STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to STIGs

Cloud Computing Mission Owner Operating System Security Requirements Guide

Version

V1R3

Release Date

Aug 13, 2025

SCAP Benchmark ID

Cloud_Computing_Mission_Owner_OS_SRG

Total Checks

17

Tags

other
CAT I: 5CAT II: 12CAT III: 0

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSONDownload STIG ZIP

Checks (17)

V-259872HIGHThe Mission Owner must configure the customer service portal credentials for least privilege.V-259873MEDIUMThe Mission Owner must configure the cloud service offering (CSO)-provided customer logon banner to display the Standard Mandatory DOD Notice and Consent Banner before granting access to users that must log on.V-259874MEDIUMThe Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) to prohibit or restrict the use of functions, ports, protocols, and/or services.V-259875MEDIUMThe cloud service offering (CSO) must be configured to use DOD public key infrastructure (PKI) to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).V-259876MEDIUMThe Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must perform centralized logging to capture and store log records.V-259877MEDIUMFor Impact Levels 4 and 5, the Mission Owner must register all cloud-based services, their CSP/CSO, and connection method in the DISA Systems/Network Approval Process (SNAP) database Cloud Module.V-259878MEDIUMFor Impact Level 6, the Mission Owner must process connection approval to the SIPRNet through the DISA classified connection approval process.V-259879MEDIUMThe Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must remove orphaned or unused virtual machine (VM) instances.V-259880MEDIUMThe Infrastructure as a Service (IaaS)/Platform as a Service (PaaS)/Software as a Service (SaaS) must register the service/application with the DOD DMZ/IAP allowlist for internet-facing inbound and outbound traffic.V-259881HIGHFor storage service offerings, the Mission Owner must configure or ensure the cloud instance uses encryption to protect all DOD files housed in the cloud instance.V-259882MEDIUMThe Mission Owner of the Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) must remove all upgraded or replaced software and firmware components that are no longer required for operation.V-259883MEDIUMThe Mission owner must obtain Authorizing Official (AO) authorization for each cloud service offering (CSO) implemented in support of production or development environments prior to operational use.V-259884MEDIUMThe Mission Owner must select and configure an Impact Level 2 FedRAMP authorized cloud service offering (CSO) when hosting unclassified, publicly releasable DOD information.V-259885HIGHThe Mission Owner must select and configure an Impact Level 4/5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Controlled Unclassified Information (CUI).V-259886HIGHThe Mission Owner must select and configure an Impact Level 5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Unclassified National Security Information (U-NSI).V-259887HIGHThe Mission Owners must select and configure a cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog at Level 6 when hosting classified DOD information.V-259888MEDIUMThe Mission Owner must add all applicable compensating controls and requirements in the Service Level Agreement (SLA)/contract with the cloud service provider (CSP) or third-party provider.