Azure Government FedRAMP FAQ

Let’s face it—FedRAMP is a tough nut to crack! There is so much to the process and so much at stake when it comes to managing the risk of your information systems in the cloud. So let’s start with the basics–this Azure FedRAMP compliance FAQ gives you a plain-English primer on FedRAMP, Azure Commercial, Azure Government, and the step-by-step process you must go thru to get an Azure-based system to be FedRAMP certified.

What is FedRAMP?

The Federal Risk and Authorization Management Program, or FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Federal Agencies, including all federal departments and offices, must ensure that all cloud systems that process, transmit, or store Government information comply with FedRAMP.

FedRAMP authorizes cloud systems in a three step process:

1. Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
2. Leveraging and Authorization:  Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
3. Ongoing Assessment & Authorization:  Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.

Who are the FedRAMP stakeholders?

There are four main players in the FedRAMP process: Agencies, Cloud Service Providers (CSP)s, Third Party Assessment Organizations (3PAOs), and the Joint Authorization Board (JAB):

• Agencies are responsible for selecting a cloud service, leveraging the FedRAMP Process, and requiring CSPs to meet FedRAMP requirements.
• CSPs provide the actual cloud service to an Agency, and must meet all FedRAMP requirements before they implement their services.
• 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements.
• The JAB is FedRAMP’s primary decision-making body, and is comprised of the CIOs from DOD, DHS, and GSA.  In addition to the JAB, OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) play keys roles in effectively running FedRAMP.

What is the actual FedRAMP process?

To become “FedRAMP certified”, a cloud system must complete all phases of the FedRAMP Security Assessment Framework (which is based on the NIST Risk Management Framework):

1. Document: The CSP documents the System Security Plan (SSP) for their cloud system in the Document phase by categorizing the system, selecting the appropriate security controls, and implementing these security controls. This phase incorporates steps 1-3 of the NIST Risk Management Framework (RMF).
   1. To categorize the system, the CSP determines the information types and completes a FIPS PUB 199 worksheet to categorize what types of data are (or can be) contained within the system to determine the impact level for the system.
   2. After completing a categorization in accordance with FIPS PUB 199, the CSP selects the FedRAMP security controls baseline (low, moderate, or high) that matches the FIPS PUB 199 categorization level.
   3. Once the CSP has selected the FedRAMP security control baseline, the next step is to implement the security controls related to that impact level. For most providers, many of the controls are already implemented but need to be described adequately within the FedRAMP templates.
2. Assess: CSPs must use an independent assessor to test the information system to demonstrate that the controls are effective and implemented as documented in the SSP. This assessment starts with documenting the methodology and process for testing the control implementation in the Security Assessment Plan (SAP).
3. Authorize: Once testing has been completed, the next step is for AOs to make an authorization decision based on the completed package of documents and the risks identified during the testing phase.
4. Monitor: Ongoing assessment and authorization, hereinafter referred to as continuous monitoring, is the third and final process for cloud services in FedRAMP. Once a CSP receives a FedRAMP Authorization (JAB or Agency), it must implement a continuous monitoring capability to ensure the cloud system maintains an acceptable risk posture.

What is an ATO and a P-ATO?

After completing a security assessment, the head of an agency (or their designee) can authorize the system for use, or grant an Authorization to Operate (ATO). An agency grants an ATO according to a risk-based framework that analyzes how a vendor has implemented the security controls within their IT environment.

A FedRAMP Provisional (P)-ATO is an initial approval of the CSP authorization package by the JAB that an executive department or agency can leverage to grant a security authorization and an accompanying ATO for the acquisition and use of the cloud service within their agency. The FedRAMP JAB consists of the Chief Information Officers (CIOs) from DOD, DHS, and GSA, supported by designated technical representatives (TRs) from their respective member organizations. Before granting a P-ATO, the JAB reviews the CSP authorization package in much the same way a leveraging agency would — by reviewing the body of evidence contained in the authorization package provided by the CSP and verified by an accredited 3PAO — to make risk-based decisions regarding the use of a cloud system.

Where can I get more information about FedRAMP?

Please visit www.fedramp.gov for more information about FedRAMP.

What is Azure Government?

Microsoft Azure Government delivers a cloud platform built upon the foundational principles of security, privacy & control, compliance, and transparency.

Public Sector entities receive a physically isolated instance of Microsoft Azure that employs world-class security and compliance services critical to U.S. government for all systems and applications built on its architecture. These services include FedRAMP and DoD compliance certifications, CJIS state-level agreements, the ability to issue HIPAA Business Associate Agreements, and support for IRS 1075.

Operated by screened U.S. persons, Azure Government supports multiple hybrid scenarios for building and deploying solutions on-premises or in the cloud. Public Sector entities can also take advantage of the instant scalability and guaranteed uptime of a hyper-scale cloud service.

Azure Government includes the core components of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). This includes infrastructure, network, storage, data management, identity management, and many other services.

What is the difference between Azure, Azure Government, and Azure Government DoD?

Did you know there are 3 Azure clouds? The three Azure clouds are: Azure commercial, Azure Government, and Azure Government DoD. While all three are essentially the same underlying technology, there are some differences you should know about. Here’s the differences between them:

• Azure Government is available for federal/state/local government customers only.
• Azure Government Department of Defense (DoD) is available for DoD customers only.
• Azure Government is a physically isolated instance of Azure. In other words, Azure Government has its own data centers (organized into regions), its own personnel, and even its own network fiber that is separate from Azure commercial. Please see the latest information about Azure regions here: https://azure.microsoft.com/en-us/regions/
• Azure Government DoD is a physically isolated instance of Azure Government. It to has its own data centers, personnel and network fiber that is separated from both Azure Government and Azure commercial.
• Azure Government/DoD has screened U.S. citizens and policies to help protect customer data and applications.
• Azure Government/DoD stores data within the United States only.
• Azure Government/DoD offers continuous commitment to meet rigorous compliance demands (i.e. FedRAMP, CJIS, and HIPAA) of a government-community cloud.

How do I get a FedRAMP ATO for my Azure/Azure Government system?

FedRAMP authorizes cloud systems in a three step process:

1. Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
2. Leveraging and Authorization:  Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
3. Ongoing Assessment & Authorization:  Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.

Full details of the FedRAMP Security Assessment Framework can be found here: https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/482/2016/06/FedRAMP-Security-Assessment-Framework-v2-1.pdf

ATO as a Service™ Automates FedRAMP Compliance for Azure and Office 365

cFocus Software automates the FedRAMP ATO process with our exclusive ATO as a Service™ offering–potentially reducing FedRAMP ATO timeframes by as much as 25%!

More Information