
The Department of Defense Updates Security Requirements for Cloud Services

Client Alert | 1 min read | 02.01.22

The Department of Defense (DoD) recently published Version 1, Release 4 of its Cloud Computing Security Requirements Guide (SRG). The SRG outlines the administrative, technical, and physical security controls and requirements to be followed by contractors providing cloud services to the DoD pursuant to DFARS 252.239-7010, Cloud Computing Services.

The first update in almost five years, Release 4:

  • Reduces the differences between FedRAMP and DoD requirements for cloud services and provides additional guidance with regard to reciprocity between the two authorization regimes;
  • Updates the requirements for cloud services handling personally identifiable and protected health information;
  • Introduces the possibility of higher authorization levels for cloud services offering the DoD physical, rather than logical, separation from other tenants;
  • Clarifies guidance with regard to cloud access points through which a cloud service connects to the DoD’s network; and
  • Makes a number of additional changes to modernize requirements, clarify ambiguities, and reduce redundancy.

The SRG instructs contractors currently providing cloud services to the DoD to transition to the requirements in Release 4 as soon as practical but not later than one year after the SRG’s publication.  Contractors interested in providing cloud services to the DoD should prepare for an assessment against the new requirements, as Release 4 became effective upon publication.
