The DoD CSP SRG and DoD MO SRG: A Breakdown

Federal Assessments

Now that the DoD Cloud Computing Security Requirements Guide (SRG) v1r4 has been officially retired, cloud service providers (CSPs) will need to familiarize themselves with the two new documents that have replaced those requirements—the latest DoD CSP SRG v1r1 and DoD Mission Owner (MO) SRG—to maintain compliance with applicable mandates.

As a leading third-party assessment organization (3PAO) on the FedRAMP Marketplace and a provider of various other federal assessments, we're well versed in these requirements for cloud service providers, which we know can be quite dense, whether you're looking to do business with the government for the first time or have dealt with it before.

It may never seem to get any less challenging, but as experts, we're here to help you with this latest transition. In this article, we will review four key differences between the old version of the SRG and the new ones so that you have a solid launch point for making any necessary adjustments.

4 Key Updates to the DoD CSP SRG

Though we recommend reading through both documents yourself for a more thorough understanding, we've identified the following four differences between the old version of the DoD SRG and the new:

  • Separation of document audience
  • New reciprocity between FedRAMP baselines and DoD Impact Levels
  • Inclusion of DoD’s right-to-penetration testing for Impact Level 6
  • Key control changes

1. Separation of Document Audience

Let’s start with the most obvious change—in the newest version of the DoD SRG, the guidance is split into two different documents:

  • DoD CSP SRG v1r1: Contains the security requirements CSPs must adhere to in order to provide their cloud service offerings (CSOs) to DoD Mission Owners; and
  • DoD MO SRG: Contains technical requirements mandated for the Mission Owner (MO), or, the organization that will use the CSP’s product for their business use cases.
    • NOTE: MOs who host their cloud workloads in CSP infrastructure must also review and comply with the CSP SRG.

Despite this separation, these documents will inform each other, as it’ll be up to customers to determine from their Mission Owner guide what they may want to enforce on the CSP regarding their cloud offering.

2. New Reciprocity Between FedRAMP Baselines and DoD Impact Levels

In another change, the new CSP SRG now defines reciprocity between the FedRAMP baselines and specific Impact Levels, i.e., how your FedRAMP Authorization for a federal agency translates to and assists in meeting the DoD's specific IL4, IL5, and IL6 requirements.

Why does this matter?

The DoD had previously acknowledged and accepted reciprocity between FedRAMP Moderate / High and IL2; the new CSP SRG expands this reciprocity to IL4, IL5, and IL6. CSPs can now use these baselines, or even draw on their existing FedRAMP ATO, to reduce their assessment package workload, as long as they add the controls and parameters in Appendix D of the CSP SRG.

More specifically, here’s what’s required to be able to leverage that new reciprocity:

Impact Level 4

To be approved at IL4, you have two options for FedRAMP:

1. Achieve Authorization with a non-DoD Agency at the Moderate baseline, supplemented with the DoD FedRAMP+ security controls and the inclusion of the CNSSI 1253 overlays in Appendix D for Moderate Confidentiality and Integrity, if applicable; or

2. Achieve a FedRAMP High baseline Authorization while meeting the General Readiness Requirements and passing a security clearance policy review. (DoD FedRAMP+ security controls and CNSSI 1253 overlays may also be a requirement based on MO needs.)

Impact Levels 5 and 6

To be approved at IL5 or IL6, you must:

  • Leverage the FedRAMP High baseline; and
  • Include the additional CNSSI 1253 overlays in Appendix D for High Confidentiality and Integrity.

* If the CSO is designated as a National Security System (NSS), additional NSS controls will also be required.

3. Penetration Testing for IL6

Speaking of IL6, the DoD has added verbiage in the new SRG that gives them the right to perform internal and external penetration testing on CSP IL6 hosting environments.

Before, CSPs were solely responsible for defining and running the requisite penetration testing for IL6 3PAO assessments—the DoD would just shadow the 3PAO chosen by the CSP to run the tests. While that’s still true, this new language now means the DoD also reserves the right to perform its own, additional penetration testing whenever they choose to (though if they do choose to, they will coordinate with the CSP involved).

(As this is singular to IL6, this likely won’t impact many CSPs; however, if you’re planning to uplift to an IL6 or are developing an IL6 offering, it’s important to know that the DoD holds its right to penetration testing at any time now—though they’ll still need to coordinate with you.)

4. Security Control Changes Between the Previous SRG and the New CSP SRG

Now that we’ve mentioned Appendix D, we can get into our final key update—the changes made to its control sets in the new version of the SRG.

Controls Removed:

The following is the list of controls that were removed from Appendix D of the Cloud Computing (CC) SRG:

  • AC-6 (1)
  • AC-6 (7)
  • AC-8
  • AC-17 (3)
  • AC-18 (1)
  • AT-3 (4)
  • AU-2
  • AU-12 (1)
  • CA-2
  • CA-3
  • CA-3 (1)
  • CA-3 (5)
  • CM-3 (4)
  • CM-3 (6)
  • IA-5 (4)
  • IR-2
  • IR-4 (8)
  • IR-9 (2)
  • MP-2
  • MP-6
  • SA-12
  • SC-7 (12)
  • SC-8 (2)
  • SC-28 (1)
  • CM-2 (3)
  • SI-2 (6)


Control Parameters Remaining:

Without those controls, we're left with the following, which are either new controls or new control parameters. This table outlines the controls the DoD has specifically identified, their parameters, and the Impact Levels to which they apply as additions or amendments to the FedRAMP baselines. (Controls whose Associated FedRAMP Baseline reads "None" are not covered by the FedRAMP Moderate or High baselines, and are thus additional control requirements for DoD.)

Each entry below lists the Control ID and name, the parameter values, the Impact Level, and the Associated FedRAMP Baseline.

AC-7 – Unsuccessful Logon Attempts
Parameter values:
  Privileged users: Limited to three unsuccessful attempts before an administrator must unlock.
  Nonprivileged users: If rate limiting, allowed 10 attempts with the account automatically unlocked after 30 minutes. If rate limiting is not used, the normal DoD Specifically Assigned Value (DSPAV) will be required.
  DoD Parameter*: AC-07.b. Notify system administrator.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

AU-5 (1) – Response to Audit Logging Process Failures: Storage Capacity Warning
Parameter values:
  FedRAMP-assigned value permitted.
  FedRAMP High: seventy-five percent (75%), or one month before expected negative impact.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: High

CM-7 (5) – Least Functionality: Authorized Software – Allowed by Exception
Parameter values:
  DSPAV must be used.
  DoD Parameter*: CM-7(5).c. At least annually.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

IA-5 (1) – Authenticator Management: Password-based Authentication
Parameter values:
  DSPAV must be used.
  DoD Parameters*:
    IA-5(1).a. At least quarterly.
    IA-5(1).h. A case-sensitive 12-character mix of upper-case letters, lowercase letters, numbers, and special characters including at least one of each; modify at least 50% of the characters when new passwords are created.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

MA-5 (1) – Maintenance Personnel: Individuals Without Appropriate Access
Parameter values:
  DSPAV must be used.
  DoD Parameter*: None assigned.
Impact Level: IL4
Associated FedRAMP Baseline: Moderate and High

MA-5 (2) – Maintenance Personnel: Security Clearances for Classified Systems
Parameter values: No parameter defined in SRG.
Impact Level: IL6
Associated FedRAMP Baseline: None

MA-5 (3) – Maintenance Personnel: Citizenship Requirements for Classified Systems
Parameter values: No parameter defined in SRG.
Impact Level: IL6
Associated FedRAMP Baseline: None

MA-5 (4) – Maintenance Personnel: Foreign Nationals
Parameter values: No parameter defined in SRG.
Impact Level: IL6
Associated FedRAMP Baseline: None

MA-5 (5) – Maintenance Personnel: Non-system Maintenance
Parameter values: No parameter defined in SRG.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: None

MA-6 – Timely Maintenance
Parameter values:
  FedRAMP-assigned value permitted.
  FedRAMP Moderate and High: A timeframe to support advertised uptime and availability.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

PE-15 – Water Damage Protection
Parameter values:
  DSPAV must be used.
  DoD Parameter*: None assigned.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

PS-3 (4) – Personnel Screening: Citizenship Requirements
Parameter values:
  Requirements apply to all information systems.
  Users: U.S. citizens, U.S. nationals, or U.S. persons; foreign personnel as allowed by current DoD policies with Authorizing Official (AO) approval.
  Administrators: U.S. citizens, U.S. nationals, or U.S. persons.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: None

PS-4 – Personnel Termination
Parameter values:
  CSP/CSO may use the FedRAMP-assigned value.
  FedRAMP Moderate: four (4) hours
  FedRAMP High: one (1) hour
  DoD Parameter*: If voluntary, as soon as possible, not to exceed 5 working days; if involuntary, within the same day as termination.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

SA-4 (5) – External System Services: System, Component, and Service Configurations
Parameter values:
  DSPAV must be used.
  DoD Parameter*: None assigned.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: High

SA-9 (1) – External System Services: Risk Assessment and Organizational Approvals
Parameter values:
  DSPAV must be used.
  DoD Parameter*: None assigned.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

SA-9 (3) – External System Services: Establish and Maintain Trust Relationship with Providers
Parameter values:
  DSPAV must be used.
  DoD Parameter*: None assigned.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: None

SA-9 (5) – External System Services: Processing, Storage, and Service Location
Parameter values:
  SA-9 (5)-1 [information processing, information or data, AND system services].
  SA-9 (5)-2 [U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction].
  SA-9 (5)-3 [all data, systems, or services].
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

SA-9 (6) – External System Services: Organization-Controlled Cryptographic Keys
Parameter values: No parameter defined in SRG.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: None

SA-9 (7) – External System Services: Organization-controlled Integrity Checking
Parameter values: No parameter defined in SRG.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: None

SA-9 (8) – External System Services: Processing and Storage Location – U.S. Jurisdiction
Parameter values: No parameter defined in SRG.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: None

SC-12 (6) – Cryptographic Key Establishment and Management: Physical Control of Keys
Parameter values: No parameter defined in SRG.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: None

SC-17 – Public Key Infrastructure Certificates
Parameter values: DODI 8520.02, Public Key Infrastructure (PKI) and Public Key Enabling (PKE).
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

SC-18 – Mobile Code
Parameter values: No parameter defined in SRG.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: Moderate and High

SC-18 (2) – Mobile Code: Acquisition, Development, and Use
Parameter values:
  DSPAV must be used.
  DoD Parameters*:
    SC-18(2).a. Category 1A mobile code where technologies can differentiate between signed and unsigned mobile code and block execution of unsigned mobile code may be used.
    SC-18(2).b. Category 2 mobile code allowing mediated or controlled access to workstation, server, and remote system services and resources may be used with appropriate protections (e.g., executes in a constrained environment without access to system resources such as Windows registry, file system, system parameters, and network connections to other than the originating host; does not execute in a constrained environment unless obtained from a trusted source over an assured channel).
    SC-18(2).c. Category 3 mobile code having limited functionality, with no capability for unmediated access to workstation, server, and remote system services and resources, may be used when executing in an approved browser.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: None

SC-18 (3) – Mobile Code: Prevent Downloading and Execution
Parameter values:
  DoD Parameters*: All unacceptable mobile code such as:
    SC-18(3).a. Emerging mobile code technologies that have not undergone a risk assessment and been assigned to a Risk Category by the CIO.
    SC-18(3).b. Category 1X mobile code technologies and implementations that cannot differentiate between signed and unsigned mobile code.
    SC-18(3).c. Unsigned Category 1A mobile code.
    SC-18(3).d. Category 2 mobile code not obtained from a trusted source over an assured channel (e.g., SIPRNet, SSL connection, S/MIME, code is signed with an approved code signing certificate).
Impact Level: IL5, IL6
Associated FedRAMP Baseline: None

SC-18 (4) – Mobile Code: Prevent Automatic Execution
Parameter values:
  DoD Parameters*: 1st PV (parameter value): software applications such as email and scriptable document/file editing applications that support documents with embedded code (e.g., MS Office applications/documents).
Impact Level: IL5, IL6
Associated FedRAMP Baseline: None

SC-24 – Fail in Known State
Parameter values:
  DSPAV must be used.
  DoD Parameters*:
    SC-24.a. Known secure state.
    SC-24.b. Information necessary to determine cause of failure and to return to operations with least disruption to mission/business processes.
    SC-24.c. All types of failures on all system components.
Impact Level: IL4, IL5 and IL6
Associated FedRAMP Baseline: High

SC-46 – Cross Domain Policy Enforcement
Parameter values:
  DSPAV must be used.
  DoD Parameter*: None assigned.
Impact Level: If Cross Domain Solutions (CDS) is used
Associated FedRAMP Baseline: None

*Note: At the time of this blog, DSPAVs were based on the parameters set in the CNSSI 1253 from July 29th, 2022.

Please note that these controls do not include the overlays, Contract, or Service Level Agreement (SLA) controls that each specific MO can impose at their discretion—for more information, those controls can be found in the MO SRG.

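The AC-7 row in the table above fixes lockout thresholds that differ by user class. The following is an added example (not code from the SRG or from Schellman) of enforcing those two parameter sets; it assumes the nonprivileged rate-limiting option is chosen, that time is passed as Unix seconds, and that the Account record and function names are hypothetical.

```python
"""Lockout evaluator for the AC-7 values in the table above (added example, not
code from the SRG or from Schellman). Assumes the nonprivileged rate-limiting
option is in use and that time is given in Unix seconds."""
from dataclasses import dataclass
from typing import Optional

PRIVILEGED_MAX_ATTEMPTS = 3           # then an administrator must unlock
NONPRIVILEGED_MAX_ATTEMPTS = 10       # rate-limiting option
NONPRIVILEGED_UNLOCK_AFTER = 30 * 60  # automatic unlock, in seconds


@dataclass
class Account:  # hypothetical record, not an SRG-defined structure
    name: str
    privileged: bool
    failed_attempts: int = 0
    locked_at: Optional[float] = None  # None means not locked


def is_locked(acct: Account, now: float) -> bool:
    """Privileged accounts stay locked until unlock_by_admin(); nonprivileged
    accounts unlock themselves once the 30-minute window has elapsed."""
    if acct.locked_at is None:
        return False
    if acct.privileged:
        return True
    if now - acct.locked_at >= NONPRIVILEGED_UNLOCK_AFTER:
        acct.locked_at = None  # automatic unlock also resets the counter
        acct.failed_attempts = 0
        return False
    return True


def record_failure(acct: Account, now: float) -> bool:
    """Register one unsuccessful logon; True means the account is locked.
    Attempts against a locked account are not counted, so they cannot extend
    the unlock window. The transition to True is where AC-7.b (notify the
    system administrator) should fire."""
    if is_locked(acct, now):
        return True
    acct.failed_attempts += 1
    limit = PRIVILEGED_MAX_ATTEMPTS if acct.privileged else NONPRIVILEGED_MAX_ATTEMPTS
    if acct.failed_attempts >= limit:
        acct.locked_at = now
        return True
    return False


def unlock_by_admin(acct: Account) -> None:
    """Administrator unlock: the only way out of a privileged-account lockout."""
    acct.locked_at = None
    acct.failed_attempts = 0
```
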
A Word About NSS and Non-NSS

Because most IL5 offerings tend to be Non-NSS, the identified controls and parameters in our above table do not include any specific details for those that are or are going to be an NSS.

That being said, the DoD has provided an Excel spreadsheet breakdown of the applicable controls for IL2 through 6 that does include NSS and Non-NSS baselines for IL5. Despite this spreadsheet not being explicitly provided within the new DoD SRG package, the DoD may impose approximately 178 additional controls and parameters for any system classified as IL5 and NSS. Should that happen, this would significantly change many factors regarding CSP offerings and 3PAO assessments such as the CSP’s implementation of the controls, as well as the 3PAO’s assessment scope and timeline.

As such, please make sure that you confirm with your DoD representative whether your offering will be classified as an NSS, and work with them to ensure a comprehensive control selection for your 3PAO assessments.

The Timeline for Transition to the New DoD CSP SRG

Now that you understand more about the new DoD CSP SRG, you need to know when you’ll need to transition to its mandates:

  • For CSPs with an existing IL 5/6/NSS Authority to Operate (ATO), the DoD has decreed that you have until no later than the end of calendar year 2025 to update to the NIST SP 800-53 Rev 5 requirements in this SRG.
  • For CSPs with existing ATOs, you must submit a Plan of Action and Milestones (POA&M) outlining actions needed to comply with the requirement to move to the High baseline within 30 days of publication of the SRG.
  • For CSPs in the process of obtaining an ATO, we recommend reaching out to your DoD Sponsor/AO for guidance on their expectations for your service offering to meet or transition to this new guidance.

As cloud service providers do transition to the new version of the DoD SRG, a complete understanding of all the changes within this latest release will be critical. We hope that this breakdown of some of the key updates will provide a helpful leg up, but should you have any further questions or concerns, don’t hesitate to reach out to us, as our team of experts is standing by ready to assist.

About Chris Lepotakis

Chris Lepotakis is a Manager with Schellman based in Massachusetts. Prior to joining Schellman in 2021, Chris worked as an Advanced Systems Engineer for a large DoD contractor, specializing in Technical Leadership and Information System Security Engineering. Chris led and supported various projects while working for his previous employer, developing cutting-edge mission systems for DoD customers and working directly with them to develop and deliver each design. Chris has over 18 years of experience serving clients in various industries, including Healthcare, Federal Government, and Professional Services. Chris is now focused primarily on FedRAMP for organizations across various industries.