For Impact Levels 4 and 5, the Mission Owner must register all cloud-based services, their CSP/CSO, and connection method in the DISA Systems/Network Approval Process (SNAP) database Cloud Module.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
mediumV-259877SRG-OS-000368SRG-OS-000368-CLD-000040SV-259877r958804_rule2024-12-191
Description
Register all cloud-based systems and applications, including the cloud service provider (CSP)/cloud service offering (CSO) name, Mission Cyberspace Defense (MCD), and connection method in the DISA SNAP database Cloud Module. SNAP registration will enable cloud services to be connected to the DISA Information Systems Network (DISN) and is crucial for situational awareness. SNAP registration documentation must include designating a certified cybersecurity service provider (CSSP) as the Tier 2 Computer Network Defense (CND). If applicable, the IP address of the cloud service must be configured in accordance with the Mission Owner's IP registration in SNAP so they do not repurpose an already registered IP for new services without updating the SNAP registration. SNAP: https://snap.dod.mil/gcap/home.do Connection Approval: https://www.disa.mil/Network-Services/Enterprise-Connections/Connection-Approval
ℹ️ Check
If this is a Software as a Service (SaaS) Impact Level 2 implementation, this is not applicable. Verify the CSP's cloud service offering is registered in SNAP for the connection approval, and it is the one being used in the cloud management portal. If the IP address registered in SNAP is not configured for use with the approved cloud environment, this is a finding.
✔️ Fix
This applies to Impact Levels 4 and 5. FedRAMP Moderate, High. Register the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) CSP's cloud service offering in SNAP for the connection approval. Register the IP address that the cloud service offering uses for the cloud management portal.