Cloud Computing Mission Owner SRG
Cloud Computing Mission Owner Security Requirements Guide. Version v1 r0.1, released Oct. 27, 2022.
SRG-NET-000370-CLD-000120: The IaaS/PaaS/SaaS must register the service/application with the DOD allowlist for both internet-facing, inbound and outbound traffic.
Request the cloud service Provisional Approval (PA) and registration documentation. Verify the IaaS/PaaS/SaaS service/application is registered with the DOD allowlist for both inbound and outbound traffic when traffic will cross the IAPs. If the system/service/application is not registered with the DOD allowlist for both inbound and outbound internet-facing traffic, this is a finding.
Discussion
Register the service/application with the DOD DMZ allowlist for both inbound and outbound traffic if traffic will cross the IAPs. Utilizing an allowlist provides a configuration management method for allowing the execution of only authorized software, ports, protocols, and guest VMs. Using only authorized software decreases risk by limiting the number of potential vulnerabilities and by preventing the execution of malware. Cloud approval documentation should include the approved ports and protocols, to include allowlisted mission application traffic and access to services from the Internet via the DISN Internet Access Point (IAP). If all or a portion of the Mission Owner's cloud-based Level 4/5 systems/applications connected through the BCAP are to be internet accessible, traffic is required to traverse the DISN IAPs. The system's/application's URLs/IP addresses must be registered with the DOD DMZ allowlist. Traffic that will typically traverse the IAP is management traffic for Level 2 off-premises systems/applications and user plane traffic to/from Level 4/5 systems/applications that are internet-facing. Such traffic and IP addresses may be blocked if not registered in the allowlist.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Coordinate with CSSP during cloud architecture development to ensure required security relevant data will be accessible via CSP/CSO, third-party security service subscription, and/or native API capability. Register the IaaS/PaaS/SaaS service/application with the DOD allowlist for both inbound and outbound traffic. Configure the DOD allowlist with the ports and protocols needed to support applications and services used in the cloud environment.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-NET-000390-CLD-000210: The Mission Owner of the virtual enclave or platform must continuously monitor and protect inbound communications from other enclaves for unusual or unauthorized activities or conditions.
If this is a premise or Level 2 implementation, this requirement is not applicable. Inspect the firewall ACLs on inbound interfaces from other enclaves. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the virtual enclave does not continuously monitor inbound communications from other virtual enclaves within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.
Discussion
Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
Fix
Configure the firewall and IDPS for continuous monitoring of all communications inbound to the virtual enclave or platform. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000480-CLD-000100: The Mission Owner must select and configure an Impact Level 4/5 CSO listed in the DISA PA DOD Cloud Catalog when hosting Controlled Unclassified Information (CUI).
If the implementation is categorized as Impact Level 2 or 6, this is not applicable. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the cloud service offering is listed in the DISA PA DOD Cloud Catalog. Verify the Cloud Catalog offering is listed as Impact Level 4/5. If sensitive but unclassified information is being hosted in the IaaS/PaaS and the cloud service offering is not listed in the DISA PA DOD Cloud Catalog, Impact Level 4/5, this is a finding.
Discussion
Impact Level 4 accommodates CUI. CUI is unclassified information that under law or policy requires protection from unauthorized disclosure as established by Executive Order 13556 (November 2010) or other mission critical data. Designating information as CUI is the responsibility of the data owner and their organization. Determination of the appropriate impact level for a specific mission with CUI and mission data will be the responsibility of the mission AO. Impact Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other Government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS-specific requirements in the FedRAMP+ controls/control enhancements (C/CEs). NSS must be implemented at Level 5.
Fix
This applies to Impact Level 4/5. FedRAMP Moderate, High. Select and configure a CSO listed in the DISA PA DOD Cloud Catalog for use with Impact Level 4/5 or higher. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-OS-000480-CLD-000030: The virtual enclave must implement a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection.
If this is an Impact Level 2, off-premise implementation, this requirement is not applicable. Review the architecture for the virtual enclave/platform. Verify that for dedicated infrastructure at mission Impact Levels 4-6 and on-premise Level 2, the virtual enclave implements a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection. For virtual enclave Levels 4-6 or on-premise Impact Level 2 implementations, if the virtual enclave does not implement a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection, this is a finding.
Discussion
DoD users on the Internet may first connect into their assigned DISN Virtual Private Network (VPN) network before accessing DoD private applications. A CSE may be composed of an array of cloud service offerings from a particular CSP. The DISN security architecture provides users with connectivity to the cloud service environment. The architecture mitigates potential damage to the DISN and provides the ability to detect and prevent an attack before it reaches the DISN. CSP infrastructure (dedicated to DoD) located inside the B/C/P/S "fence line" (i.e., on-premises) connects via an ICAP. The architecture of ICAPs may vary and may leverage existing capabilities such as the IA stack protecting a DoD data center today or perhaps a Joint Regional Security Stack (JRSS). On the other hand, an ICAP may have special capabilities to support specific missions, CSP types (commercial or DoD), or cloud services. CSP infrastructure (shared with non-DoD or dedicated to DoD) located outside the B/C/P/S fence line that connects to the DODIN/NIPRNet does so via one or more BCAPs. The BCAP terminates dedicated circuits and VPN connections originating within the CSP's network infrastructure and/or Mission Owner's virtual networks. All connections between a CSP's network infrastructure or Mission Owner's virtual networks that are accessed via or from the NIPRNet/SIPRNet must connect to the DODIN via a BCAP. For dedicated infrastructure with a DODIN connection (Levels 4-6), the Mission Owner will ensure a virtual security stack is configured IAW DoDI 8551.
Fix
For dedicated infrastructure with an ICAP/BCAP connection (Levels 4-6 and on-premise Impact Level 2), ensure that the virtual enclave implements a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-OS-000480-CLD-000110: The Mission Owners must select and configure a Cloud Service Offering listed in the DISA PA DoD Cloud Catalog at Level 6 when hosting Classified DoD information.
If the implementation is categorized as Impact Level 2-5, this is not a finding. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the Cloud Service Offering is listed in the DISA PA DoD Cloud Catalog. Verify the Cloud Service Offering is listed in the DISA PA DoD Cloud Catalog at Level 6 when hosting Classified DoD information. If Classified DoD information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in the DISA PA DoD Cloud Catalog at Impact Level 6 or higher, this is a finding.
Discussion
Impact Level 6 is reserved for the storage and processing of classified information. Impact Level 6 information up to the SECRET level must be stored and processed in a dedicated cloud infrastructure located in facilities approved for the processing of classified information, rated at or above the highest level of classification of the information being stored and/or processed.
Fix
Select and configure a cloud service offering listed in the DISA PA DoD Cloud Catalog for use with Impact Level 6 when hosting Classified DoD information. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-NET-000205-CLD-000080: The IaaS/PaaS must be configured to maintain separation of all management and data traffic.
Applies to all impact levels. Verify the IaaS/PaaS is configured to maintain logical separation of all management and data traffic. If the IaaS/PaaS does not maintain separation of all management and data traffic, this is a finding.
Discussion
The Virtual Datacenter Management system provides a management plane for privileged access and communications. Separation of management and user traffic, including access to the Customer Portal, is provided to the DOD Mission Owner by the CSP for the purpose of provisioning and configuring cloud service offerings. Additionally, service end-points for Application Program Interfaces (API) and Command Line Interfaces (CLI) are also available as part of the Customer Portal network. These systems can be accessed through the internet by DOD privileged users only (e.g., DOD system and network administrators).
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to maintain separation of all management and data traffic.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000368-CLD-000130: For IaaS and PaaS, the Mission Owner must register with SNAP.
Verify the CSP’s cloud service offering is registered in SNAP for the connection approval and it is the one being used in the cloud management portal. If the IP address that is registered in SNAP is not configured for use with the approved cloud environment, this is a finding.
Discussion
SNAP registration documentation should include designating a certified Cybersecurity Service Provider (CSSP) as the Tier 2 CND. If applicable, the IP address of the cloud service must be configured IAW the Mission Owner's IP registration in SNAP so they do not repurpose an already registered IP for new services without updating the SNAP registration.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Register the IaaS/PaaS CSP's cloud service offering in SNAP for the connection approval. Also register the IP address for use by the cloud service offering using the cloud management portal.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-NET-000391-CLD-000220: The Mission Owner of the IaaS must continuously monitor outbound communications to other systems and enclaves for unusual or unauthorized activities or conditions.
If this is a SaaS, this is not applicable. Inspect the firewall and/or IDPS ACLs and filtering rules that filter traffic on any outbound interface from the IaaS and its systems. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the IaaS/PaaS does not continuously monitor outbound communications to other enclaves and systems for unusual or unauthorized activities or conditions, this is a finding.
Discussion
Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. This function may be deployed within the cloud service environment, the MeetMe Point, cloud access point, or supporting Core Data Center (CDC).
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the firewall and/or IDPS for continuous monitoring of all communications outbound from the virtual IaaS or PaaS. Configure any ACLs and filtering rules on outbound interfaces to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000368-CLD-000140: The Mission Owner of the virtual enclave/platform must remove orphaned or unused VM instances.
If cloud services are managed by the CSP, verify separation requirements are addressed in the SLA. Verify the virtual enclave/virtual platform is configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements. If the virtual enclave/virtual platform has not been configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements, this is a finding.
Discussion
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some VMs may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the VM level. Some of the service and helper VMs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of such VMs is not always possible; therefore, establishing a method of preventing VM activation is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of VMs in certain environments, while preventing execution in other environments; or limiting execution of certain VM functionality based on organizationally defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
Fix
Configure the virtual enclave/virtual platform to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements. Cloud services are added, removed, and updated by the cloud service portal management entity via the management plane.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
SRG-OS-000342-CLD-000020: The Mission Owner must implement and configure a solution for centralized logging to capture and store the log records produced by the VM management and applications on the virtual enclave/platform.
Verify the Mission Owner has implemented a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform. If the Mission Owner has not implemented a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform, this is a finding.
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. For cloud service environments, the SIEM capability is implemented by both Boundary and Mission CND service providers to interpret system, user, and application events. Services such as SCCA also help with aggregation and normalizing capabilities.
Fix
Implement a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
SRG-NET-000390-CLD-000210: The Mission Owner of the IaaS or PaaS must continuously monitor and protect inbound communications from external systems, other IaaS within the same cloud service environment, or collocated mission applications for unusual or unauthorized activities or conditions.
If this is a SaaS, this is not applicable. Inspect the firewall and/or IDPS ACLs and filters on the firewall inbound interfaces. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices. If the IaaS/PaaS does not continuously monitor inbound communications from external systems, other IaaS, or collocated mission applications within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.
Discussion
Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. This function may be deployed within the cloud service environment cloud access point or supporting Core Data Center (CDC).
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the firewall and/or IDPS for continuous monitoring of all communications inbound to the virtual IaaS or PaaS. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices.
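The three monitoring requirements on this page (SRG-NET-000390-CLD-000210 for the virtual enclave, SRG-NET-000391-CLD-000220 for outbound traffic, and this IaaS/PaaS inbound requirement) all name the same conditions: large file transfers, persistent connections, unusual protocols and ports, communication with unauthorized entities, and unusually high traffic from particular segments or devices. The following is an added example, not code from the SRG or DISA, that applies those heuristics to constructed flow records; the thresholds, port allowlist, authorized address ranges, log format and sample lines are all assumptions for illustration.

```python
"""Detection checks for the monitoring conditions the SRG names.

Added example, not text or code from the SRG or DISA: it runs the listed
heuristics (large transfers, persistent connections, unusual ports/protocols,
unauthorized destinations, unusually high traffic per source) over constructed
flow records. Thresholds, allowlists, addresses and log lines are all made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int
    duration_s: int


# Constructed policy; a deployment would derive it from the approved ACLs/PPSM list.
POLICY = {
    "large_transfer_bytes": 500 * 1024 * 1024,   # single flow over 500 MiB
    "persistent_seconds": 6 * 3600,               # flow open longer than 6 h
    "segment_bytes": 2 * 1024 ** 3,               # 2 GiB aggregate per source
    "allowed_ports": {("tcp", 443), ("tcp", 22), ("udp", 53)},
    # Destinations the enclave is authorized to talk to (RFC 5737 / RFC 1918 ranges).
    "authorized_dst": [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")],
}


def parse_lines(text: str) -> list:
    """Parse constructed flow-log lines: ts src dst proto dport bytes duration."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != 7:
            continue  # skip comments, blanks and malformed records
        ts, src, dst, proto, dport, nbytes, dur = parts
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport), int(nbytes), int(dur)))
    return flows


def authorized(dst: str) -> bool:
    """True when the destination falls inside an authorized range."""
    addr = ip_address(dst)
    return any(addr in net for net in POLICY["authorized_dst"])


def check_flow(f: Flow) -> list:
    """Conditions one flow trips, in the order the SRG text lists them."""
    hits = []
    if f.nbytes > POLICY["large_transfer_bytes"]:
        hits.append("large_transfer")
    if f.duration_s > POLICY["persistent_seconds"]:
        hits.append("persistent_connection")
    if (f.proto, f.dport) not in POLICY["allowed_ports"]:
        hits.append("unusual_port_or_protocol")
    if not authorized(f.dst):
        hits.append("unauthorized_entity")
    return hits


def analyze(flows: list) -> dict:
    """Per-flow findings keyed by record index, plus sources over the aggregate cap."""
    per_flow = {}
    bytes_by_src = defaultdict(int)
    for i, f in enumerate(flows):
        bytes_by_src[f.src] += f.nbytes
        hits = check_flow(f)
        if hits:
            per_flow[i] = hits
    high = sorted(s for s, b in bytes_by_src.items() if b > POLICY["segment_bytes"])
    return {"flows": per_flow, "high_traffic_sources": high}


# Constructed sample: outbound flows from an enclave subnet 10.20.1.0/24.
SAMPLE_LOG = """\
# ts src dst proto dport bytes duration_s
2022-10-27T10:00:00Z 10.20.1.10 203.0.113.50 tcp 443 120000 30
2022-10-27T10:01:00Z 10.20.1.11 198.51.100.7 tcp 443 900000000 120
2022-10-27T10:02:00Z 10.20.1.12 203.0.113.9 tcp 4444 4096 30000
2022-10-27T10:03:00Z 10.20.1.11 203.0.113.51 udp 53 2000 1
2022-10-27T10:04:00Z 10.20.1.11 10.5.5.5 tcp 22 1500000000 200
"""

if __name__ == "__main__":
    report = analyze(parse_lines(SAMPLE_LOG))
    for idx, conds in report["flows"].items():
        print(f"flow {idx}: {', '.join(conds)}")
    print("high-traffic sources:", report["high_traffic_sources"])
```

Per-flow checks alone miss the source that stays under the single-flow cap but exceeds the aggregate cap across several flows, which is why the per-source total is computed separately.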
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-NET-000580-CLD-000070: The Mission Owner of the IaaS/PaaS must implement an encrypted, FIPS 140-2/3 compliant path between the implemented systems/applications and the DOD OCSP responders.
Applies to all impact levels. Verify that a FIPS 140-2/3 compliant communication protocol is configured for communication between the implemented systems/applications and the DOD OCSP responders. If the cloud IaaS/PaaS does not implement a secure (encrypted) connection or path between the implemented systems/applications and the DOD OCSP responders, this is a finding.
Discussion
The Mission Owner must use identity services, to include an Online Certificate Status Protocol (OCSP) responder, for remote system DOD Common Access Card (CAC) two-factor authentication of DOD privileged (all Impact levels) and/or nonprivileged users (Impact levels 4–6) to systems instantiated within the cloud service environment.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to implement an encrypted path that is FIPS 140-3 compliant between the implemented systems/applications and the DOD OCSP responders.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000580-CLD-000070: The Mission Owner of the IaaS/PaaS must utilize valid DOD OCSP responders.
Applies to all impact levels. Verify that a valid DOD OCSP responder is configured for the implemented systems/applications. If the cloud IaaS/PaaS does not utilize an approved DOD OCSP responder, this is a finding.
Discussion
To provide assurance that certificates are validated by the correct responders, the Mission Owner must ensure they are using a valid DOD Online Certificate Status Protocol (OCSP) responder for remote system DOD Common Access Card (CAC) two-factor authentication of DOD privileged users to systems instantiated within the cloud service environment.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to utilize approved DOD OCSP responders.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000368-CLD-000130: The Mission Owner must configure the IP address range for the cloud service environment which is registered in SNAP.
Verify the CSP’s cloud service offering is registered in SNAP for the connection approval and it is the one being used in the cloud management portal. If the cloud service is not registered in SNAP, this is a finding. If the IP address that is registered in SNAP is not configured for use with the approved cloud environment, this is a finding.
Discussion
SNAP registration documentation should include designating a certified CNDSP as the Tier 2 CND. DoD policy and the Domain Name Service (DNS) STIG require all DoD ISs to use the DoD authoritative DNS servers, not public or commercial DNS servers. Additionally, they require all DoD ISs to be addressed in the .mil domain. Mission Owners are not authorized to utilize DNS services offered by the CSP or any other non-DoD DNS provider. The IP address of the cloud service must be configured IAW the Mission Owner's IP registration in SNAP so they do not repurpose an already registered IP for new services without updating the SNAP registration.
Fix
Register the virtual enclave/platform/software CSP’s cloud service offering in SNAP for the connection approval. Configure the IP address that is registered in SNAP for use by the cloud service offering using the cloud management portal.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000404-CLD-002720: The Mission Owner must configure the cloud instance to use encryption to protect all DoD files housed in the cloud instance for storage service offerings.
If this is Impact Level 2, this is not applicable. Verify the virtual platform is configured to use encryption to protect all DoD files housed in the virtual storage service. If the virtual platform is not configured to use encryption to protect all DoD files housed in the virtual storage service, this is a finding.
Discussion
Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). A CSP may offer one or more services or methods to accomplish this. Data-at-rest encryption may help mitigate issues with data/information spillage.
Fix
Configure the cloud instance to use encryption to protect all DoD files housed in the virtual storage service.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-OS-000342-CLD-000020: The IaaS/PaaS must perform centralized logging to capture and store log records.
If this is a SaaS implementation, this is not a finding. Verify the IaaS/PaaS is configured to use a centralized logging and SIEM server to capture and store the log records produced by the VM management on the IaaS/PaaS. If the IaaS/PaaS does not perform centralized logging and SIEM services to capture and store the log records produced by the VM management, this is a finding.
Discussion
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited, on an organizationally defined frequency, helps to assure that, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. For cloud service environments, the SIEM or syslog capability must be implemented by both Boundary and Mission CND service providers to log audit information. Services such as SCCA also help with aggregation and normalizing capabilities. This requirement can be met by the operating system continuously sending records to a centralized logging server.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High (FedRAMP does not match the DOD requirement explicitly; it allows up to seven days for offloading). Implement a solution for centralized logging and SIEM services to capture and store the log records produced on the IaaS/PaaS.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-NET-000383-CLD-000200: For IaaS/PaaS, the Mission Owner must configure an Intrusion Detection and Prevention System (IDPS) to protect DOD VMs, services, and applications.
If this is a SaaS, this is not applicable. Review SLA and architecture documentation. Verify the virtual IDPS is in place by inspecting the architecture diagrams. Verify that it is placed to monitor and protect the IaaS, PaaS, and interconnected host VMs. Verify a secure (encrypted) connection exists between the virtual IDPS capabilities and the CSSP responsible for the mission system/application. If the Mission Owner has not configured the IaaS or PaaS IDPS to monitor and protect the IaaS and interconnected VMs, this is a finding.
Discussion
Network environments and applications installed using an I/PaaS cloud service offering where the Mission Owner has control over the environment must comply with DOD network infrastructure and host policies. Putting an application in the cloud does not take care of all security responsibilities. Without coordinated reporting between cloud service environments used for DOD missions, it is not possible to identify the true scale and possible target of an attack. An IDPS protects Mission Owner enclaves and applications hosted in an off-premise cloud service offering and may be deployed within the cloud service environment, cloud access point, or supporting Core Data Center (CDC). Additionally, an IDPS facilitates the reporting of incidents and aids in the coordination of response actions between all stakeholders of the cloud service offering and/or Mission Owner applications. The Mission Owner and/or their Cybersecurity Service Provider (CSSP) must be able to monitor the virtual network boundary. For dedicated infrastructure with a DODIN connection (Levels 4–6), implement an IDPS that monitors and works with the virtual security infrastructure (e.g., firewall, routing tables, WAF, etc.) to protect traffic flow inbound and outbound to/from the virtual network to the DODIN connection.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Configure a virtual IDPS to monitor and protect the DOD VMs, services, and applications.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-OS-000001-CLD-000010: The Mission Owner must configure the customer portal credentials and the Mission Owner application/system privileged accounts for least privilege.
If the DoD account owners are required to use the CSP’s IdAM system to administer user accounts and service configurations, this is not a finding. Review the site's approval documentation to ensure an individual or entity has been appointed to manage the cloud management service portal. This may be a group or contracted service. Verify the cloud service offering has been configured to allow only these individuals for portal service and virtual instance configuration. If the cloud Mission Owner Authorizing Official has not configured the cloud service offering for access using PKI, this is a finding.
Discussion
Specific individuals or entities must be appointed by the DoD Mission Owner's Authorizing Official (AO) to establish plans and policies for the control of privileged user access (to include root account credentials) used to establish, configure, and control a Mission Owner's Virtual Private Cloud (VPC) configuration once connected to the DISN. These individuals or entities establish and manage Least-Privilege Attribute-Based Access Control (ABAC) accounts and credentials used by privileged DoD users and systems to administer and control DoD cloud service offering configurations. This role is intended to operate at all DoD information Impact Levels. However, it may not apply to some SaaS solutions where DoD account owners are not required to use the CSP's Identity and Access Management (IdAM) system to administer user accounts and service configurations.
Fix
Have the Mission Owner's AO appoint an individual or entity to manage portal services. Application and enclave administrators should also be appointed. Configure access for these individuals using PKI to access and configure services and virtual instances.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-OS-000191-CLD-000190: The virtual platform must be configured to use automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
Verify the virtual platform employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If the cloud IaaS/PaaS does not employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by CNDSP, this is a finding.
Discussion
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. To support this requirement, HBSS must be installed in the cloud service environment. Use the applicable OS or network device STIGs to ensure HBSS is also installed on each VM.
Fix
Configure the virtual platform to use automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by CNDSP.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000480-CLD-000090: The Mission Owner must select and configure a cloud service offering listed in either the FedRAMP or DISA PA DoD Cloud Catalog to host Unclassified, public-releasable, DoD information.
If the implementation is categorized as Impact Level 4-6, this is not applicable. Review the approval documentation. Verify that the cloud service offering is listed in either the FedRAMP or DISA PA DoD Cloud Catalog when hosting Unclassified, public-releasable, DoD information. If Unclassified, public-releasable DoD information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in either the FedRAMP or DISA PA DoD Cloud Catalog, this is a finding.
Discussion
Federal Risk Authorization and Management Program (FedRAMP) is the minimum security baseline for all DoD cloud services. Components and Mission Owners may host Unclassified DoD information that is publicly releasable on FedRAMP approved cloud services. They may also select and configure an offering from the DISA PA DoD Cloud Catalog at any impact level for use.
Fix
Select and configure a cloud service offering listed in FedRAMP or DISA PA DoD Cloud Catalog when hosting Unclassified, public-releasable, DoD information. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-NET-000205-CLD-000030: The IaaS/PaaS must implement a security stack that restricts traffic flow inbound and outbound between the IaaS and the BCAP or ICAP connection.
If this is an Impact Level 2 IaaS/PaaS implementation, this requirement is not applicable. Review the architecture for the IaaS. Verify that for dedicated infrastructure mission Impact Levels 4–5 the IaaS implements a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection. For IaaS Levels 4–5 if the IaaS does not implement a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection, this is a finding.
Discussion
DOD users on the internet may first connect into their assigned DISN Virtual Private Network (VPN) network before accessing DOD private applications. The virtual environment may be composed of an array of cloud service offerings from a particular CSP. The DISN security architecture provides users with connectivity to the cloud service environment. The architecture mitigates potential damage to the DISN and provides the ability to detect and prevent an attack before it reaches the DISN. Note: Off-premise CSP infrastructure having a Level 2 PA is directly connected to the internet; all traffic to and from a Level 2 CSO serving Level 2 missions and their mission virtual networks will connect via the internet. CSP infrastructure (dedicated to DOD) located inside the B/C/P/S “fence line” (i.e., on-premises) connects via an ICAP. The architecture of ICAPs may vary and may leverage existing capabilities such as the IA stack protecting a DOD data center today or perhaps a Joint Regional Security Stack (JRSS). On the other hand, an ICAP may have special capabilities to support specific missions, CSP types (commercial or DOD), or cloud services. CSP infrastructure (shared with non-DOD or dedicated to DOD) located outside the B/C/P/S fence line that connects to the DODIN/NIPRNet does so via one or more BCAPs. The BCAP terminates dedicated circuits and VPN connections originating within the CSP’s network infrastructure and/or Mission Owner’s virtual networks. All connections between a CSP’s network infrastructure or Mission Owner’s virtual networks that are accessed via or from the NIPRNet/SIPRNet must connect to the DODIN via a BCAP. For dedicated infrastructure with a DODIN connection (Levels 4–6), the Mission Owner will ensure a virtual security stack is configured IAW DODI 8551.
Fix
FedRAMP Moderate, High. For dedicated infrastructure with an ICAP/BCAP connection (Levels 4–5 and on Premise Impact Level 2), ensure that the IaaS/PaaS implements a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-OS-000480-CLD-000040: The Mission Owner virtual Internet facing applications must be configured to traverse the Cloud Access Point (CAP) and VDSS prior to communicating with the Internet.
If this is Impact Level 2, this is not a finding. Review the configuration of the virtual enclave router. Verify that virtual Internet-facing applications are configured to traverse the CAP and VDSS prior to communicating with the Internet. If virtual Internet-facing applications permit direct access to the CSP or the Internet, this is a finding.
Discussion
This architecture mitigates potential damages to the DISN and will provide the ability to detect and prevent an attack before reaching the DISN. All traffic bound for the Internet will traverse the BCAP/ICAP and IAP. Mission applications may be Internet facing; Internet facing applications can be non-restricted or restricted (requiring CAC authentication). DoD users on the Internet may first connect into their assigned DISN Virtual Private Network (VPN) network before accessing Mission Owner enclave or private applications.
Fix
Configure virtual Internet-facing applications to traverse the CAP and VDSS prior to communicating with the Internet.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-NET-000383-CLD-000200: The Mission Owner must configure an IDPS to protect Mission Owner enclaves and applications hosted in an off-premise cloud service offering.
If this is an on-premise or Level 2 implementation, this requirement is not applicable. Review SLA and architecture documentation. Verify the virtual IDPS is in place by inspecting the architecture diagrams. Verify that it is placed to monitor and protect the virtual enclave, platform, and interconnected host VMs. Inspect the virtual IDPS configuration. Verify a secure (encrypted) connection exists between the virtual IDPS capabilities and the CNDSP responsible for the mission system/application. If the Mission Owner has not configured the virtual enclave or platform IDPS to monitor and protect the virtual enclave(s) and interconnected VMs, this is a finding.
Discussion
Without coordinated reporting between cloud service environments used for DoD missions, it is not possible to identify the true scale and possible target of an attack. The IDPS protects Mission Owner enclaves and applications hosted in an off-premise cloud service offering and may be deployed within the cloud service environment, the MeetMe Point, cloud access point, or supporting Core Data Center (CDC). When the infrastructure has direct Internet access, implement virtual IDPS capabilities configured in compliance with the applicable DoD STIG or SRG. The Mission Owner and/or their CNDSP must be able to monitor the virtual network boundary and report/integrate with Tier 1. For dedicated infrastructure with a DODIN connection (Levels 4-6): implement an IPS that monitors and works with the virtual security infrastructure (e.g., firewall, routing tables, WAF, etc.) to protect traffic flow inbound and outbound to/from the virtual network to the DODIN connection.
Fix
Configure a virtual IDPS to monitor and protect Mission Owner enclaves and applications hosted in an off-premise cloud.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-OS-000164-CLD-000170: The Mission Owner of the virtual enclave/virtual platform must implement an encrypted path that is FIPS 140-2 compliant between the virtual OSs HBSS agents and their control server.
Review the configuration of the virtual enclave/platform. Verify that the IP address of an HBSS agent control server on NIPRNet is configured. Verify that a FIPS 140-2 compliant communication protocol is configured for communication with the server. Verify the HBSS data is also being communicated to the CNDSP. If the cloud IaaS/PaaS does not implement a secure (encrypted) connection or path between the HBSS agents and their control server, this is a finding.
Discussion
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.
- Implement Host Based Security System (HBSS) IAW DoD policy.
- Implement HBSS agents on all VMs with a supported general purpose OS (required by OS level STIG) for each Host VM OS.
- Use an HBSS agent control server within NIPRNet.
- Implement a secure (encrypted) connection or path between the HBSS agents and their control server.
- Provide visibility by the Mission Owner’s CNDSP entities.
Fix
Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the virtual OS's HBSS agents and their control server. Configure visibility by the Mission Owner’s CNDSP.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000368-CLD-000140: The Mission Owner of the IaaS/PaaS must remove orphaned or unused VM instances.
If cloud VMs are managed by the CSP, verify separation requirements are addressed in the SLA. Verify the IaaS/PaaS is configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements. If the IaaS/PaaS has not been configured to disable or remove cloud services and helper VMs that are no longer required based on mission requirements, this is a finding.
Discussion
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some VMs may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the VM level. Some of the service and helper VMs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of such VMs is not always possible; therefore, establishing a method of preventing VM activation is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of VMs in certain environments, while preventing execution in other environments; or limiting execution of certain VM functionality based on organizationally defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. For IaaS/PaaS, disable or remove cloud services and helper VMs that are no longer required based on mission requirements. Cloud services and VMs are added, removed, and updated by the cloud service portal management entity via the management plane.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-NET-000205-CLD-000060: The Mission Owner of the PaaS/IaaS must configure scanning using an Assured Compliance Assessment Solution (ACAS) server or solution that meets DOD scanning and reporting requirements.
If this is a SaaS, this is not applicable. This applies to all Impact Levels. Review the configuration of the IaaS/PaaS. Verify that the IP address of an ACAS server is configured. Verify the flaw remediation data is also being communicated to the Cybersecurity Service Provider (CSSP). If the PaaS/IaaS does not implement scanning using an ACAS server or CSP provided solution that meets DOD scanning and reporting requirements, this is a finding.
Discussion
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. Implement scanning using an ACAS server IAW USCYBERCOM TASKORD 13-670.
- Use an ACAS Security Center server within NIPRNet or within an associated common virtual services environment in the same CSO.
- Implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center.
Impact Level 2: Applies to IaaS/PaaS CSOs where the Mission Owner has control over the environment. In this case, Mission Owners must provide their own enclave boundary protections or leverage an enterprise level application protection service (i.e., the Virtual Datacenter Security Stack [VDSS]/Virtual Datacenter Management Suite [VDMS] portion of the SCCA) instantiated within the same CSO.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IP address of an ACAS server or another solution that meets DOD scanning and reporting requirements.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000480-CLD-000090: The Mission Owner must select and configure an Impact Level 2 FedRAMP authorized CSO when hosting Unclassified, public-releasable, DOD information.
If the Cloud Service implementation is categorized as Impact Level 4/5/6, this is not applicable. Review the approval documentation. Verify that the cloud service offering is listed in either the FedRAMP or DISA PA DOD Cloud Catalog when hosting Unclassified, public-releasable, DOD information. If Unclassified, publicly-releasable DOD information is being hosted in the IaaS/PaaS and the cloud service offering is not listed in the FedRAMP Marketplace as FedRAMP moderate (at a minimum), or the DISA PA DOD Cloud Catalog, this is a finding.
Discussion
FedRAMP Moderate is the minimum security baseline for all DOD cloud services. Components and Mission Owners may host Unclassified, publicly releasable DOD information on FedRAMP Moderate approved cloud services. This type of CSO is known as Impact Level 2. They may also configure an offering from the DISA PA DOD Cloud Catalog at any impact level for use. Low Confidentiality Impact: Mission Owners will only publish, collect, store, or process low confidentiality impact (sensitivity) PII in a CSO minimally possessing a FedRAMP Moderate P-ATO listed on the FedRAMP Marketplace and a DOD Level 2 PA, with Privacy Officer approval.
Fix
This requirement applies to Impact Level 2. FedRAMP Moderate, High. Select and configure an Impact Level 2 cloud service offering listed in the FedRAMP Marketplace, as FedRAMP moderate, or DISA PA DOD Cloud Catalog when hosting Unclassified, public-releasable, DOD information.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000404-CLD-002720: For storage service offerings, the Mission Owner must configure or ensure the cloud instance uses encryption to protect all DOD files housed in the cloud instance. Add a requirement for KMS specifically.
Unless encryption and KMS are required by the information owner, this is not applicable for Impact Level 2 public cloud with non-privileged user access to publicly releasable information. Verify the cloud storage service is configured to use encryption and KMS to protect all DOD files housed in the virtual storage service. If the cloud storage service is not configured to use encryption to protect all DOD files housed in the virtual storage service, this is a finding.
Discussion
Mission systems at all impact levels must have the capability for DOD data to be encrypted at rest with exclusive DOD control of encryption keys and key management. Some CSOs may facilitate this by providing a Hardware Security Module (HSM) or offering customer dedicated HSM devices as a service. CSOs that do not provide such a capability may require Mission Owners to use encryption hardware/software on the DISN or a cloud encryption service that provides DOD control of keys and key management. Some CSOs may offer a KMS service that can suffice for management of customer keys by the customer while preventing CSP access to the keys. An NSA validated CSP KMS is required. Data-at-rest (DAR) encryption with customer controlled keys and key management protects the DOD data stored in CSOs with the following benefits:
- Maintains the integrity of publicly released information and websites at Level 2 where confidentiality is not an issue.
- Maintains the confidentiality and integrity of CUI at levels 4 and 5 with the following benefits:
  - Limits the insider threat vector of unauthorized access by CSP personnel through increasing the work necessary to compromise/access unencrypted DOD data.
Mission Owners and their AOs should consider the benefits of DAR encryption as well as a cryptography-based process for data destruction and/or spill remediation at Impact Level 2 in addition to the benefit of maintaining integrity of the information.
Fix
This applies to Impact Levels 4/5/6. Applies to Impact Level 2 where Mission Owner has control of the environment. FedRAMP Moderate, High. Configure the cloud instance to use encryption to protect all DOD files housed in the virtual storage service.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-NET-000205-CLD-000040: The Mission Owner's internet-facing applications must be configured to traverse the CAP and VDSS prior to communicating with the internet.
If this is a SaaS, this is not a finding. If Impact Level 2, but CSP has control over the environment, this is not a finding. Verify that virtual internet-facing applications are configured to traverse the CAP and VDSS prior to communicating with the internet. If virtual internet-facing applications permit direct access to the CSP or the internet, this is a finding.
Discussion
The Cloud Access Point (CAP) and Virtual Datacenter Security Stack (VDSS) architectures mitigate potential damages to the DISN and provide the ability to detect and prevent an attack before reaching the DISN. All traffic bound for the internet will traverse the BCAP/ICAP and IAP. Mission applications may be internet-facing; internet-facing applications can be non-restricted or restricted (requiring CAC authentication). DOD users on the internet may first connect into their assigned DISN Virtual Private Network (VPN) network before accessing Mission Owner enclave or private applications.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Configure virtual internet-facing applications to traverse the CAP and VDSS prior to communicating with the internet.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-OS-000368-CLD-000120: The Mission Owner must configure/use only the ports and protocols that have been registered with the DoD whitelist.
Request the cloud service approval documentation. Verify the virtual enclave/platform/software is registered in the service/application with the DoD whitelist for both inbound and outbound traffic. If the Mission Owner has configured/used ports and protocols that have not been registered with the DoD whitelist, this is a finding.
Discussion
Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software and guest VMs. Using only authorized software decreases risk by limiting the number of potential vulnerabilities and by preventing the execution of malware. Cloud Approval documentation should include allowed approved ports and protocols communications to include whitelisted mission application traffic and services access from Internet via the DISN Internet Access Point (IAP).
Fix
Register the virtual enclave/platform/software service/application with the DoD whitelist for both inbound and outbound traffic. Configure the DoD whitelist with the ports and protocols needed to support applications and services used in the cloud environment.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000480-CLD-000080: The virtual enclave/platform must be configured to maintain separation of all management, user, and data traffic.
If the CSP's infrastructure is used, this is not applicable. Verify the virtual enclave/platform is configured to maintain logical separation of all management, user, and data traffic using encryption. If the virtual enclave/platform does not maintain separation of all management, user, and data traffic, this is a finding.
Discussion
The Virtual Datacenter Management system provides a management plane for privileged access and communications. Separation of management and user traffic, including access to the Customer Portal, is provided to the DoD Mission Owner by the CSP for the purpose of provisioning and configuring cloud service offerings. Additionally, service end-points for Application Program Interfaces (API) and Command Line Interfaces (CLI) are also available as part of the Customer Portal network. These systems can be accessed through the internet by DoD privileged users only (e.g., DoD system and network administrators). The BCAP/ICAP maintains logical network separation of Internet-sourced traffic for internet facing applications from NIPRNet-sourced traffic. However, the Mission Owner must not configure the virtual instances to circumvent this logical separation.
Fix
Configure the virtual enclave/platform/OS to maintain separation of all management, user, and data traffic.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000023-CLD-001220: The Mission Owner must configure the CSO-provided customer logon banner to display the Standard Mandatory DOD Notice and Consent Banner before granting access to users that must logon.
Determine if the cloud service offering login function is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060. Verify the use of the following verbiage for applications that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If such a banner is not presented for all virtual machines and applications, this is a finding.
Discussion
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the CSO-provided customer logon banner capability and any Mission Owner-provided logon capability to virtual machines in accordance with DTM-08-060 for all privileged and non-privileged customer users that must logon. Use the following verbiage for applications that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-NET-000391-CLD-000220: The Mission Owner of the virtual enclave must continuously monitor outbound communications from other enclaves for unusual or unauthorized activities or conditions.
If this is an on-premise or Level 2 implementation, this requirement is not applicable. Inspect the firewall ACLs on the outbound interfaces facing other enclaves. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules include rules that detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the virtual enclave does not continuously monitor outbound communications from other virtual enclaves within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.
Discussion
Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
Fix
Configure the firewall and IDPS for continuous monitoring of all communications outbound to the virtual enclave or platform. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
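As an added example (not part of the SRG, and not a DISA tool), the following Python script applies the conditions this requirement names to a constructed export of outbound flow records; the thresholds, the allowed-service set, the authorized destination ranges and the sample flows are all assumed values that a real deployment would derive from its own baseline and whitelist.

```python
"""Flag outbound flows for the conditions SRG-NET-000391-CLD-000220 names.

Thresholds, allowed services, authorized destinations and the sample flow
records below are constructed for illustration, not values from the SRG.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample flow export: one outbound flow per line.
SAMPLE_FLOWS = """\
src,dst,proto,dport,bytes_out,duration_s
10.10.1.15,10.20.5.8,tcp,443,120000,12
10.10.1.15,10.20.5.8,tcp,443,900000000,3600
10.10.1.22,192.0.2.44,tcp,22,4000,30000
10.10.1.22,10.20.7.1,tcp,6667,2000,15
10.10.2.9,203.0.113.77,tcp,443,50000,20
10.10.2.9,10.20.5.8,udp,53,512,1
10.10.2.9,10.20.5.8,tcp,443,1500000000,200
10.10.2.9,10.20.5.8,tcp,443,1500000000,300
"""

# Assumed tuning values; a real deployment derives them from a traffic baseline.
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024          # one flow moving >= 500 MiB
PERSISTENT_SECONDS = 6 * 3600                      # connection open >= 6 hours
ALLOWED_SERVICES = {("tcp", 443), ("tcp", 22), ("udp", 53)}  # registered ports/protocols
AUTHORIZED_DESTS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
SEGMENT_LIMIT_BYTES = 2 * 1024 ** 3                # aggregate limit per source segment
SEGMENT_PREFIX = 24                                # group sources by /24


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int
    duration_s: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV export into Flow records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Flow(r["src"], r["dst"], r["proto"].lower(), int(r["dport"]),
                 int(r["bytes_out"]), int(r["duration_s"])) for r in rows]


def dest_authorized(dst: str) -> bool:
    """True when the destination falls inside an authorized range."""
    addr = ip_address(dst)
    return any(addr in net for net in AUTHORIZED_DESTS)


def classify_flow(flow: Flow) -> list[str]:
    """Return the SRG conditions a single flow matches (empty list = clean)."""
    reasons = []
    if flow.bytes_out >= LARGE_TRANSFER_BYTES:
        reasons.append("large_transfer")
    if flow.duration_s >= PERSISTENT_SECONDS:
        reasons.append("persistent_connection")
    if (flow.proto, flow.dport) not in ALLOWED_SERVICES:
        reasons.append("unusual_protocol_or_port")
    if not dest_authorized(flow.dst):
        reasons.append("unauthorized_destination")
    return reasons


def segment_of(src: str) -> str:
    """Map a source address to its /SEGMENT_PREFIX network."""
    return str(ip_network(f"{src}/{SEGMENT_PREFIX}", strict=False))


def segment_volume_alerts(flows: list[Flow]) -> dict[str, int]:
    """Sum bytes per source segment; return segments over the limit."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        totals[segment_of(f.src)] += f.bytes_out
    return {seg: tot for seg, tot in totals.items() if tot >= SEGMENT_LIMIT_BYTES}


def analyze(text: str) -> dict:
    """Per-flow findings keyed by flow index, plus high-volume segments."""
    flows = parse_flows(text)
    per_flow = {}
    for i, f in enumerate(flows):
        reasons = classify_flow(f)
        if reasons:
            per_flow[i] = reasons
    return {"flows": per_flow, "segments": segment_volume_alerts(flows)}


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for idx, reasons in report["flows"].items():
        print(f"flow {idx}: {', '.join(reasons)}")
    for seg, total in report["segments"].items():
        print(f"segment {seg}: {total} bytes outbound (over limit)")
```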
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000164-CLD-000180: The Mission Owner of the virtual enclave must implement a secure (encrypted) connection or path between the Assured Compliance Assessment Solution (ACAS) server and its assigned ACAS Security Center.
Verify that a FIPS 140-2 compliant communication protocol is configured for communication between the ACAS server and its assigned ACAS Security Center. If the cloud IaaS does not implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center, this is a finding.
Discussion
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.
- Implement scanning using an Assured Compliance Assessment Solution (ACAS) server IAW USCYBERCOM TASKORD 13-670.
- Implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center.
- Provide visibility by the Mission Owner’s CNDSP entities.
Fix
Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the ACAS server and its assigned ACAS Security Center.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000480-CLD-000070: The Mission Owner of the virtual enclave must implement an encrypted, FIPS 140-2 compliant path between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable.
Verify that a FIPS 140-2 compliant communication protocol is configured for communication between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable. If the cloud IaaS does not implement a secure (encrypted) connection or path between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable, this is a finding.
Discussion
The Mission Owner must use identity services, to include an Online Certificate Status Protocol (OCSP) responder, for remote-system DoD Common Access Card (CAC) two-factor authentication of DoD privileged users to systems instantiated within the cloud service environment.
Fix
Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable.
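This requirement and SRG-OS-000164-CLD-000180 above (the ACAS server to Security Center path) turn on the same check: the channel must actually negotiate FIPS 140-2 approved algorithms, not merely be encrypted. The following is an added example, not SRG text or ACAS/Tenable code: it probes a TLS endpoint with Python's ssl module and judges the negotiated protocol and cipher against a policy. The policy is this example's own stricter reading of FIPS 140-2 for TLS (TLS 1.2/1.3, AES, SHA-2 integrity), not a NIST or DISA published list; the hostname in the usage line is a placeholder.

```python
"""Check that a TLS channel negotiates only algorithms acceptable under a FIPS 140-2 policy.

Added example, not SRG text or ACAS/Tenable code. The policy below is this
example's own stricter reading of FIPS 140-2 for TLS (TLS 1.2/1.3, AES, SHA-2
integrity); it is not a NIST or DISA published list.
"""
import socket
import ssl

APPROVED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Primitives that are not FIPS-approved or are withdrawn. "DES" also matches 3DES suite names.
FORBIDDEN_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "CHACHA20",
                    "SEED", "CAMELLIA", "IDEA", "ARIA")


def cipher_is_approved(version, cipher_name):
    """Return (ok, reason) for a negotiated protocol version and OpenSSL cipher name."""
    name = cipher_name.upper()
    if version not in APPROVED_VERSIONS:
        return False, f"protocol {version} is not approved"
    if name.startswith(("ADH-", "AECDH-")) or "ANON" in name:
        return False, f"cipher {cipher_name} is unauthenticated"
    for tok in FORBIDDEN_TOKENS:
        if tok in name:
            return False, f"cipher {cipher_name} uses {tok}"
    if "AES" not in name:
        return False, f"cipher {cipher_name} does not use AES"
    # AEAD suites (GCM/CCM) carry their own integrity; CBC suites must pair
    # with SHA-256/384. Plain "-SHA" suites use HMAC-SHA-1 and are rejected here.
    if not any(tag in name for tag in ("GCM", "CCM", "SHA256", "SHA384")):
        return False, f"cipher {cipher_name} lacks SHA-2 integrity"
    return True, "ok"


def probe_endpoint(host, port, timeout=5.0):
    """Connect (live; not exercised by the tests) and return (version, cipher name)."""
    ctx = ssl.create_default_context()  # validates the server chain against system trust
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return tls.version(), name


def check_endpoint(host, port):
    """Probe the endpoint and evaluate it; returns (ok, reason, version, cipher)."""
    version, name = probe_endpoint(host, port)
    ok, reason = cipher_is_approved(version, name)
    return ok, reason, version, name


if __name__ == "__main__":
    # Placeholder hostname; 8834 is the default listener of a Nessus/ACAS scanner.
    print(check_endpoint("acas-scanner.example.mil", 8834))
```

The probe reports what this client negotiated, not everything the server would accept, so run it from the host and OpenSSL build that carries the production traffic. OCSP requests are normally carried over plain HTTP, so for the OCSP requirement the same check applies to the VPN or proxy tunnel that carries them rather than to the OCSP exchange itself.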
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000095-CLD-003240: The Mission Owner of the IaaS or PaaS must remove all upgraded or replaced software and firmware components that are no longer required for operation.
If this is a SaaS, this is not a finding. If the Mission Owner of the IaaS or PaaS has not removed all upgraded or replaced software and firmware components that are no longer required for operation, this is a finding.
Discussion
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Remove all upgraded or replaced software and firmware components that are no longer required for operation from the IaaS/PaaS.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000480-CLD-000060: The Mission Owner of the virtual enclave must configure scanning using an Assured Compliance Assessment Solution (ACAS) server.
Review the configuration of the virtual enclave. Verify that the IP address of an ACAS server is configured. Verify the ACAS data is also being communicated to the CNDSP. If the virtual enclave does not implement scanning using an ACAS server, this is a finding.
Discussion
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. Implement scanning using an ACAS server IAW USCYBERCOM TASKORD 13-670.
Fix
Configure scanning using an ACAS server by configuring the IP address of the selected server.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000480-CLD-000100: The Mission Owners must select and configure a Cloud Service Offering listed in the DISA PA DoD Cloud Catalog for use with Impact Levels 4 or higher when hosting Controlled Unclassified information (CUI).
If the implementation is categorized as Impact Level 2 or 6, this is not applicable. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the cloud service offering is listed in the DISA PA DoD Cloud Catalog. Verify the offering is listed as Impact Level 4 or higher. If sensitive but unclassified information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in the DISA PA DoD Cloud Catalog, Impact Level 4 or higher, this is a finding.
Discussion
Level 4 accommodates CUI, which is the categorical designation that refers to unclassified information that under law or policy requires protection from unauthorized disclosure as established by Executive Order 13556 (November 2010) or other mission critical data. Designating information as CUI or mission critical data to be protected at Level 4 is the responsibility of the owning organization. Determination of the appropriate impact level for a specific mission with CUI and mission data will be the responsibility of the mission AO. Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other Government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS-specific requirements in the FedRAMP+ controls/control enhancements (C/CEs). As such, NSS must be implemented at Level 5.
Fix
Select and configure a cloud service offering listed in the DISA PA DoD Cloud Catalog for use with Impact Level 4 or higher. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000104-CLD-000160: The Mission Owner must configure the virtual enclave/virtual platform with an identity provider that uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Verify the virtual enclave/platform is configured to use an identity provider. If the virtual enclave/virtual platform has not implemented an identity provider, this is a finding.
Discussion
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Identity Federation requirements to enable CAC authentication of non-privileged DoD users to cloud-hosted DoD (e.g., IaaS and PaaS) or SaaS-provided systems and services are the responsibility of the DoD Component or Program Office procuring the cloud service offering. Mission Owners may choose to use the CSP's CAC services (based on Level), use a DoD federated offering, or install a virtual Active Directory. For Levels 2-5, the CSPs should have either a DoD PKI certificate or a DoD-approved External Certification Authority (ECA) medium-assurance PKI Certificate for each person that needs to communicate with DoD via encrypted email. CSPs serving Level 6 systems will already have SIPRNet tokens / NSS PKI certificates for their system administrators by virtue of the connection to SIPRNet.
Fix
Configure the virtual enclave/platform to use an identity provider. Mission Owners may choose to use the CSP's CAC services (based on level), use a DoD federated offering, or install a virtual AD.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000104-CLD-000160: The CSO must be configured to use DOD PKI to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
Unless I&A is required by the information owner, for Impact Level 2 public cloud with non-privileged user access to publicly releasable information, this is not applicable. Verify the CSO is configured to use DOD PKI to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). If the CSO does not use DOD PKI to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.
Discussion
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Identity Federation requirements to enable CAC authentication of non-privileged DOD users to cloud-hosted DOD (e.g., IaaS and PaaS) or SaaS-provided systems and services are the responsibility of the DOD Component or Program Office procuring the cloud service offering. Mission Owners may choose to use the CSP's CAC services (based on Level), use a DOD federated offering, or install a virtual Directory Service. For Impact Levels 2-5, the CSPs must have either a DOD PKI certificate or a DOD-approved External Certification Authority (ECA) medium-assurance PKI Certificate for each person that needs to communicate with DOD via encrypted email and for admin accounts. CSPs serving Level 6 systems will already have SIPRNet tokens / NSS PKI certificates for their system administrators by virtue of the connection to SIPRNet. Satisfies: SRG-OS-000104, SRG-OS-000377
Fix
Applies to Impact Level 4/5/6. FedRAMP Moderate, High. Mission Owners may choose to use the CSP's CAC services (based on level), use a DOD federated offering or install a virtual Directory Service.
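Whichever of the three options is chosen here or in the preceding requirement (the CSP's CAC services, a DoD federated offering, or a virtual directory service), the application eventually has to turn a validated DoD PKI certificate into a user identity. The following is an added example, not SRG text or any identity provider's code. It assumes a TLS-terminating proxy has already validated the client certificate chain against the DoD PKI trust anchors and forwards the subject and issuer DNs to the application, and it shows the checks the application should still make before mapping the certificate to an account. The DN layouts and the issuing-CA name pattern are assumptions drawn from common CAC identity certificates, not a specification.

```python
"""Derive a DoD user identity from a CAC client certificate's subject and issuer DNs.

Added example, not SRG text or any IdP's code. Assumed deployment: a TLS-terminating
proxy validates the client certificate chain against the DoD PKI trust anchors and
passes the subject and issuer DNs to the application. The DN shapes and the issuer
name pattern below are assumptions based on common CAC certificates.
"""
import re

# Tail shared by CAC subject and issuer DNs (assumed): OU=PKI, OU=DoD, O=U.S. Government, C=US
DOD_TAIL = [("OU", "PKI"), ("OU", "DoD"), ("O", "U.S. Government"), ("C", "US")]
# Issuing CA names look like "DOD ID CA-59" or "DOD SW CA-60" (assumed pattern).
ISSUER_CN_RE = re.compile(r"^DOD(?: [A-Z]+)* CA-\d+$", re.IGNORECASE)
# Subject CN is LAST.FIRST.MIDDLE.EDIPI where the EDIPI is a 10-digit number (assumed layout).
SUBJECT_CN_RE = re.compile(r"^(?P<name>[A-Z][A-Z.'\- ]*)\.(?P<edipi>\d{10})$", re.IGNORECASE)

# Constructed DNs for demonstration; not a real person or a real issuing CA instance.
SAMPLE_SUBJECT = "CN=DOE.JOHN.A.1234567890, OU=USA, OU=PKI, OU=DoD, O=U.S. Government, C=US"
SAMPLE_ISSUER = "CN=DOD ID CA-59, OU=PKI, OU=DoD, O=U.S. Government, C=US"


def parse_dn(dn):
    """Split an RFC 4514 DN string into [(ATTR, value), ...], honoring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.replace("\\,", ",")))
    return pairs


def identity_from_cac(subject_dn, issuer_dn):
    """Return {'edipi', 'display_name', 'affiliation'} or raise ValueError.

    Chain validation happened at the proxy; this function refuses certificates whose
    issuer is not a DoD CA and whose subject is not shaped like a CAC identity cert,
    so a valid certificate from some other trusted CA cannot log in as a DoD user.
    """
    issuer = parse_dn(issuer_dn)
    if (len(issuer) != 5 or issuer[0][0] != "CN"
            or not ISSUER_CN_RE.match(issuer[0][1]) or issuer[1:] != DOD_TAIL):
        raise ValueError(f"issuer is not a DoD CA: {issuer_dn}")
    subject = parse_dn(subject_dn)
    if (len(subject) != 6 or subject[0][0] != "CN"
            or subject[1][0] != "OU" or subject[2:] != DOD_TAIL):
        raise ValueError(f"subject is not a CAC identity DN: {subject_dn}")
    m = SUBJECT_CN_RE.match(subject[0][1])
    if not m:
        raise ValueError(f"subject CN lacks an EDIPI: {subject[0][1]}")
    # Key the account on the EDIPI: it survives certificate reissue; the serial and CN may not.
    return {"edipi": m.group("edipi"), "display_name": m.group("name"), "affiliation": subject[1][1]}


if __name__ == "__main__":
    print(identity_from_cac(SAMPLE_SUBJECT, SAMPLE_ISSUER))
```

Key the account record on the EDIPI, which persists across certificate reissue, and only trust the forwarded DNs when the proxy strips any copies of those headers that arrive from the client; the DN checks here complement chain validation, they do not replace it.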
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000480-CLD-000110: The Mission Owners must select and configure a CSO listed in the DISA PA DOD Cloud Catalog at Level 6 when hosting Classified DOD information.
If the implementation is categorized as Impact Level 2-5, this is not applicable. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the Cloud Service Offering is listed in the DISA PA DOD Cloud Catalog. Verify the Cloud Service Offering is listed in the DISA PA DOD Cloud Catalog at Level 6 when hosting Classified DOD information. If Classified DOD information is being hosted in the IaaS/PaaS and the cloud service offering is not listed in the DISA PA DOD Cloud Catalog, Impact Level 6, this is a finding.
Discussion
Impact Level 6 is reserved for the storage and processing of classified information. Impact Level 6 information up to the SECRET level must be stored and processed in a dedicated cloud infrastructure located in facilities approved for the processing of classified information, rated at or above the highest level of classification of the information being stored and/or processed.
Fix
This applies to Impact Level 6. FedRAMP Moderate, High. Configure a cloud service offering listed in the DISA PA DOD Cloud Catalog for use with Impact Level 6 when hosting Classified DOD information. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
SRG-OS-000096-CLD-000150: The Mission Owner must configure the IaaS/PaaS to prohibit or restrict the use of functions, ports, protocols, and/or services.
If this is an Impact Level 2 CSO, this is not a finding. For dedicated infrastructure with a DODIN connection (Levels 4–6), review the architecture diagrams. Verify that the virtual firewall ACLs that restrict traffic flow inbound and outbound to/from the cloud service to the DODIN connection comply with the boundary requirements. Verify all traffic from the CSP enclave and other sources are blocked by these methods. If the cloud service offering is not configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments, this is a finding.
Discussion
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), Mission Owners must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Mission Owners must also comply with DOD Ports, Protocols, and Services Management (PPSM) requirements when implementing and operating their systems/applications in an IaaS/PaaS CSO. SaaS solutions: Register the Protocols and Services along with their related UDP/TCP IP Ports used by the SaaS service that will traverse the DISN in the DOD PPSM registry. This includes all user and management plane traffic for Levels 4, 5, and 6 as well as management plane traffic for Level 2 if managed/monitored from within a DOD network.
Fix
Applies to Impact Level 4/5/6. FedRAMP Moderate, High. For dedicated infrastructure with a DODIN connection (Levels 4–6), configure the IaaS/PaaS virtual firewall that restricts traffic flow inbound and outbound to/from the cloud service to the DODIN connection and block all traffic from all other sources.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000096-CLD-000150: The Mission Owner must configure the cloud instance to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
If this is a Level 2 cloud, this is not a finding. For dedicated infrastructure with a DODIN connection (Levels 4-6), review the architecture diagrams. Verify that the virtual firewall ACLs, IPS rules, and/or routing tables that restrict traffic flow inbound and outbound to/from the virtual enclave to the DODIN connection comply with the boundary requirements of DoDI 8551. Verify all traffic from the CSP enclave and other sources are blocked by these methods. If the cloud IaaS/PaaS is not configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments, this is a finding.
Discussion
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), Mission Owners must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Fix
For dedicated infrastructure with a DODIN connection (Levels 4-6), configure the IaaS/PaaS virtual firewall, IPS, and/or routing methods that restrict traffic flow inbound and outbound to/from the virtual enclave to the DODIN connection IAW DoDI 8551 and block all traffic from all other sources.
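Both forms of this requirement (the one immediately above and SRG-OS-000096-CLD-000150 as stated for the IaaS/PaaS virtual firewall) reduce to one audit: every allow rule on the enclave boundary must map to a PPSM-registered port and protocol, must peer only with the DODIN connection, and must sit above a default deny in both directions. The following is an added example, not SRG text or any CSP's tooling, that runs that audit in Python over a constructed rule set. The registered ports, the DODIN address ranges and the rules are assumptions, and the rule shape is generic rather than any one CSP's security-group or firewall API.

```python
"""Audit a virtual enclave's boundary firewall rules against its PPSM registration.

Added example, not SRG text or any CSP's tooling. The registered ports, the DODIN
address ranges and the rule set are constructed; the rule shape (direction,
protocol, port range, peer CIDR, action) is generic, not a specific CSP API.
"""
import ipaddress

# Ports/protocols the Mission Owner registered in the PPSM registry (constructed).
PPSM_REGISTERED = {
    ("tcp", 443, "inbound"), ("tcp", 22, "inbound"),
    ("tcp", 443, "outbound"), ("udp", 53, "outbound"),
    ("tcp", 8834, "outbound"),   # ACAS scanner to Security Center (assumed registration)
}

# Address space reachable only through the DODIN connection (placeholder ranges).
DODIN_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed rule set under review.
RULES = [
    {"dir": "inbound",  "proto": "tcp", "from": 443,  "to": 443,   "cidr": "192.0.2.0/24", "action": "allow"},
    {"dir": "inbound",  "proto": "tcp", "from": 22,   "to": 22,    "cidr": "0.0.0.0/0",    "action": "allow"},
    {"dir": "inbound",  "proto": "tcp", "from": 3389, "to": 3389,  "cidr": "10.0.0.0/8",   "action": "allow"},
    {"dir": "outbound", "proto": "tcp", "from": 0,    "to": 65535, "cidr": "0.0.0.0/0",    "action": "allow"},
    {"dir": "outbound", "proto": "udp", "from": 53,   "to": 53,    "cidr": "10.0.0.53/32", "action": "allow"},
    {"dir": "inbound",  "proto": "any", "from": 0,    "to": 65535, "cidr": "0.0.0.0/0",    "action": "deny"},
]


def _is_catch_all(rule):
    """True for a rule that covers every peer and every port."""
    return rule["cidr"] == "0.0.0.0/0" and rule["from"] == 0 and rule["to"] == 65535


def audit_rules(rules, registered=PPSM_REGISTERED, dodin=DODIN_RANGES):
    """Return (kind, rule_or_direction, detail) findings; an empty list means compliant."""
    findings = []
    default_deny = {"inbound": False, "outbound": False}
    for r in rules:
        if r["action"] == "deny":
            if _is_catch_all(r) and r["proto"] == "any":
                default_deny[r["dir"]] = True
            continue
        if r["proto"] not in ("tcp", "udp"):
            findings.append(("any_protocol_allow", r, r["proto"]))
            continue
        # Every port the rule opens must have a registration for that protocol and direction.
        allowed = {p for (proto, p, d) in registered if proto == r["proto"] and d == r["dir"]}
        unregistered = [p for p in range(r["from"], r["to"] + 1) if p not in allowed]
        if unregistered:
            findings.append(("unregistered_ports", r, len(unregistered)))
        # The peer must lie entirely inside the DODIN connection's address space.
        peer = ipaddress.ip_network(r["cidr"])
        if not any(n.version == peer.version and peer.subnet_of(n) for n in dodin):
            findings.append(("non_dodin_peer", r, r["cidr"]))
    for direction, present in default_deny.items():
        if not present:
            findings.append(("missing_default_deny", direction, None))
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit_rules(RULES):
        print(kind, detail, where)
```

A port-range allow is checked port by port, so an outbound 0-65535 allow to 0.0.0.0/0 is reported as tens of thousands of unregistered ports plus a non-DODIN peer; that single rule is the configuration the check in this requirement is written to catch.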
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
SRG-OS-000001-CLD-000010: The Mission Owner must configure the customer portal credentials for least privilege.
Review the site's approval documentation to ensure an individual or entity has been appointed to manage the cloud management service portal. This may be a group or contracted service. Verify the cloud service offering has been configured to allow only these individuals for portal service and virtual instance configuration. If the Mission Owner has not configured the customer portal credentials and the Mission Owner application/system privileged accounts for least privilege, this is a finding.
Discussion
Specific individuals or entities must explicitly be appointed by the DOD Mission Owner to establish plans and policies for the control of privileged user access (to include root account credentials) used to establish, configure, and control a Mission Owner’s Virtual Private Cloud (VPC) configuration once connected to the DISN. These individuals or entities establish and manage Least-Privilege Attribute-Based Access Control (ABAC) accounts and credentials used by privileged DOD users and systems to administer and control DOD cloud service offering configurations. This role is intended to operate at all DOD information Impact Levels. However, it may not apply to some SaaS solutions where DOD account owners are not required to use the CSP’s Identity and Access Management (IdAM) system to administer user accounts and service configurations.
Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Appoint an individual or entity to manage portal services. Application and enclave administrators should also be appointed. Configure access for these individuals to access and configure services and virtual instances.
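The least-privilege and ABAC language in the discussion above can be tested against the policy documents attached to the portal credentials. The following is an added example, not SRG text or any CSP's policy analyzer: it lints an IAM-style JSON policy for the patterns that defeat least privilege (a full-admin wildcard, service-wide action wildcards, privilege-escalating actions on unscoped resources, and resource wildcards with no condition), and shows the same lint passing a hardened policy. The account ID, region, tag key and role name are placeholders.

```python
"""Lint an IAM-style policy attached to portal administrator credentials for least privilege.

Added example, not SRG text or any CSP's policy analyzer. Both policy documents
are constructed; the account ID, region, tag key and role name are placeholders.
"""
import json

# Actions that let a principal widen its own access; never allow them on Resource "*".
PRIVILEGE_ESCALATION = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}

WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ServiceWildcard", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
    {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OperateTaggedInstances", "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
     "Resource": "arn:aws:ec2:us-gov-west-1:123456789012:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Enclave": "mission-a"}}},
    {"Sid": "PassOnlyAppRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/MissionAppRole"}
  ]
}""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (kind, where) findings for Allow statements that exceed least privilege."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if "NotAction" in st or "NotResource" in st:
            findings.append(("negated_match", sid))   # grants everything except the list
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(("full_admin", sid))
            continue
        for action in actions:
            if action.endswith("*"):
                findings.append(("service_wildcard", f"{sid}:{action}"))
            if action in PRIVILEGE_ESCALATION and "*" in resources:
                findings.append(("privilege_escalation", f"{sid}:{action}"))
        if "*" in resources and "Condition" not in st:
            # ABAC requires at least a tag condition when the resource is not enumerable.
            findings.append(("unscoped_resource", sid))
    return findings


if __name__ == "__main__":
    print("weak:", lint_policy(WEAK_POLICY))
    print("hardened:", lint_policy(HARDENED_POLICY))
```

The lint covers the policy, not the credential it is attached to: the root or account-owner credential should carry no day-to-day permissions and be held back as an alerted break-glass path, which is the point of appointing specific individuals to manage the portal.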
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None