Cloud Computing Mission Owner Security Requirements Guide

  • Version/Release: V1R0.1
  • Published: 2019-12-17

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Mission Owner must configure the customer portal credentials and the Mission Owner application/system privileged accounts for least privilege.
AC-2 - High - CCI-000015 - SRG-OS-000001-CLD-000010 - SRG-OS-000001-CLD-000010_rule
RMF Control
AC-2
Severity
High
CCI
CCI-000015
Version
SRG-OS-000001-CLD-000010
Vuln IDs
  • SRG-OS-000001-CLD-000010
Rule IDs
  • SRG-OS-000001-CLD-000010_rule
Specific individuals or entities must be appointed by the DoD Mission Owner’s Authorizing Official (AO) to establish plans and policies for the control of privileged user access (to include root account credentials) used to establish, configure, and control a Mission Owner’s Virtual Private Cloud (VPC) configuration once connected to the DISN. These individuals or entities establish and manage Least-Privilege Attribute-Based Access Control (ABAC) accounts and credentials used by privileged DoD users and systems to administer and control DoD cloud service offering configurations. This role is intended to operate at all DoD information Impact Levels. However, it may not apply to some SaaS solutions where DoD account owners are not required to use the CSP’s Identity and Access Management (IdAM) system to administer user accounts and service configurations.
Checks: C-SRG-OS-000001-CLD-000010_chk

If the DoD account owners are required to use the CSP’s IdAM system to administer user accounts and service configurations, this is not a finding. Review the site's approval documentation to ensure an individual or entity has been appointed to manage the cloud management service portal. This may be a group or contracted service. Verify the cloud service offering has been configured to allow only these individuals for portal service and virtual instance configuration. If the cloud Mission Owner Authorizing Official has not configured the cloud service offering for access using PKI, this is a finding.

Fix: F-SRG-OS-000001-CLD-000010_fix

Have the Mission Owner's AO appoint an individual or entity to manage portal services. Application and enclave administrators should also be appointed. Configure access for these individuals using PKI to access and configure services and virtual instances.

The Mission Owner must implement and configure a solution for centralized logging to capture and store the log records produced by the VM management and applications on the virtual enclave/platform.
AU-4 - Low - CCI-001851 - SRG-OS-000342-CLD-000020 - SRG-OS-000342-CLD-000020_rule
RMF Control
AU-4
Severity
Low
CCI
CCI-001851
Version
SRG-OS-000342-CLD-000020
Vuln IDs
  • SRG-OS-000342-CLD-000020
Rule IDs
  • SRG-OS-000342-CLD-000020_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. For cloud service environments, the SIEM capability is implemented by both Boundary and Mission CND service providers to interpret system, user, and application events. Services such as SCCA also help with aggregation and normalizing capabilities.
Checks: C-SRG-OS-000342-CLD-000020_chk

Verify the Mission Owner has implemented a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform. If the Mission Owner has not implemented a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform, this is a finding.

Fix: F-SRG-OS-000342-CLD-000020_fix

Implement a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform.

The virtual enclave must implement a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection.
CM-6 - High - CCI-000366 - SRG-OS-000480-CLD-000030 - SRG-OS-000480-CLD-000030_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SRG-OS-000480-CLD-000030
Vuln IDs
  • SRG-OS-000480-CLD-000030
Rule IDs
  • SRG-OS-000480-CLD-000030_rule
DoD users on the Internet may first connect into their assigned DISN Virtual Private Network (VPN) network before accessing DoD private applications. A CSE may be composed of an array of cloud service offerings from a particular CSP. The DISN security architecture provides connectivity to the cloud service environment for the users. The architecture mitigates potential damages to the DISN and will provide the ability to detect and prevent an attack before it reaches the DISN. CSP infrastructure (dedicated to DoD) located inside the B/C/P/S “fence line” (i.e., on-premises) connects via an ICAP. The architecture of ICAPs may vary and may leverage existing capabilities such as the IA stack protecting a DoD data center today or perhaps a Joint Regional Security Stack (JRSS). On the other hand, an ICAP may have special capabilities to support specific missions, CSP types (commercial or DoD), or cloud services. CSP infrastructure (shared with non-DoD or dedicated to DoD) located outside the B/C/P/S fence line that connects to the DODIN/NIPRNet does so via one or more BCAPs. The BCAP terminates dedicated circuits and VPN connections originating within the CSP’s network infrastructure and/or Mission Owner’s virtual networks. All connections between a CSP’s network infrastructure or Mission Owner’s virtual networks that are accessed via or from the NIPRNet/SIPRNet must connect to the DODIN via a BCAP. For dedicated infrastructure with a DODIN connection (Levels 4-6), the Mission Owner will ensure a virtual security stack is configured IAW DoDI 8551.
Checks: C-SRG-OS-000480-CLD-000030_chk

If this is an Impact Level 2, off-premise implementation, this requirement is not applicable. Review the architecture for the virtual enclave/platform. Verify that for dedicated infrastructure at mission Impact Levels 4-6 and on-premise Level 2, the virtual enclave implements a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection. For virtual enclave Levels 4-6 or on-premise Impact Level 2 implementations, if the virtual enclave does not implement a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection, this is a finding.

Fix: F-SRG-OS-000480-CLD-000030_fix

For dedicated infrastructure with an ICAP/BCAP connection (Levels 4-6 and on-premise Impact Level 2), ensure that the virtual enclave implements a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection.

The Mission Owner virtual Internet facing applications must be configured to traverse the Cloud Access Point (CAP) and VDSS prior to communicating with the Internet.
CM-6 - High - CCI-000366 - SRG-OS-000480-CLD-000040 - SRG-OS-000480-CLD-000040_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SRG-OS-000480-CLD-000040
Vuln IDs
  • SRG-OS-000480-CLD-000040
Rule IDs
  • SRG-OS-000480-CLD-000040_rule
This architecture mitigates potential damages to the DISN and will provide the ability to detect and prevent an attack before reaching the DISN. All traffic bound for the Internet will traverse the BCAP/ICAP and IAP. Mission applications may be Internet facing; Internet facing applications can be non-restricted or restricted (requiring CAC authentication). DoD users on the Internet may first connect into their assigned DISN Virtual Private Network (VPN) network before accessing Mission Owner enclave or private applications.
Checks: C-SRG-OS-000480-CLD-000040_chk

If this is Impact Level 2, this is not a finding. Review the configuration of the virtual enclave router. Verify that virtual Internet-facing applications are configured to traverse the CAP and VDSS prior to communicating with the Internet. If virtual Internet-facing applications permit direct access to the CSP or the Internet, this is a finding.

Fix: F-SRG-OS-000480-CLD-000040_fix

Configure virtual Internet-facing applications to traverse the CAP and VDSS prior to communicating with the Internet.

The Mission Owner of the virtual enclave must configure scanning using an Assured Compliance Assessment Solution (ACAS) server.
CM-6 - Medium - CCI-000366 - SRG-OS-000480-CLD-000060 - SRG-OS-000480-CLD-000060_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-OS-000480-CLD-000060
Vuln IDs
  • SRG-OS-000480-CLD-000060
Rule IDs
  • SRG-OS-000480-CLD-000060_rule
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. Implement scanning using an ACAS server IAW USCYBERCOM TASKORD 13-670.
Checks: C-SRG-OS-000480-CLD-000060_chk

Review the configuration of the virtual enclave. Verify that the IP address of an ACAS server is configured. Verify the ACAS data is also being communicated to the CNDSP. If the virtual enclave does not implement scanning using an ACAS server, this is a finding.

Fix: F-SRG-OS-000480-CLD-000060_fix

Configure scanning using an ACAS server by configuring the IP address of the selected server.

The Mission Owner of the virtual enclave must implement an encrypted, FIPS 140-2 compliant path between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable.
CM-6 - Medium - CCI-000366 - SRG-OS-000480-CLD-000070 - SRG-OS-000480-CLD-000070_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-OS-000480-CLD-000070
Vuln IDs
  • SRG-OS-000480-CLD-000070
Rule IDs
  • SRG-OS-000480-CLD-000070_rule
The Mission Owner must use identity services that include an Online Certificate Status Protocol (OCSP) responder for remote system DoD Common Access Card (CAC) two-factor authentication of DoD privileged users to systems instantiated within the cloud service environment.
Checks: C-SRG-OS-000480-CLD-000070_chk

Verify that a FIPS 140-2 compliant communication protocol is configured for communication between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable. If the cloud IaaS does not implement a secure (encrypted) connection or path between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable, this is a finding.

Fix: F-SRG-OS-000480-CLD-000070_fix

Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable.

The virtual enclave/platform must be configured to maintain separation of all management, user, and data traffic.
CM-6 - Medium - CCI-000366 - SRG-OS-000480-CLD-000080 - SRG-OS-000480-CLD-000080_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-OS-000480-CLD-000080
Vuln IDs
  • SRG-OS-000480-CLD-000080
Rule IDs
  • SRG-OS-000480-CLD-000080_rule
The Virtual Datacenter Management system provides a management plane for privileged access and communications. Separation of management and user traffic, including access to the Customer Portal, is provided to the DoD Mission Owner by the CSP for the purpose of provisioning and configuring cloud service offerings. Additionally, service endpoints for Application Program Interfaces (API) and Command Line Interfaces (CLI) are also available as part of the Customer Portal network. These systems can be accessed through the Internet by DoD privileged users only (e.g., DoD system and network administrators). The BCAP/ICAP maintains logical network separation of Internet-sourced traffic for Internet-facing applications from NIPRNet-sourced traffic. However, the Mission Owner must not configure the virtual instances to circumvent this logical separation.
Checks: C-SRG-OS-000480-CLD-000080_chk

If the CSP's infrastructure is used, this is not applicable. Verify the virtual enclave/platform is configured to maintain logical separation of all management, user, and data traffic using encryption. If the virtual enclave/platform does not maintain separation of all management, user, and data traffic, this is a finding.

Fix: F-SRG-OS-000480-CLD-000080_fix

Configure the virtual enclave/platform/OS to maintain separation of all management, user, and data traffic.

The Mission Owner must select and configure a cloud service offering listed in either the FedRAMP or DISA PA DoD Cloud Catalog to host Unclassified, public-releasable, DoD information.
CM-6 - Medium - CCI-000366 - SRG-OS-000480-CLD-000090 - SRG-OS-000480-CLD-000090_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-OS-000480-CLD-000090
Vuln IDs
  • SRG-OS-000480-CLD-000090
Rule IDs
  • SRG-OS-000480-CLD-000090_rule
Federal Risk Authorization and Management Program (FedRAMP) is the minimum security baseline for all DoD cloud services. Components and Mission Owners may host Unclassified DoD information that is publicly releasable on FedRAMP approved cloud services. They may also select and configure an offering from the DISA PA DoD Cloud Catalog at any impact level for use.
Checks: C-SRG-OS-000480-CLD-000090_chk

If the implementation is categorized as Impact Level 4-6, this is not applicable. Review the approval documentation. Verify that the cloud service offering is listed in either the FedRAMP or DISA PA DoD Cloud Catalog when hosting Unclassified, public-releasable, DoD information. If Unclassified, public-releasable DoD information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in either the FedRAMP or DISA PA DoD Cloud Catalog, this is a finding.

Fix: F-SRG-OS-000480-CLD-000090_fix

Select and configure a cloud service offering listed in FedRAMP or DISA PA DoD Cloud Catalog when hosting Unclassified, public-releasable, DoD information. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.

The Mission Owners must select and configure a Cloud Service Offering listed in the DISA PA DoD Cloud Catalog for use with Impact Levels 4 or higher when hosting Controlled Unclassified information (CUI).
CM-6 - Medium - CCI-000366 - SRG-OS-000480-CLD-000100 - SRG-OS-000480-CLD-000100_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-OS-000480-CLD-000100
Vuln IDs
  • SRG-OS-000480-CLD-000100
Rule IDs
  • SRG-OS-000480-CLD-000100_rule
Level 4 accommodates CUI, which is the categorical designation that refers to unclassified information that under law or policy requires protection from unauthorized disclosure as established by Executive Order 13556 (November 2010) or other mission critical data. Designating information as CUI or mission critical data to be protected at Level 4 is the responsibility of the owning organization. Determination of the appropriate impact level for a specific mission with CUI and mission data will be the responsibility of the mission AO. Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other Government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS-specific requirements in the FedRAMP+ controls/control enhancements (C/CEs). As such, NSS must be implemented at Level 5.
Checks: C-SRG-OS-000480-CLD-000100_chk

If the implementation is categorized as Impact Level 2 or 6, this is not applicable. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the cloud service offering is listed in the DISA PA DoD Cloud Catalog. Verify the offering is listed as Impact Level 4 or higher. If sensitive but unclassified information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in the DISA PA DoD Cloud Catalog, Impact Level 4 or higher, this is a finding.

Fix: F-SRG-OS-000480-CLD-000100_fix

Select and configure a cloud service offering listed in the DISA PA DoD Cloud Catalog for use with Impact Level 4 or higher. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.

The Mission Owners must select and configure a Cloud Service Offering listed in the DISA PA DoD Cloud Catalog at Level 6 when hosting Classified DoD information.
CM-6 - High - CCI-000366 - SRG-OS-000480-CLD-000110 - SRG-OS-000480-CLD-000110_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SRG-OS-000480-CLD-000110
Vuln IDs
  • SRG-OS-000480-CLD-000110
Rule IDs
  • SRG-OS-000480-CLD-000110_rule
Impact Level 6 is reserved for the storage and processing of classified information. Impact Level 6 information up to the SECRET level must be stored and processed in a dedicated cloud infrastructure located in facilities approved for the processing of classified information, rated at or above the highest level of classification of the information being stored and/or processed.
Checks: C-SRG-OS-000480-CLD-000110_chk

If the implementation is categorized as Impact Level 2-5, this is not a finding. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the Cloud Service Offering is listed in the DISA PA DoD Cloud Catalog. Verify the Cloud Service Offering is listed in the DISA PA DoD Cloud Catalog at Level 6 when hosting Classified DoD information. If Classified DoD information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in the DISA PA DoD Cloud Catalog, Impact Level 6 or higher, this is a finding.

Fix: F-SRG-OS-000480-CLD-000110_fix

Select and configure a cloud service offering listed in the DISA PA DoD Cloud Catalog for use with Impact Level 6 when hosting Classified DoD information. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.

The Mission Owner must configure/use only the ports and protocols that have been registered with the DoD whitelist.
CM-7 - Medium - CCI-001764 - SRG-OS-000368-CLD-000120 - SRG-OS-000368-CLD-000120_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
SRG-OS-000368-CLD-000120
Vuln IDs
  • SRG-OS-000368-CLD-000120
Rule IDs
  • SRG-OS-000368-CLD-000120_rule
Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software and guest VMs. Using only authorized software decreases risk by limiting the number of potential vulnerabilities and by preventing the execution of malware. Cloud approval documentation should include the approved ports and protocols for communications, including whitelisted mission application traffic and service access from the Internet via the DISN Internet Access Point (IAP).
Checks: C-SRG-OS-000368-CLD-000120_chk

Request the cloud service approval documentation. Verify the virtual enclave/platform/software service/application is registered with the DoD whitelist for both inbound and outbound traffic. If the Mission Owner has configured/used ports and protocols that have not been registered with the DoD whitelist, this is a finding.

Fix: F-SRG-OS-000368-CLD-000120_fix

Register the virtual enclave/platform/software service/application with the DoD whitelist for both inbound and outbound traffic. Configure the DoD whitelist with the ports and protocols needed to support applications and services used in the cloud environment.

The Mission Owner must configure the IP address range for the cloud service environment which is registered in SNAP.
CM-7 - Medium - CCI-001764 - SRG-OS-000368-CLD-000130 - SRG-OS-000368-CLD-000130_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
SRG-OS-000368-CLD-000130
Vuln IDs
  • SRG-OS-000368-CLD-000130
Rule IDs
  • SRG-OS-000368-CLD-000130_rule
SNAP registration documentation should include designating a certified CNDSP as the Tier 2 CND. DoD policy and the Domain Name Service (DNS) STIG require all DoD ISs to use the DoD authoritative DNS servers, not public or commercial DNS servers. Additionally, they require all DoD ISs to be addressed in the .mil domain. Mission Owners are not authorized to utilize DNS services offered by the CSP or any other non-DoD DNS provider. The IP address of the cloud service must be configured IAW the Mission Owner's IP registration in SNAP so that an already registered IP is not repurposed for new services without updating the SNAP registration.
Checks: C-SRG-OS-000368-CLD-000130_chk

Verify the CSP’s cloud service offering is registered in SNAP for the connection approval and it is the one being used in the cloud management portal. If the cloud service is not registered in SNAP, this is a finding. If the IP address that is registered in SNAP is not configured for use with the approved cloud environment, this is a finding.

Fix: F-SRG-OS-000368-CLD-000130_fix

Register the virtual enclave/platform/software CSP’s cloud service offering in SNAP for the connection approval. Configure the IP address that is registered in SNAP for use by the cloud service offering using the cloud management portal.

The Mission Owner of the virtual enclave/platform must remove orphaned or unused VM instances.
CM-7 - Low - CCI-001764 - SRG-OS-000368-CLD-000140 - SRG-OS-000368-CLD-000140_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-001764
Version
SRG-OS-000368-CLD-000140
Vuln IDs
  • SRG-OS-000368-CLD-000140
Rule IDs
  • SRG-OS-000368-CLD-000140_rule
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some VMs may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the VM level. Some of the service and helper VMs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of such VMs is not always possible; therefore, establishing a method of preventing VM activation is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of VMs in certain environments, while preventing execution in other environments; or limiting execution of certain VM functionality based on organizationally defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).
Checks: C-SRG-OS-000368-CLD-000140_chk

If cloud services are managed by the CSP, verify separation requirements are addressed in the SLA. Verify the virtual enclave/virtual platform is configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements. If the virtual enclave/virtual platform has not been configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements, this is a finding.

Fix: F-SRG-OS-000368-CLD-000140_fix

Configure the virtual enclave/virtual platform to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements. Cloud services are added, removed, and updated by the cloud service portal management entity via the management plane.

The Mission Owner must configure the cloud instance to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - SRG-OS-000096-CLD-000150 - SRG-OS-000096-CLD-000150_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
SRG-OS-000096-CLD-000150
Vuln IDs
  • SRG-OS-000096-CLD-000150
Rule IDs
  • SRG-OS-000096-CLD-000150_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), Mission Owners must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Checks: C-SRG-OS-000096-CLD-000150_chk

If this is a Level 2 cloud, this is not a finding. For dedicated infrastructure with a DODIN connection (Levels 4-6), review the architecture diagrams. Verify that the virtual firewall ACLs, IPS rules, and/or routing tables that restrict traffic flow inbound and outbound to/from the virtual enclave to the DODIN connection comply with the boundary requirements of DoDI 8551. Verify all traffic from the CSP enclave and other sources is blocked by these methods. If the cloud IaaS/PaaS is not configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments, this is a finding.

Fix: F-SRG-OS-000096-CLD-000150_fix

For dedicated infrastructure with a DODIN connection (Levels 4-6), configure the IaaS/PaaS virtual firewall, IPS, and/or routing methods that restrict traffic flow inbound and outbound to/from the virtual enclave to the DODIN connection IAW DoDI 8551 and block all traffic from all other sources.
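As an added example (not part of the SRG and not a DISA tool), the following audit models the checks in SRG-OS-000368-CLD-000120 and SRG-OS-000096-CLD-000150 for a Level 4-6 enclave: each inbound/outbound firewall rule is compared against the ports and protocols registered in the DoD whitelist, and each rule's peer prefix is checked to be the BCAP/ICAP connection rather than the CSP enclave or the open Internet. The rule and registration formats, the RFC 5737 test prefixes standing in for the CAP, and the sample rules are all constructed for this example.

```python
"""Audit virtual-enclave firewall rules against a DoD whitelist registration
and the BCAP/ICAP prefix. All data structures and values are constructed
for this example; a real PPSM/whitelist export would need its own parser."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high); (0, 65535) = all ports


@dataclass(frozen=True)
class Rule:
    rule_id: str
    direction: str    # "inbound" or "outbound"
    protocol: str     # "tcp", "udp", "icmp" or "any"
    ports: PortRange
    remote: str       # CIDR of the peer the rule permits


@dataclass(frozen=True)
class Registration:
    direction: str
    protocol: str
    ports: PortRange


def merged_ranges(ranges: List[PortRange]) -> List[PortRange]:
    """Merge overlapping or adjacent inclusive port ranges."""
    out: List[PortRange] = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def is_registered(rule: Rule, registered: List[Registration]) -> bool:
    """True only if every port the rule opens is covered by registrations for
    the same direction and protocol. A rule for protocol "any" is covered only
    if the whitelist itself registers "any" for that direction."""
    applicable = [r.ports for r in registered
                  if r.direction == rule.direction
                  and r.protocol in (rule.protocol, "any")]
    lo, hi = rule.ports
    return any(mlo <= lo and hi <= mhi for mlo, mhi in merged_ranges(applicable))


def via_cap(remote: str, cap_prefixes: List[str]) -> bool:
    """True if the peer prefix lies entirely inside a BCAP/ICAP prefix, i.e.
    the rule cannot reach the CSP enclave or the Internet directly."""
    net = ipaddress.ip_network(remote, strict=False)
    for prefix in cap_prefixes:
        cap = ipaddress.ip_network(prefix, strict=False)
        if net.version == cap.version and net.subnet_of(cap):
            return True
    return False


def audit(rules: List[Rule], registered: List[Registration],
          cap_prefixes: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule_id, SRG version, reason) for every finding."""
    findings: List[Tuple[str, str, str]] = []
    for rule in rules:
        if not is_registered(rule, registered):
            findings.append((rule.rule_id, "SRG-OS-000368-CLD-000120",
                             f"{rule.direction} {rule.protocol} {rule.ports} "
                             "not registered with the DoD whitelist"))
        if not via_cap(rule.remote, cap_prefixes):
            findings.append((rule.rule_id, "SRG-OS-000096-CLD-000150",
                             f"peer {rule.remote} is not the BCAP/ICAP connection"))
    return findings


# Constructed whitelist registration (stand-in for the approval documentation).
REGISTERED = [
    Registration("inbound", "tcp", (443, 443)),
    Registration("outbound", "tcp", (443, 443)),
    Registration("outbound", "tcp", (8443, 8443)),
    Registration("outbound", "udp", (53, 53)),
]
# Constructed BCAP/ICAP prefix (RFC 5737 TEST-NET-1, a placeholder).
CAP_PREFIXES = ["192.0.2.0/24"]
# Constructed enclave rules: two are compliant, two violate both checks.
ENCLAVE_RULES = [
    Rule("in-01", "inbound", "tcp", (443, 443), "192.0.2.0/24"),
    Rule("in-02", "inbound", "tcp", (22, 22), "198.51.100.0/24"),   # CSP side
    Rule("out-01", "outbound", "tcp", (443, 443), "192.0.2.0/24"),
    Rule("out-02", "outbound", "any", (0, 65535), "0.0.0.0/0"),      # any/any
    Rule("out-03", "outbound", "udp", (53, 53), "192.0.2.0/24"),
]

if __name__ == "__main__":
    for rule_id, srg, reason in audit(ENCLAVE_RULES, REGISTERED, CAP_PREFIXES):
        print(f"FINDING {srg} rule {rule_id}: {reason}")
```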

The Mission Owner of the virtual enclave/virtual platform must be configured with an identity provider that uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - SRG-OS-000104-CLD-000160 - SRG-OS-000104-CLD-000160_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
SRG-OS-000104-CLD-000160
Vuln IDs
  • SRG-OS-000104-CLD-000160
Rule IDs
  • SRG-OS-000104-CLD-000160_rule
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Identity Federation requirements to enable CAC authentication of non-privileged DoD users to cloud hosted DoD (e.g., IaaS and PaaS) or SaaS provided systems and services are the responsibility of the DoD Component or Program Office procuring the cloud service offering. Mission Owners may choose to use the CSP's CAC services (based on Level), use a DoD federated offering, or install a virtual Active Directory. For Levels 2-5, the CSPs must preferably have either a DoD PKI certificate or a DoD-approved External Certification Authority (ECA) medium-assurance PKI certificate for each person that needs to communicate with DoD via encrypted email. CSPs serving Level 6 systems will already have SIPRNet tokens / NSS PKI certificates for their system administrators by virtue of the connection to SIPRNet.
Checks: C-SRG-OS-000104-CLD-000160_chk

Verify the virtual enclave/platform is configured to use an identity provider. If the virtual enclave/virtual platform has not implemented an identity provider, this is a finding.

Fix: F-SRG-OS-000104-CLD-000160_fix

Configure the virtual enclave/platform to use an identity provider. Mission Owners may choose to use the CSP's CAC services (based on level), use a DoD federated offering, or install a virtual AD.

The Mission Owner of the virtual enclave/virtual platform must implement an encrypted path that is FIPS 140-2 compliant between the virtual OSs' HBSS agents and their control server.
SC-11 - Medium - CCI-001135 - SRG-OS-000164-CLD-000170 - SRG-OS-000164-CLD-000170_rule
RMF Control
SC-11
Severity
Medium
CCI
CCI-001135
Version
SRG-OS-000164-CLD-000170
Vuln IDs
  • SRG-OS-000164-CLD-000170
Rule IDs
  • SRG-OS-000164-CLD-000170_rule
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.
  • Implement Host Based Security System (HBSS) IAW DoD policy.
  • Implement HBSS agents on all VMs with a supported general purpose OS (required by OS level STIG) for each Host VM OS.
  • Use an HBSS agent control server within NIPRNet.
  • Implement a secure (encrypted) connection or path between the HBSS agents and their control server.
  • Provide visibility by the Mission Owner’s CNDSP entities.
Checks: C-SRG-OS-000164-CLD-000170_chk

Review the configuration of the virtual enclave/platform. Verify that the IP address of an HBSS agent control server on NIPRNet is configured. Verify that a FIPS 140-2 compliant communication protocol is configured for communication with the server. Verify the HBSS data is also being communicated to the CNDSP. If the cloud IaaS/PaaS does not implement a secure (encrypted) connection or path between the HBSS agents and their control server, this is a finding.

Fix: F-SRG-OS-000164-CLD-000170_fix

Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the virtual OS's HBSS agents and their control server. Configure visibility by the Mission Owner’s CNDSP.

The Mission Owner of the virtual enclave must implement a secure (encrypted) connection or path between the Assured Compliance Assessment Solution (ACAS) server and its assigned ACAS Security Center.
SC-11 - Medium - CCI-001135 - SRG-OS-000164-CLD-000180 - SRG-OS-000164-CLD-000180_rule
RMF Control
SC-11
Severity
Medium
CCI
CCI-001135
Version
SRG-OS-000164-CLD-000180
Vuln IDs
  • SRG-OS-000164-CLD-000180
Rule IDs
  • SRG-OS-000164-CLD-000180_rule
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.
  • Implement scanning using an Assured Compliance Assessment Solution (ACAS) server IAW USCYBERCOM TASKORD 13-670.
  • Implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center.
  • Provide visibility by the Mission Owner’s CNDSP entities.
Checks: C-SRG-OS-000164-CLD-000180_chk

Verify that a FIPS 140-2 compliant communication protocol is configured for communication between the ACAS server and its assigned ACAS Security Center. If the cloud IaaS does not implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center, this is a finding.

Fix: F-SRG-OS-000164-CLD-000180_fix

Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the ACAS server and its assigned ACAS Security Center.

The virtual platform must be configured to use automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
SI-2 - Medium - CCI-001233 - SRG-OS-000191-CLD-000190 - SRG-OS-000191-CLD-000190_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-001233
Version
SRG-OS-000191-CLD-000190
Vuln IDs
  • SRG-OS-000191-CLD-000190
Rule IDs
  • SRG-OS-000191-CLD-000190_rule
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. To support this requirement, HBSS must be installed in the cloud service environment. Use the applicable OS or network device STIGs to ensure HBSS is also installed on each VM.
Checks: C-SRG-OS-000191-CLD-000190_chk

Verify the virtual platform employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If the cloud IaaS/PaaS does not employ automated mechanisms to determine the state of system components with regard to flaw remediation at these frequencies, this is a finding.

Fix: F-SRG-OS-000191-CLD-000190_fix

Configure the virtual platform to use automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by CNDSP.

c
The Mission Owner must configure an IDPS to protect Mission Owner enclaves and applications hosted in an off-premise cloud service offering.
SI-4 - High - CCI-002656 - SRG-NET-000383-CLD-000200 - SRG-NET-000383-CLD-000200_rule
RMF Control
SI-4
Severity
High
CCI
CCI-002656
Version
SRG-NET-000383-CLD-000200
Vuln IDs
  • SRG-NET-000383-CLD-000200
Rule IDs
  • SRG-NET-000383-CLD-000200_rule
Without coordinated reporting between cloud service environments used for DoD mission, it is not possible to identify the true scale and possible target of an attack. IDPS capabilities protect Mission Owner enclaves and applications hosted in an off-premise cloud service offering and may be deployed within the cloud service environment, the MeetMe Point, cloud access point, or supporting Core Data Center (CDC). When the infrastructure has direct Internet access, implement virtual IDPS capabilities configured in compliance with the applicable DoD STIG or SRG. The Mission Owner and/or their CNDSP must be able to monitor the virtual network boundary and report/integrate with Tier 1. For dedicated infrastructure with a DODIN connection (Levels 4-6): implement IPS that monitors and works with the virtual security infrastructure (e.g., firewall, routing tables, WAF, etc.) to protect traffic flow inbound and outbound to/from the virtual network to the DODIN connection.
Checks: C-SRG-NET-000383-CLD-000200_chk

If this is a premise or Level 2 implementation, this requirement is not applicable. Review SLA and architecture documentation. Verify the virtual IDPS is in place by inspecting the architecture diagrams. Verify that it is placed to monitor and protect the virtual enclave, platform, and interconnected host VMs. Inspect the virtual IDPS configuration. Verify a secure (encrypted) connection exists between the virtual IDPS capabilities and the CNDSP responsible for the mission system/application. If the Mission Owner has not configured the virtual enclave or platform IDPS to monitor and protect the virtual enclave(s) and interconnected VMs, this is a finding.

Fix: F-SRG-NET-000383-CLD-000200_fix

Configure a virtual IDPS to monitor and protect Mission Owner enclaves and applications hosted in an off-premise cloud.

b
The Mission Owner of the virtual enclave or platform must continuously monitor and protect inbound communications from other enclaves for unusual or unauthorized activities or conditions.
SI-4 - Medium - CCI-002661 - SRG-NET-000390-CLD-000210 - SRG-NET-000390-CLD-000210_rule
RMF Control
SI-4
Severity
Medium
CCI
CCI-002661
Version
SRG-NET-000390-CLD-000210
Vuln IDs
  • SRG-NET-000390-CLD-000210
Rule IDs
  • SRG-NET-000390-CLD-000210_rule
Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
Checks: C-SRG-NET-000390-CLD-000210_chk

If this is a premise or Level 2 implementation, this requirement is not applicable. Inspect the firewall ACLs on the interfaces inbound from other enclaves. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the virtual enclave does not continuously monitor inbound communications from other virtual enclaves within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.

Fix: F-SRG-NET-000390-CLD-000210_fix

Configure the firewall and IDPS for continuous monitoring of all communications inbound to the virtual enclave or platform. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.

b
The Mission Owner of the virtual enclave must continuously monitor outbound communications from other enclaves for unusual or unauthorized activities or conditions.
SI-4 - Medium - CCI-002662 - SRG-NET-000391-CLD-000220 - SRG-NET-000391-CLD-000220_rule
RMF Control
SI-4
Severity
Medium
CCI
CCI-002662
Version
SRG-NET-000391-CLD-000220
Vuln IDs
  • SRG-NET-000391-CLD-000220
Rule IDs
  • SRG-NET-000391-CLD-000220_rule
Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
Checks: C-SRG-NET-000391-CLD-000220_chk

If this is a premise or Level 2 implementation, this requirement is not applicable. Inspect the firewall ACLs on the outbound interfaces from other enclaves. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the virtual enclave does not continuously monitor outbound communications from other virtual enclaves within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.

Fix: F-SRG-NET-000391-CLD-000220_fix

Configure the firewall and IDPS for continuous monitoring of all communications outbound to the virtual enclave or platform. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
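As an added illustration of the detection conditions named in this fix text and in the matching inbound requirement's check and fix (large file transfers, persistent connections, unusual protocols and ports, unauthorized entities, unusually high traffic from a segment), the following Python evaluator, which is not part of the SRG, runs constructed flow records against those conditions. The thresholds, approved ports, authorized peer range and record layout are assumptions chosen for the example; an enclave would take its own values from its approved security rules and ACLs.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed policy values (illustrative, not numbers the SRG mandates); a real enclave
# would take these from its approved security rules and ACLs.
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024          # a single flow moving >= 500 MiB
PERSISTENT_SECONDS = 6 * 3600                      # a connection held open >= 6 hours
EXPECTED_PORTS = {"tcp": {22, 443}, "udp": {53}}   # approved protocol/port pairs
AUTHORIZED_PEERS = [ip_network("10.20.0.0/16")]    # enclaves permitted to exchange traffic
SEGMENT_BYTES_LIMIT = 512 * 1024 * 1024            # >= 512 MiB from one /24 in the window

def flag_flow(flow: Dict) -> List[str]:
    """Return the anomaly conditions one flow record matches (empty list if none)."""
    findings = []
    if flow["bytes"] >= LARGE_TRANSFER_BYTES:
        findings.append("large_file_transfer")
    if flow["duration_s"] >= PERSISTENT_SECONDS:
        findings.append("persistent_connection")
    if flow["dst_port"] not in EXPECTED_PORTS.get(flow["proto"], set()):
        findings.append("unusual_protocol_or_port")
    if not any(ip_address(flow["peer"]) in net for net in AUTHORIZED_PEERS):
        findings.append("unauthorized_entity")
    return findings

def flag_flows(flows: List[Dict]) -> Dict[str, List[str]]:
    """Map flow id -> findings, keeping only flows that matched at least one condition."""
    result = {}
    for flow in flows:
        findings = flag_flow(flow)
        if findings:
            result[flow["id"]] = findings
    return result

def high_traffic_segments(flows: List[Dict]) -> List[str]:
    """Sum bytes per peer /24 so that many modest flows from one segment still surface."""
    totals: Dict[str, int] = {}
    for flow in flows:
        segment = str(ip_network(f"{flow['peer']}/24", strict=False))
        totals[segment] = totals.get(segment, 0) + flow["bytes"]
    return sorted(seg for seg, total in totals.items() if total >= SEGMENT_BYTES_LIMIT)

# Constructed sample flow records (not captured traffic); "peer" is the other
# enclave's address whether the flow is inbound or outbound.
SAMPLE_FLOWS = [
    {"id": "f1", "direction": "in", "peer": "10.20.5.7", "proto": "tcp", "dst_port": 443, "bytes": 120_000, "duration_s": 12},
    {"id": "f2", "direction": "out", "peer": "10.20.9.3", "proto": "tcp", "dst_port": 443, "bytes": 300 * 1024 * 1024, "duration_s": 300},
    {"id": "f3", "direction": "out", "peer": "203.0.113.44", "proto": "tcp", "dst_port": 4444, "bytes": 700 * 1024 * 1024, "duration_s": 8 * 3600},
    {"id": "f4", "direction": "in", "peer": "10.20.5.9", "proto": "udp", "dst_port": 53, "bytes": 512, "duration_s": 0},
    {"id": "f5", "direction": "out", "peer": "10.20.9.4", "proto": "tcp", "dst_port": 443, "bytes": 300 * 1024 * 1024, "duration_s": 240},
]
```

Note that f2 and f5 each pass the per-flow checks, yet their combined volume from 10.20.9.0/24 trips the segment aggregate, which is the "unusually high traffic from particular segments" condition the per-flow rules alone would miss.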

c
The Mission Owner must configure the cloud instance to use encryption to protect all DoD files housed in the cloud instance for storage service offerings.
SC-28 - High - CCI-002475 - SRG-OS-000404-CLD-002720 - SRG-OS-000404-CLD-002720_rule
RMF Control
SC-28
Severity
High
CCI
CCI-002475
Version
SRG-OS-000404-CLD-002720
Vuln IDs
  • SRG-OS-000404-CLD-002720
Rule IDs
  • SRG-OS-000404-CLD-002720_rule
Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). A CSP may offer one or more services or methods to accomplish this. Data-at-rest encryption may help mitigate issues with data/information spillage.
Checks: C-SRG-OS-000404-CLD-002720_chk

If this is Impact Level 2, this is not applicable. Verify the virtual platform is configured to use encryption to protect all DoD files housed in the virtual storage service. If the virtual platform is not configured to use encryption to protect all DoD files housed in the virtual storage service, this is a finding.

Fix: F-SRG-OS-000404-CLD-002720_fix

Configure the cloud instance to use encryption to protect all DoD files housed in the virtual storage service.