DISA releases new security guide for cloud computing

January 14, 2015 By David

Grazed from DefenseSystems. Author: Kevin McCaney.

The Defense Information Systems Agency has released its new security requirements guide for cloud computing, which is intended to make it easier—and quicker—for Defense Department agencies to procure commercial cloud services while still ensuring security. The new SRG puts out to pasture the Cloud Security Model, under which only a handful of vendors had received authorization, and more closely follows the Federal Risk and Authorization Management Program used by civilian federal agencies—although it does set additional requirements in areas where extra security is needed. In many cases, cloud providers will seek to comply with the SRG in coordination with their FedRAMP reauthorization.

"The SRG is designed to ensure that DOD can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk," Mark Orndorff, DISA Risk Management Executive, said in a statement. The new guide sets the security requirements for information up to the Secret classification, sets standards for what systems or information can be handled in a virtual environment and what data should be physically separated, and tweaks the impact levels identified under the old Cloud Security Model…

Under the SRG, the old model's Level 1, which had covered publicly released information, is combined with Level 2, covering data cleared for public release as well as unclassified information not deemed to be mission-critical. This data would not require access to DOD networks…

Read more from the source @ http://defensesystems.com/articles/2015/01/14/disa-cloud-security-requirements-guide.aspx?admgarea=DS