5 FAH-8 H-351 CLOUD COMPUTING

Transcription

1 5 FAH-8 H-350 CLOUD COMPUTING (Office of Origin: IRM/BMP) 5 FAH-8 H-351 CLOUD COMPUTING GOVERNANCE BOARD a. The Cloud Computing Governance Board (CCGB) exists to provide advice to the Authorizing Official (AO) regarding Department Business and/or System Owners (SOs) use of cloud services and providers. The board s recommendation to the AO must balance the need to mitigate risks to systems with the business need being proposed. The CCGB will act as a sub-group of the Department s E- Governance (E-Gov) activities and the CCGB Executive Secretariat (CCGB-ES) will be determined by the CIO. b. The CCGB is composed of functional members and general members. The functional members act as subject matter experts and verify compliance with key functional areas for the use of cloud services. The general members, with the Secretariat, formulate recommendations to the AO and present business need based on program knowledge. Additional members can request to participate in accordance with the CCGB charter. A simple majority of general members are needed to approve services. 5 FAH-8 H Board Membership Functional Membership: Functional Member Chief Information Security Officer (CISO) Director of the Office of Cybersecurity (DS/SI/CS) Office of the Legal Adviser (L) The Office of Global Information Subject Matter Expertise FISMA compliance and IT Security IT Security Legal issues Privacy and Records Issues 5 FAH-8 H-350 Page 1 of 12

2 Services (A/GIS) Office of the Procurement Executive (A/OPE) and the Office of Acquisitions Management (A/LM/AQM) Acquisition Policies General Membership: General Member PD/CIO for IRM Notes CCGB Chair Chief Architect (IRM/BMP/OCA) Strategic Planning Office (IRM/BMP/SPO) Cloud Reporting to OMB Chief Technology Officer for Diplomatic Security (DS/EX/CTO) Director of the Office of Management Policy, Rightsizing and Innovation (M/PRI) Under Secretary for Public Diplomacy and Public Affairs Director of Management Innovation or another representative appointed by the Director of the Office of Management Policy, Rightsizing and Innovation (M/PRI) R-Family Representative nominated by the U/S Secretary s Executive Secretariat (S/ES) Regional Executive Directors Two Regional Representatives jointly nominated by the Regional Executive Directors 5 FAH-8 H Review of Cloud Products by the CCGB CCGB Requirements for Reviewing AO Approved Cloud Products or Services: 5 FAH-8 H-350 Page 2 of 12

3 Due Diligence Requirements System Categorization Existing volume purchase agreement (such as a BPA or IDIQ) Cloud Computing Review Packet (CCRP) Submission Requirements Response to spillage of information Monitoring and response to cyber incidents Business contingency plans Cloud provider support for federal mandates Records management plan System Security Plan Concept of Operations Business justification CCGB Requirements for Reviewing Cloud Products or Services with FedRAMP Approval or an Existing Agency Authority to Operate (ATO): Due Diligence Requirements System Categorization Existing volume purchase agreement (such as a Blanket Purchase Agreement [BPA] or Indefinite Delivery/Indefinite Quantity [IDIQ]) or creation of a new vehicle to allow the Department to coordinate the purchase of cloud products or services FedRAMP Approval or ATO that matches the risk and impact identified in the System Categorization CCRP Submission Requirements Response to spillage of information Monitoring and response to cyber incidents Business contingency plans Cloud provider support for Federal mandates Records management plan CCGB Requirements for Reviewing Cloud Products or Services without FedRAMP Approval or an Existing Agency ATO: Due Diligence Requirements CCRP Submission Requirements 5 FAH-8 H-350 Page 3 of 12

4 System Categorization Existing volume purchase agreement (such as a BPA or IDIQ) or creation of a new vehicle to allow the Department to coordinate the purchase of cloud products or services Complete Department Assessment and Authorization (A&A) process for the cloud service or product System Security Plan Concept of Operations Business justification Response to spillage of information Monitoring and response to cyber incidents Business contingency plans Cloud provider support for federal mandates Records management plan System Security Plan Concept of Operations Business justification Alternative of Analysis (AoA) justifying the use of a nonapproved cloud service The CCGB favors implementations that meet the following criteria: (1) Programs or projects utilizing a cloud product or service previously reviewed by the CCGB and approved by the AO; (2) The requested cloud product has an existing ATO issued by a federal agency or is FedRAMP approved at the appropriate risk and impact level; (3) The procurement utilizes a contract vehicle negotiated by the Department or a federal agency that provides high value and return on investment (ROI) through volume pricing in addition to standardized language for compliance with federal and Department regulations for IT systems; and (4) SOs seeking approval of the AO and review by the CCGB must provide a CCRP. Unless a requirement is provided via another Department process, the documentation template will be provided by the Executive Secretariat of the CCGB. The CCRP must include the following information: (a) Response to spillage of information: Because the Department does not have physical control of the hardware, procedures for removing information from systems hosted on cloud systems must be explicitly developed. These procedures may vary from provider to provider, but must meet Department standards. See 5 FAM 480 and 12 FAM 530 for initial guidance; (b) Monitoring for and response to cyber incidents: System, application, and data owners and project managers must ensure that contracts with cloud providers have clauses that allow the Department timely access to the appropriate data to monitor and respond to cyber 5 FAH-8 H-350 Page 4 of 12

5 incidents. See 1 FAM for guidance; (c) Business contingency plans: System, application and data owners and project managers must document contingency plans to execute in the event that a cloud provider goes out of business, undergoes a catastrophic hardware failure, or experiences some other event that severely impacts the availability of data or the service. See 12 FAM Backup and Contingency Plans for more information; (d) Cloud provider support for federal mandates: Requirements for Federal IT systems are constantly evolving. System, application, and data owners should ensure that providers are contractually bound to support federal requirements; (e) Records management: The National Archives and Records Administration has requirements for the types and lengths of time that data that must be preserved. Systems implemented in the cloud must meet these requirements. See 5 FAM 400 for more information; (f) System Security Plan: The System Security Plan, or equivalent documentation from an independent auditor, is designed and written in accordance with National Institute Standards and Technology (NIST) Special Publication (SP) , Revision 1, Guide for Developing Security Plan for Information Technology Systems; (g) Concept of Operations: A document describing the characteristics of a proposed system from the viewpoint of an individual who will use that system. It is used to communicate the quantitative and qualitative system characteristics to all stakeholders; (h) Business Justification: This document will clearly and succinctly outline the business need the cloud product or service fulfills for the Department. The justification should, where possible, reference the impacts of the product or services on overseas operations in the execution of U.S. foreign policy; 5 FAH-8 H Process for Reviewing Cloud Products a. To add a new cloud service into the Cloud Computing Service Catalog, an SO must perform the due diligence and submit a CCRP with the information prescribed in 5 FAH-8 H to the Secretariat of the CCGB. Requests for cloud products or services to be reviewed by the CCGB must be submitted via the CCRP process, as defined in the CCGB charter: (1) The Office of Information Assurance (IA) will make a recommendation to the CCGB based on the documentation submitted for review outlined in 5 FAH-8 H using an A&A framework suitable for cloud computing services. The recommendation will also be provided to the organization 5 FAH-8 H-350 Page 5 of 12

6 requesting approval; (2) Any cloud computing service that requires new software to run on a workstation (e.g., software download and installation) must follow configuration management policy to include approval by the Information Technology Configuration Control Board (IT CCB) for the workstation-based software. See 5 FAM 650 Configuration Management and 5 FAM 861 Hardware and Software Maintenance Configuration Management for more information; (3) The CCGB reviews the CCRP and IA s recommendation and issues a recommendation. The recommendation is provided to the AO and submitting organization; (4) The CCGB submits its evaluation to the AO for adjudication. The evaluation is based on criteria, such as: (a) Identifying qualifying cloud providers already approved by the CCGB that could meet the requester's requirements; (b) Recommendations for additional contract language to address risks or deviations from policy; (c) Additional mitigation actions or a Plan of Action and Milestones (POA&M) necessary to address perceived risks; (d) Additional security controls or a POA&M necessary to address perceived risks; (e) A risk analysis that balances a requested service s or product s business need with any unresolvable or unmitigated risks. b. AO Approval: Approved requests are forwarded to IRM/IA, which serves as the Department s cloud computing clearinghouse: (1) The reviewed cloud service or product receives an ATO based upon the CCRP and all other required documentation; (2) IRM s Governance, Resource, and Performance Management Office (IRM/BMP/GRP) adds the newly-approved service to the approved department catalog of cloud computing services as part of its catalog maintenance function; (3) This catalog will be integrated into the Integrated Logistics Management System (ILMS), maintained by the Bureau of Administration s Office of Logistics Management, Program Management and Policy (A/LM/PMP). For a cloud service that previously exists on the Cloud Service Catalog, A/LM will facilitate the contracting, and purchasing of the service as part of its current process (see 14 FAM 123). c. AO Denial: In the event that the AO does not approve a recommendation, the denial, at the discretion of the AO, can be sent back to the CCGB for further review to address concerns or risks cited by the AO. If issues in the denial 5 FAH-8 H-350 Page 6 of 12

7 cannot be addressed to the satisfaction of the AO, the request is denied until such time as concerns/risks can be appropriately mitigated or a POA&M can be generated to mitigate the risks. 5 FAH-8 H-352 E-GOV AND CLOUD REPORTING AND ANALYSIS (IRM/BMP/SPO/PM) 5 FAH-8 H Coordination of Cloud Reporting Requirements and E-Gov a. The Department requires SOs to determine whether a cloud computing options are appropriate, and the selection of a cloud-based solution whenever a secure, reliable, and cost-effective option exists as part of an investment Analysis of Alternatives (AoA). For detailed guidance on how to perform an AoA, please reference the E-Government (E-Gov) Program Management Office (PMO) website at the following address for the latest internal guidance on the AoA process. b. New system projects in the Department should seek to optimize cloud technology use in order to benefit from its business value. New projects should include a Cloud First compliance statement as part of the concept document to affirm their inclusion of cloud-based solutions in their AoA. c. Bureaus must ensure all cloud computing information for IT investments is accurately reported in accordance with the Office of Management and Budget (OMB) Circular A-11 the Preparation, Submission, and Execution of Budget as part of the Department s IT Capital Planning Investment Control (CPIC) process. For detailed guidance on reporting requirements, please contact the E-Gov PMO for the latest guidance. d. Investment owners must use Integrated Management Analytics, Tracking, and Resource Information Exchange (imatrix) the Department s IT portfolio management tool to report all cloud computing IT spending in their IT Investment Business Case. imatrix can be accessed via state.gov/. Training for Investment Owners and Program and Project Managers on the Department s IT Investment Business Case requirements is available from E-Gov PMO through the Foreign Service Institute (FSI) course catalog. e. Investment owners must work with asset owners to ensure cloud assets or services are entered into imatrix and designated under the appropriate asset subtype. 5 FAH-8 H-350 Page 7 of 12

8 5 FAH-8 H Cloud Computing Analysis All commercial cloud computing AoAs for IT investments must be reported as part of the Capital Planning and Investment Control (CPIC) process. When selecting applications for migration to a cloud environment, consider the following: (1) Lifecycle: If a legacy system is due to be replaced or undergo a major update within a year, a replacement system must consider a cloud solution; low risk systems must provide justification why they cannot be moved to the cloud upon refresh. This justification must be presented while seeking CCGB approval, an ATO, and during the CPIC process; (2) Mission importance: Migrate the least critical systems before missioncritical applications; (3) Information sensitivity: Cloud solutions must meet security controls per National Institute of Standards and Technology (NIST) , FedRAMP, and Department standards; (4) Complexity: Systems that are smaller or standalone (no interfaces to other systems) are prime candidates for migration; (5) Throughput or latency sensitivity: Factor user experience into the analysis when evaluating systems which are bandwidth-intensive or delay-sensitive; (6) User population: Systems that service external users (other Federal agencies, non-government organizations (NGOs), and the public) are often prime candidates for a cloud solution; (7) Costs: The analysis should document the ROI, including operational costs of cloud computing, both disclosed and hidden. Systems that realize an ROI within 3 years should be strongly considered for a cloud solution; and (8) Privacy Impact Assessment: The risk of disclosure of personally identifiable information (PII) must be considered in the use of cloud solutions. 5 FAH-8 H-353 CONTRACTING FOR CLOUD PRODUCTS AND SERVICES a. Contracting for cloud services has the opportunity to generate significant benefits for the government but also contains inherent risks. SOs and personnel initiating requisitions maintain the ultimate responsibility for ensuring the requirements of 5 FAM 1100 are met. b. Regardless of the cost of a cloud service purchase, such as falling below the micro-purchase threshold, the cloud approval policy must still be followed to 5 FAH-8 H-350 Page 8 of 12

9 ensure management of any risk associated with the purchase. c. The requesting party must clearly mark all cloud services procurements as cloud (title and description) within Ariba. d. Prior to any procurement, CCGB must approve each cloud services procurement request. The approvals must be obtained prior to submitting a requisition for procurement services. All requests for these services sent to procurement must contain a certification that the services have been approved by the AO. When the requisition is received by the procurement officials, it will be deemed as approved by all necessary officials. e. SOs electing to acquire cloud services shall use existing CCGB-approved contract vehicles to the maximum extent practicable. When existing contract vehicles do not exist, or are inappropriate, extra care shall be taken. Contract language must be added to ensure that all security, safeguards for sensitive information, and necessary access for cyber security officials are included in the vendor agreement. f. None of the above alleviates the responsibility to fulfill contracting legal requirements. g. In addition to standard FedRAMP security controls, all contracts should contain standard language that affords the Department the opportunity to implement additional controls and/or restrictions. h. The utilization of cloud services may result in data residing in a nongovernment controlled environment. Numerous items pose a threat to data when housed in this environment (i.e., natural disasters, cyber-attack, or financial stability of the third-party). Therefore, careful consideration should be given to backup and recovery. A backup and recovery strategy commensurate with the risk level of the assessed use of a cloud product, as determined by CCGB, must be included in all contracts to acquire cloud services. Unless specifically waived, contract language shall be inserted to ensure that the government maintains ownership of data residing on third-party systems, and the government has a means of obtaining this data. IRM will have lead and worked with all interested parties to define objectives for backup and recovery strategies. i. The SO must follow remediation plans as specified by AO and the risk level approved for a cloud-based service to include any contingency that could seriously impact the confidentiality, integrity, or availability of Department data or systems, such as malware infection, insider threat, or natural disaster in accordance with the guidelines given in National Institute of Science and Technology Special Publication : Contingency Planning for Information Technology Systems as standard contract language. j. For cloud services storing and processing PII, the SO must document a plan to manage the business impact of a suspected or actual unauthorized access to the information. 5 FAH-8 H-350 Page 9 of 12

10 k. Upon adoption of a government-wide standard protecting national security and privacy information, the requirement for use of the Trusted Internet Connection (TIC) program must be included as standard contract language for any procured cloud service. However, if the contractor cannot meet the TIC requirements, the contractor must notify the CCGB with an alternative solution in accordance with federal standards. The CCGB will then conduct a risk management review and make notifications as required. l. Contract language should stipulate that use of unidentified and non-vetted subcontractors is not permitted. m. Service providers shall affirm that all Department data will be stored and backed up within the legal boundaries of the United States and at no time shall the data in any form be stored outside those confines, unless approved by the CCGB. Data exchanged and stored on Department premises abroad is exempt. 5 FAH-8 H-354 CLOUD COMPUTING SECURITY 5 FAH-8 H Information Prohibited For Use In A Cloud Computing Product Or Service a. Consular Data: Data gathered for the purpose of processing requests for visa or passports. b. Personnel Records: Data gathered for the purpose of hiring, processing personnel actions, and other HR functions. c. Financial Transaction information: Systems or data related to the transfer of funds either internally or externally to the Department. d. Medical Records: Data gathered for medical clearances or for the maintenance of Department medical records. 5 FAH-8 H Cloud Security Requirements a. All cloud services that process Department of State information must be authorized or registered as appropriate, by the Department of State Authorizing Official (formerly known as Designated Approving Authority), based upon a system categorization in accordance with Federal Information Processing Standard (FIPS) 199 and registration in the Department's IT Inventory System of Record (currently imatrix). (See 5 FAM 814.) Security measures and safeguards for information will differ depending on the Federal Information Security Management Act (FISMA) classification of the information being processed in the cloud product or service. More sensitive information and 5 FAH-8 H-350 Page 10 of 12

11 systems will require more stringent review from Department cyber security and data categorization experts before they are approved for use. b. Use of cloud services to store, process, or transmit data categorized as FISMA moderate and/or include PII requires: (1) Cloud products and services that contain Department PII or Sensitive But Unclassified (SBU) information must meet the security requirements of 5 FAM 460 (Privacy Act and PII) and 12 FAM 540 (SBU Information), respectively; (2) Cloud computing technologies using software installed on OpenNet must be CCGB and ITCCB approved; (3) Commercial cloud applications/services should address the security principles (e.g., access requirements, encryption, monitoring, network communications/routing, penetration testing) outlined in the Cloud Security Principles document available on the DS/SI/CS website along with vendor specific guidance, where possible; and (4) Encryption keys must be maintained, generated and controlled in a Department data center under the control of the US Government. All implementations of cloud products above a low FISMA impact and risk level must keep data encrypted at rest and in-transit. Deviation from this encryption requirement must be approved in writing by the AO. c. In the event of an actual or suspected compromise of the commercial cloud services/application (e.g., malware, system breach), the vendor or SO must immediately contact the DS Cyber Incident Response Team (DS/SI/CS/MIRD/CIRT). The vendor or SO must report an actual or suspected PII data breach immediately by completing the PII Breach Incident Form found on the Privacy Division s Customer Center website. If unable to access the form, the user should notify DS/CIRT of cyber and PII incidents or the Privacy Division of non-cyber PII incidents. The Cyber Incident Response Team (CIRT) may be contacted at [email protected]. The Privacy Division may be contacted at [email protected]. d. Clearance Requirements for cleared Americans providing cloud services: (1) Appropriate level National Security Institute (NSI) clearances for any system containing classified data (see 12 FAM Security Clearances, for classified systems), regardless of the impact level; (2) High Risk Public Trust (HRPT) determination for users with elevated privileges, e.g., system admin, on an unclassified/sbu High Impact system; (3) Moderate Risk Public Trust (MRPT) determination for users with elevated privileges, e.g., system admin, on an unclassified/sbu Moderate Impact system; and (4) MRPT determination for users with elevated privileges, e.g., system admin, 5 FAH-8 H-350 Page 11 of 12

12 on an unclassified/sbu Low Impact system. e. The relevant cyber security offices in IRM and DS in coordination with the SO are responsible for jointly monitoring system integrity, security and ensuring overall system and network security. 5 FAH-8 H Secure Communication Between OpenNet and Cloud Providers This section outlines the high level requirements for exchange of Department data (in any form) from cloud to cloud and cloud to internal systems including OpenNet: (1) DS/SI/CS maintains detailed and evolving security specifications in their Cloud Security Principles document. The document provides guidance on how cloud communications should be secured, including encryption standards and approved means of transporting information. (2) When specifying requirements for commercial cloud services, SOs should detail with service providers the restrictions that are to be applied if exchange of Department data must be performed between different cloud platforms or with Department systems. (3) Any connection that requires exchange of data from cloud to cloud and/or cloud to Department systems is subject to review and explicit approval by IRM/IA and DS/CS to ensure compliance with current information security standards and that the connection falls within the existing ATO for the parent or host system. 5 FAH-8 H-350 Page 12 of 12