DISA STIGS Viewer

The Mission Owner must add all applicable compensating controls and requirements in the Service Level Agreement (SLA)/contract with the cloud service provider (CSP) or third-party provider.

Overview

Finding ID: V-259888
Version: SRG-OS-000480-CLD-000035
Rule ID: SV-259888r1056071_rule
IA Controls:
Severity: Medium
Description
STIG: Cloud Computing Mission Owner Operating System Security Requirements Guide
Date: 2024-12-19

Details

Check Text (C-63619r945650_chk)
Verify that the SLA with the CSP and third-party providers includes all required compliance items in the Cloud Computing Mission Owner SRG.

If the Mission Owner does not add all required compensating controls and requirements in the SLA/contract with the CSP or third-party provider, this is a finding.
Fix Text (F-63526r1056070_fix)
This applies to all Impact Levels.
FedRAMP Moderate, High.

Review Sections 3.3.6 and 3.3.7 of the Cloud Computing Mission Owner SRG Overview. Document all applicable compensating controls and requirements in the SLA/contract with the CSP or third-party provider.

Update the SLA/contract with any revised guidance in Cloud Computing SRG updates. If there is a period of noncompliance, document the risk.