Skip to main content
CUI

STIG Rule - V-259884

Back to STIG Browser

V-259884

SV-259884r959010_rule

CAT II

The Mission Owner must select and configure an Impact Level 2 FedRAMP authorized cloud service offering (CSO) when hosting unclassified, publicly releasable DOD information.

From: Cloud Computing Mission Owner Operating System Security Requirements Guide (V1R3)

Description

<VulnDiscussion>FedRAMP Moderate is the minimum security baseline for all DOD cloud services. Components and Mission Owners may host unclassified, publicly releasable DOD information on FedRAMP Moderate approved cloud services. This type of CSO is known as Impact Level 2. They may also configure an offering from the DISA PA DOD Cloud Catalog at any Impact Level for use. Low Confidentiality Impact: Mission Owners will only publish, collect, store, or process low confidentiality impact (sensitivity) personally identifiable information (PII) in a CSO minimally possessing a FedRAMP Moderate Provisional Authority to Operate (P-ATO) listed on the FedRAMP Marketplace and a DOD Level 2 Provisional Authorization (PA), with Privacy Officer approval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

If the CSO implementation is categorized as Impact Level 4/5/6, this is not applicable. Review the approval documentation. Verify the cloud service offering is listed in either the FedRAMP or DISA PA DOD Cloud Catalog when hosting unclassified, publicly releasable DOD information. If unclassified, publicly releasable DOD information is being hosted in the IaaS/PaaS and the CSO is not listed in the FedRAMP Marketplace as FedRAMP moderate (at a minimum), or the DISA PA DOD Cloud Catalog, this is a finding.

Fix Text

This applies to Impact Level 2. FedRAMP Moderate, High. Select and configure an Impact Level 2 CSO listed in the FedRAMP Marketplace as FedRAMP moderate, or the DISA PA DOD Cloud Catalog, when hosting unclassified, publicly releasable DOD information.

CCI Reference

CCI-000366
Created
2026-04-07 20:08:14
Last Updated
2026-04-07 20:08:14
Back to Browse
CUI