US Department of Defense (DoD) Provisional Authorization
The Defense Information Systems Agency (DISA) is a combat support agency of the US Department of Defense (DoD). It provides an enterprise information infrastructure, communications support, and a secure, resilient enterprise cloud environment for the DoD, the White House, and any other organization that plays a role in the defense of the United States.
To implement its mandate, DISA developed the DoD Cloud Computing Security Requirements Guide (SRG). The SRG defines the baseline security requirements for cloud service providers (CSPs) that host DoD information, systems, and applications, and for DoD's use of cloud services. It replaces the DoD Cloud Security Model, and maps to the DoD Risk Management Framework and NIST 800-37/53.
DoD Cloud Service Support publishes and maintains the SRG, which defines the policies, security controls, and other requirements that CSPs must meet. It guides DoD agencies and departments in planning and authorizing the use of a cloud service provider, and it evaluates CSP offerings for compliance with the SRG through an authorization process in which CSPs attest to their compliance with DoD standards. Where appropriate, it issues DoD Provisional Authorizations (PAs), so that DoD agencies and supporting organizations can use the authorized cloud services without each having to run a full approval process of their own, saving time and effort.
DISA Cloud Service Support has granted a DoD Impact Level 5 PA to Microsoft Azure Government for DoD, and a DoD Impact Level 5 PA to Office 365 U.S. Government Defense. Impact Level 5 covers Controlled Unclassified Information (CUI) that law, other government regulation, or the agency that owns the information deems to need a higher level of protection than Level 4 provides. It also covers unclassified National Security Systems.
DISA Cloud Service Support has granted a DoD Impact Level 4 PA to both Microsoft Azure Government and Office 365 U.S. Government Defense, based on a review of their FedRAMP authorizations and of the additional security controls required by the Cloud Computing SRG. (FedRAMP, the Federal Risk and Authorization Management Program, is the US government-wide program that standardizes security assessment and authorization of cloud services used by federal agencies.)
Impact Level 4 covers Controlled Unclassified Information—data requiring protection from unauthorized disclosure under Executive Order 13556 (November 2010) and other mission-critical data. It may include data designated as For Official Use Only, Law Enforcement Sensitive, or Sensitive Security Information. This authorization enables US federal government customers to deploy these types of highly sensitive data on in-scope Microsoft government cloud services.
DISA Cloud Service Support granted a DoD Impact Level 2 PA to the following services, in each case on the basis of an existing FedRAMP authorization:
- Azure and Azure Government Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), based on the Provisional Authority to Operate (P-ATO) granted by the FedRAMP Joint Authorization Board (JAB).
- Dynamics 365 U.S. Government Software as a Service (SaaS), based on the Agency FedRAMP Authority to Operate (ATO) granted by the Department of Housing and Urban Development (HUD).
- Office 365 U.S. Government, based on the Agency FedRAMP ATO granted by the Department of Health and Human Services (DHHS).
Impact Level 2 covers Non-Controlled Unclassified Information—data that is authorized for public release. It also covers other unclassified information that, while not considered “mission critical,” still requires a minimal level of access control. This authorization enables US federal government customers to deploy non-sensitive information as well as basic defense applications and websites on in-scope Microsoft cloud services.
Frequently asked questions
All DoD agencies may rely on the DoD Provisional Authorizations granted to Microsoft cloud services as the foundation for any program or initiative that requires a DoD authorization; the same applies to other organizations that support DoD and require cloud services. You will, however, need to obtain your own authorizations for any components that fall outside these services.
In October 2016, the Department of Defense (DoD) promulgated a final rule implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all DoD contractors who process, store, or transmit “covered defense information” through their information systems. The rule states that such systems must meet the security requirements set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or an “alternative, but equally effective, security measure” approved by the DoD contracting officer. Where a DoD contractor uses an external cloud service provider to process, store, or transmit covered defense information, that provider must meet security requirements equivalent to the FedRAMP Moderate baseline.
The following Microsoft cloud services have received a FedRAMP Moderate authorization: Azure, Azure Government, Dynamics 365 U.S. Government, Office 365 MT (multitenant), Office 365 U.S. Government, and Office 365 U.S. Government Defense.
Additionally, Microsoft offerings outside the FedRAMP-authorized boundary that DoD contractors could potentially use to process, store, or transmit “covered defense information” are undergoing a review to meet a December 31, 2017, compliance deadline. Microsoft is working to document how these internal and customer-facing services comply with NIST SP 800-171, or with an acceptable security equivalent, in order to meet the relevant DFARS clauses.
Once granted a DoD PA, Microsoft cloud services are monitored and assessed annually.
Microsoft in-scope cloud services
Covered services for DoD Impact Level 5
- Azure Government for DoD detailed list
- Office 365 U.S. Government Defense
Covered services for DoD Impact Level 4
- Azure Government detailed list
Covered services for DoD Impact Level 2