
What is FedRAMP+?


Keith Kidd

Director, FedRAMP Assessment, Coalfire


The Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG) Version 1, Release 3 defines FedRAMP Plus (FedRAMP+) as:

“… the concept of leveraging the work done as part of the FedRAMP assessment and adding specific security controls and requirements necessary to meet and assure DoD’s critical mission requirements. A CSP’s CSO can be assessed in accordance with the criteria outlined in this SRG, with the results used as the basis for awarding a DoD provisional authorization.”

CC SRG Overview

The DoD CC SRG was developed by the Defense Information Systems Agency (DISA) for DoD agencies and DoD Mission Owners. DISA’s requirements build on the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) requirements for authorizing cloud services for use by federal government civilian agencies. FedRAMP+ outlines specific requirements for the implementation of cloud service offerings (CSOs) used by the DoD. The “plus” in FedRAMP+ signifies the additional security requirements that DISA has built on top of what FedRAMP as a program establishes for a risk-based approach in standardizing the adoption and use of cloud services by the federal government.

Any Cloud Service Provider (CSP) interested in providing solutions to the DoD must pass an assessment based on the CC SRG requirements to achieve a DoD Provisional Authorization (PA). The DoD PA is the acknowledgement of risk based on an evaluation of the CSP’s CSO and the potential risk it introduces to DoD networks, and is equivalent to achieving a FedRAMP authorization for providing services to federal civilian agencies.

FedRAMP vs CC SRG

The FedRAMP program was established in 2011 to provide a risk-based approach to cloud adoption by the federal government. The program is specific to cloud technologies that store, process, or transmit federal information and is not applicable to non-federal state and local government organizations (though there are public and private organizations interested in CSOs that have achieved FedRAMP authorization).

The CC SRG was released after FedRAMP and, among other things, it defines the additional security requirements and guidance that DoD Mission Owners and CSPs must meet to offer their CSO to DoD departments and agencies. While the CC SRG follows a similar “do once, use many times” approach to the authorization of CSOs as FedRAMP does, there are notable differences in the authorization process itself. Information security objectives in the CC SRG are defined by specific information Impact Levels (IL), which categorize data based on sensitivity, ranging from public to classified secret information. The security control baseline for an IL is aligned with the confidentiality and integrity requirements of the data stored within the CSO. A DoD Mission Owner must carefully assess not only the Federal Information Processing Standards (FIPS) 199 system categorization of the CSO, but also the IL, which determines the sensitivity threshold for the type of data that can be processed.

What are the required authorization levels?

There are four ILs presently in use for authorization of cloud service offerings with the DoD, and each is based on the sensitivity of the information being stored, processed, or transmitted in the CSO. When evaluating the appropriate DoD IL to assess against, the best reference is Figure 1 - Impact Level Comparison in the CC SRG. This figure provides a high-level comparison of the security control requirements, location, connectivity, separation, and personnel requirements associated with each IL.

Impact Level 2
  Information sensitivity: PUBLIC or Non-critical Mission Information
  Security controls: FedRAMP v2 Moderate
  Location: US / US outlying areas, or DoD on-premises
  Off-premises connectivity: Internet
  Separation: Virtual / Logical; PUBLIC COMMUNITY
  Personnel requirements: National Agency Check and Inquiries (NACI)

Impact Level 4
  Information sensitivity: CUI or Non-CUI; Non-Critical Mission Information; Non-National Security Systems
  Security controls: Level 2 + CUI-Specific Tailored Set
  Location: US / US outlying areas, or DoD on-premises
  Off-premises connectivity: NIPRNet via CAP
  Separation: Virtual / Logical; Limited "Public" Community; Strong Virtual Separation Between Tenant Systems & Information
  Personnel requirements: US Persons; ADP-1 Single Scope Background Investigation (SSBI); ADP-2 National Agency Check with Law and Credit (NACLC); Non-disclosure Agreement (NDA)

Impact Level 5
  Information sensitivity: Higher Sensitivity CUI; Mission Critical Information; National Security Systems
  Security controls: Level 4 + NSS & CUI-Specific Tailored Set
  Location: US / US outlying areas, or DoD on-premises
  Off-premises connectivity: NIPRNet via CAP
  Separation: Virtual / Logical; FEDERAL GOV. COMMUNITY; Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal Systems; Strong Virtual Separation Between Tenant Systems & Information
  Personnel requirements: US Persons; ADP-1 Single Scope Background Investigation (SSBI); ADP-2 National Agency Check with Law and Credit (NACLC); Non-disclosure Agreement (NDA)

Impact Level 6
  Information sensitivity: Classified SECRET; National Security Systems
  Security controls: Level 5 + Classified Overlay
  Location: US / US outlying areas, or DoD on-premises; CLEARED/CLASSIFIED FACILITIES
  Off-premises connectivity: SIPRNET DIRECT, with DoD SIPRNet Enclave Connection Approval
  Separation: Virtual / Logical; FEDERAL GOV. COMMUNITY; Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal and Unclassified Systems; Strong Virtual Separation Between Tenant Systems & Information
  Personnel requirements: US Citizens w/ Favorably Adjudicated SSBI & SECRET Clearance; NDA

Figure 1 - Impact Level Comparison

Coalfire has experience navigating the requirements of the CC SRG and assisting customers in building upon existing FedRAMP authorized environments to meet the additional FedRAMP+ requirements, or as a standalone authorization within the DoD. We will continue to explore the DoD Cloud Computing requirements in this ongoing blog series.

For more information on FedRAMP, please visit https://www.coalfire.com/Solutions/Audit-and-Assessment/FedRAMP/Consulting-Advisory.

Contact 3PAO@coalfire.com for more information on how we can help.

This is part one of our series on FedRAMP+ and DoD cloud computing requirements. The series continues with blog #2, Requirements for DoD Impact Level 2.