Monitor managing cloud services.


CONTROL ID: 13150
CONTROL TYPE: Monitor and Evaluate Occurrences
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Manage cloud services., CC ID: 13144

This Control has the following implementation support Control(s):
  • Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties., CC ID: 13159


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for. (STA-06, Cloud Controls Matrix, v4.0)
  • Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored. (Annex A: § CLD.12.1.5 ¶ 2, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • For a Level 4 PA, the CSP must provide evidence of strong virtual separation controls and monitoring in support of the ability to meet "search and seizure" requests for non-DoD information and data without the release of DoD information and data and vice-versa. Additionally the strong virtual separa… (Section 5.2.2.2 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • CSP CSOs that are intended to store and process PII and/or PHI (e.g., certain SaaS and PaaS offerings and potentially others) must be additionally assessed against the C/CEs that the Privacy Overlay adds to, or modifies in, the FedRAMP Moderate baseline as well as the FedRAMP+ C/CEs to receive a DoD… (Section 5.1.5.3 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • CSP personnel managing and/or monitoring the CSO infrastructure. This is primarily related to US Persons constraints in regard to the previous item. (Section 5.1.7 ¶ 2 Bullet 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Fully maintaining, patching, monitoring, and protecting the infrastructure, operating systems, and applications supporting all service offerings. (Section 6.4 ¶ 1 Bullet 4, sub-bullet 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Fully maintaining, patching, monitoring, and protecting SaaS service offering OSs and applications including DoD data/information in them. (Section 6.4 ¶ 1 Bullet 4, sub-bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Monitor the rigorous application of cyber policies, principles, and practices in the delivery of planning and management services. (T0505, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)