DRAFT FedRAMP-TIC Overlay

Note: This information is currently out of date and will be updated in FY18 with more information.

Intro

The FedRAMP PMO and TIC Initiative are jointly requesting feedback on a DRAFT FedRAMP-Trusted Internet Connection (TIC) Overlay. This DRAFT overlay is the first step in updating TIC’s current reference architecture to allow for greater flexibility as agencies move to the cloud securely. The overlay will enable mobile users to connect directly to Federal cloud systems without using a TIC Access Provider (TICAP) or Managed Trusted IP Service (MTIPS).

The DRAFT FedRAMP-TIC Overlay is the first overlay released as part of the “FedRAMP Forward” initiative. “FedRAMP Forward” is the roadmap for growing the program, with three key goals: increasing compliance and agency participation, improving efficiencies, and facilitating adaptation.

Purpose

FedRAMP-TIC Overlay graphic

Once finalized, this overlay will allow agencies to ensure that the cloud services they use meet Federal Information Security Management Act (FISMA) requirements through FedRAMP, and the requirements of OMB Memorandum M-08-05 (the TIC Initiative), for all Federal users, no matter where they access a cloud service. Coordinating these two programs will provide for the security not only of data within cloud environments but also of the network connections between agency networks and cloud services.

Public Vetting Period Information

FedRAMP and TIC are seeking comments on this DRAFT overlay from US Federal Departments and Agencies, CSPs, and other stakeholders. The 30-day open comment period runs from April 2, 2015 to May 1, 2015. Please send all suggestions and changes to info@fedramp.gov with the subject line: “FedRAMP-TIC Overlay Feedback”.

All feedback must be submitted by May 1, 2015 at 5 pm EST.

Documents for Review

Description FedRAMP-TIC Overlay

This document is a synopsis of the background, purpose and public request for comment of the DRAFT FedRAMP-TIC Overlay.

FedRAMP Security Controls Baseline

This document provides context for the FedRAMP security controls, as well as the baseline of controls to which the TIC capabilities were mapped.

TIC Reference Architecture v2.0

This document provides context for the TIC Initiative as well as the specific TIC capabilities that have been mapped to the FedRAMP security controls baseline.

FedRAMP-TIC Overlay Spreadsheet

This document maps the applicable TIC capabilities within the TIC Reference Architecture v2.0 to the FedRAMP Security Controls Baseline, currently for low and moderate impact levels. The spreadsheet has three tabs:

  1.    README Tab

This tab provides definitions of each column in the “FedRAMP to TIC Mapping” and “TIC to FedRAMP Mapping” tabs. Additionally, it provides a list of relevant acronyms and other terms.

  2.    TIC to FedRAMP Overlay

All comments should be provided in this tab. This is the key tab for reviewers. It identifies which controls map to TIC capabilities and specifies what a CSP must implement in order to demonstrate their ability to meet these capabilities through a FedRAMP assessment. Some notes on the mapping:

  • Not all TIC capabilities are represented in the FedRAMP-TIC overlay as not all TIC capabilities are applicable to CSPs.
  • The TIC capabilities and the FedRAMP security control requirements are not a one-to-one mapping; some are one-to-many, many-to-one, or many-to-many.
  • The TIC Reference Architecture v2.0 defines TIC capabilities as either Recommended or Critical. For purposes of this overlay, ALL applicable TIC capabilities are considered Critical (and therefore mandatory) for external cloud service providers.
  • Achieve a FedRAMP security authorization by an authorizing official (agency or JAB) based on the 3PAO Security Assessment Report; and
  • Be deemed “TIC Ready” by DHS based on DHS’s review of a 3PAO TIC Capabilities Assessment Report.

  3.    TIC to FedRAMP Reverse Map

This is a mapping of the FedRAMP controls to the TIC capabilities. It is provided as a reference so reviewers can see how the FedRAMP controls map to the TIC capabilities in the context of the TIC program and assessments.