Cloud Computing Concerns of the U.S. Government by Michael Erbschloe

Appendix A References

  1. Executive Order 13526: Classified National Security Information, dated 29 December 2009.
    http://www.archives.gov/isoo/policy-documents/cnsi-eo.html
  2. Executive Order 12829: National Industrial Security Program, dated January 1993.
    http://www.archives.gov/isoo/policy-documents/eo-12829.html
  3. NIST SP 500-292: NIST Cloud Computing Reference Architecture, dated September 2011.
    http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
  4. NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations, Revision 4, dated April 2013.
    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Note: http://csrc.nist.gov/publications/PubsSPs.html contains additional documents relating to SP 800-53.

  5. NIST SP 800-59: Guideline for Identifying an Information System as a National Security System, dated August 2003.
    http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf
  6. NIST SP 800-66, Revision 1: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, dated October 2008.
    http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
  7. NIST SP 800-88, Revision 1 (Draft): Guidelines for Media Sanitization, dated September 2012.
    http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf
  8. NIST SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), dated April 2010.
    http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
  9. NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing, dated December 2011.
    http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
  10. NIST SP 800-145: The NIST Definition of Cloud Computing, dated September 2011.
    http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
  11. NIST SP 800-37, Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems, dated February 2010.
    http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
  12. CNSS Instruction 4009: National Information Assurance (IA) Glossary, dated 30 April 2010.
    https://www.cnss.gov
  13. CNSS Instruction 1253: Security Categorization and Control Selection for National Security Systems, dated 27 March 2014.
    https://www.cnss.gov
  14. CNSS Instruction No. 1253F, Attachment 5: Classified Information Overlay, dated 09 May 2014.
    https://www.cnss.gov
  15. CNSS Instruction No. 1253F, Attachment x: Privacy Overlay, dated TBD.
    https://www.cnss.gov (when available)
  16. DoD Chief Information Officer, Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services, dated 15 December 2014.
    http://iase.disa.mil/Documents/commercial_cloud_computing_services.pdf
  17. DoD Instruction 8500.01: Cybersecurity, dated 14 March 2014.
    http://dtic.mil/whs/directives/corres/pdf/850001_2014.pdf
  18. DoD Instruction 8510.01: Risk Management Framework (RMF) for DoD Information Technology (IT), dated 12 March 2014.
    http://dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
  19. DoD Instruction 8520.03: Identity Authentication for Information Systems, dated 13 May 2011.
    http://dtic.mil/whs/directives/corres/pdf/852003p.pdf
  20. DoD Instruction O-8530.2: Support to Computer Network Defense (CND), dated 9 March 2001.
    https://whsddpubs.dtic.mil/corres/pdf/O85302p.pdf (PKI required)
  21. DoD Instruction 5220.22: National Industrial Security Program, dated March 2011.
    http://www.dtic.mil/whs/directives/corres/pdf/522022p.pdf
  22. DoD Instruction 5200.02: DoD Personnel Security Program (PSP), Change 1, dated September 2014.
    http://www.dtic.mil/whs/directives/corres/pdf/520002_2014.pdf
  23. DoD Manual 5220.22: National Industrial Security Program: Operating Manual (NISPOM), dated March 2013.
    http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf
  24. DoD Instruction 5200.01: DoD Information Security Program and Protection of SCI, dated June 2011.
    http://www.dtic.mil/whs/directives/corres/pdf/520001p.pdf
  25. DoD Manual 5200.01, Vol 1: DoD Information Security Program: Overview, Classification and Declassification, dated February 2012.
    http://www.dtic.mil/whs/directives/corres/pdf/520001_vol1.pdf
  26. DoD Manual 5200.01, Vol 2: DoD Information Security Program: Marking of Classified Information, dated March 2013.
    http://www.dtic.mil/whs/directives/corres/pdf/520001_vol2.pdf
  27. DoD Manual 5200.01, Vol 3: DoD Information Security Program: Protection of Classified Information, dated March 2013.
    http://www.dtic.mil/whs/directives/corres/pdf/520001_vol3.pdf
  28. DoD Manual 5200.2-R: Personnel Security Program, dated February 1996.
    http://www.dtic.mil/whs/directives/corres/pdf/520002r.pdf
  29. CJCSM 6510.01B: Chairman of the Joint Chiefs of Staff Manual: Cyber Incident Handling Program, dated 10 July 2012.
    http://www.dtic.mil/cjcs_directives/cdata/unlimit/m651001.pdf
  30. DSS Facility Clearance Branch.
    http://www.dss.mil/isp/fac_clear/fac_clear.html
  31. DoD ECA PKI Certificate.
    http://iase.disa.mil/pki/eca/Pages/index.aspx
  32. OPM Position Designation System 2010.
    http://www.opm.gov/investigations/background-investigations/position-designation-tool/oct2010.pdf
  33. Federal Risk and Authorization Management Program (FedRAMP) Home Page.
    http://cloud.cio.gov/fedramp
  34. FedRAMP Control Specific Contract Clauses v2, dated 6 June 2014.
    http://cloud.cio.gov/document/control-specific-contract-clauses
  35. Defense Information Systems Agency, Security Technical Implementation Guide (STIG) Home Page.
    http://iase.disa.mil
  36. Defense Information Systems Agency, DoD Cloud Services Support website.
    http://disa.mil/Services/DoD-Cloud-Broker


Appendix B Definitions

Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

Availability: The property of being accessible and useable upon demand by an authorized entity.

Classified Data: Information that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor Order, to be classified national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD).

CNDSP: Computer Network Defense Service Provider

Federal Community Cloud: A multi-tenant cloud in which services are provided for the exclusive use of the DoD and Federal Government organizations. Resources providing the cloud services must be dedicated to Federal Government use and require physical separation from non-DoD/non-Federal customers.

Confidentiality: The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.

Infrastructure as a Service (IaaS): A cloud service model focused on providing the infrastructure required to host a workload; includes virtual machines, servers, storage, load balancers, network, etc.

Integrity: The property whereby an entity has not been modified in an unauthorized manner.

JAB: Joint Authorization Board. The primary governance and decision-making body for the FedRAMP program.

Non-Repudiation: Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither may later deny having processed the data.

Platform as a Service (PaaS): A cloud service model focused on providing a suite of environment capabilities that enables the execution or development of applications; includes operating system, execution runtime, database, web server, development tools, etc.

Private Cloud: Cloud in which services are provided for the exclusive use of the DoD; supporting multiple DoD tenants or DoD sponsored tenants in the same cloud. The DoD maintains ultimate authority over the usage of the cloud services, and any non-DoD use of services must be authorized and sponsored through the DoD. Resources providing the cloud services must be dedicated to DoD use and have physical separation from resources not dedicated to DoD use.

Restoration: The return of something to a former, original, normal, or unimpaired condition.

Software as a Service (SaaS): A cloud service model focused on providing the full suite of products and applications to provide a service; includes email, virtual desktop, communication, applications, etc.