
Security assessment and authorization

See CIO 2100.1L – GSA IT Security Policy

  • Chapter 3, Policy for Identify Function, which covers:
    • CA-1 policy control, CA-2, CA-3, CA-7, CA-8, CA-9
  • Chapter 4, Policy for Protect Function, which covers:
    • CA-2, CA-7
  • Chapter 5, Policy for Detect Function, which covers:
    • CA-2, CA-3, CA-7
  • Chapter 6, Policy for Respond Function, which covers:
    • CA-2, CA-7

The latest version can be found on the GSA IT Security Policies page.

Purpose

Implement the NIST Risk Management Framework, and ensure compliance with all relevant laws, regulations, policies, and Executive Orders.

Scope

See the Applicability section of the GSA IT Security Policy.

Policy overlay

For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the Technology Transformation Service's (TTS) Common Control Policy.

Procedures

As a cloud service provider that is also part of the General Services Agency (GSA), a federal agency, GSA TTS ensures cloud.gov invests in comprehensive risk management assessments.

The main assessment procedures used are those of the Federal Risk and Authorization Management Program (FedRAMP). Further, GSA TTS engages an accredited third-party assessment organization (3PAO) to provide an independent review of the cloud.gov system and organizational operations.

Assessments of cloud.gov operations are performed in tandem with vulnerability scanning, malicious user testing, insider threat assessments, and other tests regularly conducted by the following teams: the cloud.gov team, TTS Technology Portfolio, GSA Information Security, and a 3PAO. The system is also under continuous monitoring from cloud.gov's Cloud Operations team.

GSA TTS takes any results seriously, and it remediates issues as soon as possible. Plans of action and milestones (POA&Ms) are maintained to ensure any findings are resolved, compensated for, or accepted as an operational requirement.

See CA-2, CA-2(1), CA-2(2), CA-2(3), CA-5, CA-7, CA-7(1), CA-8, CA-8(1).

The cloud.gov system does not establish any direct connections to external systems. Network connections are on a deny-all, permit-by-exception basis.

See CA-3, CA-3(3), CA-3(5).

The FedRAMP JAB through the program management office (PMO) is the Authorizing Official (AO) for cloud.gov.

See CA-6.

Version history

Complete version history: https://github.com/cloud-gov/cg-compliance-docs/commits/master/CA-Policy.md

  • 2016-10: Initial version for authorization
  • 2017-09: Security policy link updates
  • 2019-12: Update links to GSA security policy
  • 2020-11: Update links to GitHub and GSA policies, split controls by CSF, add version history
  • 2021-11: Fix "remediations", clarify no direct connect, permit-by-exception