Role |
Responsibility |
DISA |
- Provide security requirements guidelines (SRGs) and Security Technical Implementation Guidance (STIGs) for DoD cloud computing
- Assess CSP’s Service Offerings and 3PAO results for consideration in awarding a DoD Provisional Authorization
- Issue DoD Provisional Authorizations
- Develop and maintain a DoD Cloud Access Point (CAP).
- Provide DoDIN Computer Network Defense (CND) capabilities and maintain a CND concept of operations (CONOPS).
- Provide technical support for the DoD CIO's role on the FedRAMP Joint Authorization Board
- Provide a catalog of DoD cloud services.
- Maintain a registry of DoD Components using commercial cloud services.
- Support the DoDIN Waiver Process.
- Receive CSP's continuous monitoring products and pass them to the appropriate entities within DoD
- Serve as the DoD CNDSP certifier
|
Cloud Service Provider (CSP) |
- Commercial vendor or Federal organization offering or providing cloud services (Includes DoD CSPs)
- Provides Cloud Service Offerings for mission use
- Provides CNDSP services (all tiers) for their infrastructure and service offerings
|
Cloud Access Point (CAP) |
- Provided by DISA or other DoD Component
- Protect DoD missions from vulnerabilities or risk that may affect operations in a CSP environment
- Provide perimeter defenses and sensing for applications hosted in the commercial cloud service
|
DoD Chief Information Officer (DoD CIO) |
- Official approving authority for all CAPs
|
FedRAMP Joint Authorization Board (JAB) |
- Reviews CSP security assessment packages under the FedRAMP program
- Grants FedRAMP Provisional Authorizations
|
Third Party Assessment Organizations (3PAO) |
- Independently performs security assessments of a CSP cloud offering and creates security assessment package artifacts in accordance with FedRAMP requirements
- May perform continuous monitoring of CSP systems
- Independently assesses a CSP’s compliance with DoD FedRAMP+ security controls and other requirements
|
DISA Authorizing Official (AO) |
- Official approving PA for a CSP’s Service Offerings for DoD use
|
DISA CND Functions |
- Perform cross-CAP correlation and analysis of event/data.
- Direct C2 actions regarding DoDIN-wide incident and system health reporting involving a CAP or CSP.
- For DoDIN-wide incidents, establish and maintain external communications with the CSP and ensure internal DoD communications are established between all entities, including the MCND and BCND.
- Interface with US-CERT to obtain relevant CSP information; ensure cross-sharing of information across all BCND/MCND entities.
|
DoD Component Authorizing Official (AO) |
- Official approving ATOs for Mission Owner’s systems/applications
- Reviews PA documentation to understand residual risk
|
Mission Owner (CSP’s DoD Cloud Customer / DoD Cloud Consumer) |
- DoD entity that acquires cloud services in support of its mission
- Performs assessment to issue ATO for their mission systems/applications
- Ensures Tier 2 Mission Computer Network Defense (MCND) Service Provider is identified and funded
- Serves as CND Tier 3 for their mission systems/applications
- Ensures CSP requirements for CND and other SRG requirements are included in any cloud contracts
|
Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) |
- Receives incident reports from CSP as mandated by FedRAMP.
- Responsible for coordination across non-DoD agencies
|
Computer Network Defense Service Provider (CNDSP) |
- Provides Computer Network Defense (CND) services and Command and Control (C2) direction addressing the protection of the network, detection of threats, and response to incidents.
|
United States Cyber Command (USCYBERCOM) / JFHQ-DODIN |
- Notifies and coordinates, as appropriate, with US-CERT, Intelligence Community, Law Enforcement, and other Federal Agencies
- Provides Computer Network Defense (CND) services and Command and Control (C2) direction for the entire DoDIN and all DoD information systems
|
Boundary CND (BCND) |
- Monitors and defends the connections to/from off-premises CSPs at the Cloud Access Point (CAP)
- Provides cross-CSP analysis capabilities or entities
- Communicates with CND Tier 1 and Tier 2 entities
|
Mission CND (MCND) |
- Provides CND / C2 services to specific Mission Owner’s systems/applications and virtual networks
- Serves as the DoD CND / C2 point of contact for the CSP
- Communicates with CND Tier 2 and Tier 3 entities
|