Compliance
What is FedRAMP+?
This content is provided "as is" and is more than a year old. No representations are made that the content is up-to date or error-free. Please see the latest on this topic here.
The Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG) Version 1, Release 3 defines FedRAMP Plus (FedRAMP+) as:
“… the concept of leveraging the work done as part of the FedRAMP assessment and adding specific security controls and requirements necessary to meet and assure DoD’s critical mission requirements. A CSP’s CSO can be assessed in accordance with the criteria outlined in this SRG, with the results used as the basis for awarding a DoD provisional authorization.”
CC SRG Overview
The DoD CC SRG was developed by the Defense Information Systems Agency (DISA) for DoD agencies and DoD Mission Owners. DISA’s requirements build on the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) requirements for authorizing cloud services for use by federal government civilian agencies. FedRAMP+ outlines specific requirements for the implementation of cloud service offerings (CSOs) used by the DoD. The “plus” in FedRAMP+ signifies the additional security requirements that DISA has built on top of what FedRAMP as a program establishes for a risk-based approach in standardizing the adoption and use of cloud services by the federal government.
For any Cloud Service Provider (CSP) interested in providing solutions to the DoD, they must pass an assessment based on the CC SRG requirements to achieve a DoD Provisional Authorization (PA). The DoD PA is the acknowledgement of risk based on an evaluation of the CSP’s CSO and the potential for risk introduced to DoD networks, and is equivalent to achieving a FedRAMP authorization for providing services to federal civilian agencies.
FedRAMP vs CC SRG
The FedRAMP program was established in 2011 to provide a risk-based approach to cloud adoption by the federal government. The program is specific to cloud technologies that store, process, or transmit federal information and is not applicable to non-federal state and local government organizations (though there are public and private organizations interested in CSOs that have achieved FedRAMP authorization).
The CC SRG was released after FedRAMP and, among other things, it defines the additional security requirements and guidance that DoD Mission Owners and CSPs must meet to offer their CSO to DoD departments and agencies. While the CC SRG follows a similar take on the “do once, use many times” framework as FedRAMP does for the authorization of CSOs, there are notable differences in the authorization process itself. Information security objectives in the CC SRG are defined by specific information Impact Levels (IL), which categorize data based on sensitivity – ranging from public to classified secret information. Security controls baselines for an IL are aligned respective to the confidentiality and integrity of the data stored within the CSO. A DoD Mission Owner must carefully assess not only the Federal Information Processing Standards (FIPS) 199 system categorization of the CSO, but also the IL which determines the information sensitivity threshold of what type of data can be processed.
What are the required authorization levels?
There are four ILs presently in use for authorization of cloud service offerings with the DoD and each is based on the sensitivity of the information being stored, processed, or transmitted in the CSO. When evaluating the appropriate DoD IL to assess against, the best reference is the Figure 1 - Impact Level Comparison provided in the CC SRG. This figure provides a high-level comparison of the security control requirements, location, connectivity, separation, and personnel requirements associated with each IL.
Impact level
Information sensitivity
Security controls
Location
Off-premises connectivity
Separation
Personnel requirements
2
PUBLIC or Non-critical Mission Information
FedRAMP v2 Moderate
US / US outlying areas
or
DoD on-premises
Internet
Virtual / Logical
PUBLIC COMMUNITY
National Agency Check and Inquiries (NACI)
4
CUI or Non-CUI
Non-Critical Mission Information
Non-National Security Systems
Level 2
+
CUI-Specific Tailored Set
US / US outlying areas
or
DoD on-premises
NIPRNet via CAP
Virtual / Logical
Limited "Public" Community
Strong Virtual Separation Between Tenant Systems & Information
US Persons
ADP-1 Single Scope Background Investigation (SSBI)
ADP-2 National Agency Check with Law and Credit (NACLC)
Non-disclosure Agreement (NDA)
5
Higher Sensitivity CUI
Mission Critical Information
National Security Systems
Level 4
+
NSS & CUI-Specific Tailored Set
US / US outlying areas
or
DoD on-premises
NIPRNet via CAP
Virtual / Logical
FEDERAL GOV. COMMUNITY
Dedicated Multi-Tenant Infrastracture Physically Separate from Non-Federal Systems
Strong Virtual Separation Between Tenant Systems & Information
US Persons
ADP-1 Single Scope Background Investigation (SSBI)
ADP-2 National Agency Check with Law and Credit (NACLC)
Non-disclosure Agreement (NDA)
6
Classified SECRET
National Security Systems
Level 5
+
Classified Overlay
US / US outlying areas
or
DoD on-premises
CLEARED/CLASSIFIED FACILITIES
SIPRNET DIRECT
With DoD SIPRNet Enclave Connection Approval
Virtual / Logical
FEDERAL GOV. COMMUNITY
Dedicated Multi-Tenant Infrastracture Physically Separate from Non-Federal and Unclassified Systems
Strong Virtual Separation Between Tenant Systems & Information
US Citizens w/ Favorably Adjudicated SSBI & SECRET Clearance
NDA
Figure 1 - Impact Level Comparison
Coalfire has experience navigating the requirements of the CC SRG and assisting customers in building upon existing FedRAMP authorized environments to meet the additional FedRAMP+ requirements, or as a standalone authorization within the DoD. We will continue to explore the DoD Cloud Computing requirements in this ongoing blog series.
For more information on FedRAMP, please visit our website.
Contact 3PAO@coalfire.com for more information on how we can help.
This is part one of our series on FedRAMP+ and DoD cloud computing requirements. Click here to continue reading blog #2 in the series, Requirements for DoD Impact Level 2.