GSA’s FedRAMP PMO has been continually evolving the compliance framework for driving the wider adoption of commercial cloud services. Last year, they released for public comment the TIC Overlay initiative as well as the FedRAMP High baseline. Both of these are critical to enhanced cloud adoption and helping Federal customers solve some of the critical connectivity and security related concerns.
TIC Overlay – Secure CloudBahn is here?
The FedRAMP PMO and DHS TIC Program provided a DRAFT overlay for comment and feedback to help update TIC’s current reference architecture and allow greater flexibility as agencies move to the cloud securely. The goal of the TIC overlay is to enable mobile users to connect directly to Federal cloud systems without having to go through a TIC Access Provider (TICAP) or Managed Trusted IP Service (MTIPS). The TIC Overlay program is a key “on-ramp” that creates a “TIC-ready” cloud platform and provides clarity on the compliance framework. Last week there was significant progress, as AWS announced the results of its FedRAMP-Trusted Internet Connection (TIC) Overlay pilot program with the FedRAMP Program Management Office (PMO), the Department of Homeland Security (DHS) PMO, GSA 18F, and the FedRAMP third-party assessment organization (3PAO) Veris Group. The figure below shows the target state for cloud connectivity with the new TIC overlay.
The objective of the pilot was to:
- Identify whether and how agencies can use TIC overlay controls, via mapping to the FedRAMP Moderate control baseline, to provide remote agency users access to AWS while enforcing TIC compliance.
- Determine whether the required capabilities exist within AWS to implement and enforce TIC compliance.
- Determine the allocation of responsibility for implementing and enforcing TIC compliance.
An initial analysis of the TIC overlay controls by AWS revealed that over 80 percent of the TIC capability requirements map directly to one or more existing FedRAMP Moderate controls already satisfied under the current AWS FedRAMP Authority to Operate (ATO). With the control mapping in hand and in collaboration with its 3PAO, AWS developed a TIC security requirements traceability matrix (SRTM) that assigned responsibility for each control. The results of this exercise, shown in Table 2 above, demonstrated that only 16 TIC capabilities would rest solely with the customer. Please refer to the TIC readiness guide published by AWS’ Compliance team.
FedRAMP High Baseline – All bases covered?
The FedRAMP PMO launched the draft baseline for the High/High/High categorization level for confidentiality, integrity, and availability in accordance with FIPS 199. This baseline is mapped to the security controls in the NIST SP 800-53, Rev. 4 catalog. Numerous agencies, cloud service providers, and other key stakeholders have been providing feedback to refine the DRAFT baseline, which is expected to be released by March 2016. Once the FedRAMP High baseline is established, Federal agencies will have a rapidly maturing compliance framework that has made steady progress toward meeting their security and compliance requirements. The FedRAMP High baseline will allow agencies to make informed decisions about the security posture they want in cost-efficient commercial cloud platforms. Cloud providers such as AWS have already published FedRAMP High Workbooks. Please contact us if you are interested in learning more about the TIC overlay or the FedRAMP High program.