DoD Agency Requirements
Before an agency in the US Department of Defense (DoD) can use a cloud application in production, the agency must first grant it an Authority to Operate (ATO). Before granting an ATO, the agency’s security team needs to make sure that the cloud application is compliant with the security controls at Impact Level (IL) 2, 4, 5, or 6 specified in the DoD Cloud Computing Security Requirements Guide (SRG). After the ATO is granted, the Defense Information System Agency (DISA) or another DoD agency needs to grant an authority to connect the cloud application to DoD networks NIPRNet (for IL4/5) or SIPRNet (for IL6) through a DISA-approved Boundary Cloud Access Point (BCAP).
Watch our video on the DoD Cloud Process for ISV —>