V-259883
SV-259883r959010_rule
CAT II
The Mission owner must obtain Authorizing Official (AO) authorization for each cloud service offering (CSO) implemented in support of production or development environments prior to operational use.
From: Cloud Computing Mission Owner Operating System Security Requirements Guide (V1R3)
Description
<VulnDiscussion>The Mission Owner must choose a CSO that fits the operational needs and also has a DOD Provisional Authorization (PA) at the information Impact Level corresponding to the categorization of the information to be processed or stored in the CSO. The PA and supporting documentation must then be leveraged by the Mission Owner's AO in granting the required Authority to Operate (ATO) for the mission system operating within the cloud.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
Review the approval documentation. Verify the ATO indicates the component level AO has authorized the use of the CSO.
If the Mission Owner's AO has not authorized the use of the CSO, this is a finding.
Fix Text
This applies to all Impact Levels.
FedRAMP Moderate, High.
Obtain AO authorization for each CSO implemented in support of production or development environments prior to operational use.
CCI Reference
CCI-000366- Created
- 2026-04-07 20:08:14
- Last Updated
- 2026-04-07 20:08:14