DoD Cloud Authorization Process - Cyber


UNCLASSIFIED

DoD Cloud Authorization Process
DISA Cloud Assessment Division
DISA RME/RE2
August 2021

TRUST IN DISA: MISSION FIRST, PEOPLE ALWAYS!

DISA Cloud Assessment Division

- The DISA Cloud Assessment Division provides support to DoD Component Sponsors/Mission Owners through the pre-screening, assessment, validation, authorization, and continuous monitoring of Cloud Service Offerings (CSO).
- They ensure the Cloud Service Provider (CSP) and CSO meet DoD cloud security requirements for a DoD Provisional Authorization (PA).
- They serve as technical reviewers on the FedRAMP Joint Authorization Board (JAB).

What You Must Know

- FedRAMP authorization processes
- DoD cloud authorization process
- Shared responsibility model
- Cloud security requirements exist for CSPs and for DoD mission owners.
- The DoD provisional authorization is not the Authorization to Operate (ATO).
- The connection approval process for the mission owner and the CSP occurs after the PA is issued.
- Continuous monitoring requirements must be performed before and after authorization based on FedRAMP and DoD requirements.

FedRAMP

- The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings in accordance with FISMA and OMB Circular A-130.
- Two authorization paths for a CSO:
  - Joint Authorization Board (JAB)
  - Individual agency
- Visit FedRAMP.gov for detailed information and requirements.

DoD Cloud Authorization

- The authorization process for commercial and non-DoD CSPs is based on FISMA and NIST RMF processes through the use of FedRAMP, supplemented with DoD considerations.
- DISA assesses the CSP's service offerings and 3PAO results for consideration in issuing a DoD PA.
- The DISA AO is responsible for approving and revoking DoD PAs.
- There are three paths to obtaining a DoD PA:
  1. Leverage a FedRAMP JAB P-ATO
  2. Leverage a FedRAMP Agency ATO
  3. DoD Component assessed
- Review the CC SRG for detailed information about the authorization process.

Cloud Computing Security Requirements

- The Cloud Computing (CC) Security Requirements Guide (SRG) outlines the security model and requirements by which DoD will leverage cloud computing.
- The minimum baseline for a DoD PA is the FedRAMP Moderate Baseline.
- Download the CC SRG from the DoD Cyber Exchange.

Leveraging FedRAMP Authorized Services

- FedRAMP Plus is the concept of leveraging the work done as part of the FedRAMP assessment and adding the specific security controls and requirements necessary to meet and assure DoD's critical mission requirements.
- For IL2, no additional security controls are required for a DoD PA.
- For IL4/IL5, DISA leverages the FedRAMP authorization and assesses the additional controls and requirements.
- The DISA AO issued a reciprocity memo for IL2 CSOs.
  - Using the IL2 reciprocity memo, a DoD component may leverage any CSO assessed, authorized, and listed in the FedRAMP Marketplace at a minimum of the FedRAMP Moderate Baseline.
  - Download the IL2 Reciprocity memo: ...SOCatalog.aspx

Reuse of Authorized CSP Packages

- Both the FedRAMP and DoD authorization processes promote reuse of security authorization packages.
- A CSP goes through the authorization process once; after achieving authorization for a CSO, the security package can be reused.
- The FedRAMP Marketplace lists FedRAMP authorized cloud services (JAB and Agency).
- The DoD Cloud Authorization Services (DCAS) site lists cloud services with DoD PAs.
- FedRAMP quick guide for reusing authorizations: .../Reusing Authorizations for Cloud Products Quick Guide.pdf
- Review the DoD CC SRG for DoD-specific guidance.

System/Data Categorization

- DoD Mission Owners must categorize mission information systems in accordance with DoDI 8510.01 and CNSSI 1253.
- Mission owners must identify the cloud information impact level that most closely aligns with the defined categorization and information sensitivity.
- Information types and requirements for each impact level are outlined in the CC SRG.

Summary Requirements per Information Impact Level

FedRAMP / DoD Security Control Baselines

Counts are in security controls and control enhancements (C/CE); each DoD baseline builds on the one before it:

  FedRAMP Moderate Baseline (MBL)   325 C/CE
  FedRAMP High Baseline (HBL)       421 C/CE   = FedRAMP MBL 325 + 96 additional FedRAMP C/CE
  DoD Impact Level 4 Baseline       363 C/CE   = FedRAMP MBL 325 + 38 FedRAMP C/CE, plus DoD General Readiness and DoD Unique Requirements
  DoD Impact Level 5 Baseline       372 C/CE   = IL4 363 + 9 FedRAMP C/CE, plus DoD General Readiness and DoD Unique Requirements

DoD Component Sponsorship for DoD PA

- The DoD Component sponsoring the CSP must:
  - Be committed to use
  - Align with a CSSP
  - Provide a minimum of two qualified support analysts to complete the review of the CSP's security authorization package
  - Understand and be capable of responsibility for the customer's portion of controls under the shared responsibility model for cloud use
- One DISA SCA-R and the DoD Component-sponsored support analysts make up the Joint Validation Team (JVT).
- A mission owner leveraging the DoD PA is responsible for mission owner requirements and responsibilities, including continuous monitoring.

Prioritization for Security Assessment

- Top priority: CSPs with a DoD sponsor that supports a high-priority DoD mission as recognized by a DoD Chief Information Officer or J6 General Officer. In the event multiple CSPs fall into this category, resolution of priorities will be determined by a designated SecDef or JCS senior.
- CSP renewing an expiring Provisional Authorization that currently hosts DoD IT projects.
- CSP with a DoD sponsor with these prerequisites:
  1) CSP has completed the FedRAMP authorization process;
  2) CSP has an existing contract;
  3) CSP rates high on the readiness checklist;
  4) CSP sponsor has reviewers to help with the analysis of the 3PAO's assessment products.
- CSP with a DoD sponsor currently operating in a DoD private cloud scenario and having a second DoD sponsor seeking its services.
- CSP with a DoD sponsor not meeting the above conditions.
- Least priority: CSPs without a DoD sponsor but with a capability aligned to a recognized DoD interest.

Uplift from a JAB P-ATO

- A FedRAMP JAB P-ATO is issued by the JAB to a CSP for a CSO.
- The CSP's security authorization package is reviewed by JAB reviewers from three agencies (DoD, DHS, GSA).
- This is the DoD preferred path to a DoD PA because the DoD CIO and the DISA Cloud Security Control Assessor (SCA) team are involved in FedRAMP JAB assessment and authorization activities.
- The CSP and 3PAO submit documentation (SSP/SAP/SAR/POA&M, etc.) to DISA for review and validation by the JVT.
- For IL4/IL5, DoD leverages the documentation and artifacts produced for the JAB P-ATO in addition to documentation developed for any additional DoD requirements not addressed by FedRAMP.

Uplift from an Agency ATO

- An Agency Authorization to Operate (ATO) is issued by a Federal Agency Authorizing Official (AO) to a CSP for a CSO based on compliance with FedRAMP requirements.
- A Federal Agency ATO listed in the FedRAMP Marketplace can be leveraged for a DoD PA.
- For IL4/IL5, DoD will leverage the Federal Agency ATO authorized baseline, including all relevant continuous monitoring documentation, in addition to documentation developed for any additional DoD requirements not addressed through the FedRAMP authorization process.
- A FedRAMP-approved 3PAO must perform any required additional assessment.
- The CSP and 3PAO submit documentation (SSP/SAP/SAR/POA&M, etc.) to the DISA Cloud SCA for review and validation toward issuing a DoD PA.
- The DISA Cloud SCA will request all baseline documentation and applicable continuous monitoring artifacts.

DoD Assessed PA

- Without a FedRAMP JAB P-ATO or Agency ATO, a DoD Component assessment of a CSP's CSO may only be performed under two circumstances:
  - A DoD organization has a validated mission requirement that only the specific CSP's CSO can fulfill, requiring it to be authorized.
  - A DoD organization acting as a CSP develops and instantiates a CSO.
- The CSP's CSO is fully assessed by a FedRAMP-approved 3PAO against a FedRAMP Moderate or High Baseline and DoD's FedRAMP requirements.
- The DoD sponsoring organization must provide personnel for the full assessment and validation in coordination with the DISA Cloud SCA organization.
- It may take five to eight months to complete assessment and validation.
- The CSP/3PAO submits assessment documentation (RAR/SSP/SAP/SAR/POA&M, etc.) to the DISA Cloud SCA.
- The CSP's assessment package may be shared with FedRAMP and made available through the FedRAMP secure repository if it needs to be leveraged by other Federal Agencies.

The PA and the ATO

DoD Provisional Authorization (PA)
- Issued by the DISA Authorizing Official (AO) to a CSP for a CSO based on FedRAMP and additional DoD security requirements (Impact Levels 4/5/6).
- A DoD PA is primarily issued for enterprise use.
- Typically leverages a CSP's JAB P-ATO or Federal Agency ATO.
- A reciprocity memo was issued at Impact Level 2 for CSOs on the FedRAMP Marketplace.
- The CSP's security authorization package is reviewed by reviewers from DISA and the DoD Component sponsoring the CSP.

DoD Component ATO
- Issued by a DoD Component AO to a Mission Owner for its system/data that makes use of the CSP's CSO.
- Must leverage a CSP's DoD PA.
- IL2 requests where the IL2 reciprocity memo is not leveraged must apply the FedRAMP Agency Authorization Process directly with the FedRAMP PMO.

                Provisional Authorization                     ATO
Focuses on      CSO risk                                      Mission risk
Granted by      the FedRAMP JAB and/or the DISA AO            a DoD Component's AO
Granted to      a CSP for a CSO                               a DoD Mission Owner for a system

Mission Owner AO Responsibility

- Inherit/Leverage: maximize use of the existing body of evidence
  - Is the scope of testing adequate? If so, review the 3PAO's Security Assessment Plan (SAP)
  - Review test results: the 3PAO's Security Assessment Report (SAR)
  - Residual risk: review POA&Ms, continuous monitoring data, DISA's Authorization Recommendation and Provisional Authorization memos
  - Identify and proceed with any additional testing required (with the CSP and 3PAO)
- If risk is acceptable, issue an IATT or ATO
  - Accept the risk and liabilities identified in the DoD PA for the Mission Owner's unique system and mission
  - Impose any conditions deemed necessary for the secure operation of the CSO in the context of the Mission Owner system requirements, interconnections, and data processed
  - Issue an ATO to a Mission Owner for a system that makes use of the CSP's CSO

Mission Owner AO Risk Decision

[Figure: shared-responsibility and authorization stack. For each service model (IaaS, PaaS, SaaS), security responsibility is split between the CSP and the DoD Mission Owner. Authorization layers: the FedRAMP JAB issues the JAB P-ATO, the DISA AO issues the DoD PA, and the Mission Owner AO issues the ATO.]

DoD Provisional Authorization Process Timeline

Estimated duration (per CSP) is 11 – 17 weeks (not including time for the 3PAO assessment).

Initial Contact Phase
- DoD Sponsor completes the "Initial Contact Form" (ICF) in DCAS and submits it.
- DISA holds an initial phone call with the DoD Sponsor and CSP to review the requirements of the sponsor and the best path to PA; DISA assigns priority and a notional schedule.
- Prioritization assigned. Sponsor's technical reviewers' names and documentation checklist submitted to DISA. Access to the CSP document repository initiated.
- DISA schedules the Initial Planning Conference call and holds a process and requirements Technical Exchange Meeting; parsing begins and a strategy meeting schedule is established.

Kickoff
- Introductions and team briefs: Sponsor (overview), CSP (architecture), 3PAO (assessment schedule and plan), SCCA (CAP), NIC (IP and DNS), DISA (JVT brief).
- JVT: DISA SCA-R, sponsor analysts, CSP and 3PAO.
- Initial review of RAR, SSP, SSP Addendums, architecture and documentation checklist for readiness.
- DISA SCA-R, JVT and CSP review and approve the SAP; JVT approval to proceed with testing/assessment.

3PAO Assessment (time varies depending on the FedRAMP baseline)
- 3PAO conducts the assessment. CSP provides the SSP and POA&M; 3PAO provides the SAR.
- 3PAO and CSP ensure delivery of documentation.

DoD JVT Review and Remediation (8-10 weeks)
- Validation begins with access to the security package; the DoD JVT performs validation on the package (SSP/SAP/SAR/POA&M).
- JVT iterative review of the CSO package; comments to the CSP and 3PAO, remediation if required.
- CSP/3PAO remediate issues, re-test, update documents, respond to JVT comments and deliver the revised package; POA&M updated.

Authorization and DSAWG Prep (1-3 weeks)
- Authorization Recommendation, items/issues, vulnerability tables and DSAWG brief developed; draft Authorization Recommendation and DSAWG brief submitted to seniors for review and finalized.
- Forward to the DSAWG two weeks in advance of the DSAWG meeting, which is the 2nd Tuesday of the month.

DSAWG Review (1-2 weeks)
- Authorization Recommendation submitted to the DSAWG for review and comments, then to the DISA AO for the authorization decision.

AO Decision (1-2 weeks)
- Final AO review / PA sign-off.

Monitor and Manage
- Network defense and monitoring.

Mission Owner
- Mission Owners must authorize use of the CSO utilizing the DoD PA Mission Owner guidance; after authorization is issued, submit for connection.

Initial Planning and Readiness Review

Deliverable / Task                                                     Submission Deadline
Completed and signed sponsor request form                              Within two weeks of initiating the form
Readiness Assessment Report (RAR) or FedRAMP baseline                  Within two weeks of DoD Sponsor submitting request
  documentation, as applicable
Initial Planning Meeting                                               Within two weeks of sponsor submitting the request
CSO Architecture Briefing                                              Within two weeks of Initial Planning Meeting
DoD SSP Addendum, ILx                                                  Within two weeks of Initial Planning Meeting
Security Assessment Plan (SAP)                                         Within two weeks of Kickoff Meeting
Complete Security Authorization Package:                               As soon as final SAR is signed
  CSP submits SSP, DoD SSP Addendum and POA&M in eMASS;
  3PAO submits SAP and SAR in eMASS

Provisional Authorization Memo

Initial DoD Provisional Authorization (PA)
- The DISA AO is the Authorizing Official (AO) for a DoD PA.
- Typically, a DoD PA is issued with an expiration date and can be leveraged by DoD Mission Owners until it expires or is revoked.
- The PA is issued with general and/or specific conditions for the CSP and usage considerations for the DoD Mission Owner.

Ongoing Provisional Authorization
- CSPs must comply with all Continuous Monitoring (ConMon) requirements to maintain the DoD PA.

Reauthorization
- Upon expiration, a CSP's CSO may be reauthorized if there is continued need by the DoD community and the CSP has maintained a satisfactory security posture. The DISA AO will issue an updated PA memo.

eMASS

- A separate instance of eMASS is available for cloud services.
- It can be accessed by CSPs and their designated 3PAO POC.
- CSPs will create eMASS packages for their CSOs that provide inheritance across to DoD Mission Owners leveraging the CSO.
- The use of the Cloud eMASS instance provides a consolidated location for the evidence and test results for CSOs that have a provisional authorization.
- eMASS site: https://cloud.emass.apps.mil/

Summary of Additional Requirements from CC SRG

Additional Considerations and/or Requirements for IL4/IL5

- DoD PKI authentication by DoD privileged and non-privileged users
- DoD IP addressing
- CSP data center locations
- CSO management/monitoring plane (and/or specific devices/systems) and its integration with the CSP's corporate network or the general commercial CSO management plane
- CSP personnel managing and/or monitoring the CSO infrastructure
- The availability of a private connection capability between the off-premises CSP's/CSO's network and DoD networks in support of connections through the BCAP and meet-me points

Additional Considerations for IL4/IL5, contd.

- Reliance of the CSO or user experience on Internet-based capabilities such as public DNS or content delivery networks.
- Reliance on Internet access to reach the CSO management/service ordering portal or API endpoints from either NIPRNet or from within the CSO.
- The protections in place in the CSP's network and CSO to prevent any Internet connection to the CSP's/CSO's network and CSO from becoming a back door to the NIPRNet via the private connection through the BCAP.
- The robustness of the CSP's required boundary protection (defense-in-depth security / protective measures) implemented between the Internet and the CSO for its protection from Internet-based threats.
- All other requirements as defined in the CC SRG and other considerations as realized while assessing the CSO or as a result of lessons learned.

Joint Validation Team (JVT) Review Methodology

UNITED IN SERVICE TO OUR NATION

JVT Analysts

- The CSP's DoD Sponsor must provide additional resources to participate in the review of the CSP's security authorization package.
- The DISA Cloud Assessment team will provide a Cloud SCA-R to function as overall manager of the DoD JVT process. The DoD sponsor's analysts accomplish most of the review and validation work.
- The sponsor's support analysts should be deeply familiar with the RMF.
- The scope of effort is estimated to take 12-14 weeks for an uplift and five to eight months when a FedRAMP authorization is not leveraged.
- The CSP and their 3PAO will be expected to collaborate and provide input to information exchange meetings and work with the JVT to establish the schedule and timeline to completion.

JVT Skill Requirements

Specific skills needed:
- In-depth familiarity with the NIST Risk Management Framework (RMF)
- Knowledge of DoD RMF
- Knowledge of the DoD Cloud Computing Security Requirements Guide
- Familiarity with FIPS 199, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-37
- Familiarity with FedRAMP documentation review processes (training on FedRAMP.gov)
- Ability to review and analyze CSP artifacts for completeness, consistency, compliance, and due diligence
- Knowledge of cryptographic protocols and standards such as FIPS 140, SSH, SSL/TLS, etc.
- Knowledge of multifactor authentication methodology and types
- Knowledge of network architecture
- Ability to review and understand dataflow diagrams
- Writing skills for clarity and conciseness in comments
- Familiarity with and knowledge of DoD 85XX documents

JVT Review Methodology

The JVT will perform a technical review and validation of the following CSP/3PAO completed and signed documentation, and any other relevant documents:
- Readiness Assessment Report (RAR)
- Architecture/Network Topology
- SSP and IL4/5/6 SSP Addendum for FedRAMP controls
- FedRAMP baseline continuous monitoring artifacts, if applicable
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- SAR brief requested from the 3PAO after the SAR is submitted
- Plan of Action & Milestones (POA&M)
- CSP to provide review of risk remediation and mitigation plans from the Plan of Action & Milestones
- All additional supporting documentation

JVT Lead Responsibilities

- Performs initial review to verify readiness prior to kickoff
- Develops a review schedule
- Prepares a consolidated team review comment spreadsheet for each of the primary cloud security documents under review
- Tasks individual team members, tracks items and collects responses per document
- Schedules weekly meetings with the JVT and biweekly meetings for all stakeholders to share progress
- Sends comments to the CSP/3PAO for adjudication and resolution
- Liaises with the CSP/3PAO for all matters related to validation of requirements for the DoD PA
- Prepares authorization documents

JVT Responsibilities

- Review all documents included in the CSP's security authorization package
- Review documents for completeness and structural thoroughness
- Assess/validate compliance of implemented controls
- Ensure compelling evidence maps to applicable security controls
- Review system architecture for in-depth understanding of the authorization boundary
- Review architecture for data flows, trusted connections, remote access activities
- Provide comments to the JVT lead on the provided comment sheet
- Review response comments from the CSP and 3PAO for adjudication
- Meet weekly or as needed with the JVT Lead and 3PAO/CSP to adjudicate comments
- Provide input to stakeholder briefing slides
- May attend the DSAWG security briefing for the CSO

DoD PA Process – Readiness Review

Initiation
- Sponsor contacts DISA to initiate the process.
- DoD Component sponsors the CSP for DoD Impact Level 4/5/6.
- DISA schedules the Initial Planning Meeting; DISA RME holds the initial planning meeting and the DoD sponsor commits resources.
- DISA assigns the JVT Lead.
- JVT, CSP, and 3PAO teams coordinate, develop and plan work schedule milestones.
- CSP completes the DoD FedRAMP/FedRAMP assessment: FedRAMP baseline documents, DoD RAR, DoD SSP Addendum and any applicable security overlays.

Two paths:
- CSP leverages a FedRAMP JAB P-ATO or Agency ATO for the DoD PA.
- Without a FedRAMP authorization, DISA and the DoD Sponsor coordinate the process with the CSP/3PAO.

DoD PA Process – Kickoff

CSP/3PAO submit documentation
- CSP/3PAO submit FedRAMP baseline documentation, SSP Addendum, RAR, and SAP.
- DISA Cloud SCA-R/JVT conduct a quality review of readiness: identify major findings or showstoppers, determine possible timelines for the JVT detailed review to begin, and schedule the kickoff meeting.
- DISA SCA-R/JVT reviews the RAR, SSP Addendum, SAP, and documentation checklist for readiness. If not ready, the SCA-R will push back for resubmission and restart.

Kickoff meeting
- Discuss the authorization boundary, external connections, and a summary of control implementation.
- SCCA team shares BCAP information.
- DoD NIC shares information on the .mil domain, DNS, and IP address space.

DISA SCA-R/JVT approve the SAP, with Cloud SCA approval
- Approval of the SAP and SSP Addendum.

DoD PA Process – JVT Detailed Review

Prerequisites: 3PAO Assessment

Review and Remediation
- JVT performs quality review and analysis on the security package (SSP/SAP/SAR/POA&M).
- DISA SCA-R/JVT verifies quality and completeness of CSP/3PAO artifacts.
  - JVT validates DoD requirements through review of documentation and discussions.
  - Schedule JVT weekly meetings, stakeholder biweekly updates, and meetings with the CSP/3PAO as needed.
- DISA SCA-R provides the comment sheet to the CSP/3PAO for adjudication of findings.
  - Analyze the full package for flaws.
  - Return the package for rework if flawed, then restart the validation clock upon resubmission.
  - CSP/3PAO provide a written response to all comments as applicable.
- CSP remediates findings, and the 3PAO attests to the remediation performed.
  - Findings should be remediated prior to completion of validation.
  - 3PAO attestation may be required for remediation performed after the assessment.
  - Findings that remain open must be mitigated and have a remediation plan subject to approval.

DoD PA Process – Authorization Recommendation

Prerequisites: DISA SCA-R/JVT review completed; all comments adjudicated.

Authorization Recommendation & DSAWG Presentation
- DISA Cloud SCA-R develops the risk determination and authorization documents, including the briefing for the DSAWG.
- Draft Authorization Recommendation and DSAWG Brief prepared for submission.
- Cloud SCA review and approval.
- Updated artifacts/evidence may be requested from the CSP/3PAO and are submitted as requested.
- CSP submits required monthly continuous monitoring deliverables throughout the authorization process.
- Final Authorization Recommendation and DSAWG Brief submitted.

DoD Provisional Authorization Process – DSAWG & AO

Prerequisites: Cloud SCA approval for submission to the DSAWG.

DSAWG Review & AO Decision
- DSAWG review; updated artifacts/evidence may be requested from the CSP/3PAO.
- DSAWG feedback to the AO.
- AO decision: PA memo signed and posted on the DCAS site.

Continuous Monitoring

- FedRAMP and DoD continuous monitoring requirements apply until the DoD Provisional Authorization is revoked or expires.
- DISA Cloud SCA-R schedules monthly meetings between CSP POCs and DISA.
- Visit FedRAMP.gov for training, documents, and templates.
- Visit the DoD Cyber Exchange for DoD requirements and documents related to DoD cloud use.
- CSPs maintain test results and evidence in eMASS.
- Mission owners inherit security controls in eMASS.

DoD Cloud Authorization Services (DCAS) Site

- Find information about the DoD Cloud Authorization Process, DoD templates, and useful links.
- DoD component sponsors can initiate the onboarding process for a CSP/CSO.
- Browse the list of authorized and candidate cloud services.

Cloud Resources

- DoD Cyber Exchange: https://cyber.mil/
  - Public and CAC-enabled content
  - Cloud Computing SRG, templates, other documents related to cloud
- DISA website (DoD Cloud Authorization Process): https://disa.deps.mil/org/RMED/cas
  - CAC-enabled site
  - Sponsorship Request Form, Authorization Process, Services Catalog, etc.
- Contact Us

DEFENSE INFORMATION SYSTEMS AGENCY
The IT Combat Support Agency
www.disa.mil
/USDISA  @USDISA
