
Cloud Architecture and FedRAMP Authorization Boundaries

Cloud computing and modern service models for distributing software or infrastructure present a problem to providers and customers alike: how to properly assess and certify components in a way that accounts for the relationships between different modules, platforms, and apps. FedRAMP requirements define how assessors and the authorization process approach the different cloud service models, to mitigate the issues that arise from this complexity and ensure the security of any cloud offering used by federal agencies.

NIST and Defining Cloud Computing Resources

Cloud computing is the partitioning and provisioning of computing resources to users by third-party providers; in fact, much of FedRAMP is predicated on the strong demand for such services in the federal space. While this provides great flexibility for companies that don’t maintain on-site specialists or IT teams, it also lends itself to unexpected interactions between secure and potentially insecure systems.

The National Institute of Standards and Technology (NIST) Special Publication 800-145, “The NIST Definition of Cloud Computing,” specifies critical terminology around cloud computing used by federal agencies within different frameworks (FISMA, FedRAMP, etc.). 

Foundationally, NIST defines “cloud computing” as follows:

Service Types

Following these definitional criteria, SP 800-145 articulates the three standard service models that we are familiar with:

Deployment Models

Cloud stacks are not always uniform or managed by a single organization. Modern cloud infrastructure often comes in several deployment models, each providing additional benefits and challenges.

These deployment models include:

Authorization and the System Stack

Many larger providers will have several offerings that include all three of these categories, often with higher-level applications (SaaS) running on lower-level platforms (PaaS) and infrastructure (IaaS). Because of this, every layer of that stack (SaaS–PaaS–IaaS) must be FedRAMP Authorized individually.

This fact aligns with FedRAMP’s overall approach to cloud technology. Per requirements, every cloud offering from a provider must be authorized on a per-system basis before it is listed on the FedRAMP Marketplace. Authorization is not granted on a per-provider basis: if a provider offers several solutions (especially ones that span SaaS, PaaS, or IaaS capabilities), each must undergo the authorization process individually.

Additionally, complications may arise when some of a provider’s cloud architecture stack is itself hosted by another provider. For example, a CSP may offer cloud platforms for app development that are themselves built within a third-party IaaS system. In this example, even though the third-party component isn’t hosted or maintained by the CSP, it still falls within their stack and must be considered part of the authorization process. If that IaaS provider isn’t FedRAMP Authorized, then the entire stack built upon it won’t be either.

So, authorization and inventories become critical in hybrid and cloud environments, especially the latter. Adding cloud vendors means you have to track compliance across systems, or else isolate those systems from one another so that no data or apps move between compliant and non-compliant cloud instances.

Per the recommendations of the FedRAMP PMO, a complete understanding of a cloud stack should be part of the inventory provided as part of the FedRAMP assessment. This inventory creates a FedRAMP system boundary for all components to be assessed. 
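The stack rule above (every layer authorized individually, and a layer hosted on a non-authorized provider inheriting that status) and the inventory-as-boundary idea lend themselves to a mechanical check. The following is an added example, not code from the original article or from the FedRAMP PMO: it models a component inventory with hosting dependencies, derives each component's effective status, and flags data flows that cross the boundary. Component names and flows are constructed sample data.

```python
# Added example: derive effective FedRAMP status over a component inventory.
# A component is effectively authorized only if it holds its own authorization
# AND every component it is transitively hosted on does too (the third-party
# IaaS case in the text). Sample inventory below is constructed, not real.
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    layer: str                 # "SaaS", "PaaS" or "IaaS"
    authorized: bool           # holds its own FedRAMP authorization
    hosted_on: list = field(default_factory=list)  # names it runs on top of

def effective_status(inventory: dict) -> dict:
    """Return {name: bool}; False if the component or anything beneath it is
    not authorized. A hosted_on cycle is treated as an inventory error."""
    result = {}

    def check(name, seen):
        if name in result:
            return result[name]
        if name in seen:
            raise ValueError(f"dependency cycle at {name}")
        comp = inventory[name]
        ok = comp.authorized and all(check(dep, seen | {name}) for dep in comp.hosted_on)
        result[name] = ok
        return ok

    for name in inventory:
        check(name, frozenset())
    return result

def boundary_violations(inventory: dict, data_flows: list) -> list:
    """Flows (src, dst) where one side is effectively authorized and the other
    is not, i.e. data crossing the authorization boundary in either direction."""
    status = effective_status(inventory)
    return [(src, dst) for src, dst in data_flows if status[src] != status[dst]]

# Constructed inventory: a SaaS app on the provider's own PaaS, which in turn
# runs on a third-party IaaS that is not FedRAMP Authorized.
INVENTORY = {c.name: c for c in [
    Component("analytics-app", "SaaS", True, ["dev-platform"]),
    Component("dev-platform", "PaaS", True, ["thirdparty-iaas"]),
    Component("thirdparty-iaas", "IaaS", False),
    Component("gov-iaas", "IaaS", True),
    Component("records-app", "SaaS", True, ["gov-iaas"]),
]}
FLOWS = [("records-app", "analytics-app"), ("analytics-app", "dev-platform")]

if __name__ == "__main__":
    print(effective_status(INVENTORY), boundary_violations(INVENTORY, FLOWS))
```

Running it shows analytics-app and dev-platform as not authorized despite their own authorizations, and the records-app to analytics-app flow as a boundary crossing to isolate or remove.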

Is Your Cloud Infrastructure Ready for FedRAMP Authorization?

Platforms, software, user interfaces, third-party vendors: each component of a cloud system can potentially impact FedRAMP compliance. It takes serious attention to detail regarding inventories, component interactions, and proper security protocols to ensure that every device and module within your FedRAMP boundary is adequately protected.

