The Mission owner must obtain Authorizing Official (AO) authorization for each cloud service offering (CSO) implemented in support of production or development environments prior to operational use.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-259883	SRG-OS-000480	SRG-OS-000480-CLD-000025	SV-259883r959010_rule	2024-12-19	1

Description
The Mission Owner must choose a CSO that fits the operational needs and also has a DOD Provisional Authorization (PA) at the information Impact Level corresponding to the categorization of the information to be processed or stored in the CSO. The PA and supporting documentation must then be leveraged by the Mission Owner's AO in granting the required Authority to Operate (ATO) for the mission system operating within the cloud.

Description

The Mission Owner must choose a CSO that fits the operational needs and also has a DOD Provisional Authorization (PA) at the information Impact Level corresponding to the categorization of the information to be processed or stored in the CSO. The PA and supporting documentation must then be leveraged by the Mission Owner's AO in granting the required Authority to Operate (ATO) for the mission system operating within the cloud.

ℹ️ Check
Review the approval documentation. Verify the ATO indicates the component level AO has authorized the use of the CSO. If the Mission Owner's AO has not authorized the use of the CSO, this is a finding.

✔️ Fix
This applies to all Impact Levels. FedRAMP Moderate, High. Obtain AO authorization for each CSO implemented in support of production or development environments prior to operational use.