The Department of Defense has released a playbook designed to help software development managers, mission owners and developers improve the cybersecurity of applications hosted in cloud environments.
The Cloud Security Playbook, cleared for public release on Feb. 26, seeks to address the most common cloud security vulnerabilities and threats and intends to help mission owners hosting software in the cloud quickly achieve an Authorization to Operate, or ATO.
The document comes in two volumes. The first volume is intended to prepare organizations for cloud adoption and to help users understand key concepts, such as the shared responsibility model, impact levels and the requirement for a DOD provisional authorization or ATO for cloud services.
Preparing Organizations for Cloud Adoption
The playbook suggests several actions to prepare an organization for using a cloud, such as setting up a cloud governance team, developing a cloud migration strategy and establishing a budget to implement the cloud migration strategy.
Other measures outlined in the document are developing organizational policies on cloud usage, creating a cloud exit strategy, defining the roles and responsibilities of those who will have cloud access and training the workforce on cloud security.
Implementing Secure Identity, Credential & Access Management
The document calls for the implementation of identity, credential and access management, or ICAM.
Recommended actions under this section include implementing and enforcing the principle of least privilege, or PoLP, for each cloud resource; requiring phishing-resistant multifactor authentication; using context-based access control policies; reviewing those policies prior to deployment and periodically after deployment to identify potential gaps; and considering requiring administrators to access cloud resources using privileged access workstations.
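As an added illustration of the policy review step (example code written for this summary, not from the playbook itself): a small pre-deployment check over a constructed AWS-style IAM policy document that flags statements violating least privilege (wildcard actions or resources not scoped to a specific cloud resource) and privileged actions allowed without an MFA condition. The IAM JSON format, the sample policy and the list of privileged action prefixes are assumptions made for the example.

```python
import json

# Constructed sample policy (not from the playbook): one overly broad statement,
# one scoped statement lacking an MFA condition on a privileged action, and
# one statement that passes every check.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverywhere", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DeleteBucket", "Effect": "Allow", "Action": ["s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Action prefixes treated as privileged by this check (assumed list, not the playbook's).
PRIVILEGED_PREFIXES = ("iam:", "s3:Delete", "ec2:Terminate", "*")

def as_list(value) -> list:
    """IAM accepts a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def has_mfa_condition(stmt: dict) -> bool:
    """True if the statement requires aws:MultiFactorAuthPresent to be true."""
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False

def review_policy(policy_json: str) -> list:
    """Return one finding per gap; an empty list means no gaps were detected."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not gaps
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action violates least privilege")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to a specific cloud resource")
        privileged = [a for a in actions if a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not has_mfa_condition(stmt):
            findings.append(f"{sid}: privileged action(s) {privileged} allowed without an MFA condition")
    return findings
```

Running `review_policy(SAMPLE_POLICY)` yields four findings: three for the AdminEverywhere statement and one for DeleteBucket, while the MFA-gated ReadOnly statement is clean.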
The initial volume also covers other key plays, such as establishing secure network access, deploying with infrastructure as code, using a cloud-native application protection platform, employing defensive cyberspace operations and deploying user and entity behavior analytics.
Cloud Security Playbook Volume 2
The playbook’s second volume addresses ways to secure containers and microservices, defend DevSecOps pipelines, mitigate third-party risks and ensure the security of artificial intelligence systems and application programming interfaces.
To defend DevSecOps pipelines, recommended actions include adopting a zero-trust approach, using encryption with a FIPS 140-2 approved algorithm, minimizing the use of long-term credentials, implementing endpoint detection and response tools and integrating security testing into the pipeline.