U.S. Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG)

April 2023
Amazon FSx for NetApp ONTAP is authorized for Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG) Impact Levels 2, 4, and 5 in the Amazon Web Services (AWS) GovCloud (US) Regions and Impact Level 2 in AWS US Regions.

The U.S. Defense Information Systems Agency (DISA) (of the U.S. Department of Defense (DoD)), is responsible for maintaining and publishing the DoD Cloud Computing Security Requirements Guide (CC SRG). The CC SRG defines the baseline security requirements that DoD uses to evaluate the security posture of a cloud service provider (CSP) and its offerings. DISA supports an authorization process whereby CSPs can furnish documentation attesting to the security compliance with CC SRG standards of their cloud service offering. DISA assesses their compliance, and, when appropriate, grants a DoD provisional authorization. This reduces the time necessary for DoD agencies and supporting organizations to engage the CSP to host DoD missions. 

The DoD CC SRG defines four impact levels (IL2, IL4, IL5, and IL6) based on the sensitivity of DoD information stored and processed in the cloud, and the potential impact if there were a loss of confidentiality, integrity, or availability of that information.

• IL2 covers information that has been authorized for public release.  
  
• IL4 covers controlled or noncontrolled unclassified information. 
• IL5 covers higher sensitivity controlled unclassified information (CUI), as well as mission-critical and national security systems information. 
• IL6 covers DoD classified SECRET and national security systems information. 

Amazon FSx for NetApp ONTAP is authorized through Amazon Web Services (AWS) for the U.S. DoD CC SRG. AWS has been assessed and approved as a cloud service provider at Impact Level 2 for the US East and US West Regions and at Impact Levels 4 and 5 for the AWS GovCloud (US). 

• At Impact Level 2, the U.S.-based AWS holds two Provisional Authorizations to Operate (P-ATOs) in two regions: US East/West and AWS GovCloud (US). AWS compliance with DoD requirements was achieved by leveraging the existing FedRAMP Joint Authorization Board (JAB) P-ATO. This permits mission owners to deploy publicly released information in these AWS regions. 
  
  
• At Impact Levels 4 and 5, DISA has also issued a P-ATO for AWS GovCloud (US). This enables DoD customers to deploy production applications with the enhanced control baselines defined by Impact Levels 4 and 5. This enables mission owners to deploy the full range of both noncontrolled or controlled unclassified information (CUI) and higher sensitivity CUI categories covered by these levels. 

These authorizations mean that agencies that were previously restricted to on premises or cloud.gov can take advantage of the speed and flexibility of both hybrid cloud and dedicated AWS Cloud environments. Government entities can now deploy critical workloads there. 

Amazon FSx for NetApp ONTAP

The P-ATOs for Amazon FSx for NetApp ONTAP are held by Amazon Web Services as part of AWS Commercial Cloud and AWS GovCloud DoD CC SRG authorizations. They are listed on AWS Services in Scope by Compliance Program (DoD CC SRG).