Welcome to the Unofficial Federal Risk and Authorization Management Program

Federal Risk and Authorization Management Program Policy

Purpose

  • Establishes Federal policy for the protection of Federal information in cloud services
  • Describes the program's key components and operational capabilities
  • Defines Executive department and agency responsibilities in developing, implementing, operating, and maintaining the program
  • Defines the requirements for Executive departments and agencies using the program in the acquisition of cloud services

Objectives

  • Standardized security requirements for the authorization and ongoing cybersecurity of cloud services for selected information system impact levels;
  • A conformity assessment program capable of producing consistent independent, third-party assessments of security controls implemented by CSPs;
  • Authorization packages* of cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from the Department of Homeland Security (DHS), Department of Defense (DOD), and General Services Administration (GSA);
  • Standardized contract language to help Executive departments and agencies integrate the Federal Risk and Authorization Management Program requirements and best practices into acquisition; and
  • A repository of authorization packages for cloud services that can be leveraged government-wide.

Applicability

  • Executive departments and agencies procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources;
  • All cloud deployment models** (e.g., Public Clouds, Community Clouds, Private Clouds, Hybrid Clouds) as defined by NIST; and
  • All cloud service models (e.g., Infrastructure as a Service, Platform as a Service, Software as a Service) as defined by NIST.

Scope:

DHS

i. Assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;

ii. Coordinating cybersecurity operations and incident response and providing appropriate assistance;

iii. Developing continuous monitoring standards for ongoing cybersecurity of Federal information systems to include real-time monitoring and continuously verified operating configurations*; and

iv. Developing guidance on agency implementation of the Trusted Internet Connection (TIC) program with cloud services.

* DHS will work with the JAB and PMO to create a framework for how Executive departments and agencies can effectively and efficiently implement continuous monitoring and ongoing cybersecurity activities.

JAB

i. Consist of Chief Information Officers from DOD, DHS, and GSA, supported by designated technical representatives from their respective member organizations;

ii. Define and regularly update the security authorization requirements* in accordance with the Federal Information Security Management Act of 2002 (FISMA) and DHS guidance;

iii. Approve accreditation criteria for third-party assessment organizations (3PAOs) to provide independent assessments of CSPs’ implementation of the Federal Risk and Authorization Management Program security authorization requirements**;

iv. Establish and publish priority queue requirements for authorization package reviews;

v. Review authorization packages for cloud services based on the priority queue;

vi. Grant provisional authorizations for cloud services that can be used as an initial approval that Executive departments and agencies leverage in granting security authorizations and an accompanying authority to operate (ATO) for use;

vii. Ensure that provisional authorizations are reviewed and updated regularly and notify Executive departments and agencies of any changes to provisional authorizations including removal of such authorizations; and

viii. Establish methods for input to the security authorization requirements from all Executive departments and agencies.

* Security authorization requirements will include a standardized baseline of security controls, privacy controls, and controls selected for continuous monitoring from NIST Special Publication 800-53 (as amended) and in accordance with accompanying NIST publications.

** Inspection bodies are organizations accredited to provide independent, third-party assessments of security and privacy controls based on ISO/IEC standards and technical competency criteria. Accreditation bodies are organizations that apply the ISO/IEC standards and technical competency criteria to inspection bodies to determine if those bodies have the requisite skills, expertise, and quality systems to conduct such assessments.

PMO

i. Create a process for Executive departments and agencies and CSPs to adhere to the security authorization requirements created by the JAB, including, but not limited to:

  1. A methodology for harmonizing agency-specific security and privacy controls with the security authorization requirements;
  2. A mechanism for Executive departments and agencies and CSPs to request security authorization initiation through the PMO and JAB;
  3. Guidance for Executive departments and agencies to satisfy security authorization requirements when a proposed cloud service is not prioritized for review by the PMO and JAB;
  4. A framework for Executive departments and agencies to leverage security authorization packages processed by the program; and
  5. In coordination with DHS, a framework for continuous monitoring, incident response and remediation, and FISMA reporting.

ii. Prioritize requests for authorization and authorization package review by the JAB in accordance with the JAB-approved priority queue requirements and publish and update on a continuous basis the priority queue;

iii. Establish a centralized, secure repository detailing requests for authorization, agency-provided authorization packages, CSP-provided authorization packages, and JAB provisional authorization packages of cloud services that Executive departments and agencies can leverage to grant security authorizations;

iv. Coordinate and collaborate with NIST to develop and implement a formal conformity assessment program to accredit 3PAOs to provide independent assessments of how CSPs implement the requirements;

v. Develop and make available to Executive departments and agencies templates that can satisfy security authorization requirements through standard contract language and service level agreements (SLAs) for use in the acquisition of cloud services; and

vi. Develop and make available to Executive departments and agencies template Memoranda of Understanding (MOU) and/or Memoranda of Agreement (MOA) that will govern the exchange of information between Executive departments, agencies and the PMO.

Federal Agencies

i. Use the program when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services;

ii. Use the PMO process and the JAB-approved security authorization requirements as a baseline when initiating, reviewing, granting and revoking security authorizations for cloud services*;

iii. Ensure applicable contracts appropriately require CSPs to comply with security authorization requirements;

iv. Establish and implement an incident response and mitigation capability for security and privacy incidents for cloud services in accordance with DHS guidance;

v. Ensure that acquisition requirements address maintaining security authorization requirements and that relevant contract provisions related to contractor reviews and inspections are included for CSPs;

vi. Consistent with DHS guidance, require that CSPs route their traffic such that the service meets the requirements of the Trusted Internet Connection (TIC) program; and

vii. Provide to the Federal Chief Information Officer (CIO) annually on April 30 a written certification from the Executive department or agency CIO and Chief Financial Officer listing all cloud services that the agency determines cannot meet the security authorization requirements, with appropriate rationale and proposed resolutions.

* For all currently implemented cloud services or those services currently in the acquisition process prior to being declared operational, security authorizations must meet the security authorization requirement within 2 years of being declared operational.

Federal CIO Council

i. Publish and disseminate information from the PMO and JAB to Executive departments and agencies.

Operational Capability:

The CIO Council will publish the standardized baseline of security controls, privacy controls, and controls selected for continuous monitoring from NIST Special Publication 800-53 (as amended) included within the security authorization requirements.
The PMO shall publish a Concept of Operations (CONOPS) for providing the initial process for Executive departments and agencies and CSPs to adhere to the security authorization requirements created by the JAB. The CONOPS shall be updated, as required, by the PMO and made available to Executive departments and agencies and CSPs.
The JAB shall publish a charter which defines its governance model.
The PMO will provide an initial operating capability for the Federal Risk and Authorization Management Program.

* Authorization packages contain the body of evidence needed by authorizing officials to make risk-based decisions regarding the information systems providing cloud services. This includes, as a minimum, the Security Plan, Security Assessment Report, Plan of Action and Milestones and a Continuous Monitoring Plan.

** Executive departments or agencies that: (i) select a private cloud deployment model (i.e., the cloud environment is operated solely for the use of their organization); (ii) implement the private cloud on premise (i.e., within a Federal facility); and (iii) are not providing cloud services from the cloud-based information system to any external entities (including bureaus, components, or subordinate organizations within their agencies), are exempted from the requirements. In such situations, Executive departments or agencies shall continue to comply with the current requirements and the appropriate NIST security standards and guidelines for their private cloud-based information systems.