DISA has finally realized everyone is responsible for DoD cyber security rather than just the professionals:

As the pace of connectivity spurs forward, the job of protecting the networks has also expanded, often beyond the resources of the people meant to protect them. DISA Chief Technology Officer David Mihelcic said that because of the speed and adaptability of bad actors, cybersecurity has now moved to a kind of horizontal altruism that affects multiple elements of the information technology industry.

“Security cannot be the sole domain of cybersecurity specialists,” he said. “It has to be owned by everyone, to include the program managers and engineers who are developing and acquiring the system, the system administrators charged with operating the systems.

“We are going to have specialists. We’re going to have the CPTs — the cyber protection teams. We’re going to have offensive information and our cybersecurity forces as well, but cybersecurity cannot be the sole domain. We, the developers, the technologists and you, our mission partners, need to ensure that the [whole thing] is secure.”

DoD has just released its first-ever Cloud Computing Security Requirements Guide (SRG), addressing how organizations are required to secure services provisioned and provided by commercial cloud service providers:

The Defense Information Systems Agency has issued three new documents targeting cloud security, including two new requirements guides and a new concept of operations, according to a report in C4ISR & Networks.

The three new documents more thoroughly define cloud security and the steps to achieving it, outlining the responsibilities of the organizations and managers increasingly capitalizing on commercial cloud offerings. The release underscores the Defense Department’s growing adoption of commercial cloud offerings.

The cloud access point (CAP) functional requirements document (FRD) prescribes a barrier of protection between the Department of Defense Information Network (DoDIN) and Internet-based public cloud service offerings, directing defense agencies to implement protections for the connection points linking the two. The first DISA-established CAP is a modified NIPRNet federated gateway, according to the documents.

This is long overdue but a very welcome addition to the already very comprehensive catalog of security requirements guides and security technical implementation guides that DISA manages.