FORT GEORGE G. MEADE, Md. – A new Cloud Computing Security Requirements Guide was released today by the Defense Information Systems Agency to provide guidance and policy to commercial Cloud Service Providers and mission partners in the Department of Defense as they explore cloud computing options.
"The SRG is designed to ensure that DoD can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk," said Mark Orndorff, DISA Risk Management Executive.
The Cloud Computing SRG establishes the DoD security objectives to host DoD missions up to and including SECRET on commercial service offerings. Missions above SECRET must follow existing applicable DoD policies and are not covered by the SRG.
The SRG incorporates, supersedes, and rescinds the previously published Cloud Security Model and applies to all CSP offerings, regardless of who owns or operates the environments.
The Cloud Computing SRG serves several purposes:
- Provides security requirements and guidance to non-DoD owned and operated CSPs that wish to have their service offerings included in the DoD Cloud Service Catalog.
- Establishes a basis on which DoD will assess the security posture of a non-DoD CSP's service offering, supporting the decision to grant a DoD Provisional Authorization that allows a non-DoD CSP to host DoD missions.
- Defines the policies, requirements, and architectures for the use and implementation of commercial cloud services by DoD Mission Owners.
- Provides guidance to DoD Mission Owners and Assessment and Authorization officials (formerly Certification and Accreditation) in planning and authorizing the use of a CSP.
The SRG is posted on the IASE website: http://iase.disa.mil/Pages/index.aspx.
Visit the DISA website: www.disa.mil.