Cloud Computing Mission Owner Security Requirements Guide

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R0

Published: 2019-12-17

Updated At: 2020-01-27 23:26:43


Requirements (Rule Version, Vuln ID, CCI, Severity, Title, Description)

Rule: SRG-OS-000001-CLD-000010 (Vuln ID: SRG-OS-000001-CLD-000010_rule) | CCI-000015 | Severity: HIGH
Title: The Mission Owner must configure the customer portal credentials and the Mission Owner application/system privileged accounts for least privilege.
Description: Specific individuals or entities must be appointed by the DoD Mission Owner's Authorizing Official (AO) to establish plans and policies for the control of privileged user access (to include root account credentials) used to establish, configure, and con

Rule: SRG-OS-000342-CLD-000020 (Vuln ID: SRG-OS-000342-CLD-000020_rule) | CCI-001851 | Severity: LOW
Title: The Mission Owner must implement and configure a solution for centralized logging to capture and store the log records produced by the VM management and applications on the virtual enclave/platform.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration. For cloud service environments, the SIEM capability is implemented by both Boundary and Mission CND service providers to interpret system, user, and appli

Rule: SRG-OS-000480-CLD-000030 (Vuln ID: SRG-OS-000480-CLD-000030_rule) | CCI-000366 | Severity: HIGH
Title: The virtual enclave must implement a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection.
Description: DoD users on the Internet may first connect into their assigned DISN Virtual Private Network (VPN) network before accessing DoD private applications. A CSE may be composed of an array of cloud service offerings from a particular CSP. The DISN security arc

Rule: SRG-OS-000480-CLD-000040 (Vuln ID: SRG-OS-000480-CLD-000040_rule) | CCI-000366 | Severity: HIGH
Title: The Mission Owner virtual Internet-facing applications must be configured to traverse the Cloud Access Point (CAP) and VDSS prior to communicating with the Internet.
Description: This architecture mitigates potential damage to the DISN and provides the ability to detect and prevent an attack before it reaches the DISN. All traffic bound for the Internet will traverse the BCAP/ICAP and IAP. Mission applications may be Internet

Rule: SRG-OS-000480-CLD-000060 (Vuln ID: SRG-OS-000480-CLD-000060_rule) | CCI-000366 | Severity: MEDIUM
Title: The Mission Owner of the virtual enclave must configure scanning using an Assured Compliance Assessment Solution (ACAS) server.
Description: Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. Implement scanning usi

Rule: SRG-OS-000480-CLD-000070 (Vuln ID: SRG-OS-000480-CLD-000070_rule) | CCI-000366 | Severity: MEDIUM
Title: The Mission Owner of the virtual enclave must implement an encrypted, FIPS 140-2 compliant path between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable.
Description: The Mission Owner must use identity services to include an Online Certificate Status Protocol (OCSP) responder for remote system DoD Common Access Card (CAC) two-factor authentication of DoD privileged users to systems instantiated within the cloud service

Rule: SRG-OS-000480-CLD-000080 (Vuln ID: SRG-OS-000480-CLD-000080_rule) | CCI-000366 | Severity: MEDIUM
Title: The virtual enclave/platform must be configured to maintain separation of all management, user, and data traffic.
Description: The Virtual Datacenter Management system provides a management plane for privileged access and communications. Separation of management and user traffic, including access to the Customer Portal, is provided to the DoD Mission Owner by the CSP for the purpose

Rule: SRG-OS-000480-CLD-000090 (Vuln ID: SRG-OS-000480-CLD-000090_rule) | CCI-000366 | Severity: MEDIUM
Title: The Mission Owner must select and configure a cloud service offering listed in either the FedRAMP or DISA PA DoD Cloud Catalog to host Unclassified, public-releasable, DoD information.
Description: The Federal Risk and Authorization Management Program (FedRAMP) is the minimum security baseline for all DoD cloud services. Components and Mission Owners may host Unclassified DoD information that is publicly releasable on FedRAMP approved cloud services. Th

Rule: SRG-OS-000480-CLD-000100 (Vuln ID: SRG-OS-000480-CLD-000100_rule) | CCI-000366 | Severity: MEDIUM
Title: The Mission Owners must select and configure a Cloud Service Offering listed in the DISA PA DoD Cloud Catalog for use with Impact Levels 4 or higher when hosting Controlled Unclassified Information (CUI).
Description: Level 4 accommodates CUI, which is the categorical designation that refers to unclassified information that under law or policy requires protection from unauthorized disclosure as established by Executive Order 13556 (November 2010) or other mission criti

Rule: SRG-OS-000480-CLD-000110 (Vuln ID: SRG-OS-000480-CLD-000110_rule) | CCI-000366 | Severity: HIGH
Title: The Mission Owners must select and configure a Cloud Service Offering listed in the DISA PA DoD Cloud Catalog at Level 6 when hosting Classified DoD information.
Description: Impact Level 6 is reserved for the storage and processing of classified information. Impact Level 6 information up to the SECRET level must be stored and processed in a dedicated cloud infrastructure located in facilities approved for the processing of cl

Rule: SRG-OS-000368-CLD-000120 (Vuln ID: SRG-OS-000368-CLD-000120_rule) | CCI-001764 | Severity: MEDIUM
Title: The Mission Owner must configure/use only the ports and protocols that have been registered with the DoD whitelist.
Description: Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software and guest VMs. Using only authorized software decreases risk by limiting the number of potential vulnerabilities and by preventing the

Rule: SRG-OS-000368-CLD-000130 (Vuln ID: SRG-OS-000368-CLD-000130_rule) | CCI-001764 | Severity: MEDIUM
Title: The Mission Owner must configure the IP address range for the cloud service environment which is registered in SNAP.
Description: SNAP registration documentation should include designating a certified CNDSP as the Tier 2 CND. DoD policy and the Domain Name Service (DNS) STIG require all DoD ISs to use the DoD authoritative DNS servers, not public or commercial DNS servers. Addition

Rule: SRG-OS-000368-CLD-000140 (Vuln ID: SRG-OS-000368-CLD-000140_rule) | CCI-001764 | Severity: LOW
Title: The Mission Owner of the virtual enclave/platform must remove orphaned or unused VM instances.
Description: Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some VMs may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functi

Rule: SRG-OS-000096-CLD-000150 (Vuln ID: SRG-OS-000096-CLD-000150_rule) | CCI-000382 | Severity: MEDIUM
Title: The Mission Owner must configure the cloud instance to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Description: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), Mission Owners must disable or restrict unused or unnecessary physical and logical p

Rule: SRG-OS-000104-CLD-000160 (Vuln ID: SRG-OS-000104-CLD-000160_rule) | CCI-000764 | Severity: MEDIUM
Title: The Mission Owner of the virtual enclave/virtual platform must be configured with an identity provider that uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Description: To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Identity Federation requirements to enable CAC authentication of non-privile

Rule: SRG-OS-000164-CLD-000170 (Vuln ID: SRG-OS-000164-CLD-000170_rule) | CCI-001135 | Severity: MEDIUM
Title: The Mission Owner of the virtual enclave/virtual platform must implement an encrypted path that is FIPS 140-2 compliant between the virtual OSs' HBSS agents and their control server.
Description: Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. - Implement Host Based

Rule: SRG-OS-000164-CLD-000180 (Vuln ID: SRG-OS-000164-CLD-000180_rule) | CCI-001135 | Severity: MEDIUM
Title: The Mission Owner of the virtual enclave must implement a secure (encrypted) connection or path between the Assured Compliance Assessment Solution (ACAS) server and its assigned ACAS Security Center.
Description: Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. - Implement scanning u

Rule: SRG-OS-000191-CLD-000190 (Vuln ID: SRG-OS-000191-CLD-000190_rule) | CCI-001233 | Severity: MEDIUM
Title: The virtual platform must be configured to use automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal scans not covered by HBSS; and annually, for external scans by the Computer Network Defense Service Provider (CNDSP).
Description: Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. To support this requir

Rule: SRG-NET-000383-CLD-000200 (Vuln ID: SRG-NET-000383-CLD-000200_rule) | CCI-002656 | Severity: HIGH
Title: The Mission Owner must configure an IDPS to protect Mission Owner enclaves and applications hosted in an off-premise cloud service offering.
Description: Without coordinated reporting between cloud service environments used for DoD mission, it is not possible to identify the true scale and possible target of an attack. protect Mission Owner enclaves and applications hosted in an off-premise cloud service o

Rule: SRG-NET-000390-CLD-000210 (Vuln ID: SRG-NET-000390-CLD-000210_rule) | CCI-002661 | Severity: MEDIUM
Title: The Mission Owner of the virtual enclave or platform must continuously monitor and protect inbound communications from other enclaves for unusual or unauthorized activities or conditions.
Description: Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example,

Rule: SRG-NET-000391-CLD-000220 (Vuln ID: SRG-NET-000391-CLD-000220_rule) | CCI-002662 | Severity: MEDIUM
Title: The Mission Owner of the virtual enclave must continuously monitor outbound communications from other enclaves for unusual or unauthorized activities or conditions.
Description: Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to outbound communications traffic include, for example, internal traffic t

Rule: SRG-OS-000404-CLD-002720 (Vuln ID: SRG-OS-000404-CLD-002720_rule) | CCI-002475 | Severity: HIGH
Title: The Mission Owner must configure the cloud instance to use encryption to protect all DoD files housed in the cloud instance for storage service offerings.
Description: Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to prote