Cloud Computing Mission Owner SRG Version Comparison
Cloud Computing Mission Owner Security Requirements Guide Comparison
There are 13 differences between versions v1 r0.1 (Oct. 27, 2022) (the "left" version) and v1 r0.1 (Oct. 27, 2022) (the "right" version).
Check SRG-NET-000383-CLD-000200 was changed between these two versions. In the original rendering, green, underlined text was added and red, struck-out text was removed.
Text Differences
Title
Left version: The Mission Owner must configure an Intrusion Detection and Prevention System (IDPS) to protect Mission Owner enclaves and applications hosted in an off-premise cloud service offering.
Right version: For IaaS/PaaS, the Mission Owner must configure an IDPS to protect DOD VMs, services, and applications.
Check Content
Left version: If this is a SaaS, premise or Level 2 implementation, this requirement is not applicable. Review SLA and architecture documentation. Verify the virtual IDPS is in place by inspecting the architecture diagrams. Verify that it is placed to monitor and protect the IaaS, virtual enclave, platform, and interconnected host VMs. Verify a secure (encrypted) connection exists between the virtual IDPS capabilities and the CNDSP responsible for the mission system/application. If the Mission Owner has not configured the IaaS virtual enclave or platform IDPS to monitor and protect the IaaS virtual enclave(s) and interconnected VMs, this is a finding.
Right version: If this is a SaaS, premise or Level 2 implementation, this requirement is not applicable. Review SLA and architecture documentation. Verify the virtual IDPS is in place by inspecting the architecture diagrams. Verify that it is placed to monitor and protect the IaaS, PaaS, and interconnected VMs. Inspect the virtual IDPS configuration. Verify a secure (encrypted) connection exists between the virtual IDPS capabilities and the CSSP responsible for the mission system/application. If the Mission Owner has not configured the IaaS virtual enclave or PaaS IDPS to monitor and protect the IaaS virtual enclave(s) and interconnected VMs, this is a finding.
Discussion
Left version: Without coordinated reporting between cloud service environments used for DoD mission, it is not possible to identify the true scale and possible target of an attack. An IDPS protect Mission Owner enclaves and applications hosted in an off-premise cloud service offering and may be deployed within the cloud service environment, the MeetMe Point, cloud access point, or supporting Core Data Center (CDC). When infrastructure has direct Internet access, implement virtual IDPS capabilities configured in compliance with the applicable DoD STIG or SRG. The Mission Owner and/or their CNDSP must be able to monitor the virtual network boundary and report/integrate with Tier 1. For dedicated infrastructure with a DODIN connection (Levels 4-6): implement an IPS that monitors and works with the virtual security infrastructure (e.g., firewall, routing tables, WAF, etc.) to protect traffic flow inbound and outbound to/from the virtual network to the DODIN connection.
Right version: Network environments and applications installed using an I/PaaS cloud service offering where the Mission Owner has control over the environment must comply with DOD network infrastructure and host policies. Putting an application in the cloud does not take care of all security responsibilities. Without coordinated reporting between cloud service environments used for DOD mission, it is not possible to identify the true scale and possible target of an attack. An IDPS protects Mission Owner enclaves and applications hosted in an off-premise cloud service offering and may be deployed within the cloud service environment, the MeetMe Point, cloud access point, or supporting Core Data Center (CDC). Additionally, an IDPS facilitates the reporting of incidents and aid the coordination of response actions between all stakeholders of the cloud service offering and/or mission owner applications. The Mission Owner and/or their Cybersecurity Service Provider (CSSP) must be able to monitor the virtual network boundary. For dedicated infrastructure with a DODIN connection (Levels 4–6), implement an IDPS that monitors and works with the virtual security infrastructure (e.g., firewall, routing tables, WAF, etc.) to protect traffic flow inbound and outbound to/from the virtual network to the DODIN connection.
Fix
Left version: Configure a virtual IDPS to monitor and protect Mission Owner enclaves and applications hosted in an off-premise cloud.
Right version: This applies to all Impact Levels. FedRAMP Moderate, High. Configure a virtual IDPS to monitor and protect the DOD VMs, services, and applications.