DISA drafts new cloud security requirements
The Defense Information Systems Agency released a draft of a security requirements guide for cloud computing across the Defense Department. When finalized, this SRG will supersede and rescind current guidance under the Cloud Security Model.
The SRG addresses processes for authorizing a particular cloud service provider’s offerings and outlines security requirements to be addressed in authorizing and operating cloud capabilities, such as information assurance, continuous monitoring, identification and authentication. It also provides guidance on computer network defense and incident response.
While the SRGs define high-level requirements for various technology families and organizations, the Security Technical Implementation Guides (STIGs) are the detailed guidelines for specific products. The applicable SRGs and STIGs are available from the Information Assurance Support Environment website.
When this draft guidance is published, cloud providers being assessed against the Cloud Security Model requirements must comply with the new SRG "in coordination" with their next annual FedRAMP reauthorization, the draft states.
DISA, the agency in charge of the IT infrastructure underpinning DOD missions, has been updating its security guidelines to clarify for commercial cloud providers what it will take to host and process sensitive and classified DOD information.
Comments from industry and others interested in the draft SRG are due Dec. 29 and should be sent to disa.letterkenny.FSO.firstname.lastname@example.org.
On a related note, Acting Defense Department CIO Terry Halvorsen issued a memo outlining changes to the Pentagon’s cloud procurement policy that will allow the military services and other DOD agencies to procure commercial cloud services themselves rather than leaving that authority to DISA.
A version of this story originally appeared on FCW, GCN’s sister site.