Hello everyone, this is Filippo Seracini from the Microsoft Private Cloud Solutions team. I am here to tell you about the work we have done to facilitate your FedRAMP authorization for the Microsoft Cloud Platform System (CPS).
Who should read this post?
This blog post describes Microsoft’s investment in configuring and validating CPS to make sure it can pass a FedRAMP certification. It also describes the documentation that was prepared as a result of the FedRAMP evaluation. This evaluation, and the documentation we prepared for it, will result in significant time and cost savings for any CSP that seeks FedRAMP authorization or certification against a host of other IT security standards.
If you are a Cloud Service Provider (CSP) or an enterprise that provides hosting services to Federal Government agencies, you know that FedRAMP certification is important to your business. Also, if you are a CSP or an enterprise interested in getting certified for one of the main IT security standards like ISO 27001, PCI, HIPAA or DISA SRG Level II, this document is for you, too. In fact, many security controls within the FedRAMP Moderate baseline directly satisfy requirements in other common IT security standards. In the provided documentation, we mapped each FedRAMP control to the equivalent ones of the security standards listed above.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP was created by a joint collaboration of cybersecurity and cloud experts from the U.S. Department of Homeland Security, Department of Defense, National Security Agency and other government agencies, as well as experts from private industry. FedRAMP comprises an extensive set of security best practices and standards; for this reason, it is considered one of the most comprehensive security programs for cloud solutions. Please refer to www.FedRAMP.gov for further information on the FedRAMP certification.
Microsoft worked to ensure that implementation of CPS within a customer environment could easily allow customers the ability to meet their specific IT security and compliance requirements. Because so many CPS customers must meet the requirements of multiple IT security standards that differ in stringency and granularity, Microsoft focused design and evaluation of CPS on the FedRAMP Moderate security controls baseline, which is widely considered the most common cloud computing security standard in the Federal government space.
Although the CPS assessment was focused on the FedRAMP standard, many security controls within the FedRAMP Moderate baseline directly satisfy requirements in other common IT security standards, including PCI, ISO 27001, HIPAA, and DISA SRG cloud requirements.
How does CPS facilitate FedRAMP and other security certifications?
Microsoft hired Coalfire System Inc., an ISO/IEC 17020:2012 certified FedRAMP third-party independent assessor (3PAO), to evaluate CPS’ capability to meet the latest version of the FedRAMP Moderate baseline. The independent assessor analyzed the entire CPS architecture and identified all the technology-related security controls that apply to CPS. The independent assessor found that, out of the 326 security controls within the FedRAMP Moderate security control baseline, 105 were applicable to CPS. The assessor also verified that CPS supports all 105 controls. These controls comprise a broad set of security settings, from Active Directory account management mechanisms to network and environment segregation, logical VLAN architecture, implementation of VM clustering concepts, storage encryption, router and switch configurations, and disaster recovery and system backup.
We worked hard to create and validate an OS security baseline and enable additional security features (e.g., data-at-rest encryption) to meet all the applicable security controls. The independent assessor attested that all the applicable controls are either completely or partially addressed by CPS. So, in other words, CPS passed the independent capability assessment with flying colors!
The security controls that the independent assessor found to be not applicable to CPS are either a customer or a tenant responsibility. The security controls in this group are mostly related to physical access security, policy and documentation management, organizational processes, or technology that lies outside of the CPS boundary, e.g., the configuration of the data center external firewall.
Many security controls within the FedRAMP Moderate baseline directly satisfy requirements in other common IT security standards, including PCI, ISO 27001, HIPAA, and DISA SRG Level II cloud requirements. Hence, in order to further facilitate the compliance efforts for CPS customers, Microsoft compiled a mapping between the addressed FedRAMP controls and those IT security standards. This will provide guidance to customers pursuing other forms of certification, including PCI, ISO 27001, HIPAA, and DISA SRG.
Documents and guidance to make CPS ‘FedRAMP Ready’
As a result of Microsoft’s engagement with Coalfire, a System Security Plan (SSP) template and a Customer Responsibility Matrix (CRM) were also developed. Both these documents are available for CPS customers seeking FedRAMP certification. Please contact your Microsoft representative to find out more.
The SSP is the main document in which the Cloud Service Provider describes all the security controls in use on the information system and their implementation. The CPS SSP Template is constructed from the base FedRAMP SSP template available at http://www.fedramp.gov. CPS comes with the official SSP template precompiled with descriptions of the controls that CPS addresses. This technical information is provided in an expository way that will give CPS users a head start on the FedRAMP documentation process, and will easily integrate into any existing SSP documentation they already have.
The Customer Responsibility Matrix (CRM) is a streamlined overview of the FedRAMP Moderate control baseline in relation to CPS. The CRM provides several tools for customers to leverage. First, it provides an easy way to identify which controls CPS can be leveraged to support. In addition, the results of the 3PAO’s capability assessment are disclosed as well, providing an easy way to determine how CPS can assist in any FedRAMP compliance effort.
The Microsoft Cloud Platform System (CPS) is a converged infrastructure solution providing a reliable, secure and highly scalable Azure-consistent private cloud solution. Independently assessed to provide the capability to meet many FedRAMP Moderate security controls, CPS provides coverage of all FedRAMP Moderate controls that are in scope for CPS. The rigorous capability assessment effort that CPS underwent dramatically increases the confidence that your IT infrastructure can be successfully authorized for FedRAMP and/or any of the other major IT security standards using CPS. Finally, the documentation Microsoft has developed will streamline certain aspects of the FedRAMP authorization process, providing CPS customers an easy way to leverage CPS when deploying services to internal or tenant users that require FedRAMP compliance. This assessment, with all the documents and guidance that come with CPS, will significantly reduce the time, the cost and the resources required for the certification process for FedRAMP, DISA SRG, PCI, HIPAA and ISO 27001.