After months of planning, the Defense Information Systems Agency has released its new cloud security requirements guide as the Defense Department moves to leverage cloud computing capabilities.
In a 65-page document, DISA lays out all the ways DOD can procure cloud services and how cloud service providers must go through different security check levels before they can handle DOD data. The guide shows how DISA plans to assess cloud service providers beyond the guidelines laid out in the Federal Risk and Authorization Management Program, or FedRAMP.
In a previous set of guidelines, DISA had created six impact levels to help evaluate how sensitive a given set of data is. But with the guide’s release, DISA eliminated levels 1 and 3 on its data impact scale, now only operating on levels 2, 4, 5 and 6.
The level reduction “was accomplished by integrating levels 1 (public information) and 3 (low impact Controlled Unclassified Information (CUI)) into levels 2 and 4, respectively,” the guide reads. “The numeric designators for the impact levels have not changed to remain consistent with previous versions of the cloud security model, leaving impact levels 2, 4, 5, and 6.”
The guide also provides security requirements and guidance to cloud service providers that wish to have their service offerings included in the DOD Cloud Service Catalog, and it establishes a framework that allows DOD to grant a cloud service provider a provisional authorization.
“The [guide] is designed to ensure that DOD can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk,” DISA Risk Management Executive Mark Orndorff said.
The guide comes as part of DISA’s overall focus on the cloud, which was highlighted by DISA CIO David Bennett during an industry day last August. The change in impact levels aligns with Bennett’s push to be more aware of what DOD data sits on what level of cloud.
“I fully expect we will put things fully out in the commercial cloud, for instance, publicly released information, we’ll just put it out there and forget about it. We’ll keep it updated, but, we’re not going to put any controls on it,” Bennett said in August. “But for the higher level of information, like PII or [health information], we can put that into a commercial facility, but we want to have some awareness of what’s going on with that information and extend the fence line around that enclave so we can maintain awareness.”
While the guide is considered a “final version,” Orndorff wrote in a Jan. 12 memo that he expects quarterly updates. According to the memo, the next update will focus on level 5 data and on hosting DOD workloads outside of U.S. facilities.
Download the full guide on DISA’s website.