On July 24, 2015, the Defense Information Security Agency (“DISA”) issued three draft documents (available here for download) concerning the adoption of secure cloud computing systems by the Department of Defense (“DoD”). DISA is tasked with developing DoD’s security requirements guides for cybersecurity policies, standards, architectures, security controls, and validation procedures. The newly released draft documents are: (1) a Security Requirements Guide; (2) a Cloud Access Point Functional Requirements Document; and (3) a Concept of Operations for Cloud Computer Network Defense. Any comments on these draft documents must be submitted to DISA by August 22, 2015.
Additional information regarding each of these three documents is provided below.
* * * *
Security Requirements Guide
The “Security Requirements Guide” is a comprehensive framework for authorizing a cloud offering, and for identifying the specific security requirements for that offering. Its target audience includes (1) Cloud Service Providers (“Cloud Provider” or “CSP”), including contractors, that would sell or provide a Cloud Service Offering (“Cloud Offering” or “CSO”) to DoD; and (2) DoD officials and customers that would purchase or use a Cloud Offering—i.e., “Mission Owners,” a term defined by National Institute of Standards and Technology Special Publication 500-292. At nearly 100 pages, plus appendices, the Security Requirements Guide is the longest and densest of DISA’s three documents.
At minimum, any contractor that is (or aims to be) a Cloud Provider should understand DISA’s criteria for issuing a Provisional Authorization (“PA”) to a Cloud Offering. According to Section 2.6, a PA is issued “based on an evaluation of the CSP’s CSO and the potential for risk introduced to DoD networks.” Having a PA allows a Cloud Offering to be listed in DoD’s Cloud Service Catalog. Furthermore, DoD can refuse to award a contract if a Cloud Provider’s Cloud Offering does not have a PA, or if it fails to satisfy relevant PA security requirements at the time of award. These standards extend even to “integrators and resellers  responding to RFPs.” In addition, it is “highly recommended” that Cloud Providers “subcontract to other CSPs that have a DoD PA.”
As outlined in Sections 3 and 4, the PA assessment process entails DISA’s evaluation of the risks presented by a Cloud Offering storing and processing information under certain enhanced security requirements. These enhanced security requirements are referred to as “Impact Levels.” There are four Impact Levels. As described in Section 4, when a Mission Owner elects to use a Cloud Offering, that Cloud Offering must “possess a DoD PA at the information impact level corresponding to the categorization of the information to be processed or stored in the CSO.” Notably, DISA introduced the concept of “Impact Levels” over one year ago, in its now-superseded Cloud Security Model. In that March 2014 document, DISA identified six Impact Levels—Level 1 through Level 6. But now, DISA has consolidated Level 1 into Level 2, and Level 3 into Level 4, thus leaving the following four Impact Levels: Level 2, Level 4, Level 5, and Level 6. These levels and their security standards are as follows:
- Level 2 includes the least-sensitive categories of information. It includes all data cleared for public release, as well as some unclassified information not otherwise designated as controlled unclassified information (“CUI”). For Level 2, DISA prescribes the “Moderate” security control baseline from the Federal Risk and Authorization Program (“FedRAMP”)—i.e., the standardized, government-wide approach for assessing, authorizing, and monitoring cloud products and services.
- Level 4 includes “critical mission data” and CUI that requires protection from unauthorized disclosure (as established by Executive Order 13556, Controlled Unclassified Information (Nov. 2010)). Such CUI can include data subject to export controls or protected health information. Starting at Level 4, DISA prescribes FedRAMP security, plus certain “Security Controls/Enhancements”—i.e., “FedRAMP+,” a combination of the FedRAMP Moderate baseline, plus additional, DoD-specific controls and requirements.
- Level 5 includes CUI that requires a higher level of protection deemed necessary by the information owner, public law, or other government regulations. Level 5 is the minimum standard for unclassified National Security Systems. Here, FedRAMP+ also is required, but with Control/Control Enhancements (“C/CEs”) that exceed the controls and requirements for Level 4.
- Level 6 includes classified national security information, and is the minimum standard for information classified as SECRET. According to Section 3.2.6, Level 6 “requires a similar set of tailored controls as Level 5 and includes the CNSSI [Committee on National Security Systems Instruction] 1253, Appendix F, Attachment 5, Classified Information Overlay C/CEs.”
Information at a classification level higher than SECRET is beyond the scope of the Security Requirements Guide, so security for such information will continue to be governed by other policies. Notably, a PA appears to be expressly “provisional” because, according to Section 2.6, “[a] DoD PA is revocable in the event a CSP/CSO loses its FedRAMP PA or if the CSP does not maintain compliance with its security responsibilities identified in this [Security Requirements Guide], associated requirements found in other referenced documents, or contract requirements.”
Cloud Access Point Functional Requirements Document
DISA also is responsible for developing the requirements for, and implementing, a Cloud Access Point (“CAP”). According to Section 5.10.1 of the Security Requirements Guide, the CAP is a “system of network boundary protection and monitoring devices” that DISA will implement to protect the DoD Information Network (“DoDIN”) at points where the DoDIN connects with a Cloud Offering. CAP requirements vary depending on whether the cloud infrastructure is “on” or “off” DoD premises. “On-premises” is defined as a DoD data center; a DoD base, camp, post, or station; or any commercial or government facility (or portion thereof) under the direct control of DoD personnel and security policies.
The “Cloud Access Point Functional Requirements Document” builds upon Section 5.10.1 of the Security Requirements Guide, and it outlines specific CAP performance requirements that go beyond the scope of the Security Requirements Guide. However, Section 2.14 of this Functional Requirements Document—the section titled “Performance Requirements”—is still incomplete. It includes the following caveat: “This section is still being developed.”
Concept of Operations for Cloud Network Defense
Section 6 of the Security Requirements Guide addresses “the defense and protection of networks and Information Systems, detection of threats, and response to incidents.” Cumulatively, these measures are referred to as Computer Network Defense (“Network Defense” or “CND”). DoD broadly delegates Network Defense responsibilities. Section 6.1 of the Security Requirements Guide outlines a three-tiered “Command and Control” structure: Tier 1, the top tier, consists of U.S. Cyber Command and Joint Forces Headquarters DoDIN; Tier 2 consists of Network Defense Service Providers accredited by U.S. Cyber Command; and Tier 3 consists of DoD information systems operated and managed by Mission Owners. As noted in Section 6.3, a contractor that operates as a Cloud Provider “will function as an extension of the  Tier 3 entity,” so even it must provide, monitor, and maintain Network Defense services.
The “Concept of Operations for Cloud Network Defense” builds upon Section 6.3 of the Security Requirements Guide. According to its Executive Summary, the Concept of Operations adds and substantiates “reporting and data-sharing relationships between the CND and Cloud organizations.” In addition, it introduces a “Cyber Event and Incident Response Matrix,” which “assigns procedures to be performed in response to incidents and events as categorized by DoD.”
The Concept of Operations is intended to be just a baseline for Network Defense. As suggested in Section 2.A, DoD is not able to identify and map specific defensive and responsive measures for every possible cyber event or incident. Instead, the Concept of Operations recognizes 10 categories of cyber incidents and reportable events, and it outlines a “reference procedure” with “conditional” steps and workflows for each category. These procedures are purposefully flexible so that they encompass any cyber incident or event, but also respect the many potential cloud variations available to Mission Owners. Importantly, the Concept of Operations is meant to “evolve as the procedures are put into practice and new best practices emerge.”
* * * *
In all, these three documents affirm DoD’s intent to utilize commercial cloud products. However, these documents should be closely reviewed by any contractor that intends to offer a cloud product to DoD. As noted, public comments are due to DISA by August 22, 2015.