How to Become FedRAMP-Compliant on Azure
In this blogpost, we will discuss what FedRAMP is, why it was formed, and why you would want to prove compliance. We'll also go over Azure blueprints and policy and how to implement FedRAMP on Azure.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework that saves money, time, and staff required to conduct redundant Agency security assessments.
FedRAMP is mandatory for Federal Agency cloud deployments and service models at any and all risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception. Additionally, agencies must submit a quarterly report in PortfolioStat listing all existing cloud services that do not meet FedRAMP requirements, with the appropriate rationale and proposed resolutions for achieving compliance.
FedRAMP requirements include additional controls above the standard NIST baseline controls, found in NIST SP 800-53 Revision 4. These additional controls address the unique elements of cloud computing to ensure all federal data is secure in cloud environments.
A Review of Azure Policy and Azure Blueprints
Azure Policy is a control service in Azure that is used to create, assign, and manage policies. These policies enforce different rules and effects over your resources, keeping them compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies.
For example, you can have a policy that allows only a certain VM SKU in your environment. Once the policy is implemented, new and existing resources are evaluated for compliance.
With the right type of policy, existing resources can be brought into compliance.
You can learn more about Azure Policy in my post on Cloud Governance.
Azure Blueprints assists with environment setup. Such environments often include:
- Azure resource groups
- Role assignments
- Different policies
- Resource Manager deployment templates
Blueprints are packages that pull these types of resources and artifacts together. The package contains resources defined to meet your standards, compliance requirements, and company policies.
I also wrote about Azure Blueprints in a previous post, Enforcing Speed and Control Using Azure Management Groups and Azure Blueprints.
Understanding Baselines and Impact Levels in FedRAMP
Federal Information Processing Standard (FIPS) 199 provides the standards for categorizing information and information systems. Cloud Service Providers (CSPs) use this process to ensure their services meet the minimum security requirements for the data processed, stored, and transmitted. The security categories are based on the potential impact certain events would have on an organization's ability to:
- Accomplish its assigned mission
- Protect its assets
- Fulfill its legal responsibilities
- Maintain its day-to-day functions
- Protect individuals
It's important that CSPs understand the impact level of their offerings, as well as correlated security categorization when developing their authorization strategy.
Cloud Service Offerings (CSOs) are categorized into one of three impact levels; low, moderate, and high.
CSOs are also categorized across three security objectives:
Confidentiality - information access and disclosure includes means for protecting personal privacy and proprietary information.
Integrity - stored information is sufficiently guarded against modification or destruction.
Availability - ensuring timely and reliable access to information.
FedRAMP currently authorizes CSOs at the low, moderate, and high impact levels.
- Low Impact Level - Low impact is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency's operations, assets, or individuals.
- Moderate Impact Level - Moderate impact systems account for nearly 80% of CSP applications that receive FedRAMP authorization and is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency's operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or physical.
- High Impact Level - High impact data is usually in Law Enforcement and Emergency Services systems, financial systems, health systems, and any other system where loss of CIA could be expected to have a sever or catastrophic adverse effect on organizational operations, organizational assets, or individuals. FedRAMP introduced their High Baseline to account for the government's most sensitive, unclassified data in cloud computing environments.
We're going to discuss how to implement High Impact Level security controls in Azure.
NIST 800-53 Security Controls Catalog Revision 4 & FedRAMP High Baseline
The security controls are classified into families:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Control Mapping of the FedRAMP High Azure Blueprint Sample
Many of the mapped controls are implemented with an Azure Policy Initiative. To review the complete initiative:
- Open Policy in the Azure portal
- Select the Definitions page
- Find and select the [Preview]: Audit FedRAMP High controls and deploy specific VM Extensions to support audit requirements built-in policy initiative
Deploy FedRAMP High Blueprint
In the Blueprints pane, search for FedRAMP High blueprint and follow the steps below.
(Note on Review Artifacts-Many of the artifacts have parameters that we'll define later.)
Select Save Draft when you've finished reviewing the blueprint sample.
Publish the Sample Copy - Your copy of the blueprint sample has now been created in your environment. It's created in Draft mode and must be Published before it can be assigned and deployed. The copy of the blueprint sample can be customized to your environment and needs, but that modification may move it away from alignment with FedRAMP High controls.
Click on Publish (not shown in the image above) to publish the draft blueprint.
Assign the Sample Blueprint - Once the copy of the blueprint sample has been successfully Published, it can be assigned to a subscription within the management group it was saved to. This step is where parameters are provided to make each deployment of the copy of the blueprint sample unique.
The creation of consistent environments at scale is only truly valuable if there's a mechanism to maintain that consistency.
Locking Mode applies to the blueprint assignment and has three options:
- Don't Lock
- Read Only
- Do Not Delete
The locking mode is configured during artifact deployment within a blueprint assignment. A different locking mode can be set by updating the blueprint assignment. Locking modes, however, can't be changed outside of Blueprints.
Resources created by artifacts in a blueprint assignment have four states:
- Not Locked
- Read Only
- Cannot Edit/Delete
- Cannot Delete
Each artifact type can be in the Not Locked state.
The parameters defined in this section apply to the artifact under which it's defined. These parameters are dynamic since they're defined during the assignment of the blueprint.
Here you can find a table of parameters and values you can specify in the Blueprints deployment.
Once all parameters have been entered, select Assign at the bottom of the page. The blueprint assignment is created and artifact deployment begins. Deployment takes roughly an hour.
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, continuous monitoring, and authorization of cloud services and products. FedRAMP compliance is becoming increasingly non-optional for many businesses, as government buyers are looking more to cloud services and cloud-based products and tools. Competition is also fiercer among cloud providers, consultants, and third-party cloud support utilities.
In cloud service providers (CSPs), FedRAMP certification demonstrates a proven commitment to compliance standards and cloud security. For government acquisition personnel, FedRAMP compliance fits in closely with other federal regulations governing cloud computing and cybersecurity.
FedRAMP requirements tie in closely with other federal regulations and a number of industry standards, including:
- Homeland Security Acquisition Regulations (HSAR)
- Defense Federal Acquisition Regulations (DFAR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HIGHTECH)
- Payment Card Industry Data Security Standard (PCI DSS)
- Model for Information Security Management Systems (ISO 27001)
- Control Objectives for Information and Related Technologies (COBIT)
- Gramm-Leach-Bliley Act of 1999 (GLBA)
FedRAMP certification provides a solid foundation for risk assessment, documentation review, and consistent use of security best practices. This produces a better security posture for your company's cloud services and products. The process of preparing for or obtaining certification can lead to optimization of services and built-in security improvements, resulting in some of the most reliable systems.
Sharpen your Azure Skills. Sign in today to learn more.