
What is FedRAMP+?

Coalfire Assessment Team

June 30, 2021


The Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG) Version 1, Release 3 defines FedRAMP Plus (FedRAMP+) as:

“… the concept of leveraging the work done as part of the FedRAMP assessment and adding specific security controls and requirements necessary to meet and assure DoD’s critical mission requirements. A CSP’s CSO can be assessed in accordance with the criteria outlined in this SRG, with the results used as the basis for awarding a DoD provisional authorization.”

CC SRG Overview

The DoD CC SRG was developed by the Defense Information Systems Agency (DISA) for DoD agencies and DoD Mission Owners. DISA’s requirements build on the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) requirements for authorizing cloud services for use by federal government civilian agencies. FedRAMP+ outlines specific requirements for the implementation of cloud service offerings (CSOs) used by the DoD. The “plus” in FedRAMP+ signifies the additional security requirements that DISA has built on top of what FedRAMP as a program establishes for a risk-based approach in standardizing the adoption and use of cloud services by the federal government.

Any Cloud Service Provider (CSP) interested in providing solutions to the DoD must pass an assessment based on the CC SRG requirements to achieve a DoD Provisional Authorization (PA). The DoD PA is the acknowledgement of risk based on an evaluation of the CSP’s CSO and the potential risk it introduces to DoD networks; it is the DoD equivalent of a FedRAMP authorization for providing services to federal civilian agencies.

FedRAMP vs CC SRG

The FedRAMP program was established in 2011 to provide a risk-based approach to cloud adoption by the federal government. The program is specific to cloud technologies that store, process, or transmit federal information and is not applicable to non-federal state and local government organizations (though there are public and private organizations interested in CSOs that have achieved FedRAMP authorization).

The CC SRG was released after FedRAMP and, among other things, it defines the additional security requirements and guidance that DoD Mission Owners and CSPs must meet to offer a CSO to DoD departments and agencies. While the CC SRG follows a “do once, use many times” framework similar to FedRAMP’s for the authorization of CSOs, there are notable differences in the authorization process itself. Information security objectives in the CC SRG are defined by information Impact Levels (ILs), which categorize data by sensitivity, ranging from public information to classified SECRET information. The security control baseline for an IL is aligned with the confidentiality and integrity requirements of the data stored within the CSO. A DoD Mission Owner must therefore assess not only the Federal Information Processing Standards (FIPS) 199 system categorization of the CSO, but also the IL, which sets the sensitivity threshold for the type of data the CSO may process.

What are the required authorization levels?

There are four ILs presently in use for authorization of cloud service offerings with the DoD, and each is based on the sensitivity of the information being stored, processed, or transmitted in the CSO. When evaluating the appropriate DoD IL to assess against, the best reference is Figure 1, Impact Level Comparison, provided in the CC SRG. This figure gives a high-level comparison of the security control requirements, location, off-premises connectivity, separation, and personnel requirements associated with each IL.

| Impact level | Information sensitivity | Security controls | Location | Off-premises connectivity | Separation | Personnel requirements |
|---|---|---|---|---|---|---|
| 2 | PUBLIC or Non-critical Mission Information | FedRAMP v2 Moderate | US / US outlying areas or DoD on-premises | Internet | Virtual / Logical; PUBLIC COMMUNITY | National Agency Check and Inquiries (NACI) |
| 4 | CUI or Non-CUI; Non-Critical Mission Information; Non-National Security Systems | Level 2 + CUI-Specific Tailored Set | US / US outlying areas or DoD on-premises | NIPRNet via CAP | Virtual / Logical; Limited "Public" Community; Strong Virtual Separation Between Tenant Systems & Information | US Persons; ADP-1 Single Scope Background Investigation (SSBI); ADP-2 National Agency Check with Law and Credit (NACLC); Non-disclosure Agreement (NDA) |
| 5 | Higher Sensitivity CUI; Mission Critical Information; National Security Systems | Level 4 + NSS & CUI-Specific Tailored Set | US / US outlying areas or DoD on-premises | NIPRNet via CAP | Virtual / Logical; FEDERAL GOV. COMMUNITY; Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal Systems; Strong Virtual Separation Between Tenant Systems & Information | US Persons; ADP-1 Single Scope Background Investigation (SSBI); ADP-2 National Agency Check with Law and Credit (NACLC); Non-disclosure Agreement (NDA) |
| 6 | Classified SECRET; National Security Systems | Level 5 + Classified Overlay | US / US outlying areas or DoD on-premises; CLEARED/CLASSIFIED FACILITIES | SIPRNET DIRECT with DoD SIPRNet Enclave Connection Approval | Virtual / Logical; FEDERAL GOV. COMMUNITY; Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal and Unclassified Systems; Strong Virtual Separation Between Tenant Systems & Information | US Citizens w/ Favorably Adjudicated SSBI & SECRET Clearance; NDA |

Figure 1 - Impact Level Comparison

Coalfire has experience navigating the requirements of the CC SRG and assisting customers in building upon existing FedRAMP authorized environments to meet the additional FedRAMP+ requirements, or as a standalone authorization within the DoD. We will continue to explore the DoD Cloud Computing requirements in this ongoing blog series.

For more information on FedRAMP, please visit our website.

Contact 3PAO@coalfire.com for more information on how we can help.

This is part one of our series on FedRAMP+ and DoD cloud computing requirements. Part two in the series covers Requirements for DoD Impact Level 2.