UNCLASSIFIED

TRUST IN DISA: MISSION FIRST, PEOPLE ALWAYS!

DoD Cloud Authorization Process

DISA Cloud Assessment Division, DISA RME/RE2

April 2021


Cloud Computing Security Requirements

Table of Contents
1. Introduction
2. Background
3. Information Security Objectives / Impact Levels
4. Risk Assessment of Cloud Service Offerings
5. Security Requirements
6. Cyber Defense and Incident Response


Authorization Terminology

• FedRAMP Joint Authorization Board (JAB) Provisional Authorization (P-ATO)
  • Issued by the JAB to a Cloud Service Provider (CSP) for its Cloud Service Offering (CSO)
  • CSP’s package is reviewed by JAB Reviewers from three agencies (DoD, DHS, GSA)

• Agency Authorization to Operate (ATO)
  • Issued by a Federal Agency Authorizing Official (AO) to a CSP for its CSO based on compliance with FedRAMP requirements and listed on the FedRAMP Marketplace

• DoD Provisional Authorization (PA)
  • Issued by the DISA Authorizing Official (AO) to a CSP for its CSO based on FedRAMP and additional DoD security requirements (Impact Levels 4/5/6) and primarily issued for enterprise use
  • Typically leverages a CSP’s JAB P-ATO or Federal Agency ATO
  • Reciprocity memo issued at Impact Level 2 for CSOs on the FedRAMP Marketplace
  • CSP’s package is reviewed by DoD Reviewers from DISA and the DoD Component sponsoring the CSP

• DoD Component ATO
  • Issued by a DoD Component AO to a Mission Owner for its system/data that makes use of the CSP’s CSO
  • Must leverage a CSP’s DoD PA

Provisional Authorization – Focuses on CSO Risk
Granted by: The FedRAMP JAB and the DISA AO
To: A CSP for its CSO

ATO – Focuses on Mission Risk
Granted by: A DoD Component’s AO
To: A DoD Mission Owner for their system


DISA Cloud Assessment Division

• The DISA Cloud Assessment Division provides support to DoD Component Sponsors/Mission Owners through the pre-screening, assessment, validation, authorization, and continuous monitoring of a Cloud Service Offering (CSO).

• They ensure the Cloud Service Provider (CSP) and CSO meet DoD cloud security controls and connection requirements.

• They serve as reviewers on the FedRAMP Joint Authorization Board (JAB).


The Three Paths to a DoD PA

1. CSP CSO with a FedRAMP JAB P-ATO

• This is the DoD preferred path to a DoD PA because the DoD CIO and the DISA Security Control Assessor Representative (SCA-R) (i.e., JAB DoD Reviewers) are involved in FedRAMP JAB assessment and authorization activities as part of the FedRAMP JAB team comprised of DoD, GSA and DHS reviewers.

• For Impact Levels 4 (IL4) and above, DoD leverages the documentation and artifacts produced as part of the FedRAMP process with an additional assessment of the DoD-specific security controls and requirements not addressed by FedRAMP.

• For Impact Level 2 (IL2), DoD does not do any additional assessment and has issued a reciprocity memo for FedRAMP Moderate (MBL) or High Baseline (HBL) authorizations that meet IL2 requirements.

• For IL4 and above, the additional assessment (i.e., FedRAMP+) must be performed by a FedRAMP-approved Third Party Assessment Organization (3PAO). The CSP/3PAO submit documentation (SSP/SAP/SAR/POAM, etc.) to the DISA SCA-R for review and validation by the Joint Validation Team (JVT) toward awarding a DoD PA.

• The validation process will leverage the authorized FedRAMP baseline. The DISA SCA-R will request all baseline documentation and applicable continuous monitoring artifacts.


The Three Paths to a DoD PA

2. CSP CSO with a FedRAMP Agency ATO listed in FedRAMP Marketplace

• CSPs with a non-DoD Federal Agency ATO based upon security controls assessed by a FedRAMP-approved 3PAO can be assessed for a DoD PA if the Federal Agency ATO has been reviewed and accepted by the FedRAMP PMO and placed on the FedRAMP Marketplace as an authorized FedRAMP Agency ATO.

• The minimum baseline for a DoD PA is FedRAMP Moderate. FedRAMP assessments done at the HBL facilitate transition to the DoD Cloud Computing Security Requirements Guide (SRG) Version 1 Release 3.

• For IL4 and above, DoD will leverage the Federal Agency ATO authorized baseline, to include all relevant continuous monitoring documentation, with additional assessment of the DoD-specific controls and requirements.

• A FedRAMP-approved 3PAO must perform the additional assessment.

• The CSP and 3PAO submit assessment documentation (SSP/SAP/SAR/POAM, etc.) to the DISA SCA-R for review and validation toward awarding a DoD PA.

• The DISA SCA-R will request all baseline documentation and applicable continuous monitoring artifacts.


The Three Paths to a DoD PA

3. DoD Component Assessed PA

• Without a FedRAMP JAB P-ATO or Agency ATO, a DoD Component assessment of a CSP’s CSO may only be performed under two circumstances:
  • If a DoD organization has a validated mission requirement that only the specific CSP’s CSO can fulfill, requiring it to be authorized
  • If a DoD organization acting as a CSP develops and instantiates a CSO

• The CSP’s CSO is fully assessed by a FedRAMP-approved 3PAO and the DISA Cloud SCA. The CSP’s CSO must be assessed and validated against both the FedRAMP Moderate/High Baseline and DoD’s FedRAMP+ requirements.

• The DoD organization with a need for that CSP’s CSO to be authorized will be required to support resourcing for the full assessment and validation in coordination with the DISA Cloud SCA organization.

• This assessment and validation is from initial start, so it may take up to 5 to 8 months for completion depending on the scope of effort.

• The CSP and 3PAO submit assessment documentation (RAR/SSP/SAP/SAR/POAM, etc.) to the DISA Cloud SCA for review and validation toward awarding a DoD PA.

Note: If a CSP receives a DoD-assessed PA and the offering is desired to be leveraged by other Federal Agencies, the CSP’s assessment package may be shared with FedRAMP and be available through the FedRAMP secure repository as well as the DoD Cloud Services Catalog.


Provisional Authorization Memo

• Initial DoD Provisional Authorization (PA)
  • The DISA AO is the Authorizing Official (AO) for a DoD PA.
  • Typically, a DoD PA is issued with an expiration date to be leveraged by DoD Mission Owners until it expires or is revoked.
  • The PA is issued with general and/or specific conditions for the CSP and usage considerations for the DoD Mission Owner.

• Ongoing Provisional Authorization
  • CSPs must comply with all Continuous Monitoring (ConMon) Requirements to maintain the DoD PA.

• Reauthorization
  • Upon expiration, a CSP’s CSO may be reauthorized if there is continued need by the DoD community and the CSP has maintained a satisfactory security posture. The DISA AO will issue an updated PA memo.


Information Impact Levels & Some Distinguishing Requirements


FedRAMP/FedRAMP+ Security Control Requirements

Baseline                     Composition                                                                 Total C/CE
FedRAMP Moderate (MBL)       325 Controls/Control Enhancements (C/CE)                                    325
FedRAMP High (HBL)           FedRAMP MBL + 97 additional C/CE                                            421
DoD Impact Level 4 (IL4)     FedRAMP MBL + 38 FedRAMP+ C/CE (325+38)                                     363
                             + 19 DoD General Readiness & DoD Unique Requirements
DoD Impact Level 5 (IL5)     IL4 + 9 FedRAMP+ C/CE (325+38+9)                                            372
                             + 19 DoD General Readiness & DoD Unique Requirements


DoD Provisional Authorization Process Timeline

[Timeline figure, reconstructed as phases in order. Estimated duration (per CSP) is 11 – 17 weeks (not including time for 3PAO Assessment).]

INITIAL CONTACT PHASE
• DoD Sponsor submits ICF to DCAS: DoD Sponsor completes “Initial Contact Form” in DCAS. DISA holds an initial phone call with DoD Sponsor and CSP to review the requirements of the sponsor and best path to PA.
• DISA holds process & requirements strategy meeting. Assigns priority and notional schedule.

ONBOARDING KICKOFF
• Prioritization assigned. Sponsor’s technical reviewers’ names and documentation checklist submitted to DISA. RAR, SAP, SSP, SSP Addendum, Architecture and JVT approval to proceed with testing.
• DISA schedules Initial Planning Conference call. JVT: DISA SCA-R, Sponsor Analysts, CSP & 3PAO.
• Introductions & Team Briefs: Sponsor – Overview; CSP – Architecture; 3PAO – Assessment Schedule & Plan; SCCA – CAP; NIC – IP & DNS; DISA – JVT Brief.
• Access to CSP document repository initiated. Initial Review of RAR, SSP, SSP Addendums, & documentation checklist for Readiness. Review and approve SAP.
• DISA SCA-R, JVT and CSP review and approve SAP. JVT Approval to Proceed with Assessment.

3PAO ASSESSMENT
• 3PAO conducts assessment. CSP provides SSP & POA&M; 3PAO provides SAR. Time varies depending on FedRAMP baseline.
• 3PAO and CSP ensure delivery of documentation. Work parsing begins and Technical Exchange Meeting Schedule established.

DoD JVT REVIEW & REMEDIATION (8-10 weeks)
• DoD JVT performs validation on security package (SSP/SAP/SAR/POAM). Validation begins with access to Security Package (SSP/SAR/POAM).
• JVT iterative review of CSO package. Comments to CSP & 3PAO, remediation (if required).
• CSP/3PAO remediate issues, re-test, update documents, respond to JVT comments, deliver revised package. POA&M updated.

AUTHORIZATION & DSAWG PREP (1-3 weeks)
• Authorization Rec, items/issues, vulnerability tables & DSAWG Brief developed.
• Draft Authorization Recommendation and DSAWG Brief; submit to DSAWG.
• Authorization Recommendation and DSAWG Brief finalized and submitted to seniors for review. Forward to DSAWG 2 WEEKS in advance of DSAWG meeting, which is 2nd Tuesday of month.

DSAWG REVIEW (1-2 weeks)
• DSAWG Review and Comments. Authorization Recommendation submitted to DSAWG for comments then to DISA AO for authorization decision.

AO DECISION (1-2 weeks)
• Final AO Review / PA Sign Off.

MISSION OWNER
• Authorize use of CSO; Submit for Connection. Mission Owners must authorize use of a CSO utilizing the DoD PA MO guidance. After authorization is issued, submit for connection.

MONITOR & MANAGE
• Network Defense and Monitoring.


Mission Owner AO Responsibility

• Inherit/Leverage – Maximize use of existing body of evidence
  • Scope of testing adequate? If so, review the 3PAO’s Security Assessment Plan (SAP)
  • Review test results: 3PAO’s Security Assessment Report (SAR)
  • Residual risk: Review POA&Ms, continuous monitoring data, DISA’s Authorization Recommendation and Provisional Authorization memos
  • Identify and proceed with any additional testing required (with CSP and 3PAO)

• If risk is acceptable, issue an IATT or ATO
  • Accept risk and liabilities identified in the DoD PA for the Mission Owner’s unique system and mission
  • Impose any conditions deemed necessary for the secure operation of the CSO in the context of the Mission Owner system requirements, interconnections, and data processed
  • Issue ATO to a Mission Owner for a system that makes use of the CSP’s CSO


Mission Owner AO Risk Decision

[Figure: security responsibility split between the CSP and the DoD Mission Owner for each service model (IaaS, PaaS, SaaS). The CSP’s portion is authorized by the FedRAMP JAB (JAB P-ATO) and the DISA AO (DoD PA); the DoD Mission Owner’s portion is authorized by the Mission Owner AO (ATO+).]


JVT Analysts

• Under the joint technical review process, the CSP’s DoD Sponsor must provide additional resources to participate in the Joint Technical Validation Process. The DISA Cloud Assessment team will provide a Joint Validation Team (JVT) Lead who will function as overall manager of the DoD JVT process with the DoD Sponsor analysts accomplishing most of the validation review work.

• The CSP’s sponsoring agency should commit to the offering, provide a minimum of two qualified technical reviewers (IAM Level II/III) highly familiar with the RMF, and be prepared to attend/champion the DSAWG session for the cloud service offering. The scope of effort is normally 12-14 weeks but may vary depending on conditions unique to each CSP or CSO.

• The CSP and their 3PAO will be expected to collaborate and provide input to information exchange meetings and work with the JVT to establish the schedule and timeline to completion.


JVT Skill Requirements

• The sponsoring agency’s analysts must meet DoD 8570 requirements for IAM Level II/III

• Specific skills needed:
  • In-depth familiarity with NIST Risk Management Framework (RMF)
  • Knowledge of DoD RMF
  • Knowledge of DoD Cloud Computing Security Requirement Guide
  • Familiarization with FIPS-199, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-37
  • Familiarization with FedRAMP documentation review processes
  • Ability to review and analyze CSP artifacts for completeness, consistency, compliance, and due diligence
  • Knowledge of cryptographic protocols and standards such as FIPS 140, SSH, SSL/TLS, etc.
  • Knowledge of multifactor authentication methodology and types
  • Knowledge of network architecture
  • Ability to review and understand dataflow diagrams
  • Writing skills for clarity and conciseness in comments
  • Familiarity with and knowledge of DoD/85XX documents


JVT Review Methodology

• The JVT will perform a technical review/validation of the following CSP/3PAO completed and signed documentation, and any other relevant documents:
  • Readiness Assessment Report (RAR)
  • SSP & IL4/5/6 SSP Addendum for FedRAMP+ controls
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Plan of Action & Milestones (POA&M)
  • Architecture/Network Topology
  • SAR Brief – Review of risk remediation and mitigation plans from the Plan of Action & Milestones
  • FedRAMP baseline continuous monitoring artifacts, if applicable
  • Supporting documentation


JVT Review Methodology – JVT Lead

• Develops a review schedule, typically 12-14 weeks
• Prepares a consolidated team review comment spreadsheet for each of the primary cloud security documents under review
• Tasks individual team members, tracks items and collects responses per document
• Schedules weekly meetings with JVT and biweekly meetings for all stakeholders to share progress
• Sends comments to CSP/3PAO for adjudication and resolution
• Liaises with CSP/3PAO for all matters related to validation of requirements for DoD PA
• Prepares authorization documents


JVT Responsibilities – JVT Members

• Review all documents included in the CSP’s security authorization package
• Review documents for completeness and structural thoroughness
• Assess/validate compliance of implemented controls
• Ensure compelling evidence maps to applicable security controls
• Review system architecture for in-depth understanding of authorization boundary
• Review architecture for data flows, trusted connections, remote access activities
• Provide comments to JVT lead on provided comment sheet
• Review response comments from CSP and 3PAO for adjudication
• Meet weekly or as needed with JVT Lead and 3PAO/CSP to adjudicate comments
• Provide input to stakeholders briefing slides
• May attend the DSAWG security briefing for the CSO


DoD Provisional Authorization Process - Initiation

Initiation

Sponsor contacts DISA for Onboarding
• DoD Component sponsors CSP for DoD Impact Level 4/5/6
• CSP leverages FedRAMP JAB P-ATO or Agency ATO for DoD PA
• Without FedRAMP authorization, DISA & DoD Sponsor coordinate process with CSP/3PAO

DISA schedules Initial Planning Meeting
• DISA schedules initial planning meeting to discuss CSP’s CSO readiness in accordance with DoD’s SRG security requirements
• DISA RME holds Initial Planning meeting
• DoD Sponsor commits resources

DISA assigns priority and JVT Lead
• JVT, CSP, and 3PAO teams coordinate, develop and plan work schedule milestones

CSP completes DoD FedRAMP+ assessment
• DoD RAR, DoD SSP Addendum and any applicable security overlays


DoD Provisional Authorization Process – Kickoff

Kickoff
• DISA schedules onboarding kickoff meeting to discuss CSO’s system architecture and authorization boundary
• SCCA team presents information on connecting to the DISA CAP
• DoD NIC team presents information on options for top level domain, DNS, and IP address space

Review System Architecture / Authorization Boundary
• Identify major findings or showstoppers
• Determine possible timelines for validation effort to begin

CSP/3PAO submit documentation
• CSP/3PAO submit FedRAMP baseline documentation, SSP Addendum, RAR, and SAP
• DISA SCA-R/JVT conduct quality review of readiness
• Review documentation, including architecture / authorization and network boundary

DISA SCA-R/JVT approve SAP, with Cloud SCA approval
• Approval of the SAP and SSP Addendum

DISA SCA-R/JVT reviews RAR, SSP Addendum, SAP, and documentation checklist for readiness. If not ready, SCA-R will push back for resubmission and restart.


DoD Provisional Authorization Process - Validation

Review and Remediation

• Prerequisites:
  • 3PAO Assessment

JVT performs quality review, analysis on security package (SSP/SAP/SAR/POAM)

DISA SCA-R/JVT verifies quality and completeness of CSP/3PAO artifacts
• JVT validates DoD requirements through review of documentation and discussions
• Schedule JVT weekly meetings
• Schedule stakeholder biweekly updates
• Schedule meetings with CSP/3PAO as needed

DISA SCA-R provides comment sheet to CSP/3PAO for adjudication of findings
• Analyze full package for flaws
• Return package for rework if flawed, then restart validation clock upon resubmission
• CSP/3PAO provide written response to all comments as applicable

CSP remediates findings, and 3PAO attests to remediation performed
• Findings should be remediated prior to completion of validation
• 3PAO attestation may be required for remediation performed after assessment
• Findings that remain open must be mitigated and have a remediation plan subject to approval


DoD Provisional Authorization Process – Recommendation

Authorization Recommendation & DSAWG Presentation

• Prerequisites:
  • DISA SCA-R/JVT validation completed
  • All comments adjudicated

DISA SCA-R develops Authorization Recommendation and Presentation for the DSAWG
• Updated artifacts/evidence may be requested from CSP/3PAO
• CSP submits required monthly continuous monitoring deliverables throughout authorization process

Draft Auth Rec and DSAWG Brief for Submission

Cloud SCA Review & Approval
• Updated artifacts/evidence submitted by CSP/3PAO as requested

Final Auth Rec and DSAWG Brief Submitted


DoD Provisional Authorization Process – DSAWG & AO

DSAWG Review & AO Decision

• Prerequisites:
  • Cloud SCA Approval for submission to DSAWG

DSAWG Review
• Updated artifacts/evidence may be requested from CSP/3PAO

DSAWG Feedback to AO

AO Decision
• PA Memo signed and posted on DCAS site


Continuous Monitoring

• FedRAMP & DoD Continuous Monitoring requirements apply until the DoD Provisional Authorization is revoked or expires.
• DISA SCA-R schedules monthly meetings between CSP POCs and SCA-R
• Visit FedRAMP.gov for training, documents, and templates.
• Visit DoD Cyber Exchange for DoD requirements and documents related to cloud use.
• CSPs will have an account in a cloud instance of eMASS.
• Mission Owners can inherit security controls in eMASS that are the responsibility of the CSP or shared between the CSP and the customer.


DoD Cloud Authorization Services (DCAS) Site

• Cloud Authorization Process:
  • Provides Cloud Service Providers (CSPs) with DoD templates and supporting documentation

• Sponsor a CSP/CSO:
  • DoD component sponsors will initiate the onboarding process for a CSP/CSO

• Current DoD Cloud Service Offerings:
  • Provides a catalog of current authorized Cloud services and access to their Provisional Authorization (PA) letter
  • Allows a request to sponsor an upgrade to an existing PA

• Current Service Offering Candidates:
  • Provides the status of ongoing cloud candidates in the DoD queue

• Cloud Support Resources:
  • Provides helpful DoD guidance and supporting documentation


Cloud Resources

• DoD Cloud Authorization Process
  • https://disa.deps.mil/org/RMED/cas
  • CAC-enabled site. Requires PKI access
  • Sponsorship Request Form, Authorization Process, Services Catalog

• DoD Cyber Exchange
  • https://cyber.mil/
  • Public and CAC-enabled Content
  • Cloud Computing SRG, Templates, Other documents related to cloud

• DISA Website
  • https://storefront.disa.mil/kinetic/disa/service-catalog#/category/cloud-computing
  • DISA Storefront

• Contact Us
  • [email protected]


DEFENSE INFORMATION SYSTEMS AGENCY
The IT Combat Support Agency

/USDISA   @USDISA   www.disa.mil