DISA released a new Cloud Computing Security Requirements Guide (SRG) on Jan. 14 to help provide guidance and policy to commercial Cloud Service Providers (CSP) and Defense Department mission partners.
The SRG establishes DoD security objectives to host missions up to, and including, secret on commercial service offerings, DISA explained. Missions above secret are not covered by the SRG and must follow existing policies.
The Cloud Computing SRG “incorporates, supersedes, and rescinds the previously published Cloud Security Model and applies to all CSP offerings, regardless of who owns or operates the environments,” DISA said.
“The SRG is designed to ensure that DoD can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk,” Mark Orndorff, DISA risk management executive, said in a statement.
The SRG serves multiple purposes, including providing security requirements and guidance to non-DoD owned/operated CSPs that want to have their services included in the Cloud Service Catalog. It also establishes a basis for DoD to assess the security posture of non-department CSP service offerings and defines policies and requirements.architecture for the use and implementation of commercial cloud services by DoD mission owners.
The guide also gives guidance to mission owners and assessment and authorization officials (formerly known as certification and accreditation) for planning and authorizing the use of a CSP.