DOD Updates Cloud Security Standards

On Tuesday, the Defense Department released updated security requirements for hosting military data in the cloud.

The Cloud Computing Security Requirements Guide (SRG) builds on Federal Risk and Authorization Management Program (FedRAMP) standards and applies to both commercial and DOD cloud service providers. The document incorporates feedback from industry and DOD stakeholders and is expected to be updated quarterly, according to a Jan. 12 memo about the new requirements developed by the Defense Information Systems Agency.

The biggest change is a reduction in the number of DOD impact levels from six to four. (See page 10 of the SRG for more details.) Impact levels are used to classify the sensitivity of data stored in the cloud, and each level requires more rigorous standards. The next SRG update will focus on requirements for impact level 5 and considerations for hosting DoD workloads outside of US facilities. The revised impact levels are listed below:

Level 2: Non-controlled unclassified information, including all data cleared for public release.

Level 4: Controlled Unclassified Information

Level 5: Controlled Unclassified Information

Level 6: Classified Information up to SECRET

The revised cloud security requirements were prompted by a 45-day study commissioned by acting DOD CIO Terry Halvorsen. “When we started developing this SRG we took the cloud security model and added some front matter… and expanded on that,” Ronald Rice, an IT specialist with DISA Field Security Operations (FSO), said last month during a conference call for industry and DOD officials to raise questions about the document.