Azure offers several options for ISVs to deploy and sell their solutions to US Government customers. The important first steps for any ISV to consider before embarking on the journey to sell to US Government customers are:
Azure meets differing levels of compliance considerations across our regions. Select the region that meets the needs of your end customers.
Figure 1: Compliance by Azure Region
Azure services achieve overall compliance and ATOs based upon the required audit scope. As pictured above, our US Public Commercial regions meet the FedRAMP Moderate/High needs of our US Government customers. Higher level ATOs are met within our US Government Regions. The overall regulatory requirements that the ISV solution must meet will inform the regional selection decision.
Azure services are submitted to the US Government for authorization on a monthly basis. For an up-to-date reference by audit scope for our Commercial and Government regions, please refer to Azure Services in FedRAMP and DoD SRG Audit Scope - Azure Government | Microsoft Docs. The top of the page refers to our Azure Public Commercial regions and the second half is specific to our Azure Government regions.
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
There are two ways most ISVs authorize a cloud service through FedRAMP:
An Agency ATO is the most common method for sponsorship as often there is a specific agency that wants to purchase the ISV’s solution. For help deciding which option to pursue, refer to this guide: https://www.fedramp.gov/jab-or-agency-how-do-i-get-a-fedramp-ato/.
Based upon how the ISV intends to sell/operate the solution, they may or may not need their own ATO.
| IF | THEN |
| --- | --- |
| The ISV hosts the solution within its own tenant/subscription that the end customer accesses (typical for a SaaS offering), and/or the ISV has control/management of the end customer's data | The ISV is responsible for compliance and must attain its own ATO |
| The ISV provides software to the end customer (COTS model), and the end customer operates the solution within its own tenant/subscription | The end customer is responsible for compliance |
| The end customer hosts the solution within its own tenant/subscription, and the ISV is responsible for managing/operating the solution on behalf of the end customer | Joint responsibility for compliance |
In general, there are three methods to achieve an ATO for an ISV’s solution.
Once your solution is ready to be audited, a Third Party Assessment Organization (3PAO) needs to be engaged to perform an audit of the solution and produce a Security Assessment Report (SAR) which establishes the basis for the resulting ATO.
If the ISV determines that they need a US Government enrollment to meet their regulatory requirements, they must first meet the requirements:
Once it is determined that the eligibility requirements are met, the ISV needs to request an enrollment. A vetting process then verifies that the requirements are met before the ISV is approved. This process typically takes 10 – 15 business days to complete.
There are 5 regions in the US Government Unclassified space:
Request customer responsibility matrix, SSPs: azfeddoc@microsoft.com
This topic will be discussed on the first Tuesday of every month, beginning February 2nd. Visit the event page and sign up for a delivery that fits your schedule. The US Government specific deliveries are titled "The Azure Government Marketplace Opportunity".
Principal Program Manager
Azure Global US Government Engineering
Chris is part of Microsoft's Azure Global Engineering team specifically focused on US Government customer and ISV adoption of the Azure platform. Chris helps customers/ISVs understand their regulatory requirements and how to select the appropriate Azure region for their workloads. He also works as a liaison between our end customers/ISVs and our product groups when features/deployment timelines need to be prioritized in support of anticipated production workloads.
Chris attended Bloomsburg University of Pennsylvania and earned a BS in Computer Science with a focus on Application Development. In 1994 Chris started his career as a software developer at an ISV that provided solutions to the Healthcare industry, specifically Hospital Management Systems. In 2003, Chris earned his MBA from Penn State University in a part-time night school program.
In 1999 Chris joined Microsoft as an Enterprise Strategy Consultant based in Philadelphia and worked with many SLG and Education customers in the Northeast. In 2004, he transitioned to a Program Management role in the Windows Product Group and subsequently a startup Product Group within DevDiv in Redmond. Transitioning back to field services in 2008, he supported SLG and Education customers from a consulting and Premier support perspective in the Southeast, based in the Tampa Bay area. In 2018, Chris returned to an engineering role, joining Azure Global Engineering with a focus on supporting our US Government customers.