The Mission Owner must add all applicable compensating controls and requirements in the Service Level Agreement (SLA)/contract with the cloud service provider (CSP) or third-party provider.


Overview

Finding ID: V-259888
Version: SRG-OS-000480-CLD-000035
Rule ID: SV-259888r959010_rule
IA Controls: (none listed)
Severity: Medium
Description
The Mission Owner may tailor the SLA/contract to include any of the controls in the Cloud Computing Mission Owner SRG Overview, Table 3-1, beyond the FedRAMP and DOD Baseline and FedRAMP+ security controls. The Mission Owner is responsible for defining any parameter values associated with any added security control. These values should be based on current DOD Risk Management Framework (RMF) Technical Advisory Group (TAG) values or Committee on National Security Systems Instruction (CNSSI) 1253 values. Any change of ownership involving a CSP, whether the primary CSP or an underlying CSP on which a cloud service offering (CSO) was built, will be reviewed by the DISA Authorizing Official (AO) to assess the impacts and risks associated with the continuation of the DOD Provisional Authorization (PA). Any existing Impact Level 5/National Security System (NSS) systems will have two years from the publication date of the Cloud Computing SRG, V1R1, to update to National Institute of Standards and Technology Special Publication 800-53 Rev 5. They must submit a Plan of Action and Milestones (POA&M) within 30 days, outlining actions to move to the High baseline requirement. When new updates for the Cloud Computing SRG are published, the Mission Owners and their Authorizing Officials (AOs) must review the controls to determine if the risk is acceptable until such time as the CSP is required to comply and/or include the required compliance in the SLA/contract.
STIG: Cloud Computing Mission Owner Operating System Security Requirements Guide
Date: 2024-06-13

Details

Check Text ( C-63619r945650_chk )
Verify that the SLA with the CSP and third-party providers includes all required compliance items in the Cloud Computing Mission Owner SRG.

If the Mission Owner does not add all required compensating controls and requirements in the SLA/contract with the CSP or third-party provider, this is a finding.
Fix Text (F-63526r945651_fix)
This applies to all Impact Levels.
FedRAMP Moderate, High.

Review Sections 3.6.6 and 3.6.7 of the Cloud Computing Mission Owner SRG Overview. Document all applicable compensating controls and requirements in the SLA/contract with the CSP or third-party provider.

Update the SLA/contract with any revised guidance in Cloud Computing SRG updates. If there is a period of noncompliance, document the risk.