DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015

Transcription

1 DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015 New leadership breeds new policies and different approaches to a more rapid adoption of cloud services for the DoD. As you may know, the Defense Information Security Agency (DISA) released new Department of Defense (DoD) cloud security requirements as DoD looks to shift to commercial cloud services. While the premise of leveraging and aligning with the Federal Risk and Authorization Management Program (FedRAMP) hasn t changed, the DISA has supplemented the FedRAMP baseline with DoD-specific requirements. Effective as of yesterday (January 13, 2015), an updated Security Requirements Guide (SRG) Version 1 was released and supersedes all current guidance under the DISA Cloud Security Model. The acting DoD CIO, Terry Halvorsen, has gone on record several times searching for ways to better enable the cloud procurement process by granting more purchasing ability and authority to individual agencies/components within the DoD. While the SRG release is primarily focused on impact levels 2 and 4, there was acknowledgement of opportunities for future updates, and each quarterly release will focus on those improvements. The subsequent quarterly release will include a focus on impact level 5 and considerations for hosting the DoD workloads outside of U.S. facilities. Let s be clear about which audiences the SRG guidance serves. It applies to the following entities: Commercial and non-dod federal government Cloud Service Providers (CSPs) DoD programs operating as a CSP DoD Components and Mission Owners using, or considering the use of, commercial/non-dod and DoD cloud computing services DoD risk management assessment officials and Authorizing Officials (AOs) Key Changes While there have been some success stories for cloud adoption within the DoD, industry and many DoD stakeholders are looking for faster adoption to realize the value, elasticity, mobile and on-demand capabilities of cloud. The DoD has leveraged the FedRAMP Joint Authorization Board (JAB) and U.S. federal government agency authority to operate (ATO) packages residing in the FedRAMP Secure Repository. In this release, the term FedRAMP Plus (+) was introduced and applies to both the FedRAMP JAB and Agency sponsored authorization routes currently approved through the FedRAMP.

2 As applicable on the federal civilian side, every agency/component has the ability to leverage the baseline FedRAMP assessment, and either accept or add on additional security requirements, as is the case with the DoD. Specific critical mission and business needs drive this requirement; the specific controls will also need to be impacted/tested by an accredited third party assessment organization (3PAO) to ensure proper implementation. Security Objectives/Impact Levels Consolidated Cloud security impact levels help drive the security requirements for FedRAMP and DoD systems. In all cases, security information impact levels are defined by the combination of the level of information stored and processed within the CSP offering and potential impact of an event that results in the loss of confidentiality, integrity or availability of DoD data, systems or networks. Forget what you previously read about Levels 1-6. According to the latest SRG publication, these are the new cloud DoD impact levels and the corresponding amendments: Level 1 Level 2 Unclassified Information approved for Public release Non-controlled Unclassified Information DoD Impact Levels REMOVED - Level 1 has been merged with Level 2. Level 2 includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data, but the information requires some minimal level of access control. REMOVED - Level 3 has been merged with Level 4. Level 3 Controlled Unclassified Information Level 4 Controlled Unclassified Level 4 accommodates CUI, which is the categorical designation that refers to unclassified information that under law or policy requires protection from unauthorized disclosure as established by Executive Order (November 2010) or other mission critical data: -Export Control -Privacy Information -Protected Health Information (PHI) -Other (FOUO, OUO, LES, etc.) Level 5 Level 6 Controlled Unclassified Information Classified Information up to SECRET Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS specific requirements in the FedRAMP+ controls/control enhancements (C/CEs) At this time, only information classified as SECRET

3 The SRG also addressed the concept of FedRAMP submission/authorization paths and reiterated these paths as the only options for CSPs to follow. FedRAMP JAB Provisional Authorization (assessed by a 3PAO, P-ATO is authorized or in the process of obtaining a JAB P-ATO) FedRAMP Agency ATO (assessed by a 3PAO, system is authorized or in the process of obtaining an ATO, i.e. have a sponsor) DoD Self-Assessed PA (assessed by the DISA cloud assessment team, CSP is minimally assessed against the FedRAMP Moderate Baseline and FedRAMP+ requirements, typically seen in dedicated cloud service offerings and/or private) NIST SP Rev. 3 to Rev. 4 Transition It s worth noting that the DoD will be following the FedRAMP Program Management Office s (PMO) approach to meeting the latest NIST guidance transition guidelines. The accreditation/authorization issue still exists: Platform as a Service (PaaS)/Software as a Service (SaaS) offerings sitting on top of an already FedRAMP-approved Infrastructure as a Service (IaaS) provider have mainly been approved under the NIST SP Rev. 3 guidance. There are discussions underway to update the guidance provided from the FedRAMP PMO in Q1 of 2015, so expect this to come out soon. DoD FedRAMP+ Security Controls/Enhancements I won t bore you with the details of each and every control, save that for a rainy day. However, any control that is added can certainly cause impact to your CSP offering, so read the controls very closely. CSPs will be required to re-evaluate their current understanding of the previously published impact levels and respective security controls, and realign the levels against recently published security requirements. As of the date of this publication, the tailored baseline was only published for impact levels 4-6, which is summarized below: NIST SP r4 Control/Enhancement Total Level 2 Level 4 Level 5 Level 6 TBD 35 PLUS Privacy Overlay Controls if applicable 44 PLUS Privacy Overlay Controls if applicable 44 PLUS 98 from Classified Overlay The best way to navigate these security requirements is to review the current control values (pages 27-28), currently assigned to Levels 4-6, and then go to Appendix D (pages ) to view the actual security control values. Again, it is not clear why Level 2 security controls are missing from the publication, but expect to see these fleshed out with a sponsoring DoD entity or in a new SRG release for all CSPs to follow suit.

4 Continuous Monitoring The Continuous Monitoring Strategy Guide, published from the FedRAMP PMO, largely remains intact for CSPs seeking to maintain their authorization. DoD agencies/components can and will impose more stringent requirements in accordance with the latest impact levels and continuous monitoring guidance. At a minimum, the monthly requirements are as follows: Monthly Credentialed Network/OS, Web, and Database vulnerability scans, in addition to a frequently updated Plan of Actions and Milestones (POAM) and remediation plan for identified findings. Summary It s very clear that organizations need to take a tiered approach to navigating the DoD cloud market. I recommend you start with the FedRAMP Moderate Baseline and work to get approved under the FedRAMP JAB or FedRAMP Agency route. Once that is achieved, which is no small feat in itself, then look to engage your DoD buyers early in the process to help you fill in the blanks. If the potential DoD buyers are still on the periphery, you can certainly bank on the Level 4-6 approach for preparing your solution and FedRAMP documentation to include these specific controls. I anticipate this process and recommended approach will evolve, and am eager to see some traction in the DoD cloud space in 2015 and beyond.

5 References DoD Cloud Computing SRG - Version 1, Release 1: James Leach is VP, Service Development & Commercial of Veris Group, LLC, an industry-leading, awardwinning cybersecurity company headquartered in Vienna, VA. verisgroup.com E: info@verisgroup.com T: