
Cloud Computing Guidance

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework that saves the cost, time, and staff required to conduct redundant agency security assessments.

I have found cloud-based software that I would like to use with my team. Can I use it?

The cloud must be FISMA-compliant to store government data and the appropriate contracts and usage agreements must be in place.

What is currently FedRAMP approved for cloud-based computing?

The current list of authorized cloud systems is available here: http://cloud.cio.gov/fedramp/cloud-systems

The current list of cloud systems in the process of obtaining FedRAMP authorization is available here: http://cloud.cio.gov/fedramp/in-process

Once I select a system or application that is FedRAMP approved, is that all I have to do, or is there anything else I need to do?

No. You must contact your local Information Security office once you identify an application that is FedRAMP approved. The local Information Security office will review the controls from the FedRAMP approval to determine whether anything else is needed from the vendor.

What is Cloud Computing?

Cloud computing has been defined by NIST as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.

What are the different Service Models associated with Cloud Computing?

Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

What are the different Deployment Models of Cloud Computing? 

Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Is FedRAMP mandatory?

Yes. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low and moderate risk impact levels.

How will FedRAMP help make cloud computing more secure for the Federal government?

The FedRAMP requirements include additional controls above the standard NIST baseline controls in NIST SP 800-53 rev4 for low and moderate systems. These additional controls address the unique elements of cloud computing in order to ensure all Federal data is secure in cloud environments.

Why is FedRAMP needed?

FedRAMP provides for a unified and government-wide risk management framework for security assessments and authorization. FedRAMP increases confidence in the security of cloud systems in three major areas:

  • Providing joint security assessments and authorizations based on a standardized baseline set of security controls
  • Using approved Third Party Assessment Organizations to consistently evaluate a Cloud Service Provider's ability to meet the security controls
  • Coordinating continuous monitoring services

How do I maintain accountability over the privacy and security of the data and applications implemented and deployed in a cloud computing environment? 

Appropriate security management practices and controls over cloud computing are required. Strong management practices are essential for operating and maintaining a secure cloud computing solution. Security and privacy practices entail monitoring information system assets and assessing the implementation of policies, standards, procedures, controls, and guidelines that are used to establish and preserve the confidentiality, integrity, and availability of information system resources.

How can I ensure that my client-side computing environment meets security and privacy requirements for cloud computing? 

Cloud computing encompasses both a server and a client side. Services from different cloud providers can impose more exacting demands on the client, which may have implications for security and privacy that need to be taken into consideration. Web browsers are a key element for client-side access to cloud computing services. Clients may also entail small lightweight applications that run on desktop and mobile devices to access services. The various available plug-ins and extensions for Web browsers are notorious for their security problems. Many browser add-ons also do not provide automatic updates, increasing the persistence of any existing vulnerabilities. It is necessary to review existing security and privacy measures and employ additional ones, if necessary, to secure the client side, such as hardening browser environments to encrypt network exchanges and protect against keystroke logging. Security awareness training also is an important measure to apply, since the proper behavior of individuals is an essential safeguard against many types of attacks.

How are incidents handled in a Cloud Computing environment?

Incident response involves an organized method for dealing with the consequences of an event or attack against the security of a system. An analysis to confirm the occurrence of an incident or determine the method of exploit needs to be performed quickly and with sufficient detail. Once the scope of the incident is determined, measures can be taken to contain and resolve the incident, bringing systems back to a secure operational state. Response to an incident should be handled in a way that limits damage and minimizes recovery time and costs. Collaboration in recognizing and responding to an incident is vital to security and privacy in cloud computing. Close coordination between the cloud service provider and the customer is necessary because an incident could originate in either party’s infrastructure and it may not be immediately apparent where the problem began and how serious or widespread it is.

How is Continuous Monitoring performed on a cloud-based system?

Continuous monitoring is the use of technology to identify and assess risk issues within the operational environment. NIST defines the objective of continuous monitoring as to "determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time in light of the inevitable changes that occur." Continuous monitoring enables greater transparency into the system and allows for timely risk-management decisions. Any changes that a cloud-based system goes through must be reported to and assessed by the ISSO, who will make recommendations to ensure security is maintained.

How do I assess the risks involved with storing data in a cloud environment?

In order to ensure your cloud systems are as secure as possible, you should first properly plan and assess the environment. It is important to first understand:

  • On what type of cloud your service or application will be hosted
  • How the cloud environment will be accessed
  • Existing agency security and privacy requirements
  • How accountability and security of the data and applications implemented and deployed will be maintained.

What is the policy for cloud computing?

HHS POLICY

OpDivs are required to comply with the following policy when acquiring and/or utilizing cloud services.

I. Contract Requirements

All contracts for cloud services, either directly with a CSP or when cloud services are bundled with another vendor’s offerings, must include:

  1. FedRAMP Standard Contract Clauses, FedRAMP Control-Specific Contract Clauses and applicable HHS/OpDiv specific contract clauses to ensure that FedRAMP, HHS and OpDiv security compliance, monitoring, and reporting requirements are addressed.
  2. Any additional required security and privacy language, as prescribed in the HHS Security and Privacy Language for Information and Information Technology Acquisitions.
  3. Service level agreements that define:
    • Performance metrics, how they will be monitored, and penalties for failure to meet them
    • Data management and disposition
    • Roles, responsibilities and reporting requirements

II. Authority to Operate (ATO)

Before HHS or an OpDiv begins to leverage either a CSP's services or an information system hosted within that cloud environment, the CSP or cloud-based information system must undergo a complete security assessment resulting in FedRAMP compliance. The two categories of FedRAMP compliant ATOs are:

  1. Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO)
  2. FedRAMP Agency ATO issued by a Federal agency and approved by the FedRAMP Program Management Office (PMO)

HHS, OpDivs, and program and business offices cannot implement a system solely on the basis of these ATOs. Instead, it is the CSP customer's responsibility to:

  1. Leverage and inherit the security controls covered by the CSP’s FedRAMP ATO
  2. Ensure that the FedRAMP assessment is commensurate with HHS’/OpDiv’s level of risk.
  3. Understand which controls are the responsibility of the CSP, the customer, or shared between the customer and the CSP. Responsibilities for controls are identified in the Control Implementation Summary (CIS) within the CSP’s FedRAMP security package.
  4. Document and assess all controls that are the full or shared responsibility of HHS/OpDiv (e.g., software or data added to the cloud environment by the customer, network configurations, etc.)

III. CSPs Without a FedRAMP Compliant ATO

  1. HHS and/or the OpDiv is responsible for performing the FedRAMP security assessment and authorization (SA&A) of CSPs that do not have a FedRAMP compliant ATO.
    1. All HHS and OpDiv FedRAMP assessments of CSPs must be coordinated through the HHS Cloud Security Working Group (CSWG) and the Cloud Security Team (CST). Contact the CSWG and CST through the HHS FedRAMP mailbox at fedramp@hhs.gov.
      1. The CSWG works jointly with the OpDiv to assess the demand for the CSP’s services within the Department and the CSP’s readiness to start a FedRAMP assessment.
        1. If the CSP reaches a threshold, HHS may decide to sponsor the CSP for a FedRAMP Assessment.
        2. If the CSP does not reach the threshold, the CSWG will meet with the OpDiv to discuss the best path forward for assessing and authorizing the CSP.
        3. In certain cases in which the mission-importance presented by the CSP outweighs the threshold, HHS may choose to pursue sponsorship for a FedRAMP assessment.
    2. All HHS FedRAMP authorizations must follow the HHS FedRAMP Standard Operating Procedure (SOP).
    3. Assessments must use the FedRAMP templates and FedRAMP baseline.
    4. CSP systems categorized as Federal Information Processing Standards (FIPS) 199 high must leverage a FedRAMP accredited third-party assessment organization (3PAO); moderate impact CSP systems must make a best effort to use a FedRAMP accredited 3PAO. CSP systems categorized as FIPS 199 low impact may leverage a non-accredited, independent assessor.
    5. The HHS CSWG and CST review continuous monitoring reporting from CSPs with an HHS FedRAMP Agency ATO on a monthly basis and report on the CSPs’ continuous monitoring status during the monthly CSWG meeting.
      1. OpDivs must provide at least two representatives to participate in the CSWG as required by the CSWG Charter.
      2. OpDivs that leverage CSPs authorized by HHS must attend and participate in the monthly Continuous Monitoring meetings for the CSPs they use.
      3. OpDivs should also use the information provided during monthly CSWG meetings to help form their risk-based decisions to use the CSP’s services.
  2. A CSP having an “In Process” status is not a substitute for a FedRAMP compliant ATO.
    1. OpDivs wishing to use a CSP that is in process with the FedRAMP PMO or another agency should wait for the completion of the FedRAMP assessment before acquiring the CSP’s services.
    2. The CSWG will liaise with the FedRAMP PMO to determine the assessment timeline of CSPs that are in process.
    3. Deviations from these requirements must be discussed with the CSWG. Contact the CSWG through the HHS FedRAMP mailbox at fedramp@hhs.gov.

HHS ROLES AND RESPONSIBILITIES

  1. Authorizing Official

The HHS Chief Information Officer (CIO), or the CIO’s designee, is the Authorizing Official (AO) responsible for granting an ATO for all HHS-sponsored CSPs.

  2. Cloud Security Working Group (CSWG)

The HHS Cloud Security Working Group (CSWG) consists of representatives from HHS and HHS OpDivs/StaffDivs. The HHS Chief Information Security Officer (CISO) appoints the CSWG Chair. The CSWG is responsible for:

  • Making sponsorship recommendations and, in consultation with the HHS Cloud Security Team, formally accepting CSPs into the HHS FedRAMP authorization process.
  • Providing subject matter expertise to the AO in recommending authorizations and escalating issues as appropriate.
  • Providing feedback on HHS Cloud Computing policy and process improvements.
  3. Operational Divisions (OpDivs) / Staff Divisions (StaffDivs)

OpDivs/StaffDivs have the following roles and responsibilities:

  • Ensure that all cloud computing systems in use within the OpDivs currently have a FedRAMP compliant ATO.
  • Notify the HHS CST and CSWG if the OpDiv would like to acquire the services of a CSP that does not have a FedRAMP compliant ATO.
  • Send a request to the HHS CST and CSWG to initiate an HHS FedRAMP assessment and ensure that the CSP applies for an HHS FedRAMP Agency ATO.
  • Use the FedRAMP cloud specific contract language and control specific language when acquiring cloud services. Acquisition of cloud services should also include service level agreements.
  • Ensure that OpDiv or StaffDiv applications deployed on top of FedRAMP compliant cloud infrastructures are assessed and issued an ATO prior to being put into production.
  • Designate two technical representatives, a primary representative and a back-up, to participate in the CSWG.
  • Perform continuous monitoring for any CSP system directly authorized by the OpDiv.
  • OpDivs shall use the most recent version of the HHS Information Security and Privacy Policy (IS2P), as amended, as a baseline for OpDiv policy and requirements for their FedRAMP SA&A packages.
  • OpDivs are responsible for providing the HHS CIO with an annual certification, providing an inventory of all cloud services used by the OpDiv and listing any cloud services that the OpDiv determines cannot meet HHS FedRAMP requirements with appropriate rationale and proposed resolutions.
  4. Office of Information Security

The HHS Office of Information Security (OIS) is responsible for the implementation of FedRAMP requirements, management, operations and oversight of the HHS FedRAMP Cloud Sponsorship Program, and establishment of HHS FedRAMP processes and procedures.

INFORMATION RESOURCES

For additional information and guidance regarding the use of cloud services, OpDivs should reference the following HHS, FedRAMP, and NIST guidance:

  • HHS FedRAMP Standard Operating Procedure and associated HHS FedRAMP OpDiv FedRAMP process decision guidance documents.
  • Department of Health and Human Services Cloud Security Working Group (CSWG) Charter
  • HHS Cloud Computing Strategy
  • NIST SP 800-144, Guidelines on Security and Privacy in Cloud Computing
    1. Guidance to address security and privacy objectives/requirements and challenges to help make informed decisions when engaging in cloud computing environments.
  • NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
    1. Guidance on performing continuous monitoring.
  • FedRAMP Guidance, Package Document Templates, and other related documents can be found at http://www.fedramp.gov. Key FedRAMP guidance documents include but are not limited to:
    1. Guide to Understanding FedRAMP
    2. FedRAMP Security Assessment Framework
    3. FedRAMP Security Controls
    4. FedRAMP Continuous Monitoring Strategy Guide
    5. FedRAMP Standard Contract Clauses
    6. FedRAMP Control-Specific Contract Clauses