FedRAMP and Azure

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure and cost effective cloud-based IT.  The good news is Azure is FedRAMP compliant and has been for years. For those that don't know FedRAMP has multiple governing bodies:

  • Joint Authorization Board (JAB) - Primary governance and decision making is body for FedRamp are the Chief Information Officers (CIOs) from Department of Homeland Security, General Services Administration, and Department of Defense
  • Office of Management and Budget (OMB) - The governing body that issued the FedRAMP policy memo which defines the key requirements and capabilities of the program
  • CIO Council - Disseminates FedRAMP information to Federal CIOs and other representatives through cross-agency communications and events
  • FedRAMP Program Management Office (PMO) - Established within GSA and responsible for the development of the FedRAMP program including the management of day to day operations
  • Department of Homeland Security (DHS) - Manages the FedRAMP continuous monitoring strategy including data feed criteria, reporting structure, threat notification coordination, and incident response
  • National Institute for Standards and Technology (NIST) - Advises FedRAMP on FISMA compliance requirements and assists in developing the standards for the accreditation of independent 3PAOs

Now that we know who is telling us the standards, who do we apply that to Azure?

Azure Gov or Public?

When I was working in a Federal agency years ago one of the early misconceptions was that you could only get FedRAMP compliance in the Azure Gov but that isn't the case at all, you can achieve FedRAMP compliance in both public and gov region, but you have to make sure to evaluate each service as some services are complain and some are not.  To verify the service you want to use has been audited please review Azure services by FedRAMP.

FedRAMP Control Mapping

To be complaint during auditing you will have to show that the FedRAMP controls have been mapped to security settings in Azure, of course you knew at this point you would be using Azure Policy to help achieve this right?  You can find the documentation of the controls for FedRAMP High and FedRAMP Medium already done for you.

Deploy FedRAMP to Azure

Microsoft has done some of the heavy lifting for you here and have provided you an Azure Blueprint to guide your Azure Policy deployments.  These will provide you the governance guard rails to deploy compliant services in your Azure environment.  You will find both FedRAMP High  and FedRAMP Medium blueprints.

FedRamp Audit Report

The other requirement you will need to provide to get your approval will be the audit report for the Microsoft aspects of the controls that are required.  You can find a copy here.

Not Done Yet.....

Just remember while these policies will give you a great head start on your authority to operate (ATO) there will still need to be very specific configurations depending on what systems you deploy especially if you are using IaaS as there are configurations inside the OS level you must account for.  It is not a speedy process to get approved but the more info you can provide at the start the easier it will be to get through the process.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.