Enterprise Cloud Service Broker

FREQUENTLY ASKED QUESTIONS

  1. Can I bypass Information Assurance activities by leveraging non-cloud, as opposed to cloud, services or by acquiring services myself rather than going through the Broker?
  2. Is there any guidance that applies specifically to use of commercial cloud services?
  3. Are there any considerations related to commercial cloud services that preclude me from doing a full and open acquisition?
  4. Are there any special considerations related to use of Software as a Service?
  5. What policy and other documents are relevant to Information Assurance and use of cloud services by DoD?

Can I bypass Information Assurance activities by leveraging non-cloud, as opposed to cloud, services or by acquiring services myself rather than going through the Broker?

No. DoD Information Assurance, NetOps, and Computer Network Defense policies apply to the operation and use of all cloud and non-cloud IT infrastructure, platform, and software services and applications, regardless of how the acquisition is accomplished.

Is there any guidance that applies specifically to use of commercial cloud services?

Yes. Per the 9 December 2011 "Interim Guidance Memorandum on Use of Commercial Cloud Computing Services", "...use of third party, off-premises cloud services will require a waiver from the GIG Waiver Panel in order to preserve the security of DoD data and mission assurance in the face of persistent cyber threats from capable adversaries".

Are there any considerations related to commercial cloud services that preclude me from doing a full and open acquisition?

There are no considerations that preclude such an acquisition. However, you should take the required certification and accreditation activities into account in your acquisition planning. Based on current policies, it may take considerable time and effort for a vendor to get the required support infrastructure in place to meet the monitoring and reporting requirements for Controlled Unclassified Data (including Personally Identifiable Information and Protected Health Information).

Are there any special considerations related to use of Software as a Service?

Yes. For Software as a Service (SaaS), the entire stack (infrastructure, platform, and software) must be accredited before implementation. If the SaaS is going to operate on a previously accredited infrastructure, the timeline for certification and accreditation may be shorter than if the entire stack is being assessed for the first time.

What policy and other documents are relevant to Information Assurance and use of cloud services by DoD?