What Are the DoD Cloud Computing Security Assessment Requirements?
Published 01/26/2023
Originally published by Schellman.
Written by Jon Coffelt, Schellman.
When you compare the two tallest mountains in the world—K2 and Everest—some of the facts might surprise you. For instance, did you know that K2’s climbing route is more technical than that of the tallest mountain in the world?
In fact, in terms of the journey from foot to peak, the K2 summit is actually farther than Mount Everest. That’s why roughly only 300 people have climbed it, compared to approximately four thousand summits on Everest.
To put this in federal compliance terms, if FedRAMP is the prominent Everest, then Department of Defense (DoD) requirements are K2.
Everybody knows FedRAMP by this point, but when preparing an initial cloud service offering (CSO) for use by the DoD, you must implement controls above and beyond those baselines, including additional NIST SP 800-53 controls, non-NIST-based DoD requirements, and DoD General Readiness requirements. Not only that, but your DoD Mission Owner (MO)—or your DoD sponsor entity—may select DoD Service Level Agreement (SLA) and Privacy Overlay controls (NIST 800-53-based), as well as DoD agency requirements or data classifications/usage applicable to your CSO.
So what does it take to “summit” what can be incredibly complex DoD requirements? As a seasoned 3PAO, we’re going to pass some insight on to you.
In this article, we’ll break down the different DoD Assessment requirements as laid out by the Defense Information Systems Agency (DISA), along with the necessary deliverables needed for review and what must happen after the initial package gets approved or if any changes are made.
Read on to understand how this all works so you can better simplify what are incredibly complex compliance requirements.
A Breakdown of Required DoD Compliance Controls
In-Scope DoD NIST SP 800-53 Controls by Impact Level
DoD requires a FedRAMP System Security Plan (SSP) and a DoD SSP Addendum for all Impact Level (IL4-IL6) CSO packages. This addendum is structured similarly to the FedRAMP SSP—it covers the descriptions of security control implementations for the DoD-impacted controls (IL4, IL5, and IL6 controls). The number of in-scope controls by impact level and baseline is:

| Impact Level | Moderate baseline | High baseline |
|---|---|---|
| IL2 | 325 | |
| IL4 | 363 | 421 |
| IL5 | 372 | 430 |
| IL6 | 372* | 430* |

*Control CA-3(1) is not applicable at impact level 6. Moderate and High IL6 add SC-7(14).
NOTE: DoD adds several control parameter changes to FedRAMP control baselines.
For details of controls in the above table, see Table 5-1 DoD FedRAMP+ Security Controls/Enhancements in the SRG v1r4.
NIST SP 800-53 DoD Service Level Agreement (SLAs) and Privacy Overlay Controls
The DoD SSP Addendum is also used to document control implementations for DoD Mission Owner Service Level Agreements (SLAs) and Privacy Overlay controls if in scope.
To confirm whether these are required as part of your baseline and need to be assessed, check with your DoD Mission Owner and DISA. If they are, see Table D-2 and Appendix E, respectively, within the DoD SRG v1r4 for details.
Non-NIST-Based DoD Requirements
Here’s a high-level (i.e., not exhaustive) summary of what those address:
- Supply Chain Risk Management Plan (SCRM Plan), including anti-counterfeit plan.
- Multi-factor authentication with virtual/soft tokens (IL2 and IL4) or physical/hard tokens (IL5 – IL6) is required.
- Physical separation of IL5 tenant data from non-federal tenant data. Logical separation must exist between the federal agency and DoD tenants for IL2 and IL4.
- System components must be hardened using DISA STIGs, when available.
DoD General Readiness Requirements
The DoD SSP Addendum also covers DoD General Readiness requirements, which are outlined in section 11.1 DoD General Readiness Requirements (GR):
| GR-# | Question | Requirements |
|---|---|---|
| GR-1 | DoD PKI Authentication | |
| GR-2 | DoD IP Addressing | |
| GR-3 | Data Locations | |
| GR-4 | Management Plane Connectivity | |
| GR-5 | CSO Personnel | |
| GR-6 | Private Connection Availability Between CSP's/CSO's Network and DoD Network | |
| GR-7 | Reliance on Internet-Based Capabilities | |
| GR-8 | Reliance of Internet Access | |
| GR-9 | CSP/CSO's Protection | |
| GR-10 | Defense in Depth Architecture | |
DoD Security Assessment Deliverables
Testing of what’s applicable above all rolls up into your 3PAO-developed DoD assessment package, which includes the following required deliverables to be submitted to DISA:
- Security Assessment Plan Package (SAP):
- Includes control testing approach, methodology, testing scope, and penetration testing plan and/or rules of behavior.
- Security Assessment Report Package (SAR):
- Includes control testing results (FedRAMP controls, aforementioned DoD IL controls and parameters, SLAs, Privacy, and GR requirements), penetration testing report, data used for the assessment (e.g., raw scan output), and a Risk Exposure Table (RET).
DISA also requires a DoD Readiness Assessment Report (RAR) to be submitted for review as part of your initial assessment. As a summary of your security control capabilities, it gives DoD an easier way to digest your security assessment results as a whole.
Continuous Monitoring (Ongoing Assessment) Phase
Once the package has been reviewed and approved, your CSO obtains a DISA Provisional Authorization (PA) and MO ATO, after which you enter the continuous monitoring (annual assessment) phase.
Requirements for this recurring, annual assessment are reduced and typically include:
- Core FedRAMP controls (with DoD parameters)
- About one-third of discretionary controls (one-third of the total control baseline minus core controls):
- Testing one-third of discretionary controls occurs in a rolling fashion (SLAs, Privacy included) so that all discretionary controls are tested by the end of the third annual assessment year.
- All Non-NIST based requirements must be maintained.
- DoD General Readiness Requirements are tested again during the third annual assessment.
- Note: Some DoD MOs do not require this retesting of GRs at all, while some may want them retested on an annual basis.
Your annual assessments should occur before the DISA Provisional Authorization (PA) and MO ATO expiration date—talk to your MO for guidance to ensure your latest SAR will be delivered before it is due.
NOTE: A RAR is not a requirement for annual continuous monitoring (ongoing assessment).
DoD Requirements for Significant Changes
Of course, information systems aren’t static and you’ll probably introduce updates at some point—including after obtaining ATO. But like FedRAMP, DISA requires full planning, documentation, visibility and awareness, and security testing regarding changes deemed to affect your security posture or alter security control implementation.
Known as “significant changes,” these are defined as follows:
“a change that is likely to affect the security state of an information system.” Examples are provided as follows: “Significant changes to an information system may include for example: (i) installation of a new or upgraded operating system, middleware component, or application; (ii) modifications to system ports, protocols, or services; (iii) installation of a new or upgraded hardware platform; (iv) modifications to cryptographic modules or services; or (v) modifications to security controls. Examples of significant changes to the environment of operation may include for example: (i) moving to a new facility; (ii) adding new core missions or business functions; (iii) acquiring specific and credible threat information that the organization is being targeted by a threat source; or (iv) establishing new/modified laws, directives, policies, or regulations.”
Talk to your FedRAMP/DoD advisor, DISA representative, and DoD MO to determine if your proposed change fits into this category and if so, here’s what has to happen:
- You must complete a Security Impact Analysis (SIA) for DISA before implementing the change (typically before the change is assessed as well).
- The SIA form can be found on the NIPRNet—ask your DISA representative or DoD MO for the location.
- You must give a 30-day notice before implementing significant changes so DISA has time to review the change and align the SIA.
- DISA can revoke the DoD PA if proper notice is not given or if a change is implemented without authorization.
- Specific policy guidance for significant changes can be found within the SRG Section 5.3.2 Change Control.
When submitting your Significant Change SIA, here’s a simple breakdown of where to send yours:
| Submit to FedRAMP JAB if you are a: | Submit to DISA and DoD MO if you are a: |
|---|---|
No matter where you submit the form, DISA and/or the DoD MO will ultimately have a chance to review and approve all significant changes.
Next Steps for DoD Compliance
Like climbing K2, obtaining a DoD PA or ATO is possible despite the complications and requisite intensity. But with this “base camp” of information, you can move forward with DoD compliance using your new understanding of key details.
To learn more about federal compliance, check out our other articles that delve into the various complexities.