The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessments, authorizations, and continuous monitoring for cloud products and services. FedRAMP is meant to replace the current process by which federal agencies assess low- and moderate-impact baseline third-party cloud service provider (CSP) systems prior to procurement. Before FedRAMP, individual agencies managed their own assessment methodologies, following guidance loosely set by the Federal Information Security Management Act of 2002 (FISMA).
FedRAMP has not only overhauled the cloud service procurement process for civilian federal agencies; it is also changing how the Department of Defense (DoD) assesses the security of cloud services prior to procurement.
The DoD Approach
The DoD uses the DoD Information Assurance Certification and Accreditation Process (DIACAP) to assess the risk posture of systems before authorizing them for use. On June 26, 2012, the DoD Chief Information Officer (CIO) released a memo designating the Defense Information Systems Agency (DISA) as the Department of Defense Enterprise Cloud Service Broker (ECSB) to manage the use, performance, and delivery of cloud services. In addition, DISA will negotiate relationships between cloud providers and the DoD agency cloud consumers. The memo also stated that DISA would use commercial cloud services that meet FedRAMP requirements.
FedRAMP uses NIST Special Publication (SP) 800-53, among other standards, to establish common cloud computing baselines. To align with the NIST standards, DoD created the Joint Task Force (JTF) Transformation Initiative Interagency Working Group, which included members from DoD, NIST, the Office of the Director of National Intelligence (ODNI), and the Committee on National Security Systems (CNSS), to transition DIACAP to a risk management framework. CNSS has the authority to issue binding guidance for national security systems (NSS) and accordingly issued supplemental guidance for implementing NIST SP 800-53 controls on NSS in CNSS Instruction 1253, Security Categorization and Control Selection for National Security Systems.
For cloud providers, DISA has implemented a pilot program of the DoD Enterprise Cloud Service Broker (ECSB) Cloud Security Model that leverages the FedRAMP authorization process to assess cloud services for use in the DoD. CSPs that do not go through the ECSB security assessment process must obtain a waiver from the DoD CIO.
The Enterprise Cloud Service Broker (ECSB) Assessment Process
The ECSB will leverage FedRAMP provisional authorization and U.S. Government federal authorization to operate (ATO) packages residing in the FedRAMP Secure Repository, including all supporting documentation, as part of the ECSB security assessment process. Once a CSP successfully completes the ECSB security assessment and receives a DISA provisional authorization, it is eligible for use by DoD cloud customers. The CNSS worked with representatives from the civil, defense, and intelligence communities to produce a unified information security framework and to ensure that NIST SP 800-53 contains security controls that meet the requirements of NSS.
The DoD's “FedRAMP plus” controls include additional requirements for defense systems. The additional DoD controls above the FedRAMP baselines are defined for each service type in the following documents:
- Impact Level 1 and 2 in the DoD Enterprise Cloud Service Broker Cloud Security Model, Version 1.2, dated September 18, 2013
- Impact Levels 3 through 5 in the DoD Enterprise Cloud Broker Cloud Security Model, Version 2.0.1, dated December 20, 2013
The additional controls and control enhancements must be implemented and documented by the CSP and will be assessed by DISA when the CSP applies for provisional authorization. As part of the CSP’s continuous monitoring program, the CSP and its Third Party Assessment Organization (3PAO) are responsible for providing evidence of the additional control implementation to the ECSB. The ECSB will use the information received, in combination with all information provided to the FedRAMP Information System Security Officer (ISSO), to recommend whether to re-authorize the CSP as a provisional DoD CSP.
ECSB and DoD Authorization in Action
On November 12, 2013, Autonomic Resources Corporation announced that it had been issued a provisional authorization by the DoD for its Autonomic Resources Cloud Platform (ARC-P) infrastructure-as-a-service offering, making it the only cloud provider offered for DoD-wide acceptance under the Defense Information Systems Agency (DISA) Enterprise Cloud Service Broker catalog. ARC-P was notably the first CSP to obtain FedRAMP provisional authorization, at the end of 2012. After ARC-P achieved FedRAMP authorization, it was further assessed using the DoD cloud security model, taking into account an additional 23 controls and enhancements from NIST SP 800-53 Revision 3. According to Autonomic, ARC-P is now authorized at DoD Impact Levels 1 and 2, meaning it is approved for unclassified public information and unclassified private information.
With a process in place to authorize systems for DoD use, FedRAMP is now not only the pathway for CSPs to certify their services for civilian federal agency procurement, but also a major component of the DoD authorization process. CSPs should contact a 3PAO, such as BrightLine, to discuss their options when applying for a FedRAMP assessment and to ensure they are aware of potential opportunities to market their cloud systems.