As federal agencies move to the cloud, they must also be aware that the system they deploy will have to go through an evaluation confirming that its policies and procedures comply with government standards. Specifically for Microsoft Azure Government Cloud, Azure Government Engineering has released an Azure Blueprint Baseline for the Federal Risk and Authorization Management Program (FedRAMP) High Baseline.
While working with my customer to receive an Authorization to Operate (ATO) for our Development and Production Azure environments, David Simsik pointed me to this information and I wanted to make sure all were aware (thanks Dave!). The Azure Blueprint Baseline consists of two documents:
- Azure’s Customer Responsibility Matrix (CRM), and
- System Security Plan (SSP)
These documents are designed to facilitate the secure and compliant use of the Azure Government Cloud by government customers. They serve as a reference guide for understanding the scope of the customer's security responsibilities when architecting solutions in Azure, which helps streamline the path to a FedRAMP ATO.
The FedRAMP High CRM explicitly lists every control that carries a customer implementation requirement, for both PaaS and IaaS environments. This covers controls whose responsibility is shared between Azure Government and Azure customers as well as controls that are implemented entirely by Azure customers. Note that the CRM spreadsheet does not include controls that are implemented solely by Microsoft Azure.
The FedRAMP High SSP template is intended for developing an SSP that covers both the customer's implementations and the controls inherited from Azure Government. The SSP is a comprehensive document that breaks down each control and provides guidance on what the customer's responsibility would be. The customer responsibility sections include guidance on how to write a thorough and compliant control response, while the Azure inheritance sections describe how the control is implemented by Azure Government on behalf of the customer.
The SSP Template outlines specific controls in each applicable section:
- Section 13 outlines the customer responsibilities
- Section 14 provides control language for Azure IaaS inheritance
- Section 15 provides control language for Azure PaaS inheritance
Knowing that these support documents exist, and how to use them, gives you a better understanding of the ATO process, lets you educate the customer, and helps you assemble the supporting information needed to submit for an ATO. They are also a useful guide to the practices involved in implementing a secure cloud infrastructure, whether or not you need to go through the ATO process.
For more details and a very comprehensive article from Microsoft, see https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-plan-compliance.
To request the documents, email Microsoft at AzureBlueprint@microsoft.com.