Companies performing work in the Defense Industrial Base (DIB) often contemplate whether they should use a cloud service provider for their business, then wonder which version of the cloud service they should consider. The rules and regulations passed down to the DIB from the Federal Government are quite confusing when it comes to trying to figure out what their requirements are. In this article, we will try to clear some of that up!
FedRAMP Moderate Baseline
The Department of Defense provides the requirements in their Defense Federal Acquisition Supplements (DFARS) for the usage of cloud services when Covered Defense Information (CDI) will be stored, processed or transmitted using that service. Other Federal Agencies will communicate their requirements in the contract directly or by referencing that Agency’s policies (which you are expected to review when bidding on the contract).
In a previous article we posted a whitepaper. “Sensitive Unclassified Information,” which discusses CDI and how to identify it. This should be used as a reference and primer, so your organization understands CDI prior to deciding on the proper cloud platform. We also have an article highlighting the use of cloud environments for ITAR regulated information (even it if is not CDI or Controlled Unclassified Information (CUI)).
For DoD contracts, and those who will be using a cloud service for processing, storing or transmitting CDI, the minimum requirement is for FedRAMP Moderate baseline with 5 additional requirements, which is communicated in DFARS 252.204-7012, section b.2.ii.D;
If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/documents-templates/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
This means that even if the provider has a FedRAMP Moderate authorization, it must also provide the additional 5 requirements. Not all cloud providers will provide those 5 requirements in their FedRAMP Moderate offering.
Cloud services without a FedRAMP Moderate authorization who have met the FedRAMP Moderate equivalent (as defined in the DoD CIO Memo here), also need to meet those 5 additional requirements. It will be up to the user of the cloud service (DIB company) to ensure those 5 requirements are being met by the service provider. It is also up to the DIB company to ensure that the cloud service meets the FedRAMP moderate controls by obtaining evidence that the provider complies (typically by an assessment report from a 3rd party assessment organization or 3PAO).
Big Changes in the Cloud Computing Security Requirements Guide (SRG)
The DoD recently published a new version of the Cloud Service Provider SRG on June 14, 2024, which made significant changes to the requirements since it finally transitioned from NIST SP800-53 revision 4 to Revision 5 and it was renamed from Cloud Services to Cloud Service Provider.
Is There More?
The FedRAMP moderate baseline and the 5 additional requirements are perfectly acceptable for CUI Basic and some CUI Specified. Definitions about these two types of information can be found in 32 CFR 2002. Some CUI specified categories have dissemination requirements (information can only be shared if certain conditions are met). Your organization must also meet those in order to properly protect that CUI from unauthorized disclosure. The most frequently discussed type is information regulated under export regulations such as EAR or ITAR. In particular, this information requires the DIB company to ensure that information is not “exported” to a foreign business or person without an export license. Cloud Services that meet FedRAMP moderate controls did not have a requirement to use US Persons for the physical or remote support of the environment. This means if your organization places EAR, ITAR or CUI//SP-EXPT information into a FedRAMP moderate environment, you may be exposing export-controlled information to a non-US Person. If the cloud service meets FedRAMP Moderate controls, and the FedRAMP+ Controls (CUI overlay and/or National Security Overlay) for the DoD Cloud Service Provider Security Requirements Guide (SRG) Impact level 4, 5 or 6, then they meet the US persons requirement (but not necessarily the DFARS 252.204-7012 c through g clauses). The cloud service provider may also need to provide assurance that the information remains in the sovereign US data centers (no replication outside of it) so you meet export requirements as well.
Figure 1: DoD Cloud Service Provider SRG, V1R1 Table 5.1
Summary
If processing CDI using a cloud service provider, it must meet:
- FedRAMP Moderate (or equivalent)
- Requirements c-g of DFARS 252.204-7012
If processing CDI that is also CUI Specified or export-controlled information, the cloud service provider may need to meet:
- FedRAMP moderate (or equivalent)
- Requirements c-g of DFARS 252.204-7012
- US Data Sovereignty
- US Person support and access only
- FedRAMP+ controls (CUI overlay and/or NSS overlay)
- DoD Cloud Service Provider Impact level 4, 5 or 6
It can be complex, but at Daymark Solutions, we are here to assist your business to ensure you select the correct cloud service provider level that will ensure your data is compliant and secure.
Daymark’s Government Community Cloud (GCC) Team provides a white glove approach to architecting and implementing Microsoft 365 GCC High and Azure Gov services across the entire landscape of solutions that includes:
- Tenant security baseline hardening
- Governance and compliance solutions
- Identity and endpoint management
- Email and data migrations
- Data protection threat intelligence and protection solutions
As an AOS-G Government Services Partner, Microsoft Direct Cloud Service Provider and Microsoft AI Cloud Partner, Daymark has the breadth and depth of proven expertise to design, implement and provide on-going support of highly customized secure enclaves in Microsoft 365 GCC High and Azure Gov cloud. We can help your team along your journey to CMMC 2.0 Compliance. Contact us to learn more.