DoD Cloud Computing SRG: Changes in Revision 4

Version 4 of the DoD Cloud Computing SRG (Security Requirements Guide) brought several changes and clarifying guidance. This post details the key changes between v1 revision 3 and v1 revision 4.

Key Definitions

  • Impact Levels (IL)
    • Impact Level 2 (IL2): Non-Controlled Unclassified Information
    • Impact Level 4 (IL4): Controlled Unclassified Information (CUI)
    • Impact Level 5 (IL5): CUI and Unclassified National Security Information (U-NSI)
    • Impact Level 6 (IL6): Classified Information up to SECRET
  • Cloud Service Offering (CSO)
  • Cloud Service Provider (CSP)
  • Demilitarized Zone (DMZ)
  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Provisional Authorization (PA) – DoD’s acknowledgement of risk based on an evaluation of the CSP’s CSO and the potential for risk introduced to DoD networks.

PII/PHI in the Cloud

Version 4 of the Cloud SRG expanded on the required protections for Personally Identifiable Information (PII) and Protected Health Information (PHI) in the cloud. It established new requirements for PII at Level 2, further clarified the CNSSI 1253 Privacy Overlay, and addressed the effects of the Privacy Overlay on CSPs and Mission Owners. It also clarified that DISA will not assess CSO privacy controls; that responsibility falls on the Mission Owners performing privacy overlay assessments.

Typically, PII/PHI is categorized as CUI and, in the cloud, must be protected in an IL4 CSO at minimum. However, in accordance with the updated guidance, low-sensitivity PII may now be published or collected in IL2 CSOs. “Level 2 will be the minimum cybersecurity requirement for DoD system/applications containing low confidentiality impact level PII as determined in accordance with NIST SP 800-122” according to the DoD CIO memo, “Treatment of PII within Level 2 Commercial CSOs for DoD.”

Cloud SRG r4 also establishes new requirements for low PII published, collected, stored, or processed in commercial CSOs:

  • Mission Owners will only publish, collect, store and process low confidentiality impact (sensitivity) PII in a CSO that holds, at minimum, a FedRAMP Moderate P-ATO listed on the FedRAMP Marketplace and a DoD Level 2 PA, with privacy officer approval.
  • The Mission Owner’s PII impact level determination will consider all relevant factors together. One factor by itself might indicate a low impact level, but another factor could indicate a high impact level and thus override the first factor.
  • Prior to authorizing the system, the AO must review the PIA and ensure that the appropriate cyber assessments are performed per DoDI 8510.01 and the CC SRG, and that required CSSP cybersecurity support services are provided per DoDI 8530.01.
  • Low impact/sensitivity PII, when published or collected in a CSO with a Level 2 PA, must be minimally protected in accordance with NIST SP 800-122 and privacy laws as supported by a FedRAMP Moderate P-ATO, and the low PII overlay of the privacy overlay.

CNSSI 1253 provides all federal government departments, offices, agencies, and bureaus with a roadmap for security categorization of National Security Systems (NSS). As the need to protect PII and PHI has grown, the CNSS developed the CNSSI 1253 Privacy Overlay to protect PII and PHI in NSS.

The CNSSI 1253 Privacy Overlay addresses low, moderate, and high sensitivity PII and PHI by providing an overlay for each. It also customizes many of the security controls and security control enhancements in the FedRAMP Moderate and FedRAMP+ baselines. This overlay is explicit for all systems and CSOs that process or store PII/PHI for the Department of Defense. A Privacy Impact Assessment (PIA) will need to be completed to determine the overall confidentiality impact prior to selecting the relevant overlay (L, M, H, PHI).

Jurisdiction/Location Requirements

CSPs stretch across the globe and, depending on where the data resides, they may be required to meet the legal jurisdiction and location requirements of hosting countries. CSPs wanting to work with DoD and the U.S. government are required to enforce the jurisdiction/location requirements referenced in the Cloud Computing SRG.

To put it simply, all data stored and processed by and for the DoD has to reside in a facility under the exclusive legal jurisdiction of the U.S. The reason for this is to protect against seizure and improper use by non-U.S. persons and government entities. The one exception is DoD and military bases on foreign soil operating under Status of Forces Agreements (SOFAs).

CSPs that work with DoD or U.S. Federal Agencies must provide a list of all physical locations where their data could be stored at any given time. If CSPs add new locations, they will be required to update that list of new physical locations and make it available to DoD or Federal Agencies. In addition to providing the list of physical locations, the contracting officer and/or the mission owner must review the CSP terms and conditions to ensure that data stored and processed in U.S. data centers does not fall under the legal jurisdiction of another country.

CSP Service Architecture

The DoD understands that Mission Owners of cloud offerings will occasionally require a portion of their CSO to be internet facing. For these instances, DoD has made allowances for the CSP to have internet-facing applications, with the caveat that there remains a logical separation between NIPRNet and internet-facing applications, including separate web servers and IP addresses. To this end, Cloud SRG r4 has updated guidance on Off-Premises IL 4/5. Additional information provided includes the requirement for CSPs to provide a listing of their public IP subnets for registration as DoD DMZ addresses and for addition to the DoD DMZ/IAP whitelist. Updates to IL 4/5 Commercial IP Addressing and Routing target SaaS and some PaaS offerings, with the requirement that commercial IP subnets advertised on NIPRNet must be DoD-dedicated and separated from internet-accessible IP subnets.
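The separation requirement above lends itself to a mechanical check. As an added illustration (not code from the original post or from 38North), the script below takes three inventories a CSP would maintain under this guidance: the public subnets it registers as DoD DMZ addresses, the subnets it advertises on NIPRNet, and its internet-facing subnets. It flags any NIPRNet-advertised subnet that overlaps an internet-facing subnet, and any that is not contained in the registered DMZ list. The CIDR values are constructed sample data drawn from the RFC 5737 and RFC 3849 documentation ranges, and the function names are my own.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample inventories (RFC 5737 / RFC 3849 documentation ranges),
# standing in for the lists a CSP would supply under the Cloud SRG r4 guidance.
REGISTERED_DMZ = ["192.0.2.0/24", "2001:db8:1::/48"]                    # registered as DoD DMZ addresses
NIPR_ADVERTISED = ["192.0.2.0/25", "192.0.2.128/26", "198.51.100.0/24"]  # advertised on NIPRNet
INTERNET_FACING = ["203.0.113.0/24", "192.0.2.128/25"]                  # internet-accessible subnets


def parse_cidrs(cidrs: Iterable[str]) -> list:
    """Parse CIDR strings strictly: a host address with a prefix (e.g. 192.0.2.1/24) is rejected,
    which catches sloppy inventory entries before they are trusted."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def find_overlaps(nipr_cidrs: Iterable[str], internet_cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs of (NIPRNet-advertised, internet-facing) subnets whose address ranges overlap.
    Any hit means a NIPRNet subnet is not DoD-dedicated."""
    nipr = parse_cidrs(nipr_cidrs)
    inet = parse_cidrs(internet_cidrs)
    return [
        (str(n), str(i))
        for n in nipr
        for i in inet
        if n.version == i.version and n.overlaps(i)
    ]


def find_unregistered(nipr_cidrs: Iterable[str], registered_cidrs: Iterable[str]) -> List[str]:
    """NIPRNet-advertised subnets not contained in any subnet registered as a DoD DMZ address.
    The version check avoids the TypeError subnet_of raises when mixing IPv4 and IPv6."""
    registered = parse_cidrs(registered_cidrs)
    return [
        str(n)
        for n in parse_cidrs(nipr_cidrs)
        if not any(n.version == r.version and n.subnet_of(r) for r in registered)
    ]


def check_separation(nipr_cidrs: Iterable[str], internet_cidrs: Iterable[str],
                     registered_cidrs: Iterable[str]) -> Dict[str, object]:
    """Run both checks and report whether the advertised subnets satisfy the separation rule."""
    overlaps = find_overlaps(nipr_cidrs, internet_cidrs)
    unregistered = find_unregistered(nipr_cidrs, registered_cidrs)
    return {
        "overlaps": overlaps,
        "unregistered": unregistered,
        "compliant": not overlaps and not unregistered,
    }


if __name__ == "__main__":
    result = check_separation(NIPR_ADVERTISED, INTERNET_FACING, REGISTERED_DMZ)
    for nipr, inet in result["overlaps"]:
        print(f"VIOLATION: NIPRNet subnet {nipr} overlaps internet-facing subnet {inet}")
    for net in result["unregistered"]:
        print(f"VIOLATION: NIPRNet subnet {net} is not within a registered DMZ subnet")
    print("compliant" if result["compliant"] else "non-compliant")
```

On the constructed data the check reports one overlap (192.0.2.128/26 sits inside the internet-facing 192.0.2.128/25) and one unregistered subnet (198.51.100.0/24), so the inventory is non-compliant. Running the same check whenever the CSP updates its registered subnet list keeps the DMZ/IAP whitelist and the NIPRNet advertisements from drifting apart.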

DoD has also updated guidance for data-at-rest and data-in-transit encryption protections to include FIPS 140-3 validated modules in addition to the already listed FIPS 140-2. The FIPS 140-3 standard covers hardware, firmware, software, hybrid-software and hybrid-firmware modules, and places no restriction on the level at which a hybrid module may be validated.

Hybrid Cloud-Interconnections Between CSOs

A new section has been added to the Cloud SRG r4 that speaks to the interconnections between CSOs of differing ILs. Specifically, CSOs of differing levels may be connected, with the following caveats:

  • When interconnecting a higher impact level CSO with a lower impact level CSO, the transfer of the higher impact information to the lower impact level CSO must be prevented unless an approved cross domain solution (CDS) is used, and appropriate approval procedures are followed.
  • This is similar to organizations interconnecting “classified” and “unclassified” networks, with the notable caveat of this being in a cloud environment rather than on premises.
  • For Mission Owners leveraging multiple CSOs in their use case, connections between CSOs from different CSPs will traverse the CSOs’ connections to the meet-me router(s).
  • For CSOs leveraging external services:
  • It is the Mission Owner’s responsibility to require this. CSPs should work with their customer(s) to ensure full compliance with all guidance.
  • CSOs seeking an IL4/5 PA must ensure that sensitive DoD data is not transmitted to, or via, such external services unless that service has a DoD PA or is addressed in the CSO’s PA. If the CSO is an IL4/5 CSO, traffic to and from such services will not traverse the DISN BCAP, assuming the CSO serves non-DoD customers. The CSP must ensure that such external service connections, likely to be via the internet, do not permit access to NIPRNet via the BCAP.
  • This is new guidance that allows CSPs to leverage services from non-authorized cloud providers, with the understanding that the interconnections must be monitored so that unauthorized traffic and information transfer are avoided. CSPs should work with 38North Security and their customers to ensure all interconnections and data are compliant and secure.

Contact Us to Get Started

Contact 38North to understand how this revised guidance impacts your existing security and compliance approach for your US DoD customers.