The new Cloud Computing Security Requirements Guide (SRG) was recently released by the Defense Information Systems Agency (DISA) to provide guidance and policy to commercial cloud service providers and mission partners in the Department of Defense (DoD) as they explore cloud computing options.

“The SRG is designed to ensure that DoD can attain the full economic and technical advantages of using the commercial cloud without putting the department’s data and missions at risk,” said Mark Orndorff, DISA risk management executive.

The SRG establishes the security objectives to host DoD missions up to and including SECRET on commercial service offerings. Missions above SECRET must follow existing applicable DoD policies and are not covered by the SRG; the SRG incorporates, supersedes and rescinds the previously published Cloud Security Model and applies to all CSP offerings, regardless of who owns or operates the environments.

The SRG serves several purposes:

  • Provides security requirements and guidance to non-DoD owned and operated CSPs that wish to have their service offerings included in the DoD Cloud Service Catalog.
  • Establishes a basis on which DoD will assess the security posture of a non-DoD CSP’s service offering, supporting the decision to grant a DoD Provisional Authorization that allows a non-DoD CSP to host DoD missions.
  • Defines the policies, requirements and architectures for the use and implementation of commercial cloud services by DoD mission owners.
  • Provides guidance to DoD mission owners and assessment and authorization officials (formerly certification and accreditation) in planning and authorizing the use of a CSP.

The SRG is posted on