Cloud Computing Mission Owner Operating System Security Requirements Guide

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for operating system that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), Mission Owners must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Identity Federation requirements to enable Common Access Card (CAC) authentication of nonprivileged DOD users to cloud-hosted DOD (e.g., Infrastructure as a Service [IaaS] and Platform as a Service [PaaS]) or Software as a Service (SaaS) provided systems and services is the responsibility of the CSO, procuring DOD Component, or Program Office. Mission Owners may choose to use the cloud service providers (CSP's) CAC services (based on Level), use a DOD federated offering, or install a virtual Directory Service. For Impact Levels 2–5, the CSPs must have either a DOD PKI certificate or a DOD-approved External Certification Authority (ECA) medium-assurance PKI Certificate for each person who needs to communicate with DOD via encrypted email and for admin accounts. CSPs serving Level 6 systems will already have SIPRNet tokens/NSS PKI certificates for their system administrators by virtue of the connection to SIPRNet. Satisfies: SRG-OS-000104,SRG-OS-000377

Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to ensure that in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. For cloud service environments, security information and event management (SIEM) or syslog capability must be implemented by both Boundary and Mission Computer Network Defense (CND) service providers to log audit information. This requirement can be met by the operating system continuously sending records to a centralized logging server.

Register all cloud-based systems and applications, including the cloud service provider (CSP)/cloud service offering (CSO) name, Mission Cyberspace Defense (MCD), and connection method in the DISA SNAP database Cloud Module. SNAP registration will enable cloud services to be connected to the DISA Information Systems Network (DISN) and is crucial for situational awareness. SNAP registration documentation must include designating a certified cybersecurity service provider (CSSP) as the Tier 2 Computer Network Defense (CND). If applicable, the IP address of the cloud service must be configured in accordance with the Mission Owner's IP registration in SNAP so they do not repurpose an already registered IP for new services without updating the SNAP registration. SNAP: https://snap.dod.mil/gcap/home.do Connection Approval: https://www.disa.mil/Network-Services/Enterprise-Connections/Connection-Approval

The DOD Mission Owner systems/applications instantiated in these Impact Level 6 CSO enclaves will be assessed and authorized in the same way as any other DOD SIPRNet enclave connection in accordance with the DISA CPG. Approval for connection to the SIPRNet will be processed through the DISA classified connection approval process as with any other SIPRNet enclave.

Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some VMs may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the VM level. Some of the service and helper VMs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of such VMs is not always possible; therefore, establishing a method of preventing VM activation is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of VMs in certain environments while preventing execution in other environments or limiting execution of certain VM functionality based on organizationally defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).

Register the service/application with the DOD DMZ/IAP allowlist for both inbound and outbound traffic if traffic will cross the internet access points (IAPs). Using an allowlist provides a configuration management method for allowing the execution of only authorized software, ports, protocols, and guest virtual machines (VMs). Using only authorized software decreases risk by limiting the number of potential vulnerabilities and preventing the execution of malware. Cloud approval documentation should include allowed approved ports and protocols communications, including allowlisted mission application traffic and services access from the internet via the Defense Information Systems Network (DISN) IAP. If all or a portion of the mission owners cloud-based Level 4/5 systems/applications connected through the BCAP are to be internet accessible, traffic is required to traverse the DISN IAPs. The system's/application's URLs/IP addresses must be registered with the DOD DMZ allowlist. Traffic that will typically traverse the IAP is management traffic for Level 2 off-premises systems/applications and for user plane traffic to/from Level 4/5 systems/applications that are internet-facing. Such traffic and IP addresses may be blocked if not registered in the allowlist.

Adversaries may exploit previous versions of software components that are not removed from the information system after updates have been installed. Some information technology products may remove older versions of software from the information system automatically.

The Mission Owner must choose a CSO that fits the operational needs and also has a DOD Provisional Authorization (PA) at the information Impact Level corresponding to the categorization of the information to be processed or stored in the CSO. The PA and supporting documentation must then be leveraged by the Mission Owner's AO in granting the required Authority to Operate (ATO) for the mission system operating within the cloud.

FedRAMP Moderate is the minimum security baseline for all DOD cloud services. Components and Mission Owners may host unclassified, publicly releasable DOD information on FedRAMP Moderate approved cloud services. This type of CSO is known as Impact Level 2. They may also configure an offering from the DISA PA DOD Cloud Catalog at any Impact Level for use. Low Confidentiality Impact: Mission Owners will only publish, collect, store, or process low confidentiality impact (sensitivity) personally identifiable information (PII) in a CSO minimally possessing a FedRAMP Moderate Provisional Authority to Operate (P-ATO) listed on the FedRAMP Marketplace and a DOD Level 2 Provisional Authorization (PA), with Privacy Officer approval.

The Mission Owner may tailor the SLA/contract to include any of the controls in the Cloud Computing Mission Owner SRG Overview, Table-3-1, beyond the FedRAMP and DOD Baseline and FedRAMP+ security controls. The Mission Owner is responsible for defining any parameter values associated with any added security control. These values should be based on current DOD Risk Management Framework (RMF) Technical Advisory Group (TAG) values or Committee on National Security Systems Instruction (CNSSI) 1253 values. Any change of ownership involving a CSP, whether the primary CSP or an underlying CSP on which a cloud service offering (CSO) was built, will be reviewed by the DISA Authorizing Official (AO) to assess the impacts and risks associated with the continuation of the DOD Provisional Authorization (PA). Any existing Impact Level 5/National Security System (NSS) systems will have two years from publication date of the Cloud Computing SRG, V1R1, to update to the National Institute of Standards and Technology Special Publication 800-53 Rev 5. They must submit a Plan of Acton and Milestones (POA&M) within 30 days, outlining actions to move to the High baseline requirement. When new updates for the Cloud Computing SRG are published, the Mission Owners and their Authorizing Officials (AOs) must review the controls to determine if the risk is acceptable until such time the CSP is required to comply and/or include the required compliance in the SLA/contract.