
Background


Azure offers several options for ISVs to deploy and sell their solutions to US Government customers.  The important first steps for any ISV to consider before embarking on the journey to sell to US Government customers are:



  • How do you intend to sell your solution?

    • Is this sold as traditional COTS (Commercial Off-The-Shelf) where the US Government customer will simply buy the solution and then operate it within its own Azure tenant, or

    • Is this a fully hosted SaaS offering where the US Government customer will consume the solution from the ISV’s tenant, or

    • Will it be a combination of the two, where the US Government customer hosts the solution within their tenant but the ISV owns the operational aspect of the solution?



  • What are your regulatory requirements?

    • Typically, most Federal agencies will require a FedRAMP Moderate or High ATO.

    • If doing business with the DoD, it is likely that they will require a DoD CC SRG IL4/IL5 ATO.

    • Specialized compliance requirements such as CJIS, IRS 1075, ITAR, and DFARS may also be required by the end customer.




Choose the Appropriate Azure Region


Azure meets differing levels of compliance considerations across our regions.  Select the region that meets the needs of your end customers.


Figure 1: Compliance by Azure Region




Azure Services Compliance by Region


Azure services achieve overall compliance and ATOs based upon the required audit scope.  As pictured above, our US Public Commercial regions meet the FedRAMP Moderate/High needs of our US Government customers.  Higher-level ATOs are met within our US Government Regions.  The overall regulatory requirements that the ISV solution must meet will inform the regional selection decision.




Azure services are submitted to the US Government for authorization on a monthly basis.  For an up-to-date reference by audit scope for our Commercial and Government regions, please refer to Azure Services in FedRAMP and DoD SRG Audit Scope – Azure Government | Microsoft Docs.  The top of the page refers to our Azure Public Commercial regions and the second half is specific to our Azure Government regions.




Understanding FedRAMP/DoD Compliance Requirements


FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.



  1. Cloud services that hold/manage federal data must have a FedRAMP ATO.

  2. FedRAMP High has essentially the same control requirements as DoD CC SRG IL4, although they require separate submissions for authorization.

  3. DoD CC SRG IL5 requires everything from IL4 and then adds controls.


There are two ways most ISVs authorize a cloud service through FedRAMP:




    1. Joint Authorization Board (JAB) provisional authorization (P-ATO), and/or

    2. Using an individual Agency as a sponsor, called an “Agency ATO”.





An Agency ATO is the most common sponsorship route, since there is often a specific agency that wants to purchase the ISV’s solution.  For help deciding which option to pursue, refer to this guide: https://www.fedramp.gov/jab-or-agency-how-do-i-get-a-fedramp-ato/.




Does the ISV Need Their Own ATO?


Based upon how the ISV intends to sell/operate the solution, they may or may not need their own ATO.


IF:

  • The ISV is hosting within its own tenant/subscription that the end customer will access (typical for a SaaS offering) and/or,

  • The ISV has control/management of the end customer’s data

THEN: The ISV is responsible for compliance and must attain their own ATO


IF:

  • The ISV provides software to the end customer (COTS model) and,

  • The end customer operates the solution within their own tenant/subscription

THEN: The end customer is responsible for compliance


IF:

  • The end customer hosts the solution within their own tenant/subscription and,

  • The ISV is responsible for managing/operating the solution on behalf of the end customer

THEN: Joint responsibility for compliance





Options to Achieve an Independent ATO for an ISV’s Solution


In general, there are three methods to achieve an ATO for an ISV’s solution.



  1. Contract for Compliance Consulting

    • Guides the ISV through the controls required and how to architect, build, and deploy the solution such that it will meet the requirements.

    • Consultative in nature, generally time & materials-based approach.

    • The most time-consuming (12 – 18 months) and expensive method to achieve an ATO.

    • Examples: CoalFire, Quzara



  2. Utilize a Compliance Automation Solution

    • Pre-built cloud environment that deploys within an ISV’s tenant.

    • Automated SecOps, DevOps, and document production.

    • ISVs can be audit-ready in 60 – 90 days at typically less than half the cost of the consultative model.

    • Examples: Anitian, CoalFire Accelerated Cloud Engineering



  3. Utilize a Managed Cloud Service Provider

    • Contract with a provider to host and manage the ISV’s solution within their FedRAMP compliant Azure cloud offering.

    • Typically the fastest way to achieve an ATO and bring the solution to market.

    • Costs vary depending on the level of services consumed.

    • Example: ProjectHosts






Once your solution is ready to be audited, a Third Party Assessment Organization (3PAO) needs to be engaged to perform an audit of the solution and produce a Security Assessment Report (SAR) which establishes the basis for the resulting ATO.





Obtaining an Enrollment in Azure US Government


If the ISV determines that they need a US Government enrollment to meet their regulatory requirements, they must first meet the eligibility requirements:



  • Must be providing services/solutions to a government entity, be a GSA vendor, or have a government contract vehicle in place.

  • Must have a US-based HQ with a physical address within the US.  A foreign parent company is acceptable as long as it has a US subsidiary with a domestic physical HQ.


Once it is determined that the eligibility requirements are met, the ISV needs to request an enrollment.  A vetting process then verifies that the requirements are met before the ISV is approved.  This process typically takes 10 – 15 business days to complete.



  • It is recommended that the ISV request a free trial subscription to start this process and get familiar with the US Government tenants and regions.

  • Once the trial period is over, the ISV can transition to their normal procurement process for Microsoft technologies (Enterprise Agreement or via a Cloud Solution Provider).




Azure US Government Regions


There are 5 regions in the US Government Unclassified space:



  • US Gov VA (Primary, includes Availability Zones, GA as of Feb 2021)

  • US Gov AZ (Primary)

  • US Gov TX (DR for both VA and AZ)

  • US DoD Central (DoD workloads only)

  • US DoD East (DoD workloads only)




Additional Resources


Request customer responsibility matrix, SSPs: azfeddoc@microsoft.com





Join our Upcoming Webinars


This topic will be discussed on the first Tuesday of every month, beginning February 2nd.  Visit the event page and sign up for a delivery that fits your schedule.  The US Government specific deliveries are entitled “The Azure Government Marketplace Opportunity”.




About the Author




Chris Billet | LinkedIn


Principal Program Manager


Azure Global US Government Engineering




Chris is part of Microsoft’s Azure Global Engineering team specifically focused on US Government customer and ISV adoption of the Azure platform. Chris helps customers/ISVs understand their regulatory requirements and how to select the appropriate Azure region for their workloads. He also works as a liaison between our end customers/ISVs and our product groups when features/deployment timelines need to be prioritized in support of anticipated production workloads.




Chris attended Bloomsburg University of Pennsylvania and earned a BS in Computer Science with a focus on Application Development. In 1994 Chris started his career as a software developer at an ISV that provided solutions to the Healthcare industry, specifically Hospital Management Systems. In 2003, Chris earned his MBA from Penn State University in a part-time night school program.




In 1999 Chris joined Microsoft as an Enterprise Strategy Consultant based in Philadelphia and worked with many SLG and Education customers in the Northeast. In 2004, he transitioned to a Program Management role in the Windows Product Group and subsequently a startup Product Group within DevDiv in Redmond. Transitioning back to field services in 2008, he supported SLG and Education customers from a consulting and Premier support perspective in the Southeast, based in the Tampa Bay area. In 2018, Chris returned to an engineering role, joining Azure Global Engineering with a focus on supporting our US Government customers.
