Azure Government Engineering is pleased to announce the release of Azure Blueprint for the FedRAMP High Baseline. As previously announced, the Azure Blueprint program is designed to facilitate the secure and compliant use of Azure Government, providing a simplified way to understand the scope of customer security responsibilities when architecting solutions in Azure, and streamlining the path to attain a Federal Risk and Authorization Management Program (FedRAMP) Authorizations to Operate (ATO).
This release includes documentation to assist Azure customers with documenting their security control implementations as part of their individual agency ATO processes. The FedRAMP High Baseline Customer Responsibility Matrix (CRM) and System Security Plan (SSP) template are designed for use by Program Managers, Information System Security Officers (ISSO), and other security personnel who are implementing and documenting system-specific security controls within Azure.
The FedRAMP High CRM explicitly lists all control requirements that include a customer implementation requirement. This includes both controls with a shared responsibility between Azure Government and Azure customers, as well as controls that are fully implemented by Azure customers.
The FedRAMP High SSP template is customer-focused and designed for use in developing an SSP that includes both customer implementations as well as control inheritance from Azure Government. Customer responsibility sections include guidance on how to write a thorough and compliant control response. Azure inheritance sections include information about how the control is implemented by Azure Government on behalf of the customer.
With this release, Azure Blueprint now supports the FedRAMP Moderate and High Baselines and DoD L4.
The NIST Cybersecurity Framework Customer Responsibilities Matrix is available on the Service Trust Portal under Trust Documents. To provide feedback on the documentation, please e-mail AzureBlueprint@Microsoft.com.
We welcome your comments and suggestions to help us continually improve your Azure Government experience.
To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed, and to receive emails, click “Subscribe by Email!” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.