DoD Cloud Computing SRG: Changes in Revision 4

Andrew Hennigan
Jesus Varela
Technical Project Lead, Cloud Security Advisory

Jesus secured and managed US DoD and Federal systems for over 15 years before transitioning to commercial advisory. He has extensive experience building new systems, and improving existing systems, to meet a variety of cloud security frameworks.

Version 4 of the DoD Cloud Computing SRG (Security Requirements Guide) brought several changes and clarifying guidance. This post details the key changes between v1 Revision 3 and v1 Revision 4.

Key Definitions

  • Impact Levels (IL)
    • Impact Level 2 (IL2): Non-Controlled Unclassified Information
    • Impact Level 4 (IL4): Controlled Unclassified Information (CUI)
    • Impact Level 5 (IL5): CUI and Unclassified National Security Information (U-NSI)
    • Impact Level 6 (IL6): Classified Information up to SECRET
  • Cloud Service Offering (CSO)
  • Cloud Service Provider (CSP)
  • Demilitarized Zone (DMZ)
  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Provisional Authorization (PA): DoD’s acknowledgement of risk based on an evaluation of the CSP’s CSO and the potential risk introduced to DoD networks.

PII/PHI in the Cloud

Version 4 of the Cloud SRG expanded the required protections for Personally Identifiable Information (PII) and Protected Health Information (PHI) in the cloud. It established new requirements for PII at Level 2, further clarified the CNSSI 1253 Privacy Overlay, and addressed the effects of the Privacy Overlay on CSPs and Mission Owners. It also clarified that DISA will not assess CSO privacy controls; that responsibility falls to the Mission Owners performing Privacy Overlay assessments.

Typically, PII/PHI is categorized as CUI and, in the cloud, must be protected in an IL4 CSO at minimum. However, under the updated guidance, low-sensitivity PII may now be published or collected in IL2 CSOs. “Level 2 will be the minimum cybersecurity requirement for DoD system/applications containing low confidentiality impact level PII as determined in accordance with NIST SP 800-122,” according to the DoD CIO memo “Treatment of PII within Level 2 Commercial CSOs for DoD.”

Cloud SRG r4 also establishes new requirements for low-sensitivity PII published, collected, stored, or processed in commercial CSOs:

  • Mission Owners will only publish, collect, store, and process low confidentiality impact (sensitivity) PII in a CSO that holds, at minimum, a FedRAMP Moderate P-ATO listed on the FedRAMP Marketplace and a DoD Level 2 PA, with privacy officer approval.
  • The Mission Owner’s PII impact level determination must consider all relevant factors together. One factor by itself might indicate a low impact level, but another factor could indicate a high impact level and thus override the first.
  • Prior to authorizing the system, the AO must review the PIA and ensure that the appropriate cyber assessments are performed per DoDI 8510.01 and the CC SRG, and that the required CSSP cybersecurity support services are provided per DoDI 8530.01.
  • Low impact/sensitivity PII, when published or collected in a CSO with a Level 2 PA, must be minimally protected in accordance with NIST SP 800-122 and applicable privacy laws, as supported by a FedRAMP Moderate P-ATO and the low PII overlay of the Privacy Overlay.

CNSSI 1253 provides all federal government departments, offices, agencies, and bureaus with a roadmap for the security categorization of National Security Systems (NSS). As the need to protect PII and PHI has grown, the CNSS developed the CNSSI 1253 Privacy Overlay to protect PII and PHI in NSS.

The CNSSI 1253 Privacy Overlay addresses low, moderate, and high sensitivity PII, and PHI, by providing an overlay for each. It also tailors many of the security controls and control enhancements in the FedRAMP Moderate and FedRAMP+ baselines. The overlay applies explicitly to all systems and CSOs that process or store PII/PHI for the Department of Defense. A Privacy Impact Assessment (PIA) must be completed to determine the overall confidentiality impact before selecting the relevant overlay (L, M, H, PHI).

Jurisdiction/Location Requirements

CSPs stretch across the globe and, depending on where the data resides, may be required to meet the legal jurisdiction and location requirements of the hosting countries. CSPs wanting to work with DoD and the U.S. government are required to enforce the jurisdiction/location requirements referenced in the Cloud Computing SRG.

To put it simply, all data stored and processed by and for the DoD has to reside in a facility under the exclusive legal jurisdiction of the U.S. The reason is to protect against seizure and improper use by non-U.S. persons and government entities. The one caveat is DoD and military bases on foreign soil operating under Status of Forces Agreements (SOFAs).

CSPs that work with DoD or U.S. Federal Agencies must provide a list of all physical locations where their data could be stored at any given time. If CSPs add new locations, they will be required to update that list of new physical locations and make it available to DoD or Federal Agencies. In addition to providing the list of physical locations, the contracting officer and/or the mission owner must review the CSP terms and conditions to ensure that data stored and processed in U.S. data centers does not fall under the legal jurisdiction of another country.

CSP Service Architecture

The DoD understands that Mission Owners of cloud offerings will occasionally require a portion of their CSO to be internet-facing. For these instances, DoD allows the CSP to host internet-facing applications, with the caveat that a logical separation must remain between NIPRNet-facing and internet-facing applications, including separate web servers and IP addresses. To this end, Cloud SRG r4 has updated its guidance on Off-Premises IL 4/5. The additional information includes the requirement for CSPs to provide a listing of their public IP subnets for registration as DoD DMZ addresses and for addition to the DoD DMZ/IAP whitelist. Updates to IL 4/5 Commercial IP Addressing and Routing target SaaS and some PaaS offerings, and require that commercial IP subnets advertised on NIPRNet be DoD-dedicated and separated from internet-accessible IP subnets.

DoD has also updated its guidance for data-at-rest and data-in-transit encryption protections to include FIPS 140-3 validated modules in addition to the already listed FIPS 140-2. The FIPS 140-3 standard covers hardware, firmware, software, hybrid-software, and hybrid-firmware modules, and places no restriction on the level at which a hybrid module may be validated.

Hybrid Cloud-Interconnections Between CSOs

A new section has been added to Cloud SRG r4 that addresses interconnections between CSOs of differing ILs. Specifically, CSOs of differing levels may be connected, with the following caveats:

  • When interconnecting a higher impact level CSO with a lower impact level CSO, the transfer of the higher impact information to the lower impact level CSO must be prevented unless an approved cross domain solution (CDS) is used and the appropriate approval procedures are followed.
    • This is similar to organizations interconnecting “classified” and “unclassified” networks, with the notable difference that it takes place in a cloud environment rather than on premises.
  • For Mission Owners leveraging multiple CSOs in their use case, connections between CSOs from different CSPs will traverse each CSO’s connections to the meet-me router(s).
    • It is the Mission Owner’s responsibility to require this. CSPs should work with their customer(s) to ensure full compliance with all guidance.
  • For CSOs leveraging external services:
    • CSOs seeking an IL4/5 PA must ensure that sensitive DoD data is not transmitted to, or via, such external services unless that service has a DoD PA or is addressed in the CSO’s PA. If the CSO is an IL4/5 CSO, traffic to and from such services will not traverse the DISN BCAP, assuming the CSO serves non-DoD customers. The CSP must ensure that such external service connections, which are likely to be via the internet, do not permit access to NIPRNet via the BCAP.
    • This is new guidance that allows CSPs to leverage services from non-authorized cloud providers, with the understanding that the interconnections must be monitored so that unauthorized traffic and information transfer are avoided. CSPs should work with 38North Security and their customers to ensure all interconnections and data are compliant and secure.

Contact Us to Get Started 

Contact 38North to understand how this revised guidance impacts your existing security and compliance approach for your US DoD customers.

Frequently Asked Questions:

1. How do the changes in Version 4 of the DoD Cloud Computing SRG affect the handling of Personally Identifiable Information (PII) and Protected Health Information (PHI) in the cloud?

The changes in Version 4 of the DoD Cloud Computing SRG affect the handling of Personally Identifiable Information (PII) and Protected Health Information (PHI) in the cloud by expanding required protections and introducing new requirements. Specifically:

  1. Expanded Protections: Version 4 establishes new requirements for PII at Impact Level 2 (IL2), providing additional clarity on the protection of PII and PHI. It also clarifies the role of DISA in assessing CSO privacy controls.
  2. Minimum Cybersecurity Requirement: DoD system/applications containing low confidentiality impact level PII, as determined in accordance with NIST SP 800-122, now require a minimum cybersecurity requirement of Level 2.
  3. Authorization Process: Mission owners must review Privacy Impact Assessments (PIAs) and ensure appropriate cyber assessments are performed in accordance with DoDI 8510.01 and the CC SRG. This ensures compliance with cybersecurity support services as per DoDI 8530.01.
  4. Publication and Processing: Mission owners are only permitted to publish, collect, store, and process low confidentiality impact (sensitivity) PII in CSOs that meet specific criteria, including FedRAMP Moderate P-ATO and DoD Level 2 PA, with privacy officer approval.
  5. Privacy Overlay: The CNSSI 1253 Privacy Overlay is referenced for protection of PII and PHI in National Security Systems (NSS), providing customized security controls and enhancements. A Privacy Impact Assessment (PIA) determines the appropriate overlay (L, M, H, PHI) based on confidentiality impact.

In summary, Version 4 of the DoD Cloud Computing SRG strengthens the requirements and guidelines for handling PII and PHI in the cloud, providing more clarity and specificity for mission owners and Cloud Service Providers (CSPs) to ensure compliance and protection of sensitive information.

2. Can you elaborate on the specific factors that determine the impact level of PII for Mission Owners when considering its publication, collection, storage, or processing in commercial Cloud Service Offerings (CSOs)?

Certainly, the impact level of Personally Identifiable Information (PII) for Mission Owners when considering its publication, collection, storage, or processing in commercial Cloud Service Offerings (CSOs) depends on several factors. These factors include:

  1. Confidentiality Sensitivity: The sensitivity of the PII itself plays a crucial role. Mission Owners must assess the level of sensitivity associated with the PII data. Factors such as the nature of the information (e.g., financial, medical, personal identifiers) and the potential harm if disclosed or compromised determine its impact level.
  2. Legal and Regulatory Requirements: Mission Owners must consider the legal and regulatory requirements applicable to the PII being processed. Certain types of PII, such as health information (Protected Health Information or PHI), are subject to specific regulations like the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR), which may influence the impact level.
  3. Data Usage and Access Controls: The intended use and access controls for the PII within the CSOs are significant factors. Mission Owners need to evaluate who will have access to the PII, how it will be used, and whether additional security measures are required to prevent unauthorized access or disclosure.
  4. Risk Assessment: Mission Owners conduct risk assessments to identify potential threats and vulnerabilities associated with the PII. Factors such as the likelihood of unauthorized access, data breaches, or misuse of the PII contribute to determining its impact level.
  5. Compliance Requirements: Compliance with relevant cybersecurity standards, such as NIST SP 800-122, FedRAMP, and the Cloud Computing SRG, influences the impact level. Mission Owners must ensure that the CSOs meet the necessary compliance requirements for handling PII at different impact levels.
  6. Privacy Impact Assessment (PIA): Mission Owners may conduct Privacy Impact Assessments (PIAs) to evaluate the impact of collecting, storing, and processing PII within CSOs. The findings of the PIA help determine the appropriate safeguards and controls needed to protect the PII effectively.

Overall, Mission Owners need to consider a combination of factors, including the sensitivity of the PII, legal requirements, access controls, risk assessments, compliance standards, and PIAs, to determine the impact level of PII when utilizing commercial CSOs. This comprehensive evaluation ensures that appropriate security measures are implemented to protect PII adequately.

3. What are the requirements and considerations regarding jurisdiction and location of data storage for Cloud Service Providers (CSPs) working with the Department of Defense (DoD) and U.S. Federal Agencies?

The requirements and considerations regarding jurisdiction and location of data storage for Cloud Service Providers (CSPs) working with the Department of Defense (DoD) and U.S. Federal Agencies are crucial for ensuring data security, compliance, and legal jurisdiction. Here are the key aspects:

  1. Exclusive Legal Jurisdiction: All data stored and processed by and for the DoD and U.S. Federal Agencies must reside in facilities under the exclusive legal jurisdiction of the United States. This requirement aims to protect against seizure and improper use by non-U.S. persons and government entities.
  2. Status of Forces Agreements (SOFAs): There is a caveat for DoD and military bases on foreign soil operating under Status of Forces Agreements (SOFAs). In such cases, data storage and processing may occur in facilities outside the U.S. but must still adhere to the legal jurisdiction agreements outlined in the SOFA.
  3. CSP Disclosure: CSPs working with the DoD and U.S. Federal Agencies must provide a comprehensive list of all physical locations where data could be stored at any given time. This list ensures transparency and enables agencies to verify compliance with legal jurisdiction requirements.
  4. Update Requirements: CSPs are required to promptly update the list of physical locations where data is stored whenever new locations are added. This ensures that agencies have up-to-date information on the location of their data and can verify compliance.
  5. Contract Review: Contracting officers and/or mission owners must review the terms and conditions provided by CSPs to ensure that data stored and processed in U.S. data centers does not fall under the legal jurisdiction of another country. This review ensures alignment with legal jurisdiction requirements and mitigates risks associated with data sovereignty.
  6. Compliance Monitoring: Agencies must actively monitor CSPs to ensure compliance with jurisdiction and location requirements. This may involve periodic audits, assessments, or reviews to verify that data storage and processing practices align with contractual agreements and legal jurisdiction regulations.

By adhering to these requirements and considerations, CSPs can ensure that data storage and processing activities comply with legal jurisdiction regulations and meet the security and compliance needs of the DoD and U.S. Federal Agencies. This helps to safeguard sensitive information and mitigate risks associated with data sovereignty and jurisdictional issues.
