Defense Information Systems Agency (DISA)
Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

Use this form to make initial contact with the DISA Cloud Support Office regarding a request for assessment, registration, and/or connection to the DISA CAP for a cloud service offering. Please email this completed form to disa.meade.re.mbx.disa-commercial-cloud@mail.mil

Form Release Date 14 August 2016

Submitted to DISA's DoD Cloud Support Office by:
  Signature (Prefer CAC Digital)
  Date

Received by DISA's DoD Cloud Support Office:
  Signature (Prefer CAC Digital)
  Date

A. Cloud Service Provider (CSP), CSP Sponsor, & CSO Information:

CSP
DoD CSP Sponsor
Third-Party Assessment Organization (3PAO) or DoD Approved Assessor
CSO Title
Website

If the sponsor has a Cloud Information Technology Project (C-ITP) projected to use this CSO, please have the sponsor fill out a C-ITP Initial Contact Form and provide the C-ITP title here for reference.
Title

Cloud Service Model
  IaaS - Infrastructure as a Service
  PaaS - Platform as a Service
  SaaS - Software as a Service

Data Impact Level
  1 - Not Used
  2 - Non-controlled Unclassified Information
  3 - Not Used
  4 - Controlled Unclassified Information (non-National Security Systems (NSS))
  5 - Controlled Unclassified Information (NSS)
  6 - Classified Information (up to Secret)

Cloud Deployment Model
  Private Cloud
  Community Cloud
  Public Cloud
  Hybrid Cloud

CSO Description

Target Cloud Access Point(s) (CAP(s))
  DISA CAP
  Navy CAP

Target Date of Operation
Target Date of Connection
Physical Location(s) of the CSP-CSO Environment

Location of the Users for this CSO
  A - CONUS
  B - Europe
  C - Pacific
  D - Southwest Asia
  E - Other
  (and)
  1 - NIPRNet Only
  2 - NIPRNet and Internet
  3 - Internet Only
  4 - Other

B. Federal Risk and Authorization Program (FedRAMP) Assessment Status:

FedRAMP Package
Package ID
Authorizing Agency
Authorization Date
Authorization Expiration Date

Type of FedRAMP Authorization
  Joint Authorization Board (JAB) Authority to Operate (ATO)
  United States (US) Government Agency ATO

Status of FedRAMP Authorization
  Not Submitted
  Submitted (Not Complete)
  Completed

Status Narrative
  Has a System Security Plan (SSP) been written, has an assessor been engaged, when would the CSP submit the DoD SSP Addendum to initiate the assessment, etc.

1. Does the CSP request that DISA perform the FedRAMP+ assessment of the CSO?
   If NO, identify the DoD Organization that will perform the FedRAMP+ assessment in collaboration with DISA.
C. Information Used to Assess Mission Priority:

1. Does this effort directly support a high profile DoD Mission as recognized by a DoD CIO or J6? If so, please provide POC information:
   DoD CIO or J6

2. Does this effort directly support a DoD contract? If so, please provide Contract & Contract POC information:
   Contract Name or Number
   Contract

3. Is this CSP-CSO in use by an existing DoD IT Project and is migrating to a multi-tenant or public cloud deployment? If so, please provide IT Projects POC information:
   Name of IT Project currently using CSP-CSO
   IT Project
   Name of 2nd IT Project in New Deployment
   2nd IT Project
D. Information Used for Initial Technical Planning:

These questions are only for connection to the DISA CAP. Please fill in as much information as possible. This information will be used to assess the CSO maturity for setting priorities.

1. Is there an existing physical or logical communications path between the CSP enclave and the DISN? If so, what is the existing Command Communications Service Designator (CCSD)?
   CCSD
2. Is a new physical or logical circuit (L3VPN, IPSec, etc.) required between the CSP and the CAP/MeetMe Point?
3. What is the CAP connection type required?
4. Provide the diversity requirement (network redundancy type requirement).
5. Provide the estimated bandwidth requirement.
6. Provide the required number of estimated concurrent users.
7. Provide additional performance requirements (latency maximums, packet loss, jitter, etc.).
8. What applications / services / protocols / ports are within the CSO? (i.e., Mail, DNS, Web Browsing, Voice, Chat, Video, etc.)
9. Provide application profile names applicable to the CSO using the descriptions from the Palo Alto Networks website (https://applipedia.paloaltonetworks.com).
10. What is the IP space utilized by the CSO?
11. Provide reference identification numbers for these databases when available.
    PPSM
    SNAP
12. Provide network / enclave / system topology diagrams with this form (if available).
E. Information Used for Initial Security Assessment Planning:

Please fill in as much information as possible. This information will be used to assess the CSO maturity for setting priority.

1. Does the CSO plan to support information subject to privacy protection?
2. Does all customer data remain under US jurisdiction while stored or processed?
3. Will there be only DoD and Federal Government tenants (customers) on the CSO and underlying infrastructure?
4. Is there strong virtual separation among the tenants / missions for both data storage and processing, having the ability to meet search and seizure requests for non-DoD information and data without release of DoD information and data?
5. If the CSO is responsible for authentication of entities and/or identifying a hosted DoD information system, can the CSO integrate with the DoD PKI in accordance with DoDI 8520.03?
6. Do the data processing facilities meet the requirements defined in the FedRAMP Moderate baseline and FedRAMP+ C/CEs related to physical security?
7. Does the CSP establish personnel position sensitivity risk determinations based on OPM guidance and the Position Sensitivity Tool?
8. Can DoD data at rest be encrypted with FIPS 140-2 validated cryptography?
9. Does only the customer have full control of generation, management, use, and destruction of the crypto keys?
10. Will the CSO force all DoD traffic to and from the CSP infrastructure through a DoD cloud access point (CAP)?
11. For off-premises infrastructure, does the architecture include connecting via one or more boundary CAPs (BCAPs)?
12. For SaaS offerings, does the CSO implement defense-in-depth measures?
13. Does the CSP have an incident response plan (or addendum) meeting the DoD requirements?
14. Will the CSP report all incidents via the on-line Defense Industrial Base (DIB) Cyber Incident Collection Form?
15. Do appropriate personnel have or are willing to secure either a DoD PKI certificate or DoD-approved medium assurance External Certificate Authority (ECA) certificate for secure communications with DoD entities regarding C2 or CND functions?
16. Will the CSP receive, act upon, and report compliance with CND Tier II directives and notifications?
17. Is the CSP already a member of the DIB Cyber Security / Information Assurance Program or willing to become one?