Rule ID
SV-259884r959010_rule
Version
V1R3
CCIs
CCI-000366
FedRAMP Moderate is the minimum security baseline for all DOD cloud services. Components and Mission Owners may host unclassified, publicly releasable DOD information on FedRAMP Moderate approved cloud services. This type of CSO is known as Impact Level 2. They may also configure an offering from the DISA PA DOD Cloud Catalog at any Impact Level for use. Low Confidentiality Impact: Mission Owners will only publish, collect, store, or process low confidentiality impact (sensitivity) personally identifiable information (PII) in a CSO minimally possessing a FedRAMP Moderate Provisional Authority to Operate (P-ATO) listed on the FedRAMP Marketplace and a DOD Level 2 Provisional Authorization (PA), with Privacy Officer approval.
If the CSO implementation is categorized as Impact Level 4/5/6, this is not applicable. Review the approval documentation. Verify the cloud service offering is listed in either the FedRAMP or DISA PA DOD Cloud Catalog when hosting unclassified, publicly releasable DOD information. If unclassified, publicly releasable DOD information is being hosted in the IaaS/PaaS and the CSO is not listed in the FedRAMP Marketplace as FedRAMP moderate (at a minimum), or the DISA PA DOD Cloud Catalog, this is a finding.
This applies to Impact Level 2. FedRAMP Moderate, High. Select and configure an Impact Level 2 CSO listed in the FedRAMP Marketplace as FedRAMP moderate, or the DISA PA DOD Cloud Catalog, when hosting unclassified, publicly releasable DOD information.