Dear Dr. RMF,
Government IT Security staff work with systems owners to make sure that all systems in the agency have implemented the proper Risk Management Framework (RMF) controls. Organizations have deployed technologies like eMASS, XACTA, and RSA to manage the workflow and documentation for the RMF for their systems. Yet, there is confusion about how to implement RMF when the systems move to the cloud. Should government organizations contractually mandate audits? Should the IT Security Department request the RMF packages from the cloud vendor for review? Should the vendor be required to update the RMF compliance software tools and be treated like all other systems that are part of the RMF process?
In an RMF Dilemma
Dear Dilemma,
First of all, Dr. RMF wants to reassure you that you are not alone. Numerous organizations are being “encouraged” (or “compelled”) by their management to start moving systems and applications to the cloud. Most are feeling uneasy about the information security implications of the move. High on the list of their concerns is, of course, RMF.
A healthy dose of concern is a good thing, but there is no reason to panic. The truth is a government-owned system hosted by a commercial Cloud Service Provider (CSP) is not that much different than a system hosted in a government data center. Think about it. Commercial CSPs use virtualization technology to provision resources (e.g., servers) for their hosted customers. Modern government data centers are doing the same. Government data centers provide numerous RMF controls for inheritance by hosted systems. Ditto for commercial CSPs. Just like you would for a hosting data center, you’ll need to ask a potential CSP for a list of the controls they are authorized to offer as inherited or shared. Government data centers have an Authorization to Operate (ATO) in accordance with RMF, which provides assurance to hosted customers that they are being configured and operated in a secure fashion. CSPs are subject to a very similar process, variously called FedRAMP in the civil agency sector and DISA Provisional Authorization in the DoD world. Again, you’ll need to ask potential CSPs for a copy of their FedRAMP or DISA ATO.
Government agencies are implementing solutions to facilitate the “interface” between government networks and the cloud. For example, DoD offers a Cloud Access Point (CAP) to control and monitor network traffic between government and cloud. Also, DoD Cyber Security Service Providers (CSSPs), also known as Computer Network Defense Service Providers (CNDSPs), are available to systems hosted in the cloud.
Any tools you are using to support your RMF efforts in your current environment should be applicable to the cloud environment as well. CSPs are making efforts to facilitate the use of tools, e.g., by “publishing” their suite of inheritable/sharable controls in DoD eMASS.
You will undoubtedly face numerous challenges in migrating your systems to the cloud environment, but Dr. RMF is confident the RMF challenge will be a manageable one.