Appendix: First Movers in Cloud Accreditation - Accreditation Models for Secure Cloud Adoption

The approaches described in this appendix represent different models, each with guidance provided by the national government. Each model has benefits and challenges that are instructive for organizations preparing for cloud adoption. For example, FedRAMP is very resource-intensive, which makes it cost-prohibitive for many governments considering replicating it.

Decentralized Model

United Kingdom’s 14 Principles

The United Kingdom, a first mover in cloud adoption, has an organizational model based on the Cloud Security Guidance published by the UK’s National Cyber Security Centre (NCSC). The Cloud Security Guidance lists 14 principles for public sector and enterprise organizations to consider when evaluating cloud services. Organizations then determine which of the principles are important, and how much (if any) assurance the users require in the implementation of these principles.

These 14 principles are a risk management approach that includes the major factors to consider when evaluating a cloud offering. The defining element of this decentralized model is the delegation of decisions about which principles are most important. Organizations then make decisions based on their risk tolerance and mission.

The NCSC provides recommended guidance for implementing the 14 principles. The guidance includes eight steps to identify cloud services that are suitably secure for an organization’s intended use. The initial steps, which allow users to determine the most relevant of the 14 Cloud Security Principles, are:

  • Know your business requirements and identify acceptable and unacceptable organizational risks.

  • Understand your information including identifying the information that will be in the cloud and the legal and regulatory implications.

  • Determine relevant security principles based on analysis from the first two steps and the planned use of the service.

The five remaining steps include understanding how the Cloud Security Offering (CSO) implements the pertinent principles and the level of assurance the CSO offers for their implementation. NCSC also recommends identifying additional mitigations that the organization can take to reduce risk, and determining whether any outstanding risks are acceptable within the risk profile the organization is seeking. Finally, the NCSC concludes that periodic reviews are necessary to determine whether the CSO still meets the business and security needs of an organization.

Best Practice

  • Understand shared responsibility. NCSC implementation guidance emphasizes the agency’s responsibility, as the service user, to configure the service securely.

Centralized Model

Singapore’s Multi-Tier Cloud Security Singapore Standard (MTCS)

Singapore’s Information Technology Standards Committee (ITSC) developed the Multi-Tier Cloud Security (MTCS) Singapore Standard (SS584) for CSPs. CSPs can apply SS584 to meet differing cloud user needs for data sensitivity and business criticality. MTCS seeks to drive cloud adoption across industries by providing clarity around the security provisions of CSPs, while also increasing the level of accountability and transparency from CSPs.

MTCS certification adopts the ISO standards accreditation approach: the accreditation body is Enterprise Singapore (ESG, previously known as SPRING Singapore), and the Conformance Assessment Bodies (CABs, also known as Certification Bodies) are companies accredited by ESG to validate CSP compliance with the MTCS standard. Alongside certification, CSPs must produce a standardized self-disclosure document. This document creates a consistent disclosure format for the services offered and enables users to compare services uniformly across CSPs. The disclosure areas include, but are not limited to:

  • data retention

  • data sovereignty

  • data portability

  • liability

  • availability

  • business continuity plans and disaster recovery

  • incident and problem management

Best Practices

  • Recognize and accept international certifications, including ISO 27001.

  • Leverage third-party auditor assessments by accepting independent audit reports completed by an accredited third-party assessor and using the SOC report as a tool for verification.

Germany’s C5 Cloud Security Standard

Since 1996, the German Federal Office for Information Security (BSI) has issued IT security standards. Based on ISO 27001, BSI developed the Cloud Computing Compliance Controls Catalog (C5), which defines a cloud-focused baseline security standard that looks at both the design and effectiveness of a CSO.

C5 approval is mandatory for public sector offerings. The commercial sector has also adopted C5, as it previously did with the German IT-Grundschutz, another baseline security approach. Having C5 certification is a requirement for a CSP to sell in Germany.

C5 requires an attestation report from an independent third-party assessor. By using an independent third party, the report implicitly carries the accountability and reliability of the third-party assessors’ mandate as professional accountants.

Best Practices

  • Recognize and accept international certifications by basing the standard on ISO 27001.

  • Leverage third-party auditor assessments by requiring an attestation report from an independent third-party assessor.

Hybrid Model

United States’ Federal Risk and Authorization Management Program

The Federal Risk and Authorization Management Program (FedRAMP) is the United States Government model. FedRAMP aspires to provide federal U.S. agencies with “a cost effective, risk-based approach for the adoption and use of cloud services” based on the motto “do once, use many times” (2011 U.S. Office of Management and Budget memo). In this model, significant upfront investments enable future efficiencies.

(It takes approximately six months to receive an accreditation through the Joint Authorization Board (JAB), and often less through an agency, with costs ranging from $350,000 to $865,000, based on a study from one of the largest third-party assessment organizations: https://federalnewsnetwork.com/cloud-computing/2017/05/new-report-tries-to-bust-fedramp-myths-about-cost-usage/)

FedRAMP provides a pool of trusted cloud services. Third-party assessment organizations (3PAOs) have assessed and verified these services, which have then been accredited, or authorized, by the adopting agency. Based on NIST Special Publication 800-53 Rev. 4 security controls, FedRAMP provides CSPs with two paths to accreditation: a JAB provisional authority to operate (P-ATO) or an individual agency’s full ATO.

Path 1: JAB

The JAB is headed by the Chief Information Officers (CIOs) from the Department of Defense (DoD), Department of Homeland Security (DHS), and U.S. General Services Administration (GSA). It has limited capacity each year to authorize new CSOs. Therefore, CSPs must show broad demand for their services for the JAB to consider accreditation.

The JAB pathway involves CSPs working with a 3PAO, who attests to the CSO’s readiness for the authorization process, and subsequently working with the JAB technical reviewers (TR) to introduce them to new services and infrastructure and/or changes to the current infrastructure. The JAB process involves extensive security assessments developed by the 3PAO and CSP, plans to manage residual security risks, and a deep dive into the service offering, system offering, architecture, capabilities and risk posture. Once the CSP has satisfactorily addressed and remediated all JAB TR comments, a provisional authorization to operate (P-ATO) is issued. However, each agency remains responsible for the CSOs used within its environment, so to receive final authorization each agency must still review the CSO and issue an ATO prior to use.

Path 2: Individual Agencies

Alternatively, CSPs can pursue authorization by entering into a formal partnership with an Agency. The Agency approves, and a 3PAO tests, a security blueprint of the system developed by the CSP. The process is similar to the JAB process with two key distinctions: (1) the individual agency, rather than the JAB, reviews the security plans, and (2) there is no P-ATO.

If the Agency accepts the risk associated with the use of the system, it issues the ATO. The FedRAMP program management office then reviews the CSO’s package in collaboration with the Agency, CSP, and 3PAO and makes a decision about FedRAMP authorization.

Regardless of the path, CSPs must provide monthly continuous monitoring deliverables to the authorizing body and engage a 3PAO to complete an annual security assessment to maintain an acceptable risk posture. FedRAMP uploads this annual assessment to a secure FedRAMP repository.

However, in 2016, five years after the start of the FedRAMP program, FedRAMP reported four requests from 85 stakeholders:

  1. Greater certainty of success

  2. More transparency in the process

  3. Faster speed to authorization

  4. Predictability in timeframes for authorization

Best Practices

  • Leverage third-party auditor assessments by accepting independent audit reports completed by an accredited third-party assessor.

  • Establish reciprocity among public sector and industry accreditation programs by implementing a system recognizing FedRAMP and the Cloud Security Alliance STAR Program to reduce the audit burden for CSPs.