DoD has just released its first ever Cloud Computing Security Requirements Guide (SRG) addressing how organizations are required to secure services provisioned and provided by commercial cloud service providers:

The Defense Information Systems Agency has issued three new documents targeting cloud security, including two new requirements guides and a new concept of operations, according to a report in C4ISR & Networks.

The three new documents more thoroughly define cloud security and the steps to achieving it, outlining the responsibilities of the organizations and managers increasingly capitalizing on commercial cloud offerings. The release underscores the Defense Department’s growing adoption of commercial cloud offerings.

The cloud access point (CAP) functional requirements document (FRD) prescribes a barrier of protection between the Department of Defense Information Network (DoDIN) and Internet-based public cloud service offerings, directing defense agencies to implement protections for the connection points linking the two. The first DISA-established CAP is a modified NIPRNet federated gateway, according to the documents.

This is long overdue but a very welcome addition to the already very comprehensive security requirements guide and secure technical implementation guide catalog DISA manages.