Azure Government Engineering has come out with the initial version of the Azure Blueprint program, which is designed to ensure that Azure is used securely and compliantly by government agencies and third-party government contractors.
Azure Government comes with a JAB Provisional Authority to Operate (ATO), which it was granted based on its built-in internal security protections, security control implementations and processes. This means that using Azure Government frees customers to focus on their IaaS, PaaS, or SaaS implementations and reduces their security responsibilities in a cloud-based system.
That being said, one of the major challenges with implementing security controls in a cloud environment is defining the responsibilities for each security control throughout the entire stack. Agency customers and Information System Security Officers (ISSOs) need to understand what Azure Government is bringing to the table in terms of security in order to complete their ATO processes, which is where Azure Blueprint Phase 1 comes in.
The initial release comes with documentation to help customers document their security control implementations. Two tools that assist with security control documentation within Azure Cloud are the FedRAMP Moderate baseline Customer Responsibility Matrix (CRM) and the System Security Plan (SSP) template.
The FedRAMP Moderate baseline CRM lists all control requirements that include a customer implementation requirement, allowing for focused documentation of the customer side of security controls. Broadly, it lists two types of control requirements: 1) controls with shared responsibility between Azure Government and Azure customers, and 2) controls that are completely implemented by Azure customers.
The FedRAMP Moderate baseline SSP Template, on the other hand, is meant to help develop an SSP that includes both customer implementations and security controls that have been inherited through Azure Government. The customer responsibility sections of the SSP Template provide instructions on writing a “thorough and compliant control response” while the Azure inheritance sections detail how Azure Government implements the control on behalf of the customer.
Forthcoming iterations of the CRM and SSP Template will bring security control baselines for FedRAMP High, DISA Impact Level 4, and DISA Impact Level 5.