The Defense Information Systems Agency issued a Provisional Authorization (PA) Aug. 15 enabling DOD mission partners and service components to host DoD Impact Level 2 (IL2) data on Federal Risk and Authorization Management Program (FedRAMP) Authorized, Moderate Baseline, Cloud Service Offerings (CSO), without waiting for an explicit, DoD written authorization.
DISA’s Risk Management Executive (RME) and Authorizing Official (AO), Roger Greenwell, signed the blanket Provisional Authorization to streamline processes and information availability for mission partners looking to host DoD IL2 mission data in the cloud. It also reduces the steps industry partners go through prior to FedRAMP Moderate authorized solutions being available to address DoD customer needs.
“This authorization allows for data designated publically releasable or IL2, to be stored in the cloud on authorized FedRAMP offerings without waiting for DoD to issue a specific authorization document,” said Greenwell. “We worked with officials from the DoD, Chief Information Office (CIO), and mission partners on the drafting of the policy, and believe this approach provides significant benefit to both the DoD community as well as the cloud industry."
This reciprocity memo applies to CSOs authorized at the FedRAMP Moderate Baseline, whose datacenters are located in the United States or its territories, and listed in the FedRAMP Marketplace. Information and associated authorization artifacts for the various CSOs are available at FedRAMP and from the Cloud Service Provider’s (CSP) listed point-of-contact.
The memo further explains reciprocity is contingent upon the CSP maintaining the FedRAMP Joint Authorization Board (JAB) or agency authorization for the CSO and adhering to successful continuous monitoring practices. If the FedRAMP JAB or agency authorization is suspended, revoked, restricted, or limited in any manner, the DoD IL2 reciprocity for that CSO is considered suspended and will be explicitly revoked until all issues with the authorization are mitigated in accordance with policy.
Mission partners with questions regarding this action should contact the DoD Cloud Authorization Services (DCAS) team or the Security Control Assessor and Chief of Assessments and Authorization Division.