The U.S. Department of Defense (DOD) Chief Information Office (CIO) through the Defense Information Systems Agency (DISA) released an update to the Cloud Computing Security Requirements Guide (CC SRG) on March 25, designated v1r2, the agency said Monday.

The update both incorporates and supersedes CC SRG v1r1 and applies to all cloud security provider (CSP) offerings, regardless of who owns or operates the network environments. It applies to all department components and their usage of cloud services, DISA said.

Defense Information Systems Agency (DISA) logo. Image: U.S. Department of Defense
Defense Information Systems Agency (DISA) logo. Image: U.S. Department of Defense

The CC SRG provides security objectives guidance and policy to commercial and department cloud service providers (CSP), department components using cloud, and other mission partners in the department as they develop cloud computing solutions and use cases. The security objectives are applicable to host department missions up to and including Secret-level classification on commercial service offerings. Missions above Secret-level must follow other existing applicable DoD policies not covered by the SRG.

“The CC SRG v1r2 is a result of the feedback we received from our mission and industry partners about the previous version released in January 2015. The new version fittingly represents the evolution we are going through to refine our processes and better position the department to enable secure options to migrate systems and data to the cloud,” John Hickey, Chief Information Officer (CIO) of DISA and risk management executive, said in a statement.

The updated SRG came with a published revision history to allow interested parties to understand the changes and how to best apply the information. The department also published a comment matrix to facilitate the opportunity for ongoing mission partner comments. This will allow issues and concerns to be raised at any time so major issues can be corrected quickly, DISA said.

“This on-going public comment period will allow our mission partners to offer changes as they become necessary. This is in direct support of the DoD CIO’s vision of ‘agile policy development,’” Robert Vietmeyer, associate director for cloud computing and agile development in the enterprise capabilities directorate at the DoD CIO’s office, added.

DISA said the updated SRG continues to serve four purposes:

  • Provides security requirements and guidance to DoD and non-DoD owned and operated CSPs that wish to have their service offerings included in the Cloud Service Catalog;
  • Establishes a basis on which DoD will assess the security posture of a DoD or non-DoD CSP service offering, supporting the decision to grant a DoD Provisional Authorization that allows a non-DoD CSP to host DoD missions;
  • Defines the policies, requirements, and architectures for the use and implementation of DoD or commercial cloud services by DoD mission owners; and
  • Provides guidance to DoD mission owners and assessment and authorization officials in planning and authorizing the use of a cloud service offering.