Cloud computing blog
Federal cloud blog

The need for clear cloud security assessment boundaries
As a Cloud Service Provider (CSP) on GSA’s Infrastructure as a Service (IaaS) BPA, CGI has learned we must help our customers understand the extent of the security features they inherit from our certified IaaS services. GSA appropriately made these boundary distinctions a key issue during the risk assessment process. Since different CSPs have chosen different boundaries, it is very important that customers be aware of the extent of the security provided with their IaaS.
The system security plan (SSP) is used to define the assessment boundary. For customers, it makes concrete the scoping and control-selection guidance of NIST Special Publication (SP) 800-53 rev 3, Recommended Security Controls for Federal Information Systems and Organizations, for each service model.
This diagram shows the differences in scope and control between the cloud provider and customer for each service model, as described in NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing. Depending on the services procured, different CSPs provide different security controls within a service model.
The Federal Risk Assessment Management Program (FedRAMP), which represents the next evolution of cloud security, recently released version 1.0 of NIST SP 800-53 rev 3 controls (ZIP) for assessing CSPs. To narrow the differences among CSPs, FedRAMP is raising the precision of its control assessments.
As an example, one control that will be thoroughly assessed is the IA-2 Identification and Authentication control for organizational users. IA-2 includes three enhancements. The CSP’s SSP now needs to provide implementation details for privileged, non-privileged and local access by CSP employees and contractors to the applicable layers of the cloud environment. It should also describe how the base control and its enhancements apply, or do not apply, to customers accessing the specific service model.
When comparing cloud services from BPA or non-BPA providers, customers need to evaluate closely what security they get with their service. While one CSP may seem less expensive, the comparison may not be apples-to-apples. For example, does each CSP provide operating system and web host scanning? Does each give customers the ability to perform a scan providing meaningful results? What kind of security transparency does each provide? Since customers accept the CSP’s security control of their infrastructure in the cloud, they will want to compare cloud controls to their own set of NIST SP 800-53 rev 3 controls, and should know what the deltas mean.