Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Cloud Computing Mission Owner Operating System Security Requirements Guide
Profiles
I - Mission Critical Classified
I - Mission Critical Classified
An XCCDF Profile
Details
Items
Prose
16 rules organized in 16 groups
SRG-OS-000023
1 Rule
<GroupDescription></GroupDescription>
The Mission Owner must configure the cloud service offering (CSO)-provided customer logon banner to display the Standard Mandatory DOD Notice and Consent Banner before granting access to users that must log on.
Medium Severity
<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for operating system that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000096
1 Rule
<GroupDescription></GroupDescription>
The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) to prohibit or restrict the use of functions, ports, protocols, and/or services.
Medium Severity
<VulnDiscussion>To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), Mission Owners must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000104
1 Rule
<GroupDescription></GroupDescription>
The cloud service offering (CSO) must be configured to use DOD public key infrastructure (PKI) to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
Medium Severity
<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Identity Federation requirements to enable Common Access Card (CAC) authentication of nonprivileged DOD users to cloud-hosted DOD (e.g., Infrastructure as a Service [IaaS] and Platform as a Service [PaaS]) or Software as a Service (SaaS) provided systems and services is the responsibility of the CSO, procuring DOD Component, or Program Office. Mission Owners may choose to use the cloud service providers (CSP's) CAC services (based on Level), use a DOD federated offering, or install a virtual Directory Service. For Impact Levels 2–5, the CSPs must have either a DOD PKI certificate or a DOD-approved External Certification Authority (ECA) medium-assurance PKI Certificate for each person who needs to communicate with DOD via encrypted email and for admin accounts. CSPs serving Level 6 systems will already have SIPRNet tokens/NSS PKI certificates for their system administrators by virtue of the connection to SIPRNet. Satisfies: SRG-OS-000104,SRG-OS-000377</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000342
1 Rule
<GroupDescription></GroupDescription>
The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must perform centralized logging to capture and store log records.
Medium Severity
<VulnDiscussion>Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to ensure that in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. For cloud service environments, security information and event management (SIEM) or syslog capability must be implemented by both Boundary and Mission Computer Network Defense (CND) service providers to log audit information. This requirement can be met by the operating system continuously sending records to a centralized logging server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000368
1 Rule
<GroupDescription></GroupDescription>
For Impact Levels 4 and 5, the Mission Owner must register all cloud-based services, their CSP/CSO, and connection method in the DISA Systems/Network Approval Process (SNAP) database Cloud Module.
Medium Severity
<VulnDiscussion>Register all cloud-based systems and applications, including the cloud service provider (CSP)/cloud service offering (CSO) name, Mission Cyberspace Defense (MCD), and connection method in the DISA SNAP database Cloud Module. SNAP registration will enable cloud services to be connected to the DISA Information Systems Network (DISN) and is crucial for situational awareness. SNAP registration documentation must include designating a certified cybersecurity service provider (CSSP) as the Tier 2 Computer Network Defense (CND). If applicable, the IP address of the cloud service must be configured in accordance with the Mission Owner's IP registration in SNAP so they do not repurpose an already registered IP for new services without updating the SNAP registration. SNAP: https://snap.dod.mil/gcap/home.do Connection Approval: https://www.disa.mil/Network-Services/Enterprise-Connections/Connection-Approval</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000368
1 Rule
<GroupDescription></GroupDescription>
For Impact Level 6, the Mission Owner must process connection approval to the SIPRNet through the DISA classified connection approval process.
Medium Severity
<VulnDiscussion>The DOD Mission Owner systems/applications instantiated in these Impact Level 6 CSO enclaves will be assessed and authorized in the same way as any other DOD SIPRNet enclave connection in accordance with the DISA CPG. Approval for connection to the SIPRNet will be processed through the DISA classified connection approval process as with any other SIPRNet enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000368
1 Rule
<GroupDescription></GroupDescription>
The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must remove orphaned or unused virtual machine (VM) instances.
Medium Severity
<VulnDiscussion>Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some VMs may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the VM level. Some of the service and helper VMs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of such VMs is not always possible; therefore, establishing a method of preventing VM activation is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of VMs in certain environments while preventing execution in other environments or limiting execution of certain VM functionality based on organizationally defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000370
1 Rule
<GroupDescription></GroupDescription>
The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS)/Software as a Service (SaaS) must register the service/application with the DOD DMZ/IAP allowlist for internet-facing inbound and outbound traffic.
Medium Severity
<VulnDiscussion>Register the service/application with the DOD DMZ/IAP allowlist for both inbound and outbound traffic if traffic will cross the internet access points (IAPs). Using an allowlist provides a configuration management method for allowing the execution of only authorized software, ports, protocols, and guest virtual machines (VMs). Using only authorized software decreases risk by limiting the number of potential vulnerabilities and preventing the execution of malware. Cloud approval documentation should include allowed approved ports and protocols communications, including allowlisted mission application traffic and services access from the internet via the Defense Information Systems Network (DISN) IAP. If all or a portion of the mission owners cloud-based Level 4/5 systems/applications connected through the BCAP are to be internet accessible, traffic is required to traverse the DISN IAPs. The system's/application's URLs/IP addresses must be registered with the DOD DMZ allowlist. Traffic that will typically traverse the IAP is management traffic for Level 2 off-premises systems/applications and for user plane traffic to/from Level 4/5 systems/applications that are internet-facing. Such traffic and IP addresses may be blocked if not registered in the allowlist.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000404
1 Rule
<GroupDescription></GroupDescription>
For storage service offerings, the Mission Owner must configure or ensure the cloud instance uses encryption to protect all DOD files housed in the cloud instance.
High Severity
<VulnDiscussion>Mission systems at all Impact Levels must have the capability for DOD data to be encrypted at rest with exclusive DOD control of encryption keys and key management. Some cloud service offerings (CSOs) may facilitate this by providing a Hardware Security Module (HSM) or offering customer-dedicated HSM devices as a service. CSOs that do not provide such a capability may require Mission Owners to use encryption hardware/software on the Defense Information Systems Network (DISN) or a cloud encryption service that provides DOD control of keys and key management. Some CSOs may offer a key management service that can suffice for management of customer keys by the customer while preventing cloud service provider (CSP) access to the keys. An NSA-validated CSP key management service is required. Data-at-rest (DAR) encryption with customer-controlled keys and key management protects the DOD data stored in CSOs with the following benefits: - Maintains the integrity of publicly released information and websites at Level 2 where confidentiality is not an issue. - Maintains the confidentiality and integrity of CUI at Levels 4 and 5 with the following benefits: - Limits the insider threat vector of unauthorized access by CSP personnel by increasing the work necessary to compromise/access unencrypted DOD data. Mission Owners and their Authorizing Officials should consider the benefits of DAR encryption and a cryptography-based process for data destruction and/or spill remediation at Impact Level 2 in addition to the benefit of maintaining information integrity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000438
1 Rule
<GroupDescription></GroupDescription>
The Mission Owner of the Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) must remove all upgraded or replaced software and firmware components that are no longer required for operation.
Medium Severity
<VulnDiscussion>Adversaries may exploit previous versions of software components that are not removed from the information system after updates have been installed. Some information technology products may remove older versions of software from the information system automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000480
1 Rule
<GroupDescription></GroupDescription>
The Mission owner must obtain Authorizing Official (AO) authorization for each cloud service offering (CSO) implemented in support of production or development environments prior to operational use.
Medium Severity
<VulnDiscussion>The Mission Owner must choose a CSO that fits the operational needs and also has a DOD Provisional Authorization (PA) at the information Impact Level corresponding to the categorization of the information to be processed or stored in the CSO. The PA and supporting documentation must then be leveraged by the Mission Owner's AO in granting the required Authority to Operate (ATO) for the mission system operating within the cloud.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000480
1 Rule
<GroupDescription></GroupDescription>
The Mission Owner must select and configure an Impact Level 2 FedRAMP authorized cloud service offering (CSO) when hosting unclassified, publicly releasable DOD information.
Medium Severity
<VulnDiscussion>FedRAMP Moderate is the minimum security baseline for all DOD cloud services. Components and Mission Owners may host unclassified, publicly releasable DOD information on FedRAMP Moderate approved cloud services. This type of CSO is known as Impact Level 2. They may also configure an offering from the DISA PA DOD Cloud Catalog at any Impact Level for use. Low Confidentiality Impact: Mission Owners will only publish, collect, store, or process low confidentiality impact (sensitivity) personally identifiable information (PII) in a CSO minimally possessing a FedRAMP Moderate Provisional Authority to Operate (P-ATO) listed on the FedRAMP Marketplace and a DOD Level 2 Provisional Authorization (PA), with Privacy Officer approval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000480
1 Rule
<GroupDescription></GroupDescription>
The Mission Owner must select and configure an Impact Level 4/5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Controlled Unclassified Information (CUI).
High Severity
<VulnDiscussion>Impact Level 4 accommodates Controlled Unclassified Information (CUI). This information must be protected from unauthorized disclosure. Designating information as CUI is the responsibility of the data owner and their organization. Determining the appropriate Impact Level for a specific mission with CUI will be the responsibility of the mission AO. Impact Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other government regulations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000480
1 Rule
<GroupDescription></GroupDescription>
The Mission Owner must select and configure an Impact Level 5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Unclassified National Security Information (U-NSI).
High Severity
<VulnDiscussion>U-NSI must be housed on an Impact Level 5 CSO. This is Unclassified National Security Systems (NSS) information and data. This is because NSS-specific security requirements are included in FedRAMP+.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000480
1 Rule
<GroupDescription></GroupDescription>
The Mission Owners must select and configure a cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog at Level 6 when hosting classified DOD information.
High Severity
<VulnDiscussion>Impact Level 6 is reserved for the storage and processing of classified information. Impact Level 6 information up to the SECRET level must be stored and processed in a dedicated cloud infrastructure located in facilities approved for the processing of classified information, rated at or above the highest level of classification of the information being stored and/or processed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
SRG-OS-000480
1 Rule
<GroupDescription></GroupDescription>
The Mission Owner must add all applicable compensating controls and requirements in the Service Level Agreement (SLA)/contract with the cloud service provider (CSP) or third-party provider.
Medium Severity
<VulnDiscussion>The Mission Owner may tailor the SLA/contract to include any of the controls in the Cloud Computing Mission Owner SRG Overview, Table-3-1, beyond the FedRAMP and DOD Baseline and FedRAMP+ security controls. The Mission Owner is responsible for defining any parameter values associated with any added security control. These values should be based on current DOD Risk Management Framework (RMF) Technical Advisory Group (TAG) values or Committee on National Security Systems Instruction (CNSSI) 1253 values. Any change of ownership involving a CSP, whether the primary CSP or an underlying CSP on which a cloud service offering (CSO) was built, will be reviewed by the DISA Authorizing Official (AO) to assess the impacts and risks associated with the continuation of the DOD Provisional Authorization (PA). Any existing Impact Level 5/National Security System (NSS) systems will have two years from publication date of the Cloud Computing SRG, V1R1, to update to the National Institute of Standards and Technology Special Publication 800-53 Rev 5. They must submit a Plan of Acton and Milestones (POA&M) within 30 days, outlining actions to move to the High baseline requirement. When new updates for the Cloud Computing SRG are published, the Mission Owners and their Authorizing Officials (AOs) must review the controls to determine if the risk is acceptable until such time the CSP is required to comply and/or include the required compliance in the SLA/contract.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>