The Mission Owner must select and configure an Impact Level 5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Unclassified National Security Information (U-NSI).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259886	SRG-OS-000480-CLD-000032	SV-259886r959010_rule		High

Description
U-NSI must be housed on an Impact Level 5 CSO. This is Unclassified National Security Systems (NSS) information and data. This is because NSS-specific security requirements are included in FedRAMP+.

STIG	Date
Cloud Computing Mission Owner Operating System Security Requirements Guide	2024-06-13

Details

Check Text ( C-63617r945644_chk )
If the implementation is categorized as Impact Level 2, 4, or 6, this is not applicable. Review the approval documentation and the DISA PA Cloud Catalog. For clouds hosting U-NSI information, verify the CSO is listed as Impact Level 5. If U-NSI is being hosted in the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) and the CSO is not listed in the DISA PA DOD Cloud Catalog as Impact Level 5, this is a finding.

Check Text ( C-63617r945644_chk )

If the implementation is categorized as Impact Level 2, 4, or 6, this is not applicable.

Review the approval documentation and the DISA PA Cloud Catalog. For clouds hosting U-NSI information, verify the CSO is listed as Impact Level 5.

If U-NSI is being hosted in the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) and the CSO is not listed in the DISA PA DOD Cloud Catalog as Impact Level 5, this is a finding.

Fix Text (F-63524r945645_fix)
This applies to Impact Level 5. FedRAMP High. For U-NSI information, select and configure a CSO listed in the DISA PA DOD Cloud Catalog for use with Impact Level 5. Specify in the Service Level Agreement (SLA) with the CSP and any third-party providers compliance with applicable STIG configurations.