US Government and Department of Defense agencies are continuing to modernize and transform operations using modern commercial cloud computing services. A recent report on the Federal Cloud Computing Market predicts that demand for commercial cloud computing goods and services will grow to nearly $19 Billion by 2024. A significant growth market in the next 5 years is going to be the US Department of Defense propelled by the recent award of the $9 Billion Joint Warfighting Cloud Capability (JWCC) contracts to Amazon Web Services (AWS), Google Cloud, Microsoft Corporation, and Oracle. JWCC is a multiple-award contract vehicle that will provide the DoD the opportunity to acquire commercial cloud capabilities and services.
Commercial Cloud Service Providers (CSP) looking to offer services to Department of Defense (DoD) components must become familiar with the Department of Defense (DoD) Cloud Authorization Process.
DoD Cloud Authorization Process and Impact Levels (IL)
Just like the FedRAMP PMO implements the Federal Risk and Authorization Management Program (FedRAMP) that provides a standardized approach to security authorizations for Cloud Service Offerings in accordance with FISMA and OMB Circular A-130. The DISA Cloud Assessment Division provides support to DoD Component Sponsors/Mission Owners ensuring that Cloud Service Providers (CSP) meet DoD cloud security requirements. The DISA Cloud Assessment Division works in partnership with DoD Mission Owners (sponsors) and provides pre-screening, assessment, validation, authorization, and continuous monitoring of Cloud Service Offerings (CSO).
Cloud Service Providers (CSP) must comply with DoD security requirements as defined by the DoD Cloud Computing (CC) Security Requirements Guide (SRG). The DOD CC SRG outlines the security model by which DoD will leverage cloud computing, along with the security controls and requirements necessary for using cloud-based solutions. The guidance applies to DoD-provided cloud services and those provided by a contractor on behalf of the department, i.e., a commercial cloud service provider or integrator.
Cloud Service Providers must meet one of defined primary security levels commonly referred to as Impact Levels 2, 4, 5 or 6 (IL2, IL4, IL5 or IL6). Cloud security information impact levels are defined by the combination of: 1) the sensitivity or confidentiality level of information (e.g., public, private, classified, etc.) to be stored and processed in the CSP environment; and 2) the potential impact of an event that results in the loss of confidentiality, integrity, or availability of that information. Each of the Impact Levels are defined below.
Impact Level 2 (IL2): Non-Controlled Unclassified Information
DoD Impact level 2 (IL2) caters to cloud services that host publicly releasable data or non-public unclassified data where the unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations and assets, or individuals. This includes all data cleared for public release as well as some low confidentiality unclassified information NOT designated as CUI or military/contingency operations mission data. However, the information may require some minimal level of access control (e.g., user ID and password). This IL accommodates non-CUI information categorizations based on CNSSI-1253 up to low confidentiality and moderate integrity.
Impact Level 4 (IL4) : Controlled Unclassified Information
Impact level 4 (DoD IL4) is used for systems with non-public, unclassified data where the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations and assets, or individuals. This encompasses CUI and/or other mission data, including that used in direct support of military or contingency operations. CUI is information the federal government creates or possesses that a law, regulation, or government-wide policy requires, or specifically permits, an agency to handle by means of safeguarding or dissemination controls.
Impact Level 5 (IL5): CUI and Unclassified National Security Information (U-NSI)
Impact level 5 (DoD IL5) is used to host non-public, unclassified National Security System (NSS) system data (i.e., U-NSI) or non-public, unclassified data where the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. This includes CUI and/or other mission data that may require a higher level of protection than that afforded by IL4 as deemed necessary by the information owner, public law, or other government regulation.
Impact Level 6 (IL6): Classified Information Up to SECRET
Impact level 6 (DoD IL6) is used for non-public, classified NSS system data (i.e., classified national security information [NSI]) or non-public, unclassified data where the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals). Access to the CSO is via one or more private SIPRNet (SECRET Internet Protocol Router Network) connections.
The actual impact level applicable for a given Cloud Service Provider must be determined by the DoD mission owner looking to utilize the cloud service offering. DoD mission owners rely on DoDI 8510.01 and CNSSI 1253 to identify the cloud information impact level that most closely aligns with the defined categorization and information sensitivity.
DoD Authorization To Operate (ATO) Pathways
Commercial organizations looking to provide commercial cloud services to Department of Defense (DoD) components must go through the authorization process which is based on FISMA and NIST RMF processes using FedRAMP, supplemented with DoD controls. There are three paths to obtaining a DoD ATO (Authorization to Operate):
– Uplift/Leverage FedRAMP JAB PATO
– Uplift/Leverage FedRAMP Agency ATO
– DoD Component Assessed ATO
In order to proceed with the DoD ATO process, the following documentation must be submitted:
– Readiness Assessment Report (RAR) or FedRAMP baseline documentation, as applicable
– System Security Plan (SSP)
– DoD SSP Addendum, for the appropriate Impact Level (IL)
– Security Assessment Plan (SAP)
– Cloud Service Offering Architecture Briefing
Preparing for a DoD ATO
Commercial organizations looking to provide commercial cloud services to Department of Defense (DoD) components need to engineer and architect their offerings that meet specific and strict security requirements. Most organizations begin with using a previously accredited and authorized cloud service like AWS, Google or Microsoft. It is critical to ensure that only accredited services be utilized that conform to the specific Impact Level (IL) that must be met. Please feel to contact us to schedule a free briefing with our DoD ATO Acceleration team to learn more. You may also view some other helpful resources such as the “Achieving DOD Impact Level 4 – Lessons Learned & Much More” video.