
ISSUE BRIEF
Cloud Security for Federal Agencies
Achieving greater efficiency and better security through federally certified cloud services

This paper is intended to help federal agency executives to better address federal
security and privacy requirements when choosing cloud computing services. We
explain how using a cloud provider that is certified through the Federal Risk and
Authorization Management Program (FedRAMP) and the General Services
Administration’s Blanket Purchase Agreement (BPA) for Infrastructure as a Service
(IaaS) offers agencies real potential for improving efficiency and risk management
in establishing their IT infrastructure in the cloud. We also delineate the FedRAMP
lines of responsibility between agencies and cloud providers, and provide guidance
for evaluating cloud providers to maximize benefits and minimize delivery risk.

“It is not sufficient to consider only the potential value of moving to cloud
services. Agencies should make risk-based decisions which carefully consider the
readiness of commercial or government providers to fulfill their Federal needs.”
–Vivek Kundra, U.S. Chief Information Officer, Federal Cloud Computing Strategy,
February 8, 2011

A critical issue, but not a barrier

Cloud computing offers federal agencies a powerful means to reduce costs, deliver
more timely services, and significantly reduce burdens on internal IT resources.
While the promised value is compelling, agency managers cite security and data
privacy concerns as primary reasons for not migrating specific systems to the cloud.
They are concerned about the loss of control from the multi-tenant nature of cloud
computing, which requires rigorous controls and continuous monitoring to prevent
potential data leakage and unauthorized access. They also require visibility into
potential security incidents and must be able to respond to security audit findings
and obtain support for investigations.

As a result, security and data privacy were top priorities the General Services
Administration’s (GSA’s) Federal Cloud Computing Initiative sought to address to
facilitate cloud adoption. GSA has collaborated with the Federal Chief Information
Officer (CIO), the National Institute of Standards and Technology (NIST), the CIO
Council, and Senior Agency Information Security Officers to build a common cloud
security Assessment and Authorization (A&A) framework called the Federal Risk and
Authorization Management Program (FedRAMP). GSA has also required cloud
providers on its Blanket Purchase Agreement (BPA) for Infrastructure as a Service
(IaaS) to receive A&A to support systems requiring Low or Moderate Risk Impact
environments. In addition, these vendors must pass stringent National Agency
Checks with Investigations according to HSPD-12 criteria. Prior to these initiatives,
early movers to the cloud had to take on undue risk to meet desired timeframes.

www.cgi.com/federalcloud © CGI GROUP INC. All rights reserved.


Keys to minimizing risk and maximizing value
The Federal Cloud Computing Strategy released February 8, 2011, recommends that agencies
carefully consider their cloud security needs across a number of dimensions, including statutory
compliance, data characteristics, privacy and confidentiality, integrity, data controls and access
policies, and governance. In addition, NIST’s recent draft publication Guidelines on Security and
Privacy in Public Cloud Computing (SP 800-144) identifies nine security and privacy considerations
for planning, reviewing, negotiating or initiating a public cloud service outsourcing arrangement.

Agencies can fast track their realization of cloud savings and other benefits while simultaneously
addressing the security and privacy challenges highlighted by NIST, by leveraging GSA’s IaaS BPA.

By choosing cloud providers on the GSA BPA for IaaS, agencies can confidently achieve:

✓ Physical separation of software in federal clouds from commercial clouds

✓ Tenant and vendor administrators vetted by the federal government

✓ Data ownership and protection approaches clearly stating that agencies own their data
and spelling out mutually agreed processes the agency and cloud provider will follow for
Freedom of Information Act or other data requests

✓ Clear scope of security models and environments that are pre-tested by the government
to meet FISMA Moderate Risk Impact requirements and provide continuous monitoring.
Agencies with higher security requirements can work with certified cloud providers to
design and deploy systems that meet more stringent specifications.

✓ Transparency into what security features are included in a cloud bid, and what additional
services are available or desired by the agency to meet its specific needs

✓ Ability to solve many security challenges more efficiently than internal solutions by leveraging
the significant investments made by providers to deliver superior controls and enterprise-
class production environments that are pre-tested and certified by the government

✓ Faster authorization of systems moving to the cloud by re-using existing security
authorizations established via FedRAMP, and separately certifying only additional
agency- and application-specific requirements

✓ Savings in time and money by using existing security authorizations, eliminating the need
to visit data centers and pursue and justify separate infrastructure accreditations (typically
40% of the A&A level of effort)

✓ More time and resources to focus on application security.

“Ensuring data and systems security is one of the biggest and most important challenges
for federal agencies moving to the cloud. FedRAMP’s uniform set of security authorizations can
eliminate the need for each agency to conduct duplicative, time-consuming, costly security reviews.” 1
–David McClure, GSA’s Associate Administrator for Citizen Services and Innovative Technologies

1 “Guidelines would speed certification of cloud products, services”, November 2, 2010, Government Computer News



FedRAMP Highlights
FedRAMP offers a common security A&A framework for cloud infrastructure; defines requirements for
controls such as vulnerability scanning and incident monitoring, logging and reporting; and provides
continuous monitoring services for certified government and commercial cloud computing systems that
are intended for multi-agency use, improving risk management. An agency can leverage an existing
authorization by accepting the findings in that FedRAMP package. The authorization remains in effect
as long as the related security risks are accepted by the agency and the authorization complies with
relevant policies.

Realizing greater security in the cloud

By using the IaaS BPA for cloud solutions, federal agencies can readily comply with the Federal
Information Security Management Act’s (FISMA’s) comprehensive framework for securing their IT for
a large majority of agency systems. The basis for determining the level of risk impact is the Federal
Information Processing Standard (FIPS) 199. Figure 1 shows that 88% of categorized federal systems
are classified as FIPS Low or Moderate Risk Impact. By using cloud environments that have been
certified to meet Moderate Risk Impact requirements, agency applications in fact can be more secure
in the cloud than they are in many existing infrastructures, especially those based on legacy platforms
using legacy controls.

Figure 1: FIPS Risk Impact of Categorized Federal Systems (pie chart): Low 40%, Moderate 48%, High 12%

Source: Fiscal Year 2009 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002

• 40% of categorized systems are classified as Low Risk Impact. Examples include public-facing
websites with non-sensitive data as well as applications such as inventory systems. Systems with
public data that is subject to transparency requirements have been among the first to leverage the
cloud. For example, the Recovery Accountability and Transparency Board deployed Recovery.gov in
the cloud, and NASA has also leveraged the cloud for public information. When considering the public
cloud for such systems, agencies should ensure that cloud providers can provide a security level that
prevents data tampering or disruption of service.

• 48% of categorized systems are classified as Moderate Risk Impact. These include systems
supporting operations and those processing sensitive data such as personally identifiable information
(PII), Confidential Business Information (CBI), and personal health information. Federal financial
systems that process budget and procurement information, purchase card numbers, banking
information for payments, or Social Security Numbers would be categorized as Moderate Risk
Impact. Often, such financial systems are better suited to Virtual Private Clouds for which agencies
can dictate their required levels of security. Virtual Private Clouds give agencies exclusive use of
computing infrastructure and allow them to prescribe specific security measures without requiring
infrastructure investment.



Inherent security advantages of cloud technology
• Automated security management
• Greater redundancy
• Improved disaster recovery (no matter what happens to a desktop or laptop, data is backed
up in the cloud)
• Simplified security auditing and testing
• Shifting public data to an external cloud reduces risk of exposing internal, sensitive data
• Centralizing data allows skilled experts to ensure that all security measures are taken,
eliminating risks posed by employees with less technical skill

Agency security responsibilities vs. certified cloud provider responsibilities

When determining additional agency security requirements to deploy as part of their move to the cloud,
per the NIST model, it is the agency’s responsibility to address the security and risk management of its
own major applications. Security controls can be provided by the application owner or can be secured
from a qualified vendor (See Figure 2).

Figure 2: Examples of Available Security Controls

Governance, Risk and Compliance
• Compliance reporting services
• Vulnerability management
• Security event and incident management
• System operational risk management
• System security measures and configurations
• Operating System related security, patching and vulnerability scanning
• Configuration management
• Policies and procedures

Data Risk Management
• Application activity management
• Strong authentication
• Identity management
• Web policy management
• Data loss prevention
• Secure messaging services

Infrastructure Protection Management
• Intrusion protection services
• Endpoint protection
• Log management services
• Firewalls management
• System antivirus software configuration
• Anti-DDoS

For agencies preferring that their cloud provider perform continuous monitoring, backup and restore
data, and/or guarantee that data centers are located on U.S. soil, certified providers on GSA’s BPA for
IaaS will meet these requirements.



Figure 3: Comparison of Agency and Certified Cloud Provider Responsibilities shows the security
responsibility boundaries between agencies and certified cloud providers for virtual machines and
web hosting services offered on the BPA for IaaS. For virtual machines, agencies are responsible for
securing the O/S, hosting software and major application. With web hosting, the cloud provider handles
the O/S-related security and some hosting software security. Any responsibility gaps can be identified
clearly so that agencies can decide what additional security controls, performance reporting, or other
standards of compliance are needed, and whether to address those internally or through their cloud
provider.

Figure 3: Comparison of Agency and Certified Cloud Provider Security Responsibilities

The figure stacks the same layers for both service types, from top to bottom: Major Application,
Web Hosting Software, Operating System, Hypervisor, Physical. Cloud Service Provider
responsibility always covers the Hypervisor and Physical layers.

Virtual Machines: the agency responsibility boundary sits above the Hypervisor, so the agency
secures the Major Application, Web Hosting Software and Operating System.

Web Hosting: the boundary moves up, so the provider also covers the Operating System and
part of the Web Hosting Software, leaving the agency responsible for the Major Application and
the remainder of the hosting software.

Note: Agencies must provide the Disaster Recovery (DR) testing and planning for their own cloud-based
applications. This is unlike a typical managed hosting offering that includes the recovery plans and
testing. As a result, agencies may require DR services beyond the cloud offering to complete their needs.

Next steps
CGI offers a disciplined transition process to get you to the cloud with confidence. We are one of the
12 awardees under GSA’s BPA for Infrastructure as a Service. One of our expert executive consultants
also chairs TechAmerica’s public sector task group which is providing industry input into FedRAMP.
CGI’s cloud offerings compel the development of well-managed cloud initiatives because processes,
governance, security and compliance are all embedded in our solutions.

In addition, as a full-service cloud and security partner, CGI helps protect operations at the
infrastructure and data layers and provides advisory services designed to assess and strengthen security
strategies. We offer the full range of security services, including security governance and engineering,
cybersecurity and managed security services (e.g. program, configuration, incident and event
management and business continuity services). Our certified, accredited and security-cleared experts use
proven industry best practices such as ITIL and SANS, continuous monitoring, real-time reporting and
immediate action on suspicious activity.

To learn how to find greater security in the cloud for your agency, or to talk to a CGI cloud expert
about your specific situation, contact your CGI Federal program manager or visit us at
www.cgi.com/federalcloud.



Why CGI
• Nearly 35 years of experience in managing infrastructure, security and other business and IT services
for complex organizations
• Trusted by more than 180 CIOs to manage their IT infrastructure
• Experience providing infrastructure support for 50+ federal agencies
• Major cybersecurity practice and significant percentage of federal practice professionals with security
clearances
• Rigorous service management and governance processes that are proven against the most
demanding requirements, with Service Level Agreements that are 98+% exceeded or met
• Ability to deliver entire applications to meet critical needs faster than agency data centers could
deliver just the infrastructure, for example:
– In just six weeks, built and deployed FederalReporting.gov in a virtualized hosting environment
to handle Recovery Act funding recipient reporting
– In just six weeks, built and deployed a cloud-based portal to support a major health reform
initiative. The portal, which includes data from more than 3,000 commercial and public sector
organizations, enables citizens to conduct real-time comparisons so they can make more
informed healthcare decisions.
• Flexible cloud approaches that can include blending with traditional hosting, ability to transfer
customer data back in-house, and access to robust common services
• Vulnerability scanning and patch management for web hosting that provides embedded security
to close the most common exploits.

About CGI
A global leader in IT, business process and professional services, CGI partners with federal agencies
to provide end-to-end solutions for defense, civilian and intelligence missions. For 35 years, we have
delivered quality services to help clients achieve results at every stage of the program, product, and
business lifecycle. We deliver end-to-end solutions in application and technology management,
systems integration and consulting, business process management and services, advanced
engineering and technology services, and operational support services. Our proven capabilities in
high-demand areas include cloud, cybersecurity, biometrics, citizen services, data exchange, health
IT and energy/environment. CGI has 31,000 employees in 125+ offices worldwide.
