NIH | National Cancer Institute | NCI Wiki  


As of June 2014, all federal organizations are restricted to using Cloud Service Providers (CSPs) that have been FedRAMP authorized, or that are in the process of obtaining their FedRAMP authorization to operate. Visit the GSA's FedRAMP Marketplace for more information and to see the current list of ready, in-process, and authorized CSPs.

According to NIST's Special Publication 800-145, The NIST Definition of Cloud Computing, cloud-based systems are typically leased infrastructure and use one or more of the following service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). System owners who use a CSP should understand the compliance requirements for such environments because they differ somewhat from those for traditional infrastructure solutions. Federal agencies that use cloud services fall under the auspices of both the Federal Risk and Authorization Management Program (FedRAMP), which is managed by the GSA, and NIST Special Publication 800-37, the Risk Management Framework (RMF), which outlines how traditional FISMA assessments are conducted. When choosing a cloud service provider, you should first ensure that the provider has a FedRAMP-issued or FedRAMP-recognized Authorization to Operate (ATO). Please visit GSA's list of authorized CSPs to find the current list of FedRAMP-authorized CSPs.

FedRAMP is the FISMA-based authorization process that cloud service providers must follow before government agencies may use their cloud service offering (CSO). Once a CSP has its FedRAMP authorization, Federal agencies may use it but are still subject to internal agency review and endorsement of the FedRAMP authorization. The agency authorization includes a review of the FedRAMP package, but also requires agencies to implement and assess the controls that are not fully managed by the CSP (customer-responsibility and shared controls). Agencies are asked to submit their own authorization leveraging the FedRAMP authorization, acknowledging that they are approving the use of the CSO by their agency and attesting that they will separately implement, assess, and maintain the agency- or customer-managed controls not covered by the CSP. Agency endorsements or ATOs are posted on the FedRAMP Marketplace so that other agencies can determine who else uses the CSO and avoid duplicating effort within their agency.

...

As part of the implementation, you may need to update your application's design requirements to account for new or modified security requirements. You may also need to implement or develop specific tools to satisfy required controls. If the cost of developing or implementing a new security control is impractical, or if it is not cost effective when compared to the potential risk of not implementing the control, you can apply to the NIH chief information security officer (CISO) for a security waiver. You should discuss any waiver request first with your Contracting Officer Representative (COR) and with the NCI ISSO (nciirm@mail.nih.gov) before actually submitting the request, to determine whether there are any compensating control options and whether the waiver is likely to be approved.

...

Your AO will most likely be either your Contracting Officer Representative (COR) or your Federal Program Manager (PM), who are sometimes one and the same. If you have trouble determining who the AO will be for your system, email the NCI ISSO (nciirm@mail.nih.gov) for assistance in making a determination.

...

Continuous monitoring (CM) is the sixth and final step in the RMF, and includes both automated and manual security monitoring and remediation activities. The routine security-control monitoring and remediation that occur after an application has been authorized to operate often include a combination of automated diagnostic services such as vulnerability management, intrusion detection and prevention, system and application event log collection and analysis, and patch management. Along with these, manual assessment and remediation procedures such as annual assessments (AA), security impact reviews, plan of action and milestones (POA&M) management, and ongoing authorization (OA) or re-authorization must be performed.

Annual Assessments

The NIH SA&A policy requires application owners to assess a set of controls that is roughly one third of the total applicable controls each year after the ATO has been issued. Each year NIH issues guidance on which controls must be assessed. This list is available from the NCI ISSO upon request, or may be provided by your COR. This approach helps owners address the most prevalent security threats on an ongoing basis while maximizing efficiency, and it supports the system's re-authorization decision every three years. If a system owner fails to keep up with the annual assessments, the system must be fully re-assessed every three years. These controls need only be assessed to the extent that they are not already covered under the controls inherited from the CSP's FedRAMP authorization.

Security Impact Reviews

When significant changes to your application are proposed while it is operational and has an active ATO, you must ensure that new security risks are identified, evaluated, and addressed before those changes are implemented. This may require re-testing of any new or modified controls and, possibly, re-authorization of your application. However, if you follow a defined change control process, and if you adequately identify and address the potential risks that may result from a proposed significant change, re-authorization may not be required. The idea is to be transparent about such changes, to adequately identify and address potential risks, and to keep a record of such assessments. Some changes are so significant that the system must be re-authorized, such as changing the operating location of a system or a complete re-design of a system. When in doubt about whether a re-authorization is needed, please consult with your ISSO.

POA&M Management

The Plan of Action and Milestones (POA&M) is a key management tool that lists, prioritizes, and tracks an application's identified weaknesses and the progress made in remediating them. Any new security findings generated from ongoing security assessments and security impact reviews should be added to the application-specific POA&M and remediated in a timely manner. You should not track the CSP's own POA&M items, as those are monitored by the FedRAMP Project Management Office (PMO) or by the agency that sponsored the CSP's FedRAMP assessment.

Ongoing Authorization and Re-authorization

NIH is currently developing its ongoing authorization (OA) model, so we are not using a true ongoing authorization approach at this time. However, by demonstrating that you have conducted annual assessments, applied sound configuration and change control, scanned for and closed technical and security vulnerabilities, addressed your POA&M items in a timely manner, and patched your systems and applications in accordance with NIH standards, you will be able to seek re-authorization as required every three years, and you should find the process less time consuming and less expensive than starting from square one.
