Monday, June 17, 2024

Space Economy Businesses: Understanding DISA Impact Level Environments for Secure Cloud Computing

The Defense Information Systems Agency (DISA) has established a framework of impact levels to categorize Department of Defense (DoD) information systems and data based on the potential impact of a security breach. These impact levels, ranging from 2 to 6, define the required level of security controls that cloud service providers must implement to host DoD data. Understanding these impact levels is important for space economy businesses seeking to serve the defense market.

Overview of DISA Impact Levels

DISA’s Cloud Computing Security Requirements Guide (CC SRG) outlines four impact levels for DoD cloud environments:

Impact Level 2 (IL2)

IL2 covers data approved for public release and non-critical mission information. It requires a low confidentiality and moderate integrity level. Cloud services at IL2 can be hosted outside of DoD facilities and connected to public networks like the Internet.

Impact Level 4 (IL4)

IL4 is for Controlled Unclassified Information (CUI), such as For Official Use Only (FOUO) data, and non-critical mission information. It requires a moderate confidentiality and integrity level. IL4 cloud services must be dedicated to DoD use and hosted in DoD facilities or by authorized commercial providers. Connections must be through DoD networks or encrypted links over public networks.

Impact Level 5 (IL5)

IL5 covers CUI deemed critical to DoD missions, as well as unclassified National Security Systems. It requires a high confidentiality and integrity level, with systems hosted in dedicated DoD or federal facilities. All connections must be through secure DoD networks.

Impact Level 6 (IL6)

IL6 is reserved for classified information up to the Secret level. It has the most stringent security requirements, with systems hosted in highly secure DoD facilities and connected only to classified networks. Commercial providers are not authorized to host IL6 data.

Relation to FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment and authorization for cloud services used by federal agencies. FedRAMP has three impact levels based on NIST standards: Low, Moderate, and High.

DISA’s impact levels build upon the FedRAMP framework. IL2 is roughly equivalent to FedRAMP Moderate, while IL4 and IL5 have additional controls specific to DoD needs. FedRAMP High does not fully meet DoD requirements for classified systems at IL6.

However, DISA does leverage FedRAMP authorizations as a baseline for its own assessments. Cloud providers with a FedRAMP Moderate authorization, for example, can seek an IL2 provisional authorization from DISA by demonstrating compliance with additional DoD controls.

Key Security Controls

Each DISA impact level mandates a set of security controls that cloud providers must implement to protect DoD data. These controls cover areas such as:

Access Control

Higher impact levels require stricter controls on user authentication and authorization, such as multi-factor authentication, role-based access control, and logging of all access attempts.

Encryption

Data must be encrypted both at rest and in transit using FIPS 140-2 validated cryptographic modules. Higher impact levels require stronger encryption algorithms and key management practices.

Incident Response

Cloud providers must have documented incident response plans and procedures to detect, analyze, contain, and report security incidents affecting DoD data. Response times and reporting requirements become more stringent at higher impact levels.

Personnel Security

All personnel with access to DoD data must undergo background checks and security clearances commensurate with the impact level. Non-US citizens are generally not permitted to access data at IL4 and above.

Physical Security

Data centers hosting DoD clouds must meet strict physical security requirements, including access controls, monitoring, and protection against environmental hazards. IL5 and IL6 require dedicated DoD or federal facilities.

Provisional Authorizations

To host DoD data, cloud providers must obtain a provisional authorization from DISA at the appropriate impact level. This involves a rigorous assessment of the provider’s security controls, processes, and facilities against DoD standards.

The provisional authorization process typically includes:

  1. Documentation review: The provider submits extensive documentation on their cloud offering, including system security plans, incident response plans, configuration management plans, and personnel security policies.
  2. Vulnerability scanning and penetration testing: DISA conducts thorough technical testing of the cloud environment to identify any security weaknesses or misconfigurations.
  3. Site visits: DISA assessors visit the provider’s facilities to verify physical security controls and interview key personnel.
  4. Continuous monitoring: Once authorized, the provider must participate in DISA’s continuous monitoring program, which includes ongoing vulnerability scanning, incident reporting, and annual reassessments.

A provisional authorization is not a blanket approval for DoD use. Each DoD agency must still assess the risks and grant an Authority to Operate (ATO) for their specific mission needs. However, the provisional authorization provides a solid baseline that streamlines the agency ATO process.

Secure Cloud Computing Architecture

To facilitate DoD’s adoption of commercial cloud services, DISA has developed the Secure Cloud Computing Architecture (SCCA). The SCCA provides a set of boundary security services that enable DoD systems to connect securely to authorized commercial clouds.

Key components of the SCCA include:

Cloud Access Point (CAP)

The CAP is a DISA-managed boundary between the DoD networks and commercial cloud providers. It provides security functions such as traffic inspection, filtering, and monitoring. All traffic between DoD and IL4/IL5 commercial clouds must pass through the CAP.

Virtual Datacenter Security Stack (VDSS)

The VDSS is a suite of virtual security appliances that can be deployed within the commercial cloud environment to provide additional security controls, such as firewalls, intrusion detection, and web application security.

Trusted Cloud Credential Manager (TCCM)

The TCCM is a DISA service that enables secure, federated authentication and authorization between DoD systems and commercial clouds. It ensures that only authorized DoD users can access cloud resources using their DoD common access cards (CAC).

By leveraging the SCCA, DoD agencies can take advantage of the scalability and innovation of commercial cloud offerings while still meeting the strict security requirements of their mission.
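The hosting and connectivity rules in the impact-level overview, together with the CAP requirement described above, are easy to lose track of once a programme has several systems at different levels. The following is an added example (my own code, not a DISA or CC SRG tool) of treating those rules as policy-as-code: a system's data categories determine its minimum impact level, and a proposed deployment is then checked against that level's hosting, connection, CAP and FIPS 140-2 constraints. The category labels, the hosting and connection tiers, and the three sample deployments are constructed for illustration and are not CC SRG terminology.

```python
"""Policy-as-code check of proposed cloud deployments against the DISA
impact-level constraints described in the article.

Added example, not DISA tooling. Category labels, hosting/connection
tiers and the sample deployments below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Minimum impact level implied by each data category (assumed labels).
CATEGORY_MIN_IL = {
    "public_release": 2,
    "non_critical_mission": 2,
    "cui": 4,               # e.g. FOUO data
    "critical_cui": 5,      # CUI deemed critical to DoD missions
    "unclassified_nss": 5,  # unclassified National Security Systems
    "classified_secret": 6,
}

# Hosting and connection options ordered from least to most restrictive.
# A stricter option satisfies any level that accepts a weaker one.
HOSTING_RANK = {
    "commercial_shared": 0,     # public multi-tenant cloud
    "commercial_dedicated": 1,  # authorized provider, dedicated to DoD
    "federal_facility": 2,
    "dod_facility": 3,
}
CONNECTION_RANK = {
    "internet": 0,
    "encrypted_public": 1,  # encrypted link over a public network
    "dod_network": 2,
    "classified_network": 3,
}

# Minimum hosting and connection tier per impact level, from the overview.
IL_RULES = {
    2: {"min_hosting": "commercial_shared", "min_connection": "internet"},
    4: {"min_hosting": "commercial_dedicated", "min_connection": "encrypted_public"},
    5: {"min_hosting": "federal_facility", "min_connection": "dod_network"},
    6: {"min_hosting": "dod_facility", "min_connection": "classified_network"},
}


@dataclass(frozen=True)
class Deployment:
    name: str
    data_categories: frozenset
    hosting: str
    connection: str
    traffic_via_cap: bool        # routed through the DISA Cloud Access Point
    fips_validated_crypto: bool  # FIPS 140-2 validated modules at rest/in transit


def required_level(categories) -> int:
    """Return the highest impact level implied by the data categories."""
    unknown = set(categories) - CATEGORY_MIN_IL.keys()
    if unknown:
        raise ValueError(f"unknown data categories: {sorted(unknown)}")
    return max(CATEGORY_MIN_IL[c] for c in categories)


def evaluate(dep: Deployment) -> tuple[int, list[str]]:
    """Return (required level, list of findings); an empty list means compliant."""
    level = required_level(dep.data_categories)
    rule = IL_RULES[level]
    findings = []
    if HOSTING_RANK[dep.hosting] < HOSTING_RANK[rule["min_hosting"]]:
        findings.append(f"IL{level}: hosting '{dep.hosting}' is below the minimum "
                        f"'{rule['min_hosting']}'")
    if CONNECTION_RANK[dep.connection] < CONNECTION_RANK[rule["min_connection"]]:
        findings.append(f"IL{level}: connection '{dep.connection}' is below the minimum "
                        f"'{rule['min_connection']}'")
    # SCCA rule: DoD traffic to IL4/IL5 commercial clouds must traverse the CAP.
    if level in (4, 5) and dep.hosting.startswith("commercial") and not dep.traffic_via_cap:
        findings.append(f"IL{level}: traffic to a commercial cloud must pass through the CAP")
    if not dep.fips_validated_crypto:
        findings.append("data at rest and in transit must use FIPS 140-2 validated modules")
    return level, findings


# Constructed sample deployments (not real systems).
SAMPLE_DEPLOYMENTS = [
    Deployment("telemetry-archive", frozenset({"public_release"}),
               "commercial_shared", "internet", False, True),
    Deployment("ground-station-ops", frozenset({"cui", "non_critical_mission"}),
               "commercial_dedicated", "internet", False, True),
    Deployment("ssa-fusion", frozenset({"critical_cui"}),
               "commercial_dedicated", "dod_network", True, False),
]

if __name__ == "__main__":
    for dep in SAMPLE_DEPLOYMENTS:
        level, findings = evaluate(dep)
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{dep.name}: IL{level} required, {status}")
        for f in findings:
            print(f"  - {f}")
```

Running the script reports the first deployment as compliant at IL2, the second as IL4 with an unencrypted public connection and no CAP path, and the third as IL5 with commercial hosting and non-validated cryptography. The tiered ranking is the design choice worth noting: encoding "a stricter option satisfies a lower level" as an ordering keeps the rule table to one line per level instead of enumerating every accepted combination.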

Use Cases and Success Stories

DoD agencies are increasingly adopting cloud computing to improve agility, reduce costs, and enable new capabilities. Some notable examples include:

U.S. Air Force Cloud One

The Air Force has established a multi-cloud environment, known as Cloud One, to host a variety of applications and services at IL2, IL4, and IL5. Cloud One includes both DISA-managed milCloud offerings and commercial services from Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

U.S. Army cARMY

The Army has migrated its enterprise resource planning (ERP) system, known as the General Fund Enterprise Business System (GFEBS), to a commercial cloud environment at IL4. This has enabled the Army to reduce costs, improve performance, and adopt modern DevSecOps practices.

Defense Health Agency (DHA)

The DHA has leveraged IL5 cloud services to host a variety of healthcare applications, including the Armed Forces Health Longitudinal Technology Application (AHLTA) and the Defense Medical Information Exchange (DMIX). These cloud-based systems have improved the delivery of healthcare services to military members and their families.

Relevance to Space Economy Businesses

The DISA impact level framework is not only relevant for DoD agencies and contractors, but also for commercial companies operating in the space economy. As the space sector becomes increasingly intertwined with national security interests, businesses that provide space-related services or handle sensitive data may need to comply with DISA standards.

For example, satellite communications providers that support DoD missions may need to host their ground systems and data processing in IL4 or IL5 cloud environments. Space situational awareness companies that collect and analyze data on space objects may need to protect that information at the appropriate impact level, especially if it is used for military purposes.

Even space startups and commercial space companies may find themselves subject to DISA requirements if they partner with DoD agencies or receive funding from defense-related sources. Understanding the impact level framework and the associated security controls can help these businesses navigate the complex regulatory landscape of the space economy.

Moreover, as the space economy grows and matures, it is likely that similar security frameworks will emerge specifically for the space sector. The DISA impact levels provide a useful model for categorizing the sensitivity of space-related data and systems, and for defining a graduated set of security requirements. By aligning with these established standards, space economy businesses can demonstrate their commitment to security and build trust with government customers and partners.

Summary

DISA’s impact level framework provides a clear and consistent approach to securing DoD data in cloud environments. By defining specific security requirements for each level, DISA enables DoD agencies to adopt cloud computing with confidence, while also providing a path for commercial providers to enter the defense market.

As DoD continues to modernize its IT infrastructure and adopt new cloud-based capabilities, understanding and complying with DISA impact levels will be essential for success. With the right security controls and architectures in place, DoD can harness the power of cloud computing to enhance its mission effectiveness and stay ahead of evolving threats.

Moreover, the relevance of the DISA framework extends beyond the traditional defense sector to the growing space economy. As space becomes an increasingly critical domain for national security and economic growth, businesses operating in this sector will need to navigate a complex web of security requirements and regulations. By aligning with established standards like the DISA impact levels, space companies can position themselves for success in serving both government and commercial customers.
