The Mission Owner must select and configure an Impact Level 4/5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Controlled Unclassified Information (CUI).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259885	SRG-OS-000480-CLD-000031	SV-259885r959010_rule		High

Description
Impact Level 4 accommodates Controlled Unclassified Information (CUI). This information must be protected from unauthorized disclosure. Designating information as CUI is the responsibility of the data owner and their organization. Determining the appropriate Impact Level for a specific mission with CUI will be the responsibility of the mission AO. Impact Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other government regulations.

Description

Impact Level 4 accommodates Controlled Unclassified Information (CUI). This information must be protected from unauthorized disclosure. Designating information as CUI is the responsibility of the data owner and their organization. Determining the appropriate Impact Level for a specific mission with CUI will be the responsibility of the mission AO. Impact Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other government regulations.

STIG	Date
Cloud Computing Mission Owner Operating System Security Requirements Guide	2024-06-13

Details

Check Text ( C-63616r945641_chk )
If the implementation is categorized as Impact Level 2 or 6, this is not applicable. Review the approval documentation and the DISA PA Cloud Catalog. For clouds hosting CUI information, verify the CSO is listed as Impact Level 4 or 5. If CUI is being hosted in the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) and the CSO is not listed in the DISA PA DOD Cloud Catalog as Impact Level 4 or 5, this is a finding.

Check Text ( C-63616r945641_chk )

If the implementation is categorized as Impact Level 2 or 6, this is not applicable.

Review the approval documentation and the DISA PA Cloud Catalog. For clouds hosting CUI information, verify the CSO is listed as Impact Level 4 or 5.

If CUI is being hosted in the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) and the CSO is not listed in the DISA PA DOD Cloud Catalog as Impact Level 4 or 5, this is a finding.

Fix Text (F-63523r945642_fix)
This applies to Impact Level 4/5. FedRAMP Moderate, High. For CUI information, select and configure a CSO listed in the DISA PA DOD Cloud Catalog for use with Impact Level 4/5 or higher. Specify in the Service Level Agreement (SLA) with the cloud service provider (CSP) and any third-party providers compliance with applicable STIG configurations.