Compliance program overview

Accelerating your path to compliance in Azure is a focused program that provides learning resources and implementation tools: it educates, provides architectural references, and offers support during the scoping and implementation of your project. In addition, we work with key assessment and automation partners to share reference architectures, solutions, and alternatives, both first party and third party, that can help you meet your compliance needs.

As a partner who provides a service in this field, you can publish your offering to the marketplace, which will expand the reach of your services.

Customers

The US Government, as well as many other organizations, relies on commercial software companies to achieve its mission. As part of the procurement and consumption processes, the Authority to Operate (ATO) was implemented to ensure that the development, use, and operation of such commercial software and platforms is done in accordance with the security and data protection necessary to safeguard government information. While the process has the best intentions, the inherent complexity creates a long and expensive project that discourages many Independent Software Vendors (ISVs) from going down this path.

The adoption of cloud technologies by the Federal Government is predicated on the Federal Risk Authorization Management Program (FedRAMP). This is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant Agency security assessments. The program is based on the NIST SP 800-53 security controls.

There are two types of FedRAMP authorizations for cloud services:

  • A Provisional Authority to Operate (P-ATO) through the FedRAMP Joint Authorization Board (JAB)
  • An Agency Authority to Operate (ATO)

P-ATO process

A FedRAMP P-ATO is an initial approval of the cloud service provider (CSP) authorization package by the JAB that an Agency can leverage to grant an ATO for the acquisition and use of the cloud service within their Agency. The JAB consists of the Chief Information Officers (CIOs) from DoD, DHS, and GSA, supported by designated technical representatives (TRs) from their respective member organizations. A P-ATO means that the JAB has reviewed the cloud service’s authorization package and provided a provisional approval for Federal Agencies to leverage when granting an ATO for a cloud system. For a cloud service to enter the JAB process, it must first be prioritized through FedRAMP Connect.

Agency ATO process

As part of the Agency authorization process, a CSP works directly with the Agency sponsor who reviews the cloud service’s security package. After completing a security assessment, the head of an Agency (or their designee) can grant an ATO.

Taking the above into consideration, an ISV can choose to go for JAB authorization, which grants a generalized authorization to its solution and can be used with multiple agencies. This process tends to be longer. It can also choose to go for an Agency ATO, which is specific to the Government customer it is serving. This customer acts as the sponsor and may even have “reciprocity” with other agencies, which allows for a faster, smoother adoption of the company’s solution with a different customer.

Partners

Microsoft is able to scale through its partners. Scale is what will allow us to create a more predictable, cost-effective, and speedy delivery. These concerns are also common when pursuing an ATO. We are focusing on enabling two main kinds of partnerships:

  • Advisory: enables partners to create offerings based on Azure that shepherd a customer through individual steps or the entire ATO process. These partners offer consulting services bundled with some automated solutions that add value to what Azure Compliance Launchpad provides. They can usually be contracted directly, by reference, or via the Marketplace.
  • Automation: there are two types of automation partners we focus on:
    • Foundational partners, which enable integrated third-party solutions with Azure and help you meet controls from your FedRAMP Package. These partners are part of our recommended reference architectures.
    • True automation partners that help automate certain aspects of the ATO journey such as the System Security Plan (SSP) generation, self-healing, alerts, and monitoring.

Note

Partners are asked to publish their solutions to Microsoft Azure Marketplace. Steps on how to achieve that are presented below.

Publishing to Azure Marketplace

  1. Join the Partner Network. It’s a requirement for publishing but easy to sign up. Instructions are located here. Ensure you have an MPN ID and a Partner Center account.
  2. Enable your Partner Center account as Publisher / Developer for Marketplace by following the instructions here.
  3. With an enabled Partner Center account, publish your listing as a SaaS app as instructed here.

For a list of existing Azure Marketplace offerings in this space, visit this page.

Additional resources

Note

The information provided here will allow partners and customers to sign up and learn about the compliance program. The program is designed to help Azure and Azure Government customers successfully prepare their environments for authorization and request a FedRAMP ATO. This information does not constitute an offer of any kind, and submitting the forms below in no way guarantees participation in the program. At this time, the program details shared with partners and customers are notional and subject to change without notice.

Next steps

Review the documentation above. If you are still facing issues, reach out to Azure Government Partner Inquiries.