Background

A federal agency that had traditionally used only local infrastructure for their systems and had never accredited a cloud-based system, was planning to build a new database to meet their training requirements. Specifically, a Software as a Service (SaaS) learning management system was chosen to be hosted on the Amazon Web Services (AWS) GovCloud.

Since this agency had never previously accredited a cloud-based system, the government team requested industry expertise to work with them in understanding and implementing the steps in the process that would ensure proper controls would be in place for authority to operate and connect to the cloud-based training system.

Method

The SMS Subject Matter Expert (SME) began the process of accreditation by first identifying the required artifacts, or evidence that a system puts forward to show that each of the security requirements of the system is being met. We linked them to the appropriate controls after developing an artifact distribution template. The template listed all possible controls (862 controls using the latest NIST Special Publication, 800-53), which were mapped and tailored down to 453 individual controls. SMS reviewed these controls and their requirements, matched the appropriate vendor documents for each control, and identified which controls required local policies to address the requirements. For this migration, 86 controls were needed to meet the local policy requirements.

SMS then worked with the local system administrators to find the specific details regarding how they addressed those 86 controls. The SMS SME wrote the necessary local policies, then uploaded and linked them to the appropriate controls after approval. The Security Control Assessor (SCA) evaluated the policies to ensure the requirements had been met prior to granting authorization to be on the network. Acting as a local SCA, the SMS SME worked jointly with the government SCA in order create a more efficient process.

The overall system security plan was developed and quickly approved by the SCA, then approved for Interim Authorization to Test (IATT) for the standard six-month period with no rework and, after the entire package addressing all controls was submitted, SMS successfully received a one-year authority to operate. All system approvals were obtained without delays. 

Benefit

The government customer has access to an accredited training requirements information system with an artifact distribution template that can be used for all future cloud efforts to identify the necessary artifacts and cross-check them with their required controls. The template allows the agency to summarize policy into an easy-to-read format, saving time and resources in any future systems accreditation efforts through a repeatable, easy-to-use process.