DOD CIO, Through DISA, Releases Cloud Security Requirements Guide Update

Relevant links are at the bottom of this post.

FORT GEORGE G. MEADE, Md. – The Department of Defense (DOD) Chief Information Office, through the Defense Information Systems Agency (DISA), released an update to the Cloud Computing Security Requirements Guide (CC SRG) Friday, March 25, to provide guidance and policy to commercial and DOD cloud service providers (CSPs), DOD components using cloud, and other mission partners in the Department of Defense as they develop cloud computing solutions and use cases.

“The CC SRG v1r2 is a result of the feedback we received from our mission and industry partners about the previous version released in January 2015. The new version fittingly represents the evolution we are going through to refine our processes and better position the department to enable secure options to migrate systems and data to the cloud,” said John Hickey, DISA Chief Information Officer and Risk Management Executive.

The update incorporates and supersedes CC SRG v1r1, and applies to all CSP offerings, regardless of who owns or operates the environments. It also applies to all DOD components and their usage of cloud services.

Published alongside the updated SRG is a revision history that helps interested parties understand the changes and how best to apply the information. A comment matrix is also published so that mission partners can comment on an ongoing basis; issues and concerns are welcome at any time, allowing for rapid correction of major issues.

“This on-going public comment period will allow our mission partners to offer changes as they become necessary,” said Robert Vietmeyer, associate director for cloud computing and agile development in the enterprise capabilities directorate at the DOD CIO’s office. “This is in direct support of the DOD CIO’s vision of ‘agile policy development.’”

The Cloud Computing SRG establishes the DOD security objectives to host DOD missions up to and including SECRET on commercial service offerings. Missions above SECRET must follow existing applicable DOD policies and are not covered by the SRG.

The updated SRG continues to serve several purposes:

– Provides security requirements and guidance to DOD and non-DOD owned and operated CSPs that wish to have their service offerings included in the DOD Cloud Service Catalog.

– Establishes a basis on which DOD will assess the security posture of a DOD or non-DOD CSP service offering, supporting the decision to grant a DOD Provisional Authorization that allows a non-DOD CSP to host DOD missions.

– Defines the policies, requirements, and architectures for the use and implementation of DOD or commercial cloud services by DOD mission owners.

– Provides guidance to DOD mission owners and assessment and authorization officials in planning and authorizing the use of a cloud service offering.

The SRG is posted on the IASE website: http://iase.disa.mil/cloud_security/Pages/index.aspx

http://disa.mil/News/PressResources/2016/Cloud-Security-Requirements

http://iase.disa.mil/cloud_security/Pages/index.aspx