The Mission owner must obtain Authorizing Official (AO) authorization for each cloud service offering (CSO) implemented in support of production or development environments prior to operational use.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259883	SRG-OS-000480-CLD-000025	SV-259883r959010_rule		Medium

Description
The Mission Owner must choose a CSO that fits the operational needs and also has a DOD Provisional Authorization (PA) at the information Impact Level corresponding to the categorization of the information to be processed or stored in the CSO. The PA and supporting documentation must then be leveraged by the Mission Owner's AO in granting the required Authority to Operate (ATO) for the mission system operating within the cloud.

Description

The Mission Owner must choose a CSO that fits the operational needs and also has a DOD Provisional Authorization (PA) at the information Impact Level corresponding to the categorization of the information to be processed or stored in the CSO. The PA and supporting documentation must then be leveraged by the Mission Owner's AO in granting the required Authority to Operate (ATO) for the mission system operating within the cloud.

STIG	Date
Cloud Computing Mission Owner Operating System Security Requirements Guide	2024-06-13

Details

Check Text ( C-63614r945635_chk )
Review the approval documentation. Verify the ATO indicates the component level AO has authorized the use of the CSO. If the Mission Owner's AO has not authorized the use of the CSO, this is a finding.

Fix Text (F-63521r945636_fix)
This applies to all Impact Levels. FedRAMP Moderate, High. Obtain AO authorization for each CSO implemented in support of production or development environments prior to operational use.