Welcome back to the final blog post in our series on FedRAMP+ and DoD cloud computing impact levels. If you missed any, you can use these links to access the previous posts in the series, which covered FedRAMP+, DoD IL2, and DoD IL4-5.
The final Impact Level (IL) referenced in the Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG) is IL6. IL6 allows Cloud Service Providers (CSPs) to store classified information up to and including SECRET. CSPs can use their own infrastructure or deploy their cloud service offering (CSO) in an equivalent IL6-authorized cloud service. All physical locations used to host IL6 data must provide dedicated cloud infrastructure that processes classified information, and therefore cannot be considered a “commercial” provider of cloud services.
CSPs must implement the policies defined in the National Industrial Security Program Operating Manual (NISPOM, DoD 5220.22-M) to ensure that classified information is properly safeguarded. No additional NIST SP 800-53 security controls are added beyond the IL5 baseline. However, if the IL6 CSO is housed in a DoD data center or installation (i.e., Base, Camp, Post, or Station), the CSP must follow the Classified Information Overlay defined in Appendix F of the Committee on National Security Systems Instruction (CNSSI). Appendix F of the CNSSI introduces 94 security controls or security control enhancements required to receive a Provisional Authorization (PA) at IL6. CSPs are strongly advised to consult with their DoD Mission Owner on the shared responsibilities for these 94 additional security controls before implementing them.
IL6 Additional Requirements
One of the most notable changes from IL4 or IL5 is how a CSO is accessed. CSOs are not accessed via the Non-classified Internet Protocol Router Network (NIPRNet), but instead via the Secret Internet Protocol Router Network (SIPRNet). The CSP is also responsible for ensuring that DoD and National Security System (NSS) Public Key Infrastructure (PKI) certificates are enforced for CSP and DoD authentication. Just as with IL4 or IL5, the CSO must also meet the Jurisdiction/Location Requirements by ensuring that all data stored and processed for or by the DoD resides in a facility under the exclusive legal jurisdiction of the US. What does change, however, is that the facilities themselves must be cleared to store, process, and transmit SECRET data. A CSO infrastructure at IL6 is a SIPRNet enclave: a closed, self-contained environment for the CSO's processing, storage, and management planes, connected only to SIPRNet. Facilities must follow DoD Manual (DoDM) 5200.01 Volume 3, DoD Information Security Program: Protection of Classified Information.
Personnel requirements for CSPs also change considerably at IL6. CSP personnel operating the IL6 CSO must all be US citizens who have undergone a favorably adjudicated Single Scope Background Investigation (SSBI). The CSP personnel must also hold a clearance at the appropriate level for the classified information stored, processed, or transmitted. Finally, awareness and training requirements for CSP personnel may require additional measures as defined in DoD 8570.01-M, Information Assurance Workforce Improvement Program. Per the DoD CC SRG, DoD 8570.01-M may be optional: “The determination to not levy DoD 8570.01-M on commercial CSPs is based on the complexities of attempting to change how a commercial CSP that serves customers outside of DoD hires and trains personnel.” Therefore, CSPs must work with their DoD Mission Owner to define awareness and training requirements beyond the standard role-based security training provided to CSP personnel operating the IL6 CSO.
For more information on our FedRAMP advisory solutions, visit https://www.coalfire.com/Solutions/Audit-and-Assessment/FedRAMP/Consulting-Advisory, or contact 3PAO@coalfire.com to learn how we can help.