FedRAMP enables agencies to move rapidly from old, insecure legacy IT to mission-enabling, secure and cost-effective cloud-based IT. The good news is that Azure is FedRAMP compliant and has been for years. For those who don't know, FedRAMP has multiple governing bodies:
Now that we know who sets the standards, how do we apply them to Azure?
When I was working in a Federal agency years ago, one of the early misconceptions was that you could only get FedRAMP compliance in Azure Government. That isn't the case at all: you can achieve FedRAMP compliance in both the public and government regions, but you have to evaluate each service, because some services are compliant and some are not. To verify that the service you want to use has been audited, review Azure services by FedRAMP.
To be compliant during the audit you will have to show that the FedRAMP controls have been mapped to security settings in Azure. Of course, you knew at this point that you would be using Azure Policy to help achieve this, right? You can find the documentation of the controls for FedRAMP High and FedRAMP Medium already done for you.
Microsoft has done some of the heavy lifting for you here and has provided an Azure Blueprint to guide your Azure Policy deployments. These provide the governance guardrails to deploy compliant services in your Azure environment. You will find both FedRAMP High and FedRAMP Medium blueprints.
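As an added example (not the post's or Microsoft's code) of the evidence this control-to-policy mapping produces, the script below rolls constructed Azure Policy compliance states up to a per-control status for a FedRAMP-style initiative. It assumes the policyDefinitionGroups, groupNames, policyDefinitionId and complianceState field names that Azure Policy uses for initiatives and policy states; every policy and resource id in it is a constructed placeholder.

```python
from collections import defaultdict

PD = "/providers/Microsoft.Authorization/policyDefinitions/"  # policy definition prefix (ids constructed)
VM = "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/"

# Constructed excerpt of a FedRAMP-style initiative (policy set): each policy
# definition names the control groups it evidences, and the group list also
# declares one control (CM-6, OS-level configuration) that no policy backs.
POLICY_SET = {
    "policyDefinitionGroups": [{"name": n} for n in (
        "FedRAMP_High_IA-2", "FedRAMP_High_SC-28", "FedRAMP_High_AU-12", "FedRAMP_High_CM-6")],
    "policyDefinitions": [
        {"policyDefinitionId": PD + "mfa-admins", "groupNames": ["FedRAMP_High_IA-2"]},
        {"policyDefinitionId": PD + "disk-encrypt", "groupNames": ["FedRAMP_High_SC-28"]},
        {"policyDefinitionId": PD + "diag-logs", "groupNames": ["FedRAMP_High_AU-12"]},
    ],
}

# Constructed policy-state records, one per (resource, policy) evaluation.
POLICY_STATES = [
    {"resourceId": VM + "vm1", "policyDefinitionId": PD + "disk-encrypt", "complianceState": "NonCompliant"},
    {"resourceId": VM + "vm2", "policyDefinitionId": PD + "disk-encrypt", "complianceState": "Compliant"},
    {"resourceId": VM + "vm1", "policyDefinitionId": PD + "diag-logs", "complianceState": "Compliant"},
    {"resourceId": "/subscriptions/s1", "policyDefinitionId": PD + "mfa-admins", "complianceState": "Compliant"},
]


def control_status(policy_set, states):
    """Map every control declared in the initiative to (status, failing resource ids).

    status is "Compliant", "NonCompliant", or "NoAutomatedEvidence" when the
    control is declared but no policy in the set produces evidence for it.
    """
    controls = {g["name"] for g in policy_set["policyDefinitionGroups"]}
    by_policy = {p["policyDefinitionId"]: p["groupNames"] for p in policy_set["policyDefinitions"]}
    failing, covered = defaultdict(list), set()
    for s in states:
        for control in by_policy.get(s["policyDefinitionId"], []):
            covered.add(control)
            if s["complianceState"] != "Compliant":  # any failing resource fails the control
                failing[control].append(s["resourceId"])
    result = {}
    for control in sorted(controls):
        if control not in covered:
            result[control] = ("NoAutomatedEvidence", [])
        else:
            result[control] = ("NonCompliant" if failing[control] else "Compliant", failing[control])
    return result
```

Controls that come back as NoAutomatedEvidence are the ones you still have to document by hand for the ATO package, which is exactly where OS-level configuration on IaaS tends to land.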
The other item you will need to provide to get your approval is the audit report for the Microsoft side of the required controls. You can find a copy here.
Just remember that while these policies give you a great head start on your authority to operate (ATO), there will still be very specific configurations required depending on what systems you deploy, especially if you are using IaaS, since there are configurations at the OS level that you must account for. It is not a speedy process to get approved, but the more information you can provide at the start, the easier it will be to get through the process.