5 FAH-8 H-350 CLOUD COMPUTING
(CT:WEB-20; 04-15-2019)
(Office of Origin: IRM/BMP)
5 FAH-8 H-351 Cloud Computing Governance Board
(CT:WEB-10; 10-19-2015)
a. The Cloud Computing Governance Board (CCGB) exists to provide advice to the Authorizing Official (AO) regarding Department Business and/or System Owners' (SOs') use of cloud services and providers. The board's recommendation to the AO must balance the need to mitigate risks to systems with the business need being proposed. The CCGB acts as a sub-group of the Department's E-Governance (E-Gov) activities, and the CCGB Executive Secretariat (CCGB-ES) is determined by the CIO.
b. The CCGB is composed of functional members and general members. The functional members act as subject matter experts and verify compliance with key functional areas for the use of cloud services. The general members, with the Secretariat, formulate recommendations to the AO and present the business need based on program knowledge. Additional members can request to participate in accordance with the CCGB charter. A simple majority of general members is needed to approve services.
5 FAH-8 H-351.1 Board Membership
(CT:WEB-20; 04-15-2019)
Functional Membership:
Functional Member | Subject Matter Expertise
Chief Information Security Officer (CISO) | FISMA compliance and IT Security
Directorate of Cyber and Technology Security (DS/CTS) | IT Security
Office of the Legal Adviser (L) | Legal issues
The Office of Global Information Services (A/GIS) | Privacy and Records Issues
Office of the Procurement Executive (A/OPE) and the Office of Acquisitions Management (A/OPE/AQM) | Acquisition Policies
General Membership:
General Member | Notes
PD/CIO for IRM | CCGB Chair
Chief Architect (IRM/BMP/OCA) |
Strategic Planning Office (IRM/BMP/SPO) | Cloud Reporting to OMB
Chief Technology Officer for Diplomatic Security (DS/EX/CTO) |
Director of the Office of Management Policy, Rightsizing and Innovation (M/PRI) | Director of Management Innovation or another representative appointed by the Director of the Office of Management Policy, Rightsizing and Innovation (M/PRI)
Under Secretary for Public Diplomacy and Public Affairs | R-Family Representative nominated by the U/S
Secretary's Executive Secretariat (S/ES) |
Regional Executive Directors | Two Regional Representatives jointly nominated by the Regional Executive Directors
5 FAH-8 H-351.2 Review of Cloud Products by the CCGB
(CT:WEB-15; 07-10-2017)
CCGB Requirements for Reviewing AO Approved Cloud Products or Services:
Due Diligence Requirements:
  System Categorization
  Existing volume purchase agreement (such as a BPA or IDIQ)
Cloud Computing Review Packet (CCRP) Submission Requirements:
  Response to spillage of information
  Monitoring and response to cyber incidents
  Business contingency plans
  Cloud provider support for federal mandates
  Records management plan
  System Security Plan
  Concept of Operations
  Business justification
CCGB Requirements for Reviewing Cloud Products or Services with FedRAMP Approval or an Existing Agency Authority to Operate (ATO):
Due Diligence Requirements:
  System Categorization
  Existing volume purchase agreement (such as a Blanket Purchase Agreement [BPA] or Indefinite Delivery/Indefinite Quantity [IDIQ]) or creation of a new vehicle to allow the Department to coordinate the purchase of cloud products or services
  FedRAMP Approval or ATO that matches the risk and impact identified in the System Categorization
CCRP Submission Requirements:
  Response to spillage of information
  Monitoring and response to cyber incidents
  Business contingency plans
  Cloud provider support for Federal mandates
  Records management plan
CCGB Requirements for Reviewing Cloud Products or Services without FedRAMP Approval or an Existing Agency ATO:
Due Diligence Requirements:
  System Categorization
  Existing volume purchase agreement (such as a BPA or IDIQ) or creation of a new vehicle to allow the Department to coordinate the purchase of cloud products or services
  Complete Department Assessment and Authorization (A&A) process for the cloud service or product
CCRP Submission Requirements:
  Response to spillage of information
  Monitoring and response to cyber incidents
  Business contingency plans
  Cloud provider support for federal mandates
  Records management plan
  System Security Plan
  Concept of Operations
  Business justification
  Analysis of Alternatives (AoA) justifying the use of a non-approved cloud service
The CCGB favors implementations that meet
the following criteria:
(1) Programs or projects utilizing a cloud product or
service previously reviewed by the CCGB and approved by the AO;
(2) The requested cloud product has an existing ATO
issued by a federal agency or is FedRAMP approved at the appropriate risk and
impact level;
(3) The procurement utilizes a contract vehicle
negotiated by the Department or a federal agency that provides high value and
return on investment (ROI) through volume pricing in addition to standardized
language for compliance with federal and Department regulations for IT systems;
and
(4) SOs seeking approval of the AO and review by the
CCGB must provide a CCRP. Unless a requirement is provided via another
Department process, the documentation template will be provided by the
Executive Secretariat of the CCGB. The CCRP must include the following
information:
(a) Response to spillage of information:
Because the Department does not have physical control of the hardware, procedures
for removing information from systems hosted on cloud systems must be
explicitly developed. These procedures may vary from provider to provider, but
must meet Department standards. See 5 FAM 480 and 12 FAM 530 for
initial guidance;
(b) Monitoring for and response to
cyber incidents: System, application, and data owners and project
managers must ensure that contracts with cloud providers have clauses that
allow the Department timely access to the appropriate data to monitor and
respond to cyber incidents. See 1 FAM 262.7
for guidance;
(c) Business contingency plans:
System, application and data owners and project managers must document
contingency plans to execute in the event that a cloud provider goes out of
business, undergoes a catastrophic hardware failure, or experiences some other
event that severely impacts the availability of data or the service. See 12 FAH-10 H-232,
Contingency Planning Security Controls (CP), for more information;
(d) Cloud provider support for federal
mandates: Requirements for Federal IT systems are constantly evolving.
System, application, and data owners should ensure that providers are
contractually bound to support federal requirements;
(e) Records management: The National Archives and Records Administration has requirements for the types of data that must be preserved and the lengths of time for which they must be preserved. Systems implemented in the cloud must meet these requirements. See 5 FAM 400 for more information;
(f) System Security Plan: The System Security Plan, or equivalent documentation from an independent auditor, is designed and written in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plan for Information Technology Systems;
(g) Concept of Operations: A
document describing the characteristics of a proposed system from the viewpoint
of an individual who will use that system. It is used to communicate the
quantitative and qualitative system characteristics to all stakeholders;
(h) Business Justification: This document will clearly and succinctly outline the business need the cloud product or service fulfills for the Department. The justification should, where possible, reference the impacts of the product or service on overseas operations in the execution of U.S. foreign policy.
5 FAH-8 H-351.3 Process for Reviewing Cloud Products
(CT:WEB-10; 10-19-2015)
a. To add a new cloud service to the Cloud Computing Service Catalog, an SO must perform the due diligence and submit a CCRP with the information prescribed in 5 FAH-8 H-351.2 to the Secretariat of the CCGB. Requests for cloud products or services to be reviewed by the CCGB must be submitted via the CCRP process, as defined in the CCGB charter:
(1) The Office of Information Assurance (IA) will make a recommendation to the CCGB, based on the documentation submitted for review as outlined in 5 FAH-8 H-351.2, using an A&A framework suitable for cloud computing services. The recommendation will also be provided to the organization requesting approval;
(2) Any cloud computing service that requires new
software to run on a workstation (e.g., software download and installation)
must follow configuration management policy to include approval by the
Information Technology Configuration Control Board (IT CCB) for the
workstation-based software. See 5 FAM 650
Configuration Management and 5 FAM 861
Hardware and Software Maintenance Configuration Management for more
information;
(3) The CCGB reviews the CCRP and IA's recommendation and issues a recommendation. The recommendation is provided to the AO and the submitting organization;
(4) The CCGB submits its evaluation to the AO for
adjudication. The evaluation is based on criteria, such as:
(a) Identifying qualifying cloud providers already
approved by the CCGB that could meet the requester's requirements;
(b) Recommendations for additional contract language to
address risks or deviations from policy;
(c) Additional mitigation actions or a Plan of Action
and Milestones (POA&M) necessary to address perceived risks;
(d) Additional security controls or a POA&M
necessary to address perceived risks;
(e) A risk analysis that balances a requested service's or product's business need with any unresolvable or unmitigated risks.
b. AO Approval: Approved requests are forwarded to IRM/IA, which serves as the Department's cloud computing clearinghouse:
(1) The reviewed cloud service or product receives an ATO based upon the CCRP and all other required documentation;
(2) IRM's Governance, Resource, and Performance Management Office (IRM/BMP/GRP) adds the newly approved service to the approved Department catalog of cloud computing services as part of its catalog maintenance function;
(3) This catalog will be integrated into the Integrated Logistics Management System (ILMS), maintained by the Bureau of Administration's Office of Logistics Management, Program Management and Policy (A/LM/PMP). For a cloud service that already exists on the Cloud Service Catalog, A/LM will facilitate the contracting and purchasing of the service as part of its current process (see 14 FAM 123).
c. AO Denial: In the event that the AO does not
approve a recommendation, the denial, at the discretion of the AO, can be sent
back to the CCGB for further review to address concerns or risks cited by the
AO. If issues in the denial cannot be addressed to the satisfaction of the AO,
the request is denied until such time as concerns/risks can be appropriately
mitigated or a POA&M can be generated to mitigate the risks.
5 FAH-8 H-352 E-Gov and Cloud Reporting and Analysis (IRM/BMP/SPO)
5 FAH-8 H-352.1 Coordination of Cloud Reporting Requirements and E-Gov
(CT:WEB-20; 04-15-2019)
a. The Department requires SOs to determine whether cloud computing options are appropriate, and to select a cloud-based solution whenever a secure, reliable, and cost-effective option exists, as part of an investment Analysis of Alternatives (AoA). For detailed guidance on how to perform an AoA, please reference the Strategic Planning Office (IRM/BMP/SPO) Intranet website.
b. New system projects in the Department should seek to
optimize cloud technology use in order to benefit from its business value. New
projects should include a Cloud First compliance statement as part of the
concept document to affirm their inclusion of cloud-based solutions in their
AoA.
c. Bureaus must ensure all cloud computing information for IT investments is accurately reported in accordance with Office of Management and Budget (OMB) Circular A-11, Preparation, Submission, and Execution of the Budget, as part of the Department's IT Capital Planning and Investment Control (CPIC) process. For detailed guidance on reporting requirements, please contact IRM/BMP/SPO.
d. Investment owners must use Integrated Management Analytics, Tracking, and Resource Information Exchange (iMATRIX), the Department's IT portfolio management tool, to report all cloud computing IT spending in their IT Investment Business Case. iMATRIX can be accessed via state.gov/. Training for Investment Owners and Program and Project Managers on the Department's IT Investment Business Case requirements is available from IRM/BMP/SPO through the Foreign Service Institute (FSI) course catalog.
e. Investment owners must work with asset owners to
ensure cloud assets or services are entered into iMATRIX and designated under
the appropriate asset subtype.
5 FAH-8 H-352.2 Cloud Computing Analysis
(CT:WEB-10; 10-19-2015)
All commercial cloud computing AoAs for IT investments
must be reported as part of the Capital Planning and Investment Control (CPIC)
process. When selecting applications for migration to a cloud environment,
consider the following:
(1) Lifecycle: If a legacy system is due to be replaced or undergo a major update within a year, the replacement system must consider a cloud solution; low-risk systems must provide justification for why they cannot be moved to the cloud upon refresh. This justification must be presented while seeking CCGB approval and an ATO, and during the CPIC process;
(2) Mission importance:
Migrate the least critical systems before mission-critical applications;
(3) Information sensitivity: Cloud solutions must meet security controls per National Institute of Standards and Technology (NIST) SP 800-53, FedRAMP, and Department standards;
(4) Complexity: Systems that
are smaller or standalone (no interfaces to other systems) are prime candidates
for migration;
(5) Throughput or latency sensitivity:
Factor user experience into the analysis when evaluating systems which are
bandwidth-intensive or delay-sensitive;
(6) User population: Systems
that service external users (other Federal agencies, non-government
organizations (NGOs), and the public) are often prime candidates for a cloud
solution;
(7) Costs: The analysis
should document the ROI, including operational costs of cloud computing, both
disclosed and hidden. Systems that realize an ROI within 3 years should be
strongly considered for a cloud solution; and
(8) Privacy Impact Assessment:
The risk of disclosure of personally identifiable information (PII) must be
considered in the use of cloud solutions.
5 FAH-8 H-353 Contracting for Cloud Products and Services
(CT:WEB-10; 10-19-2015)
a. Contracting for cloud services can generate significant benefits for the government but also carries inherent risks. SOs and personnel initiating requisitions retain ultimate responsibility for ensuring the requirements of 5 FAM 1100 are met.
b. Regardless of the cost of a cloud service purchase, even one falling below the micro-purchase threshold, the cloud approval policy must still be followed to ensure management of any risk associated with the purchase.
c. The requesting party must clearly mark all cloud
services procurements as cloud (title and description) within Ariba.
d. Prior to any procurement, the CCGB must approve each cloud services procurement request. The approvals must be obtained prior to submitting a requisition for procurement services. All requests for these services sent to procurement must contain a certification that the services have been approved by the AO. When the requisition is received by the procurement officials, it is deemed approved by all necessary officials.
e. SOs electing to acquire cloud services shall use existing CCGB-approved contract vehicles to the maximum extent practicable. When existing contract vehicles do not exist, or are inappropriate, extra care shall be taken. Contract language must be added to ensure that all security requirements, safeguards for sensitive information, and necessary access for cyber security officials are included in the vendor agreement.
f. None of the above alleviates the responsibility to
fulfill contracting legal requirements.
g. In addition to standard FedRAMP security controls,
all contracts should contain standard language that affords the Department the
opportunity to implement additional controls and/or restrictions.
h. The utilization of cloud services may result in data residing in a non-government-controlled environment. Numerous factors pose a threat to data housed in this environment (e.g., natural disasters, cyber-attack, or the financial condition of the third party). Therefore, careful consideration should be given to backup and recovery. A backup and recovery strategy commensurate with the risk level of the assessed use of a cloud product, as determined by the CCGB, must be included in all contracts to acquire cloud services. Unless specifically waived, contract language shall be inserted to ensure that the government maintains ownership of data residing on third-party systems and has a means of obtaining this data. IRM will take the lead and work with all interested parties to define objectives for backup and recovery strategies.
i. The SO must follow remediation plans as specified by the AO and the risk level approved for a cloud-based service, covering any contingency that could seriously impact the confidentiality, integrity, or availability of Department data or systems (such as malware infection, insider threat, or natural disaster), in accordance with the guidelines given in National Institute of Standards and Technology Special Publication 800-34, Contingency Planning for Information Technology Systems, as standard contract language.
j. For cloud services storing and processing PII, the
SO must document a plan to manage the business impact of a suspected or actual
unauthorized access to the information.
k. Upon adoption of a government-wide standard
protecting national security and privacy information, the requirement for use
of the Trusted Internet Connection (TIC) program must be included as standard
contract language for any procured cloud service. However, if the contractor
cannot meet the TIC requirements, the contractor must notify the CCGB with an
alternative solution in accordance with federal standards. The CCGB will then
conduct a risk management review and make notifications as required.
l. Contract language should stipulate that use of
unidentified and non-vetted sub-contractors is not permitted.
m. Service providers shall affirm that all Department
data will be stored and backed up within the legal boundaries of the United
States and at no time shall the data in any form be stored outside those
confines, unless approved by the CCGB. Data exchanged and stored on Department
premises abroad is exempt.
5 FAH-8 H-354 Cloud Computing Security
5 FAH-8 H-354.1 Information Requiring Additional Security Controls for Use in a Cloud Computing Product or Service
(CT:WEB-17; 11-15-2017)
a. Consular data: Data
gathered for the purpose of processing requests for visa or passports.
b. Personnel records: Data
gathered for the purpose of hiring, processing personnel actions, and other HR
functions.
c. Financial transaction information:
Systems or data related to the transfer of funds either internally or
externally to the Department.
d. Medical records: Data
gathered for medical clearances or for the maintenance of Department medical
records.
5 FAH-8 H-354.2 Cloud Security Requirements
(CT:WEB-20; 04-15-2019)
a. All cloud services that process Department of State information must be authorized or registered, as appropriate, by the Department of State Authorizing Official (formerly known as the Designated Approving Authority), based upon a system categorization in accordance with Federal Information Processing Standard (FIPS) 199 and registration in the Department's IT Inventory System of Record (currently iMATRIX). (See 5 FAM 814.) Security measures and safeguards for information will differ depending on the Federal Information Security Modernization Act (FISMA) classification of the information being processed in the cloud product or service. More sensitive information and systems will require more stringent review from Department cyber security and data categorization experts before they are approved for use.
b. Use of cloud services to store, process, or transmit data categorized as FISMA moderate and/or that include PII requires the following:
(1) Cloud products and services that contain Department PII or Sensitive But Unclassified (SBU) information must meet the security requirements of 5 FAM 460 (Privacy Act and PII) and 12 FAM 540 (SBU Information), respectively;
(2) Cloud computing technologies using software installed on OpenNet must be CCGB and IT CCB approved;
(3) Commercial cloud applications/services should
address the security principles (e.g., access requirements, encryption,
monitoring, network communications/routing, penetration testing) outlined in
the Cloud Security Principles document available on the Directorate of Cyber
and Technology Security (DS/CTS) website along with vendor specific guidance,
where possible; and
(4) Encryption keys must be maintained, generated and
controlled in a Department data center under the control of the US Government.
All implementations of cloud products above a low FISMA impact and risk level
must keep data encrypted at rest and in-transit. Deviation from this
encryption requirement must be approved in writing by the AO.
c. In the event of an actual or suspected compromise of the commercial cloud service/application (e.g., malware, system breach), the vendor or SO must immediately contact the DS Cyber Incident Response Team (DS/SI/CS/MIRD/CIRT). The vendor or SO must report an actual or suspected PII data breach immediately by completing the PII Breach Incident Form found on the Privacy Division's Customer Center website. If unable to access the form, the user should notify DS/CIRT of cyber and PII incidents or the Privacy Division of non-cyber PII incidents. The Cyber Incident Response Team (CIRT) may be contacted at CIRT@state.gov. The Privacy Division may be contacted at privacy@state.gov.
d. Clearance Requirements for cleared Americans
providing cloud services:
(1) Appropriate level National Security Institute
(NSI) clearances for any system containing classified data (see 12 FAM 631.2
Security Clearances, for classified systems), regardless of the impact level;
(2) High Risk Public Trust (HRPT) determination for
users with elevated privileges, e.g., system admin, on an unclassified/SBU High
Impact system;
(3) Moderate Risk Public Trust (MRPT) determination
for users with elevated privileges, e.g., system admin, on an unclassified/SBU
Moderate Impact system; and
(4) MRPT determination for users with elevated privileges,
e.g., system admin, on an unclassified/SBU Low Impact system.
e. The relevant cyber security offices in IRM and DS, in coordination with the SO, are responsible for jointly monitoring system integrity and security and for ensuring overall system and network security.
5 FAH-8 H-354.3 Secure Communication Between OpenNet and Cloud Providers
(CT:WEB-17; 11-15-2017)
This section outlines the high-level requirements for the exchange of Department data (in any form) from cloud to cloud and from cloud to internal systems, including OpenNet:
(1) DS/CTS maintains detailed and evolving security
specifications in a Cloud Security Principles reference document. The document
provides guidance on how cloud communications should be secured, including
encryption standards and approved means of transporting information.
(2) When specifying requirements for commercial cloud
services, SOs should detail with service providers the restrictions that are to
be applied if exchange of Department data must be performed between different cloud
platforms or with Department systems.
(3) Any connection that requires exchange of data from
cloud to cloud and/or cloud to Department systems is subject to review and
explicit approval by IRM/IA and DS/CS to ensure compliance with current
information security standards and that the connection falls within the
existing ATO for the parent or host system.
5 FAH-8 H-355 through H-399 Unassigned