the Component CIO and a copy submitted to the DoD CIO. DISA provided cloud services must be considered as part of the BCA.
4. The Federal Risk Authorization and Management Program (FedRAMP) will serve as the minimum security baseline for all DoD cloud services as described in reference (d). Per current policy, components may host Unclassified DoD information that has been publicly released on FedRAMP approved cloud services.
5. For more sensitive DoD unclassified data or missions (called Sensitive Data below), DoD has developed cloud security requirements and guidance that go beyond FedRAMP. A draft of this DoD Cloud Computing Security Requirements Guide (the Guide) is currently out for DoD public comment, with official release scheduled for January 7, 2015. The Guide is intended to give cloud providers a stable security requirement, and to help DoD cloud customers move more rapidly and securely into the cloud. The Guide defines several classes of Sensitive Data, with increasing security requirements for each. Additional detail on the Guide and the Guide development process can be found in paragraph 11.
6. Any cloud service provider that is interested in hosting Sensitive Data will submit evidence to DISA that the provider meets specific requirements of the Guide. DISA will evaluate this evidence and, if the provider meets the requirements, DISA will issue a DoD Provisional Authorization (PA). The PA will describe the types of information and mission that can be hosted by a particular cloud service.
7. Per the BCA of paragraph three, using the customer guidance in the Guide and the information in the PA, the CIO of each Component will determine which cloud service provider to use for a particular set of information or mission. DoD Components may only host Sensitive Data in cloud service providers that have an appropriate PA.
8. Commercial cloud services used for Sensitive Data must be connected to customers through a Cloud Access Point (CAP) provided by DISA or through a CAP provided by another DoD Component. All CAPs must be approved by DoD CIO. The current Navy CAP is an example of an approved provisional cloud access point. In the future, in order to standardize cyber defenses, our goal is that all DoD access to commercial cloud services be via a DISA provided CAP. This CAP will protect all DoD missions from incidents that affect a particular cloud service provider, and will provide perimeter defenses and sensing for applications hosted in the commercial cloud service.
9. Operations in a cloud environment are diverse and will require different concepts of operations (CONOPS), business strategies, etc. Components are responsible for cyberspace defense of all information and missions hosted in commercial cloud services, and will share cyberspace defense information as necessary and appropriate with cloud service providers, in accordance with reference (e). DoD Components that acquire or use cloud services are still responsible for ensuring that end to end security requirements are met. To operate and defend successfully, this will require collaboration and information sharing among the Component, DISA and the cloud service provider.