Cloud Computing Concerns of the U.S. Government by Michael Erbschloe - HTML preview


5.5.1 SRG/STIG Compliance

CSPs are subject to the FedRAMP selected security control SP 800-53 CM-6. STIGs and/or SRGs may be used to fulfill this baseline configuration requirement.

Impact Level 2: While the use of STIGs and SRGs is preferable, industry standard baselines such as those provided by the Center for Internet Security are an acceptable alternative to the STIGs and SRGs.

Impact Levels 4/5/6: STIGs are applicable if the CSP utilizes the product the STIG addresses. SRGs are applicable in lieu of STIGs if a product specific STIG is not available. However, the SP 800-53 control applies whether or not a STIG or SRG is available.

CSPs must utilize all applicable DoD STIGs and/or SRGs to secure all DoD contracted cloud computing services provided on dedicated infrastructure that only serves DoD tenants. This applies at levels 4 and above for IaaS, PaaS, and SaaS offerings.

The Mission Owner must utilize all applicable DoD SRGs and STIGs to secure all Mission Owner systems and applications instantiated on CSP’s IaaS and PaaS at all levels.

The full list of all STIGs and SRGs can be found on DISA’s IASE web site.


5.6 Physical Facilities and Personnel Requirements


The following sections discuss facility and personnel requirements as they align to the impact levels.

5.6.1 Facilities Requirements


Impact Level 2: CSP data processing facilities supporting Level 2 information will meet the physical security requirements defined in the FedRAMP Moderate baseline.


Impact Levels 4 and 5: CSP data processing facilities supporting Level 4 and 5 information will meet the physical security requirements defined in the FedRAMP Moderate baseline as well as any FedRAMP+ C/CEs related to physical security.

Impact Level 6: DoD data processing facilities that support cloud services infrastructure and classified service offerings will be housed in facilities (designated as a secure room) designed, built, and approved for open storage commensurate with the highest classification level of the information stored, processed, or transmitted, as defined in DoDM 5200.01, Volume 3, DoD Information Security Program: Protection of Classified Information. Commercial CSPs’ data processing facilities that support cloud services infrastructure and classified service offerings must participate in and be approved through the National Industrial Security Program (NISP) to receive a facility clearance. The requirements for NISP are outlined in DoD 5220.22-M, the National Industrial Security Program Operating Manual (NISPOM). To receive a DoD PA for Level 6, a CSP must either have a facility clearance or be verified as able to meet the requirements to receive one when a contract is executed.

5.6.2 Personnel Requirements


The concept of cloud operations, given the shared responsibilities between multiple organizations along with the advanced technology being applied within this space, can impact personnel security requirements. The ability for a CSP’s personnel to alter the security controls/environment of a provisioned offering and the security of the system/application/data processing within the offering may vary based on the processes/controls used by the CSP. The components of the underlying infrastructure (e.g. hypervisor, storage subsystems, network devices) and the type of service (e.g. IaaS, PaaS, SaaS) provided by the CSP will further define the access and resulting risk that a CSP’s employee can have on DoD mission or data.

5.6.2.1 Personnel Requirements - PS-2: Position Categorization


The FedRAMP Moderate baseline includes the personnel security controls PS-2, PS-3, and enhancement PS-3(3). Under PS-2, the CSP is required to “assign a risk designation to all organizational positions” and “Establish screening criteria for individuals filling those positions”. Supplemental guidance states “Position risk designations reflect Office of Personnel Management (OPM) policy and guidance.” The OPM position designation process takes into account the duties, level of supervision, and the scope over which misconduct might have an effect (i.e., worldwide/government-wide, multi-agency, or agency). For IT system and information access it also takes into account the sensitivity level of the information accessed (i.e., non-CUI, CUI, and classified).


The OPM Position Designation Tool is provided to enable Federal Agencies a methodical and consistent means to determine position sensitivity for National Security Positions (e.g., positions concerned with the protection of the Nation from foreign aggression or espionage, or positions that require regular access to classified information) and Public Trust Positions (e.g., positions at the high or moderate risk levels, which includes responsibility for protection of information security systems). Position risk levels are determined using the Position Designation Tool. A position may have both National Security and Public Trust considerations that will jointly impact the sensitivity level and ultimately the type of security investigation required. The Position Designation Tool will be used to determine position sensitivity, position risk levels and investigation requirements for key CSP personnel.


DoD’s primary concern is CSP personnel who have, or can gain, direct access to DoD information, or who have responsibilities that can affect the security of the information technology processing, storing, or transmitting that information. Under OPM policy, such a person with access to CUI or classified information fills a position designated as “critical-sensitive” or “high risk”. However, if the person’s “work is carried out under technical review of a higher authority” (i.e., a person holding a “critical-sensitive” or “high risk” position), then the position may be designated as “noncritical-sensitive” or “moderate risk”. Positions having access only to non-CUI and publicly released information could be designated “non-sensitive” or “low risk”. All positions are considered to have some level of “public trust”.


From a DoD policy perspective under PS-2 and IAW DoD 5200.2-R, Category I automated data processing (ADP-1 or IT-1) positions include those in which an individual is responsible for the planning, direction, and implementation of a computer security program; has major responsibility for the direction, planning and design of a computer system, including the hardware and software; or can access a system during operation or maintenance in such a way, and with a relatively high risk, as to cause grave damage or realize a significant personal gain. These positions are designated “critical-sensitive”. Category II automated data processing (ADP-2 or IT-2) positions include those in which an individual may have the same responsibilities listed for ADP-1 but whose work is technically reviewed by a higher authority in the ADP-1 category to ensure the integrity of the system. These positions are designated “noncritical-sensitive”. These designations are consistent with the OPM Position Designation System October 2010 document and automated tool.


To receive a DoD PA, the CSP must demonstrate that their personnel position categorization and compliance with PS-2 is equivalent to the OPM position designations for the similar CSP positions to the “critical-sensitive” (e.g., DoD’s ADP-1) or “high risk”; “noncritical-sensitive” (e.g., DoD’s ADP-2) or “moderate risk”; and/or “non-sensitive” or “low risk” (i.e., access to only non-CUI and public information) position designations. These designations drive the level of screening to be established IAW the second half of PS-2 and for PS-3.

5.6.2.2 Personnel Requirements - PS-3: Background Investigations


Under PS-3 and PS-3(3), the CSP is required to “Screen individuals prior to authorizing access to the information system”, and re-screen IAW an organizational defined frequency. PS-3(3) addresses “additional personnel screening criteria” for information “requiring special protection” such as CUI.


Per the FedRAMP supplemental guidance for PS-3, found in the FedRAMP Control Specific Contract Clauses v2, June 6, 2014 document, an agency must stipulate, “IAW OPM and Office of Management and Budget (OMB) requirements”, the type of background investigation required for CSP personnel having access to or who can gain access to information. For DoD, the minimum designations are defined by level as follows:


Impact Level 2: CSP personnel supporting Level 2 cloud service offerings will meet the personnel security requirements and undergo background checks as defined in OPM policy IAW the FedRAMP Moderate baseline. As such the minimum background investigation required for CSP personnel having access to Level 2 information based on a “non-sensitive” or “low risk” position designation (i.e., position only has access to public and non-CUI non-critical mission information), is a National Agency Check and Inquiries (NACI). The position sensitivity or risk level and resulting investigation may be elevated beyond the minimum requirement as determined by the Mission Owner / AO, based on additional risk considerations. For instance if the Confidentiality, Integrity or Availability (CIA) of information is determined to be based on a “noncritical-sensitive” or “moderate risk” position using the tool, a National Agency Check with Law and Credit (NACLC) (for “noncritical-sensitive” contractors), or a Moderate Risk Background Investigation (MBI) (for “moderate risk” positions) may be required.


Impact Levels 4/5: CSP personnel supporting Level 4 and 5 cloud service offerings will meet the personnel security requirements and undergo background checks as defined in OPM policy IAW the FedRAMP Moderate baseline, the FedRAMP+ CEs related to personnel security, and DoD personnel security policies. As such the minimum background investigation required for CSP personnel having access to Level 4 and 5 information based on a “critical-sensitive” (e.g., DoD’s ADP-1) position designation, is a Single Scope Background Investigation (SSBI) or a Background Investigation (BI) for a “high risk” position designation. The minimum background investigation required for CSP personnel having access to Level 4 and 5 information based on a “noncritical-sensitive” (e.g., DoD’s ADP-2) is a National Agency Check with Law and Credit (NACLC) (for “noncritical-sensitive” contractors), or a Moderate Risk Background Investigation (MBI) for a “moderate risk” position designation.


NOTE: To receive a DoD PA for Level 2, 4, or 5, the CSP must comply with the investigation requirements as listed for personnel requiring access to systems and data (e.g. above the hypervisor). Personnel who have access to the CSP infrastructure (e.g. at the hypervisor or below) must comply with OPM investigation requirements or the CSP must demonstrate that their personnel background investigations and compliance with PS-3 and PS-3(3) are consistent with OPM investigation requirements for each position designation.


Impact Level 6: In accordance with PS-3(1), invoked by the CNSSI 1253 Classified Information Overlay, personnel having access to a secure room, the infrastructure supporting classified processing, or handling classified information, in addition to meeting the public trust position suitability/investigation requirements (e.g., a favorably adjudicated SSBI for a system administrator in a DoD ADP-1 position) must have a security clearance at the appropriate level. Systems and network administrators (i.e., privileged users), while typically not approved to handle classified information for need-to-know reasons, are considered to have access to classified information through their duties. Therefore these individuals require a clearance at the appropriate level for the classified information stored, processed, or transmitted.


DoD personnel clearances are granted through DoD processes as defined in DoDI 5200.02 and the DoD 5200.2-R, both entitled DoD Personnel Security Program (PSP). Commercial CSPs’ personnel clearances are granted through the Industrial Personnel Security Clearance Process.


To receive a DoD PA for Level 6, the CSP must either have a facility clearance and cleared personnel who will manage the CSO, or demonstrate the ability to meet the requirements for such as defined in Industrial Personnel Security Clearance Process.

5.6.2.3 Mission Owner Responsibilities Regarding CSP Personnel Requirements

In addition to the above requirements, the FedRAMP Control Specific Contract Clauses v2, also states the following: “Agencies leveraging FedRAMP Provisional Authorizations will be responsible for conducting their own Background Investigations and or accepting reciprocity from other agencies that have implemented Cloud Service Provider systems.” It also states Agencies are responsible for the screening process, and may want to stipulate additional screening requirements. As part of the FedRAMP+ assessment, the processes used by the CSP will be evaluated and discussed in the PA as appropriate. DoD Components and/or Mission Owners must review the investigation type required for all position designations and address investigation requirements in their contracts with the CSP.


5.7 Data Spill

Per CNSSI 4009, IA Glossary, a data spill or "spillage" is an unauthorized transfer of classified information or Controlled Unclassified Information to an information system that is not accredited for the applicable security level of the data or information.

A data spill is an incident that requires immediate incident reporting and response from both the Mission Owner and CSP in order to minimize the scope of the spill and the risk to DoD data. Mission owners will report the incident via their normal channels; the CSP must report the spill to the mission/information owner as well as follow the requirements in section 6.4 Incident Reporting and Response. While the Mission Owner will most likely detect a spillage within their own dataset, the CSP might also detect a spillage. CSP detection may depend on a particular service offering where the CSP might have intentional access to the content of a Mission Owner information system.

Cloud environments present a unique challenge for data spill response. Data spills are typically remediated or “cleaned” by sanitizing affected hardware to ensure that reconstruction of spilled data is impossible or impractical. This process, however, frequently requires that affected resources be taken offline until the cleanup is complete. Such loss of availability is not acceptable in a cloud environment with multiple tenants sharing the same infrastructure. CSP use of virtualization and/or innovative storage methods may make physical data locations difficult to ascertain, further complicating spill cleanup.

Variability in CSP infrastructures precludes the possibility of establishing a single cleanup process. Instead, CSPs will be responsible for providing methods and timelines for deleting specified units of data within their infrastructure in a way that provides high assurance that such data cannot be reconstructed. An example of such a process is:

  • Volatile hardware with subject data will be powered down within 24 hours to clear data, subject to exceptions based on potential side effects of cleanup actions.
  • Unencrypted subject data locations on nonvolatile storage hardware will be overwritten or “cleared” as defined in NIST 800-88 within 24 hours, subject to exceptions based on potential side effects of cleanup actions. Encrypted subject data will be deleted cryptographically by destroying the appropriate decryption keys, then “cleared” and overwritten.
  • Affected nonvolatile storage hardware will be tracked through required inventory processes and destroyed at the end of its useful life.

NOTE: The examples above are based on currently defined data spill remediation methods for physical systems where the location of the spilled data is likely known. DoD will assess alternative methods for data spill remediation for cloud infrastructures and will approve those deemed acceptable.

CSP’s data spill cleanup methods will be evaluated as part of the PA assessment and then made available to all Mission Owners utilizing that CSP. The CSP will be responsible for executing any of those methods upon report of a data spill by a Mission Owner.

Due to data backup and disaster recovery methods used by Mission Owners and CSPs, data spills could affect associated storage. Data spills remediation must extend to storage media where the spilled data might migrate. All backups and mirrored storage affected by the spill must be remediated. Timely detection, reporting, and response are key to limiting the migration of spilled data under these circumstances.

Mission Owners must take steps to protect against the detrimental effects of a data spill: to the spilled data, to the Mission Owner’s virtual systems and networks, and to the cloud infrastructure on which it is spilled. One method is to encrypt ALL Mission Owner data stored in a cloud infrastructure. Such encryption must utilize FIPS 140-2 validated data-at-rest cryptography (operated in FIPS mode). If a spillage occurs, the encryption keys to the stored information can be destroyed, requiring data backup, recovery and disaster recovery remediation procedures to restore clean mission data from a clean backup not containing the spilled data. Alternate innovative methods for cloud data spill protection/remediation will be assessed for equivalency to standard methods and approved if found sufficient.


5.8 Data Recovery and Destruction

For the purpose of this section, Data Recovery and Destruction refers to a Mission Owner requiring the recovery and removal of data stored in a CSP’s infrastructure for the purpose of transferring it to a different storage facility. Destruction (removal) of the data in the CSP’s infrastructure is required subsequent to the successful recovery transfer. Transfers such as these typically occur when the contract with the CSP is terminated for any of several reasons or the CSP goes out of business. Mission owners must prepare for such eventualities and CSPs must support the capability in a timely manner.

Upon request by a Mission Owner, the CSP will make all Mission Owner data stored in certain service offerings available for electronic transfer out of the CSP environment, with subsequent destruction, within 60 days from the date of request. This primarily applies to any service offerings where the Mission Owner cannot just download files and request destruction of the files, as might be the case if the Mission Owner’s data is co-mingled in a large database with other Mission Owner’s data. Each Mission Owner may also request different means of data transfer (for example, as called out in the SLA), at its discretion. The subsequent destruction of transferred Mission Owner data must include removal from all CSO backups or mirrored storage maintained by the CSP. This is to prevent the Mission Owner data from being restored accidentally or intentionally after destruction has concluded. To support removal/recovery/destruction of CSP customer data in this type of service offering, the CSP must be able to identify Mission Owner data on a mission by mission basis. The CSP will provide assurance of all data destruction.

Alternate timeframes can be proposed and assessed by DoD for acceptability. Data backup entropy (i.e., letting backups be overwritten in accordance with CSP’s backup retention and media reuse policies) is unacceptable if longer than the defined destruction time frame. While this approach is typical for IaaS/PaaS, it may not be for SaaS where customer data might be co-mingled in a database and identification of a specific customer’s data is most important.

DoD Mission Owners using non-DoD service offerings must be capable of recovery of their data at any time if able to download the data files. For primary storage and CSO-managed backups or mirrored storage (or capability therein even if not obligated by contract) maintained by the non-DoD CSP, Mission Owners must assure that Level 4 and higher data is protected with FIPS 140-2 validated data-at-rest cryptography (operated in FIPS mode). This alleviates the need for data destruction, which can be simply accomplished by destroying the encryption key(s).
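Sections 5.7 and 5.8 rest on the same mechanism: when Mission Owner data is encrypted at rest, a spill or an end-of-contract destruction can be completed by destroying keys rather than by locating and sanitizing every block on primary storage and every mirror. The following is an added example, not text or code from the SRG or from this book, showing the key structure that makes this work: one key-encryption key (KEK) per Mission Owner, one data-encryption key (DEK) per stored object, both held only in a key store, with backups and mirrors receiving ciphertext only. The names `KeyStore`, `CloudStore`, `remediate_spill`, `destroy_mission_data` and the sample objects are assumptions made for the example; the stand-in cipher is built from the Python standard library and is not FIPS 140-2 validated, as the code comment states.

```python
import hashlib
import hmac
import os
import secrets

# ASSUMPTION: the cipher is a stand-in (HMAC-SHA256 keystream, encrypt-then-MAC)
# so the example runs on the standard library alone. It is NOT FIPS 140-2
# validated; an SRG deployment uses AES-GCM from a validated module in FIPS mode.
_NONCE_LEN, _TAG_LEN, _BLOCK = 16, 32, 32

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), _BLOCK):
        ks = hmac.new(key, nonce + (i // _BLOCK).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + _BLOCK], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(_NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on mismatch."""
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)

class KeyStore:
    """One KEK per mission, one DEK per object (kept only here, wrapped by the KEK)."""
    def __init__(self) -> None:
        self._kek: dict[str, bytes] = {}
        self._wrapped: dict[str, dict[str, bytes]] = {}

    def new_dek(self, mission: str, obj: str) -> bytes:
        kek = self._kek.setdefault(mission, secrets.token_bytes(32))
        dek = secrets.token_bytes(32)
        self._wrapped.setdefault(mission, {})[obj] = seal(kek, dek)
        return dek

    def dek(self, mission: str, obj: str) -> bytes:
        return unseal(self._kek[mission], self._wrapped[mission][obj])  # KeyError once destroyed

    def destroy_object_key(self, mission: str, obj: str) -> None:
        del self._wrapped[mission][obj]

    def destroy_mission_keys(self, mission: str) -> None:
        del self._kek[mission]
        self._wrapped.pop(mission, None)

class CloudStore:
    """Primary plus mirrors: every replica holds the same ciphertext and no keys."""
    def __init__(self, mirrors: int = 2) -> None:
        self.keys = KeyStore()
        self.replicas: list[dict[tuple[str, str], bytes]] = [{} for _ in range(mirrors + 1)]

    def put(self, mission: str, obj: str, data: bytes) -> None:
        ct = seal(self.keys.new_dek(mission, obj), data)
        for replica in self.replicas:  # backups and mirrors receive ciphertext only
            replica[(mission, obj)] = ct

    def get(self, mission: str, obj: str, replica: int = 0) -> bytes:
        return unseal(self.keys.dek(mission, obj), self.replicas[replica][(mission, obj)])

    def readable_copies(self, mission: str, obj: str) -> int:
        """Number of replicas of the object that can still be decrypted."""
        n = 0
        for r in range(len(self.replicas)):
            try:
                self.get(mission, obj, r)
                n += 1
            except (KeyError, ValueError):
                pass
        return n

    def remediate_spill(self, mission: str, obj: str) -> int:
        """Spill: destroy the object's DEK. Returns ciphertext copies now unrecoverable."""
        self.keys.destroy_object_key(mission, obj)
        return sum((mission, obj) in r for r in self.replicas)

    def destroy_mission_data(self, mission: str) -> int:
        """Contract end: destroy the mission KEK. Returns that mission's copies left on media."""
        self.keys.destroy_mission_keys(mission)
        return sum(1 for r in self.replicas for (m, _) in r if m == mission)

def demo() -> dict[str, int]:
    store = CloudStore(mirrors=2)
    store.put("mission-a", "plan.txt", b"routine data")                      # constructed
    store.put("mission-a", "spill.doc", b"CUI written to the wrong bucket")  # constructed
    store.put("mission-b", "other.txt", b"another Mission Owner's data")     # constructed
    out = {"before": store.readable_copies("mission-a", "spill.doc")}
    out["spill_copies_dead"] = store.remediate_spill("mission-a", "spill.doc")
    out["after"] = store.readable_copies("mission-a", "spill.doc")
    out["sibling_intact"] = store.readable_copies("mission-a", "plan.txt")
    out["mission_copies_dead"] = store.destroy_mission_data("mission-a")
    out["other_mission_intact"] = store.readable_copies("mission-b", "other.txt")
    return out
```

`demo()` walks the two cases the SRG describes: after `remediate_spill`, every replica of the spilled object is unrecoverable while the mission's other objects still decrypt, and after `destroy_mission_data` every copy of that mission's data on primary and mirrored storage is dead while another Mission Owner's data is unaffected, which is the mission-by-mission identification section 5.8 requires. Two caveats apply in practice. The approach only holds if the key store is excluded from the backup and mirror paths that carry ciphertext; a restored backup of the key store reverses the erasure, which is the backup retention problem section 5.8 calls unacceptable. And destroying a key record is itself a deletion on media: the key store's storage must be cleared or purged per NIST 800-88 on the same timeline, and unwrapped DEKs must not be cached beyond the request that used them (Python cannot zeroize memory, so a real implementation keeps keys in an HSM or a validated key management service).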


5.9 Reuse and Disposal of Storage Media and Hardware

CSPs will ensure that no residual DoD data exists on all storage devices decommissioned and disposed of, reused in an environment not governed by an agreement between the CSP and DoD, or transferred to a third party; as required by the FedRAMP selected security control MP-6.

Impact Levels 4/5: CSPs may not reuse or dispose of storage hardware until all DoD data has been successfully removed. The CSP will minimally ensure this by “Purging” all data on devices prior to decommissioning, disposal, reuse, or transfer, in accordance with NIST 800-88. Devices that cannot be cleared or purged must be physically destroyed, as defined in NIST 800-88. When there is any doubt as to the success of the clear or purge process, the storage device must be destroyed in accordance with NIST 800-88.

Impact Level 6: CSPs may not reuse or dispose of storage hardware at a lower sensitivity or classification level and will ensure classified data is irretrievable from decommissioned devices by sanitizing them in accordance with the NSA/CSS Storage Device Declassification Manual 9-12.


5.10 Architecture

This section of the Cloud Computing SRG provides guidance on the various architectural considerations related to DoD’s use of commercial cloud services in the following areas:

  • The connection between the CSP’s infrastructure and the DoD Information Network (DoDIN)
  • CSP service protections and integration into required DoDIN CND and access control services
  • Mission system/application protections and integration into required DoDIN CND and access control services

5.10.1 Cloud Access Points

The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services, states “Commercial cloud services used for Sensitive Data must be connected to customers through a Cloud Access Point (CAP)”

A DoD Cloud Access Point (CAP) is a system of network boundary protection and monitoring devices, otherwise known as an IA stack, through which CSP infrastructure will connect to a DoD Information Network (DoDIN) service; the Non-secure Internet Protocol Router Network (NIPRNet), or Secret Internet Protocol Router Network (SIPRNet). In general, the CAP will provide the following protections:

  • Protects the DoDIN and its network services.
  • Protects other DoD missions from incidents that affect a particular CSP’s supported missions.
  • Provides perimeter defenses and sensing for applications hosted in the commercial cloud service.
  • Provides a point at which Boundary CND sensing will occur.
  • Extends the DoD demilitarized zone (DMZ) architecture to external facing mission systems and applications.

The CAP architecture will change character depending on whether the cloud infrastructure is on-premises or off-premises. There are internal CAPs (ICAPs) and DoDIN/NIPRNet/SIPRNet Boundary CAPs (BCAPs). Some CAPs will leverage existing infrastructure and some will be a new capability.

The implementation of the DoDIN BCAP capability is ultimately a DISA responsibility as part of its mission to protect the DoDIN and DoD information. Per the 15 December 2014 DoD CIO memo, initial capability may temporarily be provided by DoD Components other than DISA, as approved by the DoD CIO. Specific CAP architectural requirements (under development) are beyond the scope of this SRG and will be published separately.

Connection of a mission system to the DoDIN via an ICAP or BCAP will be approved and recorded by the DISA Connection Approval Office in accordance with normal connection approval procedures. Initial connections (physical or virtual) to a CSP’s network will occur during onboarding of the CSP’s first Mission Owner customer. Additional connections will be made or capacity will be scaled as more Mission Owners use the given CSP. Specific processes and procedures regarding connection approval and Mission Owner connections via a BCAP are beyond the scope of this SRG and will be published separately.

CSP Infrastructure (dedicated to DoD) located inside the B/C/P/S “fence-line” (i.e., on-premises) connects via an ICAP. The architecture of ICAPs may vary and may leverage existing capabilities such as the IA Stack protecting a DoD Data center today or may be a Joint Regional Security Stack (JRSS). On the other hand, an ICAP may have special capabilities to support specific missions, CSP types (commercial or DoD), or cloud services.

CSP Infrastructure (shared w/ non-DoD or dedicated to DoD) located outside the B/C/P/S fence-line which connects to the DoDIN/NIPRNet does so via one or more BCAPs. The BCAP terminates dedicated circuits and VPN connections originating within the CSP’s network infrastructure and/or Mission Owner’s virtual networks. Any CSP network infrastructure or Mission Owner virtual network that is accessed via or from the NIPRNet/SIPRNet must connect to the DoDIN via a BCAP.

Impact Level 2: All traffic to and from off-premises CSP infrastructure serving Level 2 missions and the mission virtual networks will connect via the Internet. The BCAP is not used. On-premises CSP infrastructure serving Level 2 missions and the mission virtual networks will connect via an ICAP. See section 5.10.2.3, “Management Plane Connectivity” for additional details.

Impact Levels 4/5: All DoD traffic to and from CSP infrastructure serving Level 4 and Level 5 missions and the mission virtual networks must connect via one or more BCAPs. This includes the production plane for non-privileged user access and the management plane for privileged user access and deployed IA/CND tool connectivity to internal CND monitoring systems. See sections 5.10.2.2, “User/Data Plane Connectivity” and 5.10.2.3, “Management Plane Connectivity” for additional details. High availability Mission Owner systems and their supporting CSP network infrastructure must connect to two or more BCAPs. The BCAP will support Internet facing Mission Owner systems IAW the DMZ STIG.

Impact Level 6: All DoD traffic to and from CSP infrastructure serving Level 6 missions and the mission virtual networks must connect via one or more BCAPs to the SIPRNet instead of the NIPRNet. This includes the production plane for non-privileged user access and the management plane for privileged user access and deployed IA/CND tool connectivity to internal CND monitoring systems. See section 5.10.2.2, “User/Data Plane Connectivity” and 5.10.2.3, “Management Plane Connectivity” for additional details. High availability Mission Owner systems and their supporting CSP network infrastructure must connect to two or more BCAPs.

5.10.2 Network Planes

A plane, in a networking context, is one of three integral components of network architectures. These three elements - the data synchronization/control or network plane, the user/data or production plane, and the management plane - can be thought of as different areas of operations. Each plane carries a different type of traffic and is conceptually an overlay network on top of the network plane.

5.10.2.1 Network Plane Connectivity

The network or data sync/control plane carries signaling traffic and data replication between servers/data centers. Network control packets originate from or are destined for a network transport device (virtual or physical). The network plane in general is subject to network related DoD SRGs and STIGs. This Cloud Computing SRG does not contain additional requirements related to network plane connections to the cloud computing infrastructure.

5.10.2.2 User/Data Plane Connectivity

The user/data plane (also known as the forwarding plane, car