The Mission Owner must select and configure an Impact Level 5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Unclassified National Security Information (U-NSI).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-259886 | SRG-OS-000480-CLD-000032 | SV-259886r959010_rule | CCI-000366 | high |
| Description | ||||
| U-NSI must be housed on an Impact Level 5 CSO. This is Unclassified National Security Systems (NSS) information and data. This is because NSS-specific security requirements are included in FedRAMP+. | ||||
| STIG | Date | |||
| Cloud Computing Mission Owner Operating System Security Requirements Guide | 2024-12-19 | |||
Details
Check Text (C-259886r959010_chk)
If the implementation is categorized as Impact Level 2, 4, or 6, this is not applicable.
Review the approval documentation and the DISA PA Cloud Catalog. For clouds hosting U-NSI information, verify the CSO is listed as Impact Level 5.
If U-NSI is being hosted in the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) and the CSO is not listed in the DISA PA DOD Cloud Catalog as Impact Level 5, this is a finding.
Fix Text (F-63524r945645_fix)
This applies to Impact Level 5.
FedRAMP High.
For U-NSI information, select and configure a CSO listed in the DISA PA DOD Cloud Catalog for use with Impact Level 5.
Specify in the Service Level Agreement (SLA) with the CSP and any third-party providers compliance with applicable STIG configurations.