This site provides a knowledge base for cloud computing security authorization processes and security requirements for use by DoD and non-DoD Cloud Service Providers (CSPs) as well as DoD Components, their application/system owners/operators, and information owners using Cloud Service Offerings (CSOs).
DoD Cloud Computing Security
DoD Cloud Authorization Process
The Cloud Assessment Division, operating as the DoD Cloud Authorization Services (DCAS) team, supports DoD components by pre-screening, assessing, validating, and managing the initial authorization process for Cloud Service Offerings (CSOs). There are two pathways to obtain a DoD Provisional Authorization (PA): leveraging an existing FedRAMP authorization or having a DoD component sponsor a CSO for a DoD PA.
DoD components seeking to sponsor a Cloud Service Provider (CSP) for a DoD Provisional Authorization, as well as the CSPs themselves, should be well-versed in the requirements outlined in the Cloud Computing Security Requirements Guide, which can be downloaded from the document library. It is also crucial for sponsors and CSPs to understand the cloud authorization process, for which a summary presentation and process diagram are available in the document library.
When DoD components are ready to sponsor a Cloud Service Offering (CSO), the DoD component sponsor should visit the DoD Cloud Authorization Services (DCAS) site (DoD CAC required) to submit a request form. The DCAS site is the primary starting point for sponsors to initiate the DoD Provisional Authorization (PA) process for their chosen CSOs. The DCAS site includes detailed steps outlining the Cloud Authorization Process, a Registration Portal for DoD sponsors, a list of all CSOs with a DoD Provisional Authorization (PA), and a Resources Page.
Cloud Computing Security Requirements Guide (CC SRG)
The Cloud Computing Security Requirements Guide (CC SRG) outlines the security model for DoD’s use of cloud computing, detailing the necessary security controls and requirements for cloud-based solutions. It applies to both DoD-provided cloud services and those offered by commercial Cloud Service Providers (CSPs) or DoD contractors on behalf of the Department. The CC SRG can be downloaded from the document library.
The CC SRG is intended for:
- Commercial and non-DoD Federal Government CSPs
- DoD programs operating as CSPs
- DoD Components and Mission Owners using, or considering the use of, commercial/non-DoD and DoD cloud computing services
- DoD risk management officials and Authorizing Officials (AOs)
DoD cloud computing policy and the CC SRG are constantly evolving based on lessons learned regarding the authorization of Cloud Service Offerings and their use by DoD Components. The CC SRG follows an “Agile Policy Development” strategy, allowing for quick updates when necessary. To support this strategy, DISA offers a continuous public review option, accepting comments on the current version of the CC SRG at any time. Comments should focus on critical issues, omissions, or recommended coverage topics.
Submit all comments and questions related to the DoD PA process to the DISA Cloud Team.
Submit all comments and questions related to the CC SRG to the DISA STIG Customer Support Team.