DOD Cloud Security Requirements Get an Update
DISA is updating the Security Requirements Guide for DOD cloud service providers and the requirements for securing cloud access points.
As part of the Defense Department’s initiative to migrate department websites and applications to the cloud, the Defense Information Systems Agency (DISA) is updating the Security Requirements Guide (SRG) for cloud service providers, and also requirements for securing cloud access points.
Draft versions of the revised documents have been released [http://iase.disa.mil/cloud_security/Pages/index.aspx] for public comment.
“Cloud computing enables the department to consolidate infrastructure, leverage commodity IT functions, and eliminate functional redundancies while improving continuity of operations,” the authors say in introducing the new SRG. The success of the cloud initiative depends on properly securing the cloud environment, whether operated by DOD or by commercial providers. “Consistent implementation and operation of these requirements assures mission execution, provides sensitive data protection, increases mission effectiveness, and ultimately results in the outcomes and operational efficiencies the DOD seeks.”
The initial version of the Cloud Computing SRG, released late last year, replaced DISA’s Cloud Security Model for public data and Controlled Unclassified Information (CUI). The SRG also covers classified information up to and including Secret. The draft updates provide more detailed definitions of cloud security, with detailed requirements for DOD managers acquiring and authorizing the service offerings as well as for the service providers.
The SRG spells out the security model that DOD will use for cloud computing. It provides guidance for service providers who want to be included in the DOD Cloud Service Catalog and establishes a basis for DOD agencies in assessing security in granting a provisional authority to operate. The guidance follows the requirements of the civilian Federal Risk and Authorization Management Program (FedRAMP), together with DOD-specific needs.
Like FedRAMP, the SRG relies primarily on the catalog of cybersecurity controls published by the National Institute of Standards and Technology in Special Publication 800-53. [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf]
A draft update of a companion document on Cloud Access Point Functional Requirements focuses on securing the gateway between the DOD network and the commercial platform.
The DOD cloud initiative recognizes the need to maintain security at the network perimeter, including the access point. The agency must provide a consistent level of security to enable the use of commercial cloud services, including the capability to detect and prevent an attack before it reaches the DOD information network. As an initial offering, DISA is modifying the NIPRNet Federated Gateway (NFG) to serve as the CAP offering.
A new document being released for comment is the DOD Concept of Operations for Cloud Computer Network Defense, which defines reporting and incident handling procedures for cloud computing, based on specifications in the SRG and other requirements.
Comments on the draft documents are due by Aug. 22. DISA has posted comment forms for each document. Each form, containing a single comment, should be returned in a separate e-mail to firstname.lastname@example.org with “[Organization name] Comments for [document title]” in the subject line.
William Jackson is a freelance writer with the Tech Writers Bureau [www.techwritersbureau.com] and the author of The Cybereye. Follow him on Twitter @TheCybereye.