STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
V-259888

CAT II (Medium)

The Mission Owner must add all applicable compensating controls and requirements in the Service Level Agreement (SLA)/contract with the cloud service provider (CSP) or third-party provider.

Rule ID

SV-259888r1056071_rule

STIG

Cloud Computing Mission Owner Operating System Security Requirements Guide

Version

V1R3

CCIs

CCI-000366

Discussion

The Mission Owner may tailor the SLA/contract to include any of the controls in the Cloud Computing Mission Owner SRG Overview, Table-3-1, beyond the FedRAMP and DOD Baseline and FedRAMP+ security controls. The Mission Owner is responsible for defining any parameter values associated with any added security control. These values should be based on current DOD Risk Management Framework (RMF) Technical Advisory Group (TAG) values or Committee on National Security Systems Instruction (CNSSI) 1253 values.

Any change of ownership involving a CSP, whether the primary CSP or an underlying CSP on which a cloud service offering (CSO) was built, will be reviewed by the DISA Authorizing Official (AO) to assess the impacts and risks associated with the continuation of the DOD Provisional Authorization (PA).

Any existing Impact Level 5/National Security System (NSS) systems will have two years from the publication date of the Cloud Computing SRG, V1R1, to update to the National Institute of Standards and Technology Special Publication 800-53 Rev 5. They must submit a Plan of Action and Milestones (POA&M) within 30 days, outlining actions to move to the High baseline requirement.

When new updates for the Cloud Computing SRG are published, the Mission Owners and their Authorizing Officials (AOs) must review the controls to determine if the risk is acceptable until such time the CSP is required to comply and/or include the required compliance in the SLA/contract.

Check Content

Verify that the SLA with the CSP and third-party providers includes all required compliance items in the Cloud Computing Mission Owner SRG.

If the Mission Owner does not add all required compensating controls and requirements in the SLA/contract with the CSP or third-party provider, this is a finding.

Fix Text

This applies to all Impact Levels.
FedRAMP Moderate, High.

Review Sections 3.3.6 and 3.3.7 of the Cloud Computing Mission Owner SRG Overview. Document all applicable compensating controls and requirements in the SLA/contract with the CSP or third-party provider.

Update the SLA/contract with any revised guidance in Cloud Computing SRG updates. If there is a period of noncompliance, document the risk.