DoD Cloud
What makes selling to DoD different from selling to the civilian sector? What is this FedRAMP+ that people are talking about?
Leverage our cloud security consultants to navigate the waters of DoD so that you can obtain a provisional authorization (PA) to sell to all of DoD. Fortreum team members have supported numerous DoD assessments and will help guide your team to success.
The Department of Defense maintains its own security requirements for cloud service providers. These are defined within the Security Requirements Guide (SRG) and are aligned to various impact levels. Fortreum’s Federal Risk and Authorization Management Program (FedRAMP) DoD Gap Assessment provides the following:
- Overview of the DoD authorization process, Impact Levels (IL), and similarities to FedRAMP
- Identification of implementation gaps in security control implementations
- DoD boundary review and validation
- Roadmap to DoD Provisional Authorization (PA)
DoD maintains an Addendum to the FedRAMP PMO-provided System Security Plan template. This addendum is used to document the control implementation details associated with the additional DoD security controls, more stringent security parameters, and associated general readiness.
- Preparation activities to validate the boundary and document the security package
- Develop addendum system security plan specific to DoD requirements
- Complete FedRAMP/DoD program development to prepare our clients for a DoD PA
Conduct a 3PAO assessment, specific to a DoD organization, for your cloud service offering. This can cover just the additional controls for an associated impact level, or be a full assessment inclusive of the DoD SRG controls.
- Detailed assessment of the DoD authorization boundary for the cloud service offering
- Assessment consists of the following activities:
  - Security Assessment Plan
  - Control Assessment (based on the FedRAMP baseline)
  - Vulnerability Scans (operating systems, web applications, network devices, and databases)
  - Penetration Test
  - Security Assessment Report
  - DoD Readiness Assessment Report
- The DoD Readiness Assessment Report is used as the starting point for the DISA review team to get a handle on the authorization boundary and how the rest of the assessment was performed.
- Upon reviewing the entire package, the DISA review team makes an associated recommendation to the DoD authorizing official.
Upon signature, the DoD PA must be continuously maintained by the cloud service provider. This is to ensure there is no drift in the implementation of security controls or patching processes.
- Continuous monitoring means exactly that – ongoing validations throughout the course of the year
- Focus is on the DoD overlay controls in the SRG, but aligned to the FedRAMP baseline as well, since the two are done concurrently
- 3PAO assessment done annually or whenever a significant change request arises
- Continuous monitoring report due to the sponsoring organization, and DISA, on a monthly basis
Why Choose Fortreum?
We simplify cloud and cybersecurity for our customers
Fortreum has enterprise-grade experience with the right blend of technical and analytical expertise to support your cybersecurity and cloud needs.
Contact us to discuss your cyber and cloud business needs. We’re happy to share our insights and work with you as your business evolves.
Business Considerations
FedRAMP+ is not the same as FedRAMP
FedRAMP+ is the overlay of DoD SRG requirements above FedRAMP’s baseline. FedRAMP is required for anyone selling to a federal agency; FedRAMP+ builds upon FedRAMP and is required for anyone selling to a DoD organization. Thus, knowing who your end customer is up front will help ensure you have the proper requirements incorporated into your cloud service offering.
Provisional Authorization Takes Time
The DoD authorization process is quite lengthy, as the reviewers want to ensure the package is comprehensive. DoD states an estimated duration of 11-17 weeks (excluding the 3PAO assessment and system package preparation activities); however, this will vary widely depending on the scope and complexity of the cloud service offering.
DISA Plays a Critical Role
The DISA Cloud Assessment Division serves as a reviewer on the JAB, but when it comes to DoD sponsoring organizations, it provides additional support to DoD component sponsors and mission owners. Where applicable, DoD assigns a Joint Validation Team (JVT) to perform the review; this is also the team that provides recommendations for authorization and briefs the authorizing official.
Reciprocity Exists
Reciprocity with FedRAMP has been a government and industry problem. To address this, DoD signed a DoD-wide provisional authorization in 2019 to allow DoD organizations to utilize FedRAMP Moderate authorizations for DoD SRG Impact Level 2. It quickly opened the door for the 200+ cloud service offerings to be adopted within the DoD community.
Why is DoD Cloud important?
Similar to FedRAMP, if a cloud service provider wants to sell a cloud service offering to a Federal Agency, the specific offering must obtain a DoD Provisional Authorization (PA). This is above and beyond what is covered in FedRAMP and is defined within the DoD SRG. If there is no DoD PA in place, then the cloud service offering cannot be utilized by any DoD organization.
The requirements are outlined within the SRG and are above and beyond what is outlined in the FedRAMP-defined baseline. These additional requirements are quite extensive and oftentimes require the provider to think through how they will meet these prior to the 3PAO assessment.
Why should my organization care?
The use of cloud services continues to rise at statistically high rates. This continues to hold true for the US Government, including DoD organizations. And while DoD was slow to adopt the cloud in the early days of FedRAMP, DoD has exponentially increased the number of authorizations year over year. On top of that, more and more DoD organizations are sponsoring new authorizations through the process.
This trend will continue as more cloud service offerings are brought into the DoD marketplace. In fact, the more niche the product, the more likely a DoD organization will be interested in procuring it if it aligns to their mission. Fortreum recommends that cloud service providers understand these points when approaching a potential DoD organization about sponsoring them through the program.