Cloud Computing Mission Owner Security Requirements Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
- RMF Control
- AC-2
- Severity
- H
- CCI
- CCI-000015
- Version
- SRG-OS-000001-CLD-000010
- Vuln IDs
-
- SRG-OS-000001-CLD-000010
- Rule IDs
-
- SRG-OS-000001-CLD-000010_rule
Checks: C-SRG-OS-000001-CLD-000010_chk
If the DoD account owners are required to use the CSP’s IdAM system to administer user accounts and service configurations, this is not a finding. Review the site's approval documentation to ensure an individual or entity has been appointed to manage the cloud management service portal. This may be a group or contracted service. Verify the cloud service offering has been configured to allow only these individuals for portal service and virtual instance configuration. If the cloud Mission Owner Authorizing Official has not configured the cloud service offering for access using PKI, this is a finding.
Fix: F-SRG-OS-000001-CLD-000010_fix
Have the Mission Owner's AO appoint an individual or entity to manage portal services. Application and enclave administrators should also be appointed. Configure access for these individuals using PKI to access and configure services and virtual instances.
- RMF Control
- AU-4
- Severity
- L
- CCI
- CCI-001851
- Version
- SRG-OS-000342-CLD-000020
- Vuln IDs
-
- SRG-OS-000342-CLD-000020
- Rule IDs
-
- SRG-OS-000342-CLD-000020_rule
Checks: C-SRG-OS-000342-CLD-000020_chk
Verify the Mission Owner has implemented a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform. If the Mission Owner has not implemented a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform, this is a finding.
Fix: F-SRG-OS-000342-CLD-000020_fix
Implement a solution for centralized logging and SIEM services to capture and store the log records produced by the VM management and applications on the virtual enclave/platform.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- SRG-OS-000480-CLD-000030
- Vuln IDs
-
- SRG-OS-000480-CLD-000030
- Rule IDs
-
- SRG-OS-000480-CLD-000030_rule
Checks: C-SRG-OS-000480-CLD-000030_chk
If this is an Impact Level 2, off-premise implementation, this requirement is not applicable. Review the architecture for the virtual enclave/platform. Verify that for dedicated infrastructure mission Impact Levels 4-6 and on Premise Level 2, the virtual enclave implements a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection. For Virtual Enclave Levels 4-6 or on Premise Impact Level 2 implementations, if the virtual enclave does not implement a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection, this is a finding.
Fix: F-SRG-OS-000480-CLD-000030_fix
For dedicated infrastructure with an ICAP/BCAP connection (Levels 4-6 and on Premise Impact Level 2), ensure that the virtual enclave implements a security stack that restricts traffic flow inbound and outbound to/from the virtual enclave to the BCAP or ICAP connection.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- SRG-OS-000480-CLD-000040
- Vuln IDs
-
- SRG-OS-000480-CLD-000040
- Rule IDs
-
- SRG-OS-000480-CLD-000040_rule
Checks: C-SRG-OS-000480-CLD-000040_chk
If this is Impact Level 2, this is not a finding. Review the configuration of the virtual enclave router. Verify that virtual Internet-facing applications are configured to traverse the CAP and VDSS prior to communicating with the Internet. If virtual Internet-facing applications permit direct access to the CSP or the Internet, this is a finding.
Fix: F-SRG-OS-000480-CLD-000040_fix
Configure virtual Internet-facing applications to traverse the CAP and VDSS prior to communicating with the Internet.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- SRG-OS-000480-CLD-000060
- Vuln IDs
-
- SRG-OS-000480-CLD-000060
- Rule IDs
-
- SRG-OS-000480-CLD-000060_rule
Checks: C-SRG-OS-000480-CLD-000060_chk
Review the configuration of the virtual enclave. Verify that the IP address of an ACAS server is configured. Verify the ACAS data is also being communicated to the CNDSP. If the virtual enclave does not implement scanning using an ACAS server, this is a finding.
Fix: F-SRG-OS-000480-CLD-000060_fix
Configure scanning using an ACAS server by configuring the IP address of the elected server.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- SRG-OS-000480-CLD-000070
- Vuln IDs
-
- SRG-OS-000480-CLD-000070
- Rule IDs
-
- SRG-OS-000480-CLD-000070_rule
Checks: C-SRG-OS-000480-CLD-000070_chk
Verify that a FIPS 140-2 compliant communication protocol is configured for communication between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable. If the cloud IaaS does not implement a secure (encrypted) connection or path between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable, this is a finding.
Fix: F-SRG-OS-000480-CLD-000070_fix
Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the implemented systems/applications and the DoD OCSP responders on NIPRNet or SIPRNet as applicable.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- SRG-OS-000480-CLD-000080
- Vuln IDs
-
- SRG-OS-000480-CLD-000080
- Rule IDs
-
- SRG-OS-000480-CLD-000080_rule
Checks: C-SRG-OS-000480-CLD-000080_chk
If the CSP's infrastructure is used, this is not applicable. Verify the virtual enclave/platform is configured to maintain logical separation of all management, user, and data traffic using encryption. If the virtual enclave/platform does not maintain separation of all management, user, and data traffic, this is a finding.
Fix: F-SRG-OS-000480-CLD-000080_fix
Configure the virtual enclave/platform/OS to maintain separation of all management, user, and data traffic.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- SRG-OS-000480-CLD-000090
- Vuln IDs
-
- SRG-OS-000480-CLD-000090
- Rule IDs
-
- SRG-OS-000480-CLD-000090_rule
Checks: C-SRG-OS-000480-CLD-000090_chk
If the implementation is categorized as Impact Level 4-6, this not applicable. Review the approval documentation. Verify that the cloud service offering is listed in either the FedRAMP or DISA PA DoD Cloud Catalog when hosting Unclassified, public-releasable, DoD information. If Unclassified, public-releasable DoD information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in either the FedRAMP or DISA PA DoD Cloud Catalog, this is a finding.
Fix: F-SRG-OS-000480-CLD-000090_fix
Select and configure a cloud service offering listed in FedRAMP or DISA PA DoD Cloud Catalog when hosting Unclassified, public-releasable, DoD information. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- SRG-OS-000480-CLD-000100
- Vuln IDs
-
- SRG-OS-000480-CLD-000100
- Rule IDs
-
- SRG-OS-000480-CLD-000100_rule
Checks: C-SRG-OS-000480-CLD-000100_chk
If the implementation is categorized as Impact Level 2 or 6, this is not applicable. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the cloud service offering is listed in the DISA PA DoD Cloud Catalog. Verify the offering is listed as Impact Level 4 or higher. If sensitive but unclassified information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in the DISA PA DoD Cloud Catalog, Impact Level 4 or higher, this is a finding.
Fix: F-SRG-OS-000480-CLD-000100_fix
Select and configure a cloud service offering listed in the DISA PA DoD Cloud Catalog for use with Impact Level 4 or higher. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- SRG-OS-000480-CLD-000110
- Vuln IDs
-
- SRG-OS-000480-CLD-000110
- Rule IDs
-
- SRG-OS-000480-CLD-000110_rule
Checks: C-SRG-OS-000480-CLD-000110_chk
If the implementation is categorized as Impact Level 2-5, this not a finding. Review the approval documentation and the DISA PA Cloud Catalog. Verify that the Cloud Service Offering is listed in the DISA PA DoD Cloud Catalog. Verify the Cloud Service Offering is listed in the DISA PA DoD Cloud Catalog at Level 6 when hosting Classified DoD information. If Classified DoD information is being hosted in the virtual enclave/platform and the cloud service offering is not listed in the DISA PA DoD Cloud Catalog, Impact Level 6 or higher, this is a finding.
Fix: F-SRG-OS-000480-CLD-000110_fix
Select and configure a cloud service offering listed in the DISA PA DoD Cloud Catalog for use with Impact Level 6 when hosting Classified DoD information. Specify in the SLA with the CSP and third-party providers compliance with applicable STIG configurations.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- SRG-OS-000368-CLD-000120
- Vuln IDs
-
- SRG-OS-000368-CLD-000120
- Rule IDs
-
- SRG-OS-000368-CLD-000120_rule
Checks: C-SRG-OS-000368-CLD-000120_chk
Request the cloud service cloud approval documentation. Verify the virtual enclave/platform/software is registered in the service/application with the DoD whitelist for both inbound and outbound traffic. If the Mission Owner has configured/used ports and protocols that have not been registered with the DoD whitelist, this is a finding.
Fix: F-SRG-OS-000368-CLD-000120_fix
Register the virtual enclave/platform/software service/application with the DoD whitelist for both inbound and outbound traffic. Configure the DoD whitelist with the ports and protocols needed to support applications and services used in the cloud environment.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- SRG-OS-000368-CLD-000130
- Vuln IDs
-
- SRG-OS-000368-CLD-000130
- Rule IDs
-
- SRG-OS-000368-CLD-000130_rule
Checks: C-SRG-OS-000368-CLD-000130_chk
Verify the CSP’s cloud service offering is registered in SNAP for the connection approval and it is the one being used in the cloud management portal. If the cloud service is not registered in SNAP, this is a finding. If the IP address that is registered in SNAP is not configured for use with the approved cloud environment, this is a finding.
Fix: F-SRG-OS-000368-CLD-000130_fix
Register the virtual enclave/platform/software CSP’s cloud service offering in SNAP for the connection approval. Configure the IP address that is registered in SNAP for use by the cloud service offering using the cloud management portal.
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-001764
- Version
- SRG-OS-000368-CLD-000140
- Vuln IDs
-
- SRG-OS-000368-CLD-000140
- Rule IDs
-
- SRG-OS-000368-CLD-000140_rule
Checks: C-SRG-OS-000368-CLD-000140_chk
If cloud services are managed by the CSP, verify separation requirements are addressed in the SLA. Verify the virtual enclave/virtual platform is configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements. If the virtual enclave/virtual platform has not been configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements, this is a finding.
Fix: F-SRG-OS-000368-CLD-000140_fix
Configure the virtual enclave/virtual platform to be configured to either disable or remove cloud services and helper VMs that are no longer required based on mission requirements. Cloud services are added, removed, and updated by the cloud service portal management entity via the management plane.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- SRG-OS-000096-CLD-000150
- Vuln IDs
-
- SRG-OS-000096-CLD-000150
- Rule IDs
-
- SRG-OS-000096-CLD-000150_rule
Checks: C-SRG-OS-000096-CLD-000150_chk
If this is a Level 2 cloud, this is not a finding. For dedicated infrastructure with a DODIN connection (Levels 4-6), review the architecture diagrams. Verify that the virtual firewall ACLs, IPS rules, and/or routing tables that restrict traffic flow inbound and outbound to/from the virtual enclave to the DODIN connection comply with the boundary requirements of DoDI 8551. Verify all traffic from the CSP enclave and other sources are blocked by these methods. If the cloud IaaS/PaaS is not configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments, this is a finding.
Fix: F-SRG-OS-000096-CLD-000150_fix
For dedicated infrastructure with a DODIN connection (Levels 4-6), configure the IaaS/PaaS virtual firewall, IPS, and/or routing methods that restrict traffic flow inbound and outbound to/from the virtual enclave to the DODIN connection IAW DoDI 8551 and block all traffic from all other sources.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- SRG-OS-000104-CLD-000160
- Vuln IDs
-
- SRG-OS-000104-CLD-000160
- Rule IDs
-
- SRG-OS-000104-CLD-000160_rule
Checks: C-SRG-OS-000104-CLD-000160_chk
Verify the virtual enclave/platform is configured to use an identity provider. If the virtual enclave/virtual platform has not implemented an identify provider, this is a finding.
Fix: F-SRG-OS-000104-CLD-000160_fix
Configure the virtual enclave/platform to use an identity provider. Mission Owners may choose to use the CSP's CAC services (based on level), use a DoD federated offering, or install a virtual AD.
- RMF Control
- SC-11
- Severity
- M
- CCI
- CCI-001135
- Version
- SRG-OS-000164-CLD-000170
- Vuln IDs
-
- SRG-OS-000164-CLD-000170
- Rule IDs
-
- SRG-OS-000164-CLD-000170_rule
Checks: C-SRG-OS-000164-CLD-000170_chk
Review the configuration of the virtual enclave/platform. Verify that the IP address of an HBSS agent control server on NIPRNet is configured. Verify that a FIPS 140-2 compliant communication protocol is configured for communication with the server. Verify the HBSS data is also being communicated to the CNDSP. If the cloud IaaS/PaaS does not implement a secure (encrypted) connection or path between the HBSS agents and their control server, this is a finding.
Fix: F-SRG-OS-000164-CLD-000170_fix
Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the virtual OS's HBSS agents and their control server. Configure visibility by the Mission Owner’s CNDSP.
- RMF Control
- SC-11
- Severity
- M
- CCI
- CCI-001135
- Version
- SRG-OS-000164-CLD-000180
- Vuln IDs
-
- SRG-OS-000164-CLD-000180
- Rule IDs
-
- SRG-OS-000164-CLD-000180_rule
Checks: C-SRG-OS-000164-CLD-000180_chk
Verify that a FIPS 140-2 compliant communication protocol is configured for communication between the ACAS server and its assigned ACAS Security Center. If the cloud IaaS does not implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center, this is a finding.
Fix: F-SRG-OS-000164-CLD-000180_fix
Configure the virtual enclave/virtual platform to implement an encrypted path that is FIPS 140-2 compliant between the ACAS server and its assigned ACAS Security Center.
- RMF Control
- SI-2
- Severity
- M
- CCI
- CCI-001233
- Version
- SRG-OS-000191-CLD-000190
- Vuln IDs
-
- SRG-OS-000191-CLD-000190
- Rule IDs
-
- SRG-OS-000191-CLD-000190_rule
Checks: C-SRG-OS-000191-CLD-000190_chk
Verify the virtual platform employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If the cloud IaaS/PaaS does not employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by CNDSP, this is a finding.
Fix: F-SRG-OS-000191-CLD-000190_fix
Configure the virtual platform to use automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal enclave scans not covered by HBSS; and annually, for external scans by CNDSP.
- RMF Control
- SI-4
- Severity
- H
- CCI
- CCI-002656
- Version
- SRG-NET-000383-CLD-000200
- Vuln IDs
-
- SRG-NET-000383-CLD-000200
- Rule IDs
-
- SRG-NET-000383-CLD-000200_rule
Checks: C-SRG-NET-000383-CLD-000200_chk
If this is a premise or Level 2 implementation, this requirement is not applicable. Review SLA and architecture documentation. Verify the virtual IDPS is in place by inspecting the architecture diagrams. Verify that it is placed to monitor and protect the virtual enclave, platform, and interconnected host VMs. Inspect the virtual IDPS configuration. Verify a secure (encrypted) connection exists between the virtual IDPS capabilities and the CNDSP responsible for the mission system/application. If the Mission Owner has not configured the virtual enclave or platform IDPS to monitor and protect the virtual enclave(s) and interconnected VMs, this is a finding.
Fix: F-SRG-NET-000383-CLD-000200_fix
Configure a virtual IDPS to monitor and protect Mission Owner enclaves and applications hosted in an off-premise cloud.
- RMF Control
- SI-4
- Severity
- M
- CCI
- CCI-002661
- Version
- SRG-NET-000390-CLD-000210
- Vuln IDs
-
- SRG-NET-000390-CLD-000210
- Rule IDs
-
- SRG-NET-000390-CLD-000210_rule
Checks: C-SRG-NET-000390-CLD-000210_chk
If this is a premise or Level 2 implementation, this requirement is not applicable. Inspect the ACLs for inbound interfaces from other enclaves for the firewalls. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules include rules and ACLs that detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the virtual enclave does not continuously monitor inbound communications from other virtual enclaves within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.
Fix: F-SRG-NET-000390-CLD-000210_fix
Configure the firewall and IDPS for continuous monitoring of all communications inbound to the virtual enclave or platform. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
- RMF Control
- SI-4
- Severity
- M
- CCI
- CCI-002662
- Version
- SRG-NET-000391-CLD-000220
- Vuln IDs
-
- SRG-NET-000391-CLD-000220
- Rule IDs
-
- SRG-NET-000391-CLD-000220_rule
Checks: C-SRG-NET-000391-CLD-000220_chk
If this is a premise or Level 2 implementation, this requirement is not applicable. Inspect the ACLs for outbound interfaces from other enclaves for the firewalls. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules include rules and ACLs that detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the virtual enclave does not continuously monitor outbound communications from other virtual enclaves within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.
Fix: F-SRG-NET-000391-CLD-000220_fix
Configure the firewall and IDPS for continuous monitoring of all communications outbound to the virtual enclave or platform. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
- RMF Control
- SC-28
- Severity
- H
- CCI
- CCI-002475
- Version
- SRG-OS-000404-CLD-002720
- Vuln IDs
-
- SRG-OS-000404-CLD-002720
- Rule IDs
-
- SRG-OS-000404-CLD-002720_rule
Checks: C-SRG-OS-000404-CLD-002720_chk
If this is Impact Level 2, this is not applicable. Verify the virtual platform is configured to use encryption to protect all DoD files housed in the virtual storage service. If the virtual platform is not configured to use encryption to protect all DoD files housed in the virtual storage service, this is a finding.
Fix: F-SRG-OS-000404-CLD-002720_fix
Configure the cloud instance to use encryption to protect all DoD files housed in the virtual storage service.