The Defense Information Services Agency has released new cloud computing security requirements for DoD and contractors to follow.
The DoD Cloud Computing Security Requirements Guide (SRG), Version 1, supersedes the Cloud Security Model (CSM) V2.1.
The new SRG includes details on how cloud service providers (CSPs) that are currently being assessed, or that have a provisional authorization, should transition from the CSM. The SRG also applies to all CSP offerings, regardless of who owns or operates the environments, according to DISA.
DISA said the SRG establishes a basis on which DoD will assess the security posture of a non-DoD CSP’s service offering, defines the criteria for the use of commercial services by DoD mission owners, and provides guidance on planning and using CSPs.
“The SRG is designed to ensure that DoD can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk,” said Mark Orndorff, DISA Risk Management Executive.
The Cloud Computing SRG establishes the DoD security objectives to host DoD missions up to and including SECRET on commercial service offerings. Missions above SECRET must follow existing applicable DoD policies and are not covered by the SRG.
The SRG is available on the IASE website: http://iase.disa.mil/Pages/index.aspx