V-259872

Discussion

The Mission Owner must appoint specific individuals or entities to establish plans and policies for the control of privileged user access (including root account credentials) used to establish, configure, and control a Mission Owner's Virtual Private Cloud (VPC) configuration once connected to the DISA Information Systems Network (DISN). These individuals or entities establish and manage accounts and credentials used by privileged DOD users and systems to administer and control DOD cloud service offering configurations. This role is intended to operate at all DOD information Impact Levels. However, it may not apply to some Software-as-a-Service (SaaS) solutions where DOD account owners are not required to use the cloud service provider's (CSP's) Identity and Access Management (IdAM) system to administer user accounts and service configurations.

Check Content

Review the site's approval documentation to verify that an individual or entity has been appointed to manage the cloud management service portal. This may be a group or contracted service. Verify the cloud service offering has been configured to allow only these individuals for portal service and virtual instance configuration.

If the Mission Owner has not configured the customer service portal credentials and the Mission Owner application/system privileged accounts for least privilege, this is a finding.