
For storage service offerings, the Mission Owner must configure or ensure the cloud instance uses encryption to protect all DOD files housed in the cloud instance.


Overview

Finding ID: V-259881
Version: SRG-OS-000404-CLD-000080
Rule ID: SV-259881r958870_rule
IA Controls: (none listed)
Severity: High
Description
Mission systems at all Impact Levels must have the capability for DOD data to be encrypted at rest with exclusive DOD control of encryption keys and key management. Some cloud service offerings (CSOs) may facilitate this by providing a Hardware Security Module (HSM) or offering customer-dedicated HSM devices as a service. CSOs that do not provide such a capability may require Mission Owners to use encryption hardware/software on the Defense Information Systems Network (DISN) or a cloud encryption service that provides DOD control of keys and key management. Some CSOs may offer a key management service that can suffice for management of customer keys by the customer while preventing cloud service provider (CSP) access to the keys. An NSA-validated CSP key management service is required.

Data-at-rest (DAR) encryption with customer-controlled keys and key management protects the DOD data stored in CSOs with the following benefits:
- Maintains the integrity of publicly released information and websites at Level 2 where confidentiality is not an issue.
- Maintains the confidentiality and integrity of CUI at Levels 4 and 5 with the following benefits:
  - Limits the insider threat vector of unauthorized access by CSP personnel by increasing the work necessary to compromise/access unencrypted DOD data.

Mission Owners and their Authorizing Officials should consider the benefits of DAR encryption and a cryptography-based process for data destruction and/or spill remediation at Impact Level 2 in addition to the benefit of maintaining information integrity.
STIG: Cloud Computing Mission Owner Operating System Security Requirements Guide
Date: 2024-06-13

Details

Check Text (C-63612r945629_chk)
For Impact Level 2 public cloud with nonprivileged user access to publicly releasable information, this is not applicable unless the information owner requires encryption and KMS.

Verify the cloud storage service is configured to use encryption and KMS to protect all DOD files housed in the virtual storage service.

If the cloud storage service is not configured to use encryption to protect all DOD files housed in the virtual storage service, this is a finding.
Fix Text (F-63519r945630_fix)
This applies to Impact Levels 4/5/6, and to Impact Level 2 where the Mission Owner has control of the environment.
Applicable FedRAMP baselines: Moderate, High.

Configure the cloud instance to use encryption to protect all DOD files housed in the virtual storage service.
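The check above asks whether the storage service uses encryption and KMS, and the description additionally requires exclusive DOD control of the keys. The following is an added example, not part of the STIG or any CSP's tooling, that applies both tests to a storage service's default-encryption configuration. It assumes the configuration dict has the shape of an AWS S3 GetBucketEncryption response, treats any key under the provider's "alias/aws/" namespace (or no named key at all) as provider-managed, and uses constructed sample configurations with a placeholder key ARN.

```python
# Added example, not part of the STIG. Config dict mirrors the shape of an
# AWS S3 GetBucketEncryption response (assumption); other CSOs expose
# equivalent settings. NSA validation of the key service and exclusive DOD
# key control are not visible here and must be confirmed separately.
PROVIDER_ALIAS_NAMESPACE = "alias/aws/"  # provider-managed keys live here

def key_is_customer_controlled(default):
    """True when the rule names a specific KMS key outside the provider alias namespace."""
    alg = default.get("SSEAlgorithm", "")
    key = default.get("KMSMasterKeyID")
    if not alg.startswith("aws:kms"):
        return False  # AES256 (SSE-S3): the CSP holds the keys entirely
    if not key:
        return False  # no key named: the service falls back to the provider-managed key
    return PROVIDER_ALIAS_NAMESPACE not in key

def evaluate(config, impact_level, owner_requires_kms=False):
    """Return (status, reason) per the check text: not_applicable, pass or finding.
    At Impact Level 2 the check text's carve-out (public cloud, nonprivileged
    access to publicly releasable data) is assumed unless owner_requires_kms."""
    if impact_level == 2 and not owner_requires_kms:
        return "not_applicable", "IL2 publicly releasable data; owner does not require KMS"
    rules = (config or {}).get("Rules", [])
    if not rules:
        return "finding", "no default encryption configured"
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if not key_is_customer_controlled(default):
            # Encrypted, but the CSP holds the key: fails the description's
            # requirement for exclusive DOD control of keys and key management.
            return "finding", f"key not customer-controlled: {default}"
    return "pass", "all default-encryption rules use customer-controlled KMS keys"

# Constructed sample configurations; the key ARN is a placeholder, not a real key.
CONSTRUCTED_CONFIGS = {
    "unencrypted": {"Rules": []},
    "sse_s3": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "provider_kms": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/aws/s3"}}]},
    "customer_kms": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-gov-west-1:111122223333:key/EXAMPLE-KEY-ID"},
        "BucketKeyEnabled": True}]},
}

if __name__ == "__main__":
    for name, cfg in CONSTRUCTED_CONFIGS.items():
        print(f"{name}: {evaluate(cfg, impact_level=5)}")
```

A "pass" here only means the configuration names a customer-owned key; the reviewer still has to confirm that the key service itself meets the NSA-validation and DOD-control requirements stated in the description.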