The Mission Owner must select and configure an Impact Level 2 FedRAMP authorized cloud service offering (CSO) when hosting unclassified, publicly releasable DOD information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259884	SRG-OS-000480-CLD-000030	SV-259884r959010_rule		Medium

Description
FedRAMP Moderate is the minimum security baseline for all DOD cloud services. Components and Mission Owners may host unclassified, publicly releasable DOD information on FedRAMP Moderate approved cloud services. This type of CSO is known as Impact Level 2. They may also configure an offering from the DISA PA DOD Cloud Catalog at any Impact Level for use. Low Confidentiality Impact: Mission Owners will only publish, collect, store, or process low confidentiality impact (sensitivity) personally identifiable information (PII) in a CSO minimally possessing a FedRAMP Moderate Provisional Authority to Operate (P-ATO) listed on the FedRAMP Marketplace and a DOD Level 2 Provisional Authorization (PA), with Privacy Officer approval.

Description

FedRAMP Moderate is the minimum security baseline for all DOD cloud services. Components and Mission Owners may host unclassified, publicly releasable DOD information on FedRAMP Moderate approved cloud services. This type of CSO is known as Impact Level 2. They may also configure an offering from the DISA PA DOD Cloud Catalog at any Impact Level for use. Low Confidentiality Impact: Mission Owners will only publish, collect, store, or process low confidentiality impact (sensitivity) personally identifiable information (PII) in a CSO minimally possessing a FedRAMP Moderate Provisional Authority to Operate (P-ATO) listed on the FedRAMP Marketplace and a DOD Level 2 Provisional Authorization (PA), with Privacy Officer approval.

STIG	Date
Cloud Computing Mission Owner Operating System Security Requirements Guide	2024-06-13

Details

Check Text ( C-63615r945638_chk )
If the CSO implementation is categorized as Impact Level 4/5/6, this is not applicable. Review the approval documentation. Verify the cloud service offering is listed in either the FedRAMP or DISA PA DOD Cloud Catalog when hosting unclassified, publicly releasable DOD information. If unclassified, publicly releasable DOD information is being hosted in the IaaS/PaaS and the CSO is not listed in the FedRAMP Marketplace as FedRAMP moderate (at a minimum), or the DISA PA DOD Cloud Catalog, this is a finding.

Check Text ( C-63615r945638_chk )

If the CSO implementation is categorized as Impact Level 4/5/6, this is not applicable.

Review the approval documentation. Verify the cloud service offering is listed in either the FedRAMP or DISA PA DOD Cloud Catalog when hosting unclassified, publicly releasable DOD information.

If unclassified, publicly releasable DOD information is being hosted in the IaaS/PaaS and the CSO is not listed in the FedRAMP Marketplace as FedRAMP moderate (at a minimum), or the DISA PA DOD Cloud Catalog, this is a finding.

Fix Text (F-63522r945639_fix)
This applies to Impact Level 2. FedRAMP Moderate, High. Select and configure an Impact Level 2 CSO listed in the FedRAMP Marketplace as FedRAMP moderate, or the DISA PA DOD Cloud Catalog, when hosting unclassified, publicly releasable DOD information.