Why Have DoD Impact Levels for Cloud Compliance?
Joshua Bregler
Senior Security Manager II at McKinsey & Company | MBA, Cybersecurity, US Marine
Short answer: WE SHOULDN’T.
The real answer is somewhat longer because there are both technological and sociological issues at play.
Few people knew what the original true designs were behind the DoD Cloud Security Requirements Guide (CC SRG) and the Secure Cloud Computing Architecture (SCCA) but we can make some pretty safe assumptions:
· Trying to not be RMF while also not interfering with RMF
· Create a construct that uniquely fits cloud computing
· Be enough like legacy to feel familiar but still be different
Despite its valiant goals, the CC SRG is built on concepts that are not relevant for modern cloud computing initiatives. Dedicated tenancy, single customers, and full management console access are all concepts that do not and should not be applied to all cloud computing initiatives.
Problem
The bigger issue is that the document left A LOT open to interpretation. This is particularly true in the mapping of those requirements to RMF controls. Moreover, they established these requirements without a means to assess their implementations. While RMF doesn’t spell out each control intent (unless you dive into CCI’s), the NIST SP 800-53 has 800-53A to help guide an assessor/auditor through and sets expectations.
The CC SRG not only has no equal to 800-53A but doesn’t adequately spell out the intentions of the individual requirements to those that aren’t already trained in cloud security. This leaves a huge amount of ambiguity with architects, engineers, assessors, and AOs. All effected parties are left to their own interpretations, causing confusion. There are points to be made that this ambiguity provides flexibility in implementation and opens conversation between those building the environments and those authorizing it. In reality this isn't a benefit. These channels of communication between engineers, program offices, and assessors are often opened too late or not at all. We as an industry can't let a few exceptions disprove the common case.
Then there are the 4 Horsemen of the CC SRG: CAP, CSSP, VDMS, VDSS. These are constructs based on legacy principles that don’t map to modern cloud deployments very well. Not only are they not cost-effective, they bring a great deal of unnecessary latency and performance degradation.
Solution
While RMF isn’t perfect, it has evolved into its current state for a reason. It’s flexible and it covers a huge swath of use cases and cyber surface area. More often than not, it’s the execution of the process that is the blocker rather than the technicals of the framework.
This brings us to a better solution…
The Cloud Computing Overlay.
This is how every system use-case of significance is applied to the framework already. Classified systems, National Security Systems, Nuclear, Intelligence, PII… all have their own overlays. RMF already has mechanisms in place for implementing and populating control sets with overlays.
So why not create a cloud computing overlay??
Benefits
A Cloud Computing overlay would adjust control sets to feel less RMFy; it’s still familiar with engineers, assessors, and AOs; and would allow for legacy, cloud,?and?hybrid systems. It removes enough ambiguity to be useful, while allowing tailoring to take care of unnecessary restrictions. It would also allow for these systems to match them with the other overlays without confusion.
How does this replace the SRG Impact Levels?
·?????IL4 = Cloud Computing overlay + PII overlay (which already exists)
·?????IL5 = Cloud Computing overlay + National Security overlay (which already exists)
·?????IL6 = Cloud Computing overlay + Classified overlay (which already exists)
What about the 4 Horsemen of the SRG?
RMF already has controls in place that address all of the components of the VDMS and VDSS. The Continuous Monitoring (CM) family would be modified by the Cloud Computing overlay to address CSSP requirements which, honestly, wouldn’t be much of a modification. The same goes for the CAP. There are a number of controls in place that already address this need; the cloud computing overlay would simply be a modification of those controls to meet the requirement and intention of a Cloud Access Point.
The Cloud Computing Overlay, folks. It should be a thing.
Chief Growth Officer at Effectual | Strategic Growth Specialist | Private Equity, Mergers & Acquisitions | Enterprise Technology Services | Servant Leader and Mentor
2 年Super insightful post, Joshua. Definitely interested to see how this plays into the multi-cloud sphere. Thanks for sharing.
Joshua Bregler and Adam Tajalli. Great discussion, and I have a lot to add here, but first have you used the Fast Track ATO process? It doesn't resolve your Impact Level concerns, and it is only Air Force and not DoD, but It was supposed to mitigate some of the concerns posted here like being faster and easier to navigate. It also gives the AO authority to outright approve SaaS or require an ATO for it. It appears to be a step in the right direction, but I understand it's not the 'do over' Adam Tajalli is calling for. https://www.safcn.af.mil/Portals/64/DAF%20Fast%20Track%20%20ATO%20072021%20Cleared%20for%20Public%20Release%20AFR-2021-2421%2C%2026%20Jul%202021.pdf
More would argue why IL4? I believe many try to make all of NIPR fit into IL4 and/or IL5. IMO it’s all about the data and as DOD created ILs around how much we care about the data, DOD fails to ‘wash’ the data before transitioning to cloud. Many apps migrate but fail to separate and tag data to fit either IL4 or IL5 as defined today.
Vice President, Cloud Services at Plus3 IT Systems
2 年Great Article. The CCSRG manages to be too ambiguous and too prescriptive (your four horsemen) at the same time. The result in our customer space is that the assessors focus on those four horsemen and are too unsure about the rest to be comfortable considering alternative approaches that meet the intent in a more modern way. If there's a movement afoot to rid ourselves of these shackles, count me in!
Director of Cybersecurity @ Tanium Cloud
2 年Going to feel old, but the Cloud SRG came out (May 2013) about a year before DoD moved to RMF (Mar 2014). I remember because at that time I was doing my Federal CISO masters at National Defense university while having RDT&E appropriations and the policies at the time. Ironically, there were SIX impact levels in version 1 of the CRG, took about a year to do up to version 5, and then rolled up two impact levels to simplify the model. There were never talks of overlays at the time - as the impact level was a simpler model to convey risk like DIACAP. Just be glad the OG ECSB didn't get to do the STIGs they wanted per CSP when DoD CIO in Dec 2015 disbanded them. You can catch up on some of the CRG history here, especially slides 8 and 9: https://disa.mil/-/media/Files/DISA/News/Events/Symposium/Cloud-Computing-Security-Requirements-Guide.ashx?la=en&hash=BBFEC2B02DD9F601290D20803A4FD8FBFFB7E77E