V-259886

SV-259886r959010_rule

CAT I

The Mission Owner must select and configure an Impact Level 5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Unclassified National Security Information (U-NSI).

From: Cloud Computing Mission Owner Operating System Security Requirements Guide (V1R3)

Description

<VulnDiscussion>U-NSI must be housed on an Impact Level 5 CSO. This is Unclassified National Security Systems (NSS) information and data. This is because NSS-specific security requirements are included in FedRAMP+.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

If the implementation is categorized as Impact Level 2, 4, or 6, this is not applicable. Review the approval documentation and the DISA PA Cloud Catalog. For clouds hosting U-NSI information, verify the CSO is listed as Impact Level 5. If U-NSI is being hosted in the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) and the CSO is not listed in the DISA PA DOD Cloud Catalog as Impact Level 5, this is a finding.

Fix Text

This applies to Impact Level 5. FedRAMP High. For U-NSI information, select and configure a CSO listed in the DISA PA DOD Cloud Catalog for use with Impact Level 5. Specify in the Service Level Agreement (SLA) with the CSP and any third-party providers compliance with applicable STIG configurations.

CCI Reference

CCI-000366

Created: 2026-04-07 20:08:14
Last Updated: 2026-04-07 20:08:14