DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015



New leadership breeds new policies and different approaches to a more rapid adoption of cloud services for the DoD. As you may know, the Defense Information Systems Agency (DISA) has released new Department of Defense (DoD) cloud security requirements as the DoD looks to shift to commercial cloud services. While the premise of leveraging and aligning with the Federal Risk and Authorization Management Program (FedRAMP) hasn't changed, DISA has supplemented the FedRAMP baseline with DoD-specific requirements. Effective as of yesterday (January 13, 2015), an updated Security Requirements Guide (SRG) Version 1 was released; it supersedes all current guidance under the DISA Cloud Security Model.

The acting DoD CIO, Terry Halvorsen, has gone on record several times as searching for ways to better enable the cloud procurement process by granting more purchasing ability and authority to individual agencies/components within the DoD. While this SRG release focuses primarily on Impact Levels 2 and 4, it acknowledges opportunities for future updates, and each quarterly release will focus on those improvements. The next quarterly release will focus on Impact Level 5 and on considerations for hosting DoD workloads outside of U.S. facilities.

Let's be clear about which audiences the SRG guidance serves. It applies to the following entities:

- Commercial and non-DoD federal government Cloud Service Providers (CSPs)
- DoD programs operating as a CSP
- DoD Components and Mission Owners using, or considering the use of, commercial/non-DoD and DoD cloud computing services
- DoD risk management assessment officials and Authorizing Officials (AOs)

Key Changes

While there have been some success stories for cloud adoption within the DoD, industry and many DoD stakeholders are looking for faster adoption to realize the value, elasticity, mobility and on-demand capabilities of cloud.

The DoD has leveraged the FedRAMP Joint Authorization Board (JAB) and U.S. federal government agency authority to operate (ATO) packages residing in the FedRAMP Secure Repository. This release introduces the term FedRAMP Plus (FedRAMP+), meaning the FedRAMP baseline supplemented with DoD-specific controls and control enhancements; it applies to both the FedRAMP JAB and the Agency-sponsored authorization routes currently approved through FedRAMP.

As on the federal civilian side, every agency/component can leverage the baseline FedRAMP assessment and either accept it as-is or add security requirements on top of it, which is what the DoD has done. Specific critical mission and business needs drive the additional requirements; the added controls must also be assessed and tested by an accredited Third Party Assessment Organization (3PAO) to ensure proper implementation.

Security Objectives/Impact Levels Consolidated

Cloud security impact levels drive the security requirements for FedRAMP and DoD systems. In all cases, an impact level is defined by the combination of the sensitivity of the information stored and processed within the CSP offering and the potential impact of an event that results in the loss of confidentiality, integrity or availability of DoD data, systems or networks. Forget what you previously read about Levels 1-6. According to the latest SRG publication, these are the new DoD cloud impact levels and the corresponding amendments:

Level 1 (Unclassified information approved for public release): REMOVED. Level 1 has been merged into Level 2.

Level 2 (Non-controlled unclassified information): Includes all data cleared for public release, as well as some DoD private unclassified information that is not designated as CUI or critical mission data but still requires some minimal level of access control.

Level 3 (Controlled Unclassified Information): REMOVED. Level 3 has been merged into Level 4.

Level 4 (Controlled Unclassified Information): Accommodates CUI, the categorical designation for unclassified information that under law or policy requires protection from unauthorized disclosure as established by Executive Order 13556 (November 2010), or other mission critical data, including:
- Export Control
- Privacy Information
- Protected Health Information (PHI)
- Other (FOUO, OUO, LES, etc.)

Level 5 (Controlled Unclassified Information): Accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs), due to the inclusion of NSS-specific requirements in the FedRAMP+ controls/control enhancements (C/CEs).

Level 6 (Classified information up to SECRET): At this time, only information classified as SECRET

The SRG also addresses the FedRAMP submission/authorization paths and reiterates that these are the only options for CSPs to follow:

- FedRAMP JAB Provisional Authorization: assessed by a 3PAO; the CSP holds a JAB P-ATO or is in the process of obtaining one
- FedRAMP Agency ATO: assessed by a 3PAO; the system holds an agency ATO or is in the process of obtaining one (i.e., it has an agency sponsor)
- DoD Self-Assessed PA: assessed by the DISA cloud assessment team rather than a 3PAO; the CSP is assessed at a minimum against the FedRAMP Moderate Baseline and the FedRAMP+ requirements; typically seen with dedicated and/or private cloud service offerings

NIST SP 800-53 Rev. 3 to Rev. 4 Transition

It's worth noting that the DoD will follow the FedRAMP Program Management Office's (PMO) approach to transitioning to the latest NIST guidance. The accreditation/authorization issue still exists: Platform as a Service (PaaS) and Software as a Service (SaaS) offerings sitting on top of an already FedRAMP-approved Infrastructure as a Service (IaaS) provider have mainly been approved under NIST SP 800-53 Rev. 3. Discussions are underway to update the FedRAMP PMO's guidance in Q1 of 2015, so expect this to come out soon.

DoD FedRAMP+ Security Controls/Enhancements

I won't bore you with the details of each and every control; save that for a rainy day. However, any added control can certainly affect your CSP offering, so read the controls very closely. CSPs will need to re-evaluate their current understanding of the previously published impact levels and their respective security controls, and realign the levels against the newly published security requirements.

As of the date of this publication, the tailored baseline has only been published for Impact Levels 4-6. The number of NIST SP 800-53r4 controls/enhancements added at each level is summarized below:

- Level 2: TBD
- Level 4: 35, plus Privacy Overlay controls if applicable
- Level 5: 44, plus Privacy Overlay controls if applicable
- Level 6: 44, plus 98 from the Classified Overlay

The best way to navigate these security requirements is to review the control summary currently assigned to Levels 4-6 (pages 27-28 of the SRG) and then go to Appendix D (pages 83-152) to view the actual security control values. It is not clear why the Level 2 security controls are missing from the publication, but expect to see them fleshed out with a sponsoring DoD entity or in a new SRG release for all CSPs to follow.

Continuous Monitoring

The Continuous Monitoring Strategy Guide published by the FedRAMP PMO remains largely intact for CSPs seeking to maintain their authorization. DoD agencies/components can and will impose more stringent requirements in accordance with the latest impact levels and continuous monitoring guidance. At a minimum, the monthly requirements are credentialed network/OS, web application, and database vulnerability scans, along with a frequently updated Plan of Action and Milestones (POA&M) and remediation plan for the identified findings.

Summary

It's very clear that organizations need to take a tiered approach to navigating the DoD cloud market. I recommend you start with the FedRAMP Moderate Baseline and work to get approved under the FedRAMP JAB or FedRAMP Agency route. Once that is achieved, which is no small feat in itself, engage your DoD buyers early in the process to help you fill in the blanks. If potential DoD buyers are still on the periphery, you can certainly bank on the Level 4-6 approach and prepare your solution and FedRAMP documentation to include these specific controls. I anticipate this process and recommended approach will evolve, and I am eager to see some traction in the DoD cloud space in 2015 and beyond.

References

DoD Cloud Computing SRG - Version 1, Release 1: http://iase.disa.mil/cloud_security/documents/ucloud_computing_srg_v1r1_final.pdf

James Leach is VP, Service Development & Commercial of Veris Group, LLC, an industry-leading, award-winning cybersecurity company headquartered in Vienna, VA. verisgroup.com | E: info@verisgroup.com | T: 703.760.9160