5 FAM 1100
CLOUD COMPUTING
5 FAM 1110
CLOUD COMPUTING POLICY
(CT:IM-167; 10-19-2015)
(Office of Origin: IRM/BMP)
5 FAM 1111 SCOPE
(CT:IM-167; 10-19-2015)
a. The scope of this subchapter provides Department-wide direction, policy, and governance requirements for the use of cloud services.
b. This policy applies to the use of all cloud services.
5 FAM 1112 AUTHORITIES
(CT:IM-167; 10-19-2015)
The authorities for this policy include:
(1) 25 Point Implementation Plan to Reform Federal IT (published Dec. 9, 2010);
(2) Federal Cloud Computing Strategy (published Feb. 8, 2011);
(3) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-145, NIST Definition of Cloud Computing;
(4) NIST SP 800-146, NIST Cloud Computing Synopsis and Recommendations;
(5) NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing;
(6) NIST SP 500-291, NIST Cloud Computing Standards Roadmap;
(7) NIST SP 800-63 Rev 2, Electronic Authentication Guideline;
(8) NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations;
(9) NIST SP 800-37, Risk Management Framework;
(10) OMB Memorandum M-7-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
(11) FedRAMP Policy Memo (OMB Memorandum, December 8, 2011);
(12) FedRAMP Concept of Operations, and Security Controls for Cloud Service Providers (CSPs);
(13) Federal Information Security Management Act of 2002 (FISMA) (Public Law 107-347, 44 U.S.C. ch. 35);
(14) Federal Information Security Modernization Act of 2014 (FISMA Reform) (Public Law 113-283);
(15) OMB Circular A-11, Preparation, Submission, and Execution of the Budget; and
(16) Federal Information Technology Acquisition Reform Act (FITARA) (Public Law 113-291, sec. 831-837).
5 FAM 1113 CLOUD COMPUTING DEFINITIONS
(CT:IM-167; 10-19-2015)
Cloud computing: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing promotes availability and is composed of five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. NIST SP 800-145 defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service-provider interaction. For further guidance on cloud computing, see NIST SP 800-145, The NIST Definition of Cloud Computing.
Cloud computing deployment models: Cloud technologies can be deployed as private, community, public, or hybrid clouds. Refer to NIST SP 800-145, NIST Definition of Cloud Computing, for further guidance.
Cloud Computing Governance Board (CCGB): The CCGB provides recommendations to the authorizing official (AO). The board is chaired by the PD/CIO for IRM and reviews all cloud-based projects and programs during the planning phase (5 FAH-8 H-350).
Cloud service models: The three basic service models for cloud technologies are infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Refer to NIST SP 800-145, NIST Definition of Cloud Computing, for further guidance.
The Federal Risk and Authorization Management Program (FedRAMP): A unified, government-wide risk management program focused on large outsourced and multi-agency systems. FedRAMP has been established to provide a standard approach to Assessment and Authorization (A&A) of cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for U.S. Government and commercial cloud computing systems intended for multi-agency use. The objective of FedRAMP is threefold:
(1) To ensure that information systems/services used government-wide have adequate information security;
(2) To eliminate duplication of effort and reduce risk-management costs; and
(3) To enable rapid and cost-effective procurement of information systems/services for Federal agencies.
Federal Information Processing Standard (FIPS) Impact Levels: FISMA mandates that all Federal agencies assess information systems requirements for confidentiality, integrity, and availability. Systems are assigned a low, moderate, or high risk based on the potential impacts of a loss of confidentiality, integrity, or availability. All Department systems and data are categorized in accordance with the current version of Federal Information Processing Standard Publication 199 (FIPS 199); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems; and NIST SP 800-60, Guide for Mapping Information and Information Systems to Security Categories.
5 FAM 1114 CLOUD POLICY
(CT:IM-167; 10-19-2015)
a. Department policies and procedures, national regulations, legal mandates, and responsibilities of System Owners (SOs) for managing and securing information systems, whether cloud-based or on-premises, remain unchanged unless explicitly outlined in this policy.
b. Only information that conforms with the Department-specific definitions for FISMA low or moderate impact categorization is permitted in the cloud, regardless of location or service provider, unless specifically authorized by the CCGB. Information related to consular services, financial transactions, medical records, and personnel records, as defined in 5 FAH-8 H-354.1, will be subject to additional Department of State-specific controls as defined by the CCGB and approved by the authorizing official (AO).
c. The chief information officer (CIO) is the AO for all cloud services for the Department.
d. Approval by the AO must occur before any production deployment of commercial cloud products or services. All requests for these services sent to procurement must contain a certification that the services have been approved by the AO. Procurement officials will rely solely on this certification as the approval to procure these systems. Additionally, while the list identifies approved modules, it does not automatically authorize sole-source procurements.
e. All bureaus, offices, and posts must adhere to the policies, procedures, and directives issued by the Department's AO and the Cloud Computing Governance Board (CCGB) for new cloud services and products.
f. All contracts and procurements of cloud services must utilize standardized contract language, including Statements of Work (SOW) and any other contract sections and clauses deemed appropriate, to ensure vendors agree to comply with federal mandates for IT systems, such as cybersecurity protections, FISMA compliance, and federal records management.
g. The CCGB will maintain a catalog of approved commercial cloud services and providers, adding them as they are approved.
h. IRM will coordinate with DS, L, and A bureaus to identify and leverage standard contract language from other federal sources to acquire cloud services.
i. SOs are responsible for understanding and identifying risk for leveraging cloud services. SOs can seek assistance from IRM to assess and mitigate risk.
j. Once an SO has received approval from the AO and an Authority To Operate (ATO) has been issued, SOs are responsible for annual recertification of the risk and impact associated with the data in their cloud-based system as part of the Authorization and Accreditation process as published by IRM/IA.
k. In conformance with the Federal Cloud First policy, all new Department IT projects must implement cloud services (e.g., private or U.S. Government-owned, community, public, or hybrid) whenever they are cost effective, meet system/owner mission requirements, and provide the required level of security and performance. IRM/BMP/SPO monitors compliance through the Department's Capital Planning and Investment Control (CPIC) process. (See 5 FAM 610.)
l. Systems utilizing commercial cloud offerings that are FedRAMP approved or have an ATO issued by a federal agency for an implementation with a similar impact and risk level will be able to inherit FISMA controls in most instances, if recommended by the CCGB and approved by the AO. Controls beyond what is required by FISMA or FedRAMP may be required at the discretion of the AO.
m. All cloud services seeking or granted an ATO must be registered properly in the Department's IT Inventory System of Record, iMATRIX (see 1 FAM 270 and 5 FAM 814). Each distinct application and system must be registered separately within iMATRIX, even if those applications and systems are provisioned through the same cloud service provider or license agreement.
n. All cloud services that are part of a major or non-major investment, as mandated by OMB Circular A-11, must follow the Department's IT CPIC process (see 5 FAM 1040) and ensure that accurate information is reported in iMATRIX, specifically the reporting of cloud computing costs and the assessment of cloud computing during the development of an investment's alternatives analysis.
o. Failure to adhere to federal mandates or policy for information systems, or to adhere to the policies, procedures, and directives issued by the CCGB, can result in revocation of a system ATO and/or the responsible official(s) being unable to continue in the role of SO. This is at the discretion of the AO.
p. Per OMB Exhibit 53 guidance in Circular A-11, system, application, and data owners are required to perform an alternatives analysis to explore possibilities for developing and hosting the cloud service. The alternatives analysis should consider life cycle, mission importance, information sensitivity, complexity, throughput or latency sensitivity, user population, costs, and privacy impacts. For existing projects, each system, application, or data owner shall evaluate the viability of migrating the legacy system to a cloud computing environment. Factors might include major system changes, more flexible access models, or improved cloud technologies. Additional guidance is provided by IRM/BMP/SPO/PM program manager training, 5 FAM 1040, 5 FAH-8 H-352, and OMB Circular A-11 (OMB Exhibit 53c).
q. All SOs must complete training related to implementing commercial cloud computing products at the Department. The SO must successfully complete this training prior to procurement and implementation, or prior to formally assuming the role of system owner for an existing cloud-deployed IT system. The CCGB will specify all cloud training requirements.