As discussed in the previous blog post on FedRAMP+, there are four authorization levels defined in the Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG). In this post we will give a brief rundown of the lowest authorization level, DoD Impact Level (IL) 2, and the security requirements and key takeaways for Cloud Service Providers (CSPs) looking to receive a DoD IL2 Provisional Authorization (PA). As stated in section 3 of the DoD CC SRG, the DoD defines the IL “by the combination of: 1) the sensitivity or confidentiality level of information (e.g., public, private, classified, etc.) to be stored and processed in the Cloud Service Provider (CSP) environment; and 2) the potential impact of an event that results in the loss of confidentiality, integrity, or availability of that information.” The DoD’s categorization of the IL for cloud service offerings (CSOs) is similar to how the Federal Risk and Authorization Management Program (FedRAMP) defines security objectives for confidentiality, integrity, and availability of cloud systems in accordance with Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. Security objectives for each IL are based only on confidentiality and integrity, starting at the Moderate baseline. While security objectives for availability are not explicitly addressed in any of the ILs, DoD Mission Owners must work with CSPs to define Service Level Agreement (SLA) requirements during procurement of a CSO.
DoD IL2 is the lowest authorization level under the DoD CC SRG and is applicable to any CSO storing, processing, or transmitting public or non-critical mission information. A CSO authorized at DoD IL2 can deploy as a public cloud solution accessible from the public Internet by DoD personnel. The DoD IL2 baseline is equivalent to FedRAMP Moderate, requiring implementation of 325 NIST 800-53 Rev. 4 controls from the FedRAMP Moderate baseline to achieve authorization. The concept of reciprocity between FedRAMP Moderate and DoD IL2 was established to enable DoD mission partners and components to use a CSO if it has successfully achieved a FedRAMP Moderate authorization.
In 2019 the Defense Information Systems Agency (DISA) issued a PA enabling DoD IL2 data to be hosted on CSOs authorized at the FedRAMP Moderate baseline without waiting for explicit DoD written authorization. In short, any FedRAMP Moderate Agency- or JAB-authorized solution can be used to host data categorized as public or non-critical mission information. This reciprocity comes with a few conditions, including data residency requirements:
- the CSO must be listed as “Authorized” in the FedRAMP Marketplace
- datacenters leveraged by the CSO must be in the United States or its territories
- the CSO must adhere to continuous monitoring practices without having the authorization suspended, revoked, restricted, or limited in any manner
CSPs looking to market their CSO to the DoD must consider the sensitivity of the data which will be stored, processed, or transmitted. Data categorized above public or non-critical mission information, such as Controlled Unclassified Information (CUI) or information which typically resides in a National Security System (NSS), must reside in a cloud environment authorized at a higher IL than IL2. In the next series of posts we will discuss the IL4, IL5, and IL6 requirements applicable to the DoD CC SRG and what CSPs must know about their distinguishing requirements and characteristics.
For more information on our FedRAMP advisory solutions you can visit https://www.coalfire.com/Solutions/Audit-and-Assessment/FedRAMP/Consulting-Advisory or please contact 3PAO@coalfire.com for more information on