Earlier this month, Microsoft hosted its third Trusted Cloud Security Summit in Washington DC. The event brought together a wide range of security stakeholders from the different Microsoft cloud offerings and over 100 federal department and agency participants, particularly those looking to adopt the FedRAMP High baseline, such as the Department of Homeland Security, the Federal Bureau of Investigation, the Department of Justice, the State Department, the Treasury and the Food and Drug Administration, amongst others. The interest in the event reflected the broader US government prioritization of cybersecurity, underlined by President Obama's announcement in February of the new Cybersecurity National Action Plan.
Ensuring the security of government agencies that use cloud technologies has been a central concern of the government since the introduction of the Cloud First policy in 2011. The Federal Risk and Authorization Management Program, better known as FedRAMP, was developed shortly thereafter and has for several years provided a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud services. The original process supported migration of Low and Moderate impact workloads to the cloud and has helped many government agencies make that critical move. However, those baselines did not cover some of the more critical services.
The FedRAMP High baseline provides a higher impact categorization for the confidentiality, integrity and availability of cloud services, i.e. for those considered critical to government operations. While the High baseline addresses only 20% of government information and systems, those systems account for over 50% of federal IT spend, reflecting a significant cost savings potential when migrating these workloads to the cloud. The pilot we participated in represented the last step in a year-long effort to develop the High baseline. The draft baseline has already been through two rounds of public comment and review by a Tiger Team drawn from multiple federal agencies.
Since FedRAMP was established, Microsoft has worked closely with the FedRAMP program management office to ensure our Federal cloud solutions meet or exceed public sector security, privacy and compliance standards. Our March Summit showed that this has not changed: it confirmed Microsoft as one of only three cloud service providers included in the FedRAMP High Baseline pilot, and that Microsoft is on track to achieve that authorization level. Building on the FedRAMP authorization, Azure Government is also on track to achieve DISA Level 4 authorization shortly, covering controlled unclassified information, i.e. unclassified data that requires protection against unauthorized disclosure, and other mission-critical data.
The event itself examined the development process of the FedRAMP High Baseline, as well as its impact on federal cloud adoption. Matt Goodrich, Director for FedRAMP in GSA's Office of Citizen Services and Innovative Technologies (OCSIT), talked about how the revision of the process will benefit both providers and the government, for example by shortening the time to authorization and by providing more transparency, predictability and risk focus upfront through an emphasis on core capabilities rather than an exclusively controls-centric approach.
The Summit also served to examine some of Microsoft's security capabilities that address other federal government cloud security priorities, including DOD's FedRAMP+ and DHS's Trusted Internet Connections programs. While both initiatives build on the original FedRAMP process, they add their own requirements for providers to demonstrate additional levels of assurance and operational visibility, capabilities that Microsoft's cloud offerings can meet today.
For more on the security announcement made by Azure on the day, take a look at the blog post by Matt Rathbun (Cloud Security Director, Azure).