Key Takeaways
- Mandatory Attestation for CSPs: The 2022 DoD CC SRG requires Cloud Service Providers (CSPs) that offer hosting or financial applications relevant to DoD financial statement assessments to obtain a SOC 1® Type 2 report.
- Impact Level (IL) Applicability: This requirement specifically applies to CSPs that have achieved Impact Level 4 (IL4) or Impact Level 5 (IL5) status, which designates the level of data sensitivity they handle.
- Required Control Scope: The SOC 1® Type 2 assessment must include IT general control objectives. Additionally, Application Service Providers (ASPs) must add business process control objectives related to the management of applicable financial data.
DoD SRG & SOC 1®
Did you know that, according to the 2022 Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG), Cloud Service Providers (CSPs) with IL4 or IL5 status may need a SOC 1® report?
Defining IL 4 & IL 5
“IL” stands for Impact Level, which is based on the sensitivity of the information stored or processed and on the potential impact that a loss of confidentiality, integrity, or availability of that information could have if it were compromised.
Multiple classifications are used for organizations working with the DoD, but the most pertinent to the 2022 DoD SRG are IL4 and IL5.
- DoD IL4 – IL4 organizations must adhere to the elevated FedRAMP Moderate control requirements and the security requirements defined in Section 5 of the CC SRG.
- DoD IL5 – IL5 organizations are able to host unclassified National Security Systems (NSSs) supporting DoD missions. This comes with additional controls on top of the IL4 controls.
Why Your Organization Needs a SOC 1®
Any cloud service or data hosting organization that offers hosting or delivers financial or non-financial applications relevant to DoD financial statement assessments will be required to have a SOC 1® Type 2 report with IT general control objectives.
In addition, Application Service Providers (ASPs) will need to add business process control objectives for how they may manage applicable financial data.
Many organizations have already received a letter about compliance for the next year, but the SOC 1® Type 2 period is Oct. 1 to Jun. 30 every year, so now is the perfect time to jump on the necessary compliance attestations.
Choosing an Experienced SOC 1® Partner
Auditwerx’s experienced SOC 1® team is here to support your organization’s compliance needs. When it comes to the DoD SRG, we can offer the SOC 1® Type 2 services you need, and we can work with your existing compliance partners to ensure your assessment is completed in a timely and transparent manner.
FAQs
What does the DoD CC SRG require for organizations that manage cloud services for the Department of Defense?
The DoD Cloud Computing Security Requirements Guide (CC SRG) outlines the security and compliance requirements for Cloud Service Providers (CSPs). The 2022 update emphasizes that CSPs dealing with systems relevant to DoD financial statements must secure a specific SOC 1® Type 2 compliance report.
What do Impact Levels (IL4 and IL5) signify under the DoD SRG?
Impact Level (IL) indicates the sensitivity of the information stored and the potential negative impact if that data’s confidentiality, integrity, or availability were compromised. IL4 organizations must meet elevated FedRAMP Moderate controls, while IL5 organizations can host unclassified National Security Systems (NSSs) with additional security controls.
Which specific compliance attestation report is now mandated under the 2022 DoD SRG update?
For eligible cloud and data hosting organizations, the update mandates a SOC 1® Type 2 compliance report. This report must specifically include IT general control objectives to verify the security of the systems supporting the financial statement assessments.
What is the standard assessment period that must be covered by the required SOC 1® Type 2 report for the DoD SRG?
To meet the continuous compliance requirement, the mandated SOC 1® Type 2 report must cover an assessment period spanning from October 1 to June 30 of every year. Organizations must plan proactively to ensure this attestation is completed in a timely manner.