evaluating the requirements for the impact levels at which a cloud service offering is supported by a provider. Provisional authorization is then leveraged by the mission owner in granting authority to operate (ATO) for mission systems operating in the cloud.

The security control baseline for all levels aligns with the FedRAMP moderate baseline’s definition for confidentiality and integrity. This shift from high confidentiality and high integrity is intended to support the categorization of customer systems targeted for deployment to commercial CSP facilities. The 15 December 2014 CIO memo called out FedRAMP as the minimum security baseline for all DOD cloud services and advised that defense components “may host unclassified DOD information that has been publicly released on FedRAMP approved cloud services.”

The DISA cloud computing SRG covers systems up to the Secret level of classification. Services running at classification levels above Secret, including compartmented information, are governed by other policies and fall outside the scope of the guidance DISA released. The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) aims to have a cloud security baseline established for FISMA high requirements within the next six months. DISA plans to consider incorporating the FedRAMP High Baseline into its guidance once it becomes available.

Ultimately, CSPs have three paths to choose from in pursuing a DOD provisional authorization. One option is to achieve a provisional authorization through FedRAMP’s Joint Authorization Board (JAB). Another option is to achieve a FedRAMP Agency ATO by completing the FedRAMP compliance process as well as meeting any additional security control requirements from the authorizing agency. The third option is for a system to comply with the requirements for a DOD Self-Assessed Provisional Authorization. The concept of FedRAMP Plus (FedRAMP+) applies to situations where an agency has specific security requirements beyond the FedRAMP baseline. Within the DOD SRG, these additional security controls and requirements are necessary to meet and assure DOD’s mission requirements.

While it appears that DISA will continue to function as the DOD's cloud broker, defense components are not limited to the offerings DISA has vetted. Like FedRAMP’s intention to allow agencies to take a greater role in steering commercial cloud authorizations, DISA’s guidance will empower the military services to procure their own solutions and leverage the government’s work through FedRAMP. Considering the trend toward shared service adoption, after a cloud solution is adopted by one service branch, other defense components may look to implement FedRAMP+ solutions, or DISA may evaluate that solution for potential formal shared service use.