Using Microsoft Azure U.S. Government Cloud for Security & Compliance

Overview of the Microsoft Azure U.S. Government Cloud

Microsoft Azure U.S. Government Cloud (Azure Government) is designed specifically for the U.S. government (USG). It adheres to federal and state policies, and provides a secure, compliant infrastructure-as-a-service (IaaS) for federal information systems. It offers several security levels to align with standardized government information classification levels, keeps data within U.S. boundaries, and ensures U.S. citizens staff any related facilities.

Azure Government also offers a government approved “marketplace” of cloud services (PaaS/SaaS), allowing government entities to leverage its’ underlying infrastructure and cloud services without having to create their own. With this type of shared services delivered in a subscription model, come shared responsibilities between the infrastructure provider, application owner, and end-user. Contractually, customers are strictly responsible for the security, recovery, and portability of their own data, not Azure Government as the cloud provider. This is where Veeam can help (more later).

In short, entities can tap into Azure Government’s scalability, security, and guaranteed infrastructure and application uptime for accelerated compliance with continuous Authority to Operate (cATO) requirements. 

Who is Eligible to Use Azure Government?

Azure Government saves public sector entities the cost and time involved in building their own government compliant infrastructure and applications. But not just anyone can use this IaaS/PaaS/SaaS platform. Only Microsoft authorized government and cloud service provider (CSP) partners serving US federal, state, and local government entities can use Azure Government. Microsoft has a strict validation program to determine eligibility. To qualify, an organization must prove they regularly work with government customers as a Cloud Service Provider or hold a General Services Administration (GSA) or other government contract. Types of proof can include, but are not limited to, government contract numbers and a letter of sponsorship from a government customer.

Basic eligibility criteria for partners and customers seeking approval to use Azure Government per Microsoft are below.

• A Cloud Service Provider must be enrolled in the Microsoft Cloud Solution Provider (CSP) program and be one of the following types of organizations:
  • A qualified partner serving US federal, state, local or tribal government entities.
  • An organization that provides services or solutions to US government customers through direct (e.g. GSA) or indirect contracts (e.g. subcontractor of a NASA SEWP contract holder).
• A U.S. government entity (e.g. bureau, agency, department) that handles government-controlled data including:
  • Federal, tribal, state, or local government entities
  • Regional or interstate government entities (but no international entities)
  • Federally funded research and development centers (FFRDCs) which are public-private partnerships that conduct research and development for the United States (e.g. NSF)
  • Commercial private entities (contractors) with data that’s subject to regulations such as:
    • International Traffic in Arms (ITAR)
    • Controlled Unclassified Information (CUI)
    • Department of Defense (DoD) Unclassified Controlled Nuclear Information (UCNI)
    • Department of Energy (DoE) UCNI
    • Criminal Justice Information (CJI)
    • Department of Defense Impact Level Data
    • Other types of data that require Azure Government

Security & Compliance in Azure Government Cloud

For optimal security and compliance, Azure Government services for the public sector operate on a physically isolated instance of Microsoft Azure. This provides segmentation and the world-class security services critical to US government systems, as well as the secure, compliant cloud applications built on its architecture.

As shown below, Azure Government, Azure Government Secret, and Azure Government Top Secret enclaves are designed for differing security classification levels. Operated by screened and cleared US persons, Azure Government supports various scenarios for building, deploying, and managing cloud-based and cloud-native infrastructure and applications. Azure Government already has the required formal credentials and authorizations in place and is supporting thousands of public sector customers, eliminating the need for a customer to obtain similar certifications via a long, complicated process.

According to Microsoft’s Azure Government website, authorizations and credentials listed below make compliance much easier and more efficient for government entities and contractor customers.

• Federal Risk and Authorization Management Program (FedRAMP)
• Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level (IL) 2, 4, 5, and 6
• Joint Special Access Program (SAP) Implementation Guide (JSIG)
• Azure Government maintains the following authorizations that pertain to all Azure public regions in the United States:
  • FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
  • DoD IL2 Provisional Authorization (PA) issued by the Defense Information Systems Agency (DISA)
• Azure Government maintains the following authorizations that pertain to Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions):
  • FedRAMP High P-ATO issued by the JAB
  • DoD IL2 PA issued by DISA
  • DoD IL4 PA issued by DISA
  • DoD IL5 PA issued by DISA

As shown in the chart, Azure Government provides a secure and compliant environment for U.S. government entities, offering different levels of security depending on the classification and sensitivity of data. Each level supports various compliance standards and offers dedicated security functions to ensure data integrity and sovereignty within U.S. borders.

Ask how Veeam can help Azure Government customers meet data and application security, recovery, and portability compliance needs related to cATO.

Risk Management: Continuous Authority to Operate (cATO)

With this basic understanding of Azure Government and how it helps public sector customers meet compliance requirements more quickly, let’s turn to Continuous Authority to Operate (cATO) certification requirements. First, a little background.

In 2022, the U.S. Department of Defense (DoD) issued a  on Continuous Authority to Operate (cATO) certification requirements for DevOps organizations. The goal of cATO, as with more recent zero trust architecture requirements, is to standardize acceptable cybersecurity risk levels for government agencies and contractors per DoD, Risk Management Framework (RMF), and FedRAMP standards.  per DoD, Risk Management Framework (RMF), and FedRAMP standards.

cATO certification requires the software development and operations efforts of agencies and USG DevOps contractors to be continuously monitored. Continuous monitoring of DevOps infrastructure and application environments helps proactively (not reactively) identify and mitigate potential risks and vulnerabilities in real-time. cATO also requires a government approved third party regularly conduct security and compliance assessments on the organization. Then, if a product and organization’s risk posture is deemed acceptable by the DoD CISO, a cATO certification is awarded. Once awarded, there is no expiration date for a cATO. It remains in effect as long as the organization’s real time risk posture is maintained.

According to the DoD memo, “cATOs are a privilege and represent the gold standard for cybersecurity risk management for systems. They represent a raise the bar effort for system risk monitoring and management.” If through continuous monitoring and regular external assessments an organization is deemed to have inadequate cybersecurity, suffers a major breach, or there is a change in risk tolerance, its’ cATO can be suspended until the issues are addressed.

Ask us how Veeam can help you leverage another agency’s ATO or gain certain required competencies for your own cATO certification.

Azure Government Certifications vs. cATO Certification

Microsoft works closely with agencies like the Defense Information Systems Agency (DISA) and the General Services Administration (GSA), ensuring that Azure Government meets evolving federal standards. This close collaboration can help agencies in their cATO journey by ensuring their cloud provider is well-aligned with accrediting processes.

The USG is using Azure Government as part of a larger USG government risk management strategy. Similar to Azure Government, cATO certification also helps continuously manage risk but it applies specifically to the DevOps processes and activities conducted by government entities and contractors (e.g. develop, update, migrate or modernize software). If you are a USG entity or commercial contractor DevOps organization doing business with the USG and want to continue doing so, you need to apply for a cATO.

USG agencies can get certified themselves or use another cATO certified entity like Azure Government. Without cATO certification, DevOps contractors and agencies can face these and other challenges:

• Security Risks: Without continuous monitoring, applications and data may become vulnerable to security threats and breaches.
• Compliance Issues: Many industries, such as healthcare (HIPAA) and financial services (SOX), already have strict data protection regulations that require continuous monitoring and assessment. Failing to comply can result in hefty fines and legal issues.
• Operational Inefficiencies: Without a cATO, organizations may have to undergo lengthy and costly reauthorization processes periodically.
• Reputation Damage: Security breaches and non-compliance can harm an organization’s reputation, leading to loss of citizen and customer trust.
• Tougher Competition: cATO certification can be a competitive differentiator for contractors selling to the USG. If you don’t have it, you lower your odds of winning USG DevOps related business.

Since Azure Government already has numerous USG approved security capabilities and certifications, organizations can leverage its infrastructure to obtain portions of cATO certification for their cloud services and applications faster and more efficiently. Leveraging Azure Government shortens the organization’s time to 1) compliance and 2) offer digital services that can be used by other agencies and the public (e.g. lower cost, increase fees).

In summary, Azure Government simplifies the cATO certification process by providing pre-validated, compliant cloud infrastructure; advanced security tools for monitoring and threat detection; robust access management; and continuous monitoring/reporting tools. This infrastructure and toolset allow government organizations to maintain high levels of security and demonstrate compliance more easily, supporting both initial and continuous ATO processes.

Industry Migration to Kubernetes Virtualization

You may be wondering how Kubernetes fits with Azure Government and cATO certification. Let’s first dive into the details of what Kubernetes is and why industry is migrating to it.

Kubernetes is an industry standard container orchestration technology that manages and organizes standardized containers of data. Kubernetes helps manage or “orchestrate” the deployment, scaling, and operation of applications via containers. Kubernetes’ underlying philosophy revolves around the concept of “Immutable Infrastructure.” Immutable infrastructure is a model that mandates that no updates, security patches, or configuration changes happen in-place on production workloads. Instead, when a change is needed, the application is built on new temporary virtual infrastructure and tested in a staging or sandbox environment. Only when validated as meeting compliance requirements is it then deployed into production (e.g. Crowdstrike outage). Automation of this process helps maintain consistent highly available system and application processes avoiding configuration or compliance problems.

Given that Kubernetes has robust built-in automation capabilities, it becomes easier to scale applications up or down as required, ensuring that all the rules assigned to the parent application apply to each of its replicas automatically. This attribute ensures that your application environment remains compliant irrespective of scalability.

Azure Kubernetes Service (AKS) on Azure Government

Azure Kubernetes Service (AKS) is a Microsoft service provided in Azure Government. Using AKS within the Azure Government Cloud has multiple benefits. It provides application scalability, seamless automated integration with other Azure services, and supports a microservices architecture, multi-region availability, and adherence to strict security and compliance requirements.

Kubernetes-native tools and plugins can make achieving compliance much easier. One such tool is Open Policy Agent (OPA), which allows an authorized user to enforce fine-grained, context-aware access policies across the Kubernetes environment. By putting detailed controls over who can do what in the Azure Cloud environment, you help maintain compliance for access control policies per FIPS, NIST, FedRAMP, and others compliance requirements.

Reducing Risk with AKS on Azure Government Cloud

When it comes to DevOps shops getting cATO certification, cloud native agnostic container technologies like Kubernetes enable consistent deployment, management, and dynamic scaling of any type of applications in any technical environment (i.e. agnostic). The inherent security and isolation provided by Kubernetes for DevOps means that each application can run in a contained environment that is automatically spun up and down only as needed (impermanent), minimizing the risk of vulnerabilities spreading across applications.

Azure Government incorporates Kubernetes technology (AKS), enabling continuous integration and deployment (CI/CD) for mission-critical software pipelines, yet ensures modifications are traceable, replicable, and compliant. cATO requires this tracking and validation for all changes in the DevOps environmentAzure Government provides the built-in tools below to help agencies monitor, maintain, and demonstrate continuous, zero trust security to reduce overall risk:

• Azure Security Center: Offers threat detection, vulnerability assessments, and compliance monitoring to ensure security policies are enforced in real time.
• Azure Policy and Blueprints: Helps organizations apply consistent security controls and compliance policies. This allows agencies to configure cloud environments based on predefined regulatory templates, ensuring security baselines are continuously met.
• Azure Sentinel: A cloud native SIEM that provides analytics, intelligent security, and threat hunting to help organizations detect and respond to security incidents quickly, essential for maintaining cATO.
• Continuous Monitoring and Reporting: cATO requires continuous oversight of the system’s security state. Azure Government supports this through:
• Automated Compliance Reporting: Tools like Azure Monitor provide continuous insights into system performance, security, and compliance.
• Compliance Dashboard: Provides visibility into security controls and their compliance status, allowing organizations to easily audit their systems and provide reports to accrediting authorities.
• Log Analytics and Event Tracking: Critical for detecting anomalies, tracking events, and maintaining operational transparency, helping agencies demonstrate compliance to accrediting bodies.
• Managed Security Services: Azure Government Cloud offers Managed Security Services from third-party vendors that specialize in providing continuous security monitoring and incident response. This helps organizations maintain a robust security posture required for cATO and reduces the operational complexity of managing ongoing compliance.
• Identity and Access Management: Azure Government uses Azure Active Directory (Azure AD) for robust identity and access management, including:
  • Multi-factor Authentication (MFA): Provides additional layers of security.
  • Role-Based Access Control (RBAC): Ensures least-privilege access, a key requirement for cATO, ensuring that only authorized personnel have access to sensitive systems and data.
  • Accelerated ATO Process
• Documentation and Templates: Azure Government provides agencies with a wealth of documentation, templates, and compliance blueprints, reducing the time and effort needed to implement security controls. This helps organizations configure and assess their environment in alignment with cATO requirements.

cATO certification can be facilitated using Azure Government because it uses cloud-native agnostic container technologies that allow for uniform management and deployment of applications across different technical environments. With Azure Government implementing Kubernetes technology, agencies can ensure continuous integration/continuous delivery (CI/CD) for critical software, and that modifications are traceable and compliant. Additionally, Azure Government provides numerous tools, like Azure Security Center and Azure Active Directory, to monitor and maintain security for achieving cATO.

AKS on Azure Government Cloud provides a powerful and scalable platform to develop and deploy applications swiftly and effectively — all while prioritizing data security and regulatory compliance.

Running VMWare on Azure Government Cloud or moving to a new hyper visor? Consult with a Veeam subject matter expert on how migrate VMware-based workloads to Azure Government with AKS, or to modernize disaster recovery and business continuity strategies, without changing existing workflows.

Better Together Solutions Leverage Best-in-Class Partners

Utilizing technologies such as Kubernetes, Microsoft Azure, and Veeam under the umbrella of Azure Government Cloud offers “better together” solutions to meet requirements while facilitating compliance. The containerization provided by Kubernetes segregates application environments, thus reducing potential breaches exponentially. Kubernetes also supports automated deployment and management of applications, thereby accelerating compliance.

Azure Kubernetes Service (AKS) is a fully managed container orchestration service provided by Azure Government. AKS orchestrates and automates deployment, scaling, and management of containerized applications to simplify it. Then developers can focus on creating needed applications instead of managing infrastructure. In the context of Azure Government Cloud, AKS offers the following features:

• Seamless Integration: AKS works with several Azure services like Azure Logic Apps, Azure Functions, Azure DevOps, and Cosmos DB to provide a comprehensive, unified environment for application development and deployment.
• Scalability: Kubernetes in AKS allows automatic scaling. This scaling adjusts to the traffic load, ensuring the efficient use of resources. It can scale up during peak times and scale down during quieter periods.
• Microservices Architecture: AKS supports a microservices architecture, a design approach where applications are built as a collection of services that can be developed, tested, and versioned independently. This architecture provides increased agility and maintainability compared to traditional monolithic architectures.
• Multi-Region Availability: AKS on Azure Government Cloud ensures that the containerized applications are closer to the end-users reducing latency. The services are available across multiple regions offering high availability and disaster recovery.
• Security and Compliance: AKS on Azure Government Cloud adheres to the stringent compliance offerings that the Azure Government Cloud has. This includes FedRAMP High, DoD SRG, and others ensuring the secure deployment of government applications.

Fortunately, in this era of zero trust, strategic partners Veeam and Microsoft Azure Government Cloud offer modern “better together” solutions for the USG. These best-in-class solutions leverage Veeam and ProPartner products/services for a commercial-off-the-shelf (COTS) solution that delivers application and data resiliency:

• Veeam Kasten for Kubernetes
• Veeam Data Platform
• Microsoft Azure Government Cloud services

Veeam with partners Microsoft Azure and Red Hat, can help you modernize to meet and maintain continuity of operations (COOP) requirements, moving you one step closer to a Continuous Authority to Operate (cATO) certification.

Modernization efforts for government IT systems are well underway. DevOps processes, applications, and data protection methods/tools are also getting modernized due primarily to VMware price hikes. These changes are accelerating the migration of legacy virtual machines (VMs) to other hypervisors like Microsoft Hyper-V or Proxmox VE, and newer cloud native platforms such as RedHat OpenShift and Rancher Harvester.

When undergoing IT and application modernization, be sure to update and create new continuity of operations (COOP) and incident response plans. When implemented, you will comply with standards and DoD mandates such as cATO and zero trust.