|
| 1 | +--- |
| 2 | +title: How to accelerate your journey to compliance with Azure |
| 3 | +description: Provides an overview of resources for Development, Automation, and Advisory partners and how they can accelerate their path to ATO with Azure |
| 4 | +titleSuffix: Azure Government |
| 5 | +services: azure-government |
| 6 | +cloud: gov |
| 7 | +documentationcenter: '' |
| 8 | +author: todorgb |
| 9 | +manager: pathuff |
| 10 | + |
| 11 | +ms.assetid: |
| 12 | +ms.service: azure-government |
| 13 | +ms.devlang: na |
| 14 | +ms.topic: article |
| 15 | +ms.tgt_pltfrm: na |
| 16 | +ms.workload: azure-government |
| 17 | +ms.date: 02/19/2020 |
| 18 | +ms.author: todorb |
| 19 | + |
| 20 | +--- |
| 21 | +# Program Overview |
| 22 | + |
| 23 | +Accelerating your path to compliance in Azure is a focused program that targets the provisioning of learning resources and implementation tools by educating, providing architectural references, and support during the scoping and implementation of your project. In addition, we work with key assessment and automation partners to share reference architectures, solutions, alternatives both first party and third party that can help you meet your compliance needs. |
| 24 | + |
| 25 | +As a partner who provides a service in this field, you can publish your offering in the marketplace that will expand the reach of your services. |
| 26 | + |
| 27 | +## Customers |
| 28 | + |
| 29 | +The Government, as many other organizations, relays on commercial software companies to achieve its mission. As part of the procurement and consumption processes, the ATO (Authority to Operate) was implemented to ensure that the development, use, and operation of such commercial software and platforms, is done in accordance with security and data protection necessary to safeguard government information. While the process is best intentioned, the complexity across all swim lanes creates a long and expensive project that discourages many Independent Software Vendors (ISVs) to go down this path. |
| 30 | + |
| 31 | +With the adoption of cloud technologies by the Federal Government as well as other industries, we have seen the development of certification/accreditation standards such as HIPA, GDPR, SOX, ISO, FISMA, and others and in the case of the Federal Government, FedRAMP or Federal Risk Authorization Management Program. This is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant Agency security assessments. This program is based, as well as FISMA, on the NIST SP 800-53 security controls. |
| 32 | +There are two types of FedRAMP authorizations for cloud services: |
| 33 | + * A Provisional Authority to Operate (P-ATO) through the Joint Authorization Board (JAB) |
| 34 | + * An Agency Authority to Operate (ATO) |
| 35 | + |
| 36 | +###### P-ATO Process |
| 37 | + |
| 38 | +A FedRAMP P-ATO is an initial approval of the CSP authorization package by the JAB that an Agency can leverage to grant an ATO for the acquisition and use of the cloud service within their Agency. The JAB consists of the Chief Information Officers (CIOs) from DOD, DHS, and GSA, supported by designated technical representatives (TRs) from their respective member organizations. A P-ATO means that the JAB has reviewed the cloud service’s authorization package and provided a provisional approval for Federal Agencies to leverage when granting an ATO for a cloud system. For a cloud service to enter the JAB process, it must first be prioritized through FedRAMP Connect. |
| 39 | + |
| 40 | +###### Agency ATO Process |
| 41 | + |
| 42 | +As part of the Agency authorization process, a CSP works directly with the Agency sponsor who reviews the cloud service’s security package. After completing a security assessment, the head of an Agency (or their designee) can grant an ATO. |
| 43 | +Taking the above into consideration, an ISV can choose to go for JAB authorization, which grants a generalized authorization to its solution and can be used with multiple agencies, this process tends to be longer. They can also choose to go for an Agency ATO which is specific to the Government customer they are serving. This customer acts as the sponsor and may even have “reciprocity” with other agencies which allows for a faster, smoother adoption of the company’s solution with a different customer. |
| 44 | + |
| 45 | +## Partners |
| 46 | + |
| 47 | +Microsoft is able to scale through its partners. Scale is what will allow us to create a more predictable, cost-effective, and speedy delivery. These so happen to be the concerns with perusing an ATO. We are focusing on enabling two main kinds of partnerships: |
| 48 | + * **Advisory:** enables partners to create offerings based on Azure that shepherd a customer through steps or the entire ATO process. These partners offer consulting services bundled with some automated solutions that are valu-add to what Azure Compliance Launchpad provides. They can usually be contracted directly, by reference or via the Marketplace. |
| 49 | + * **Automation:** there are two types of automation partners we focus one, foundational partners which enable integrated 3rd party solutions with Azure and help you achieve / meet controls from your FedRAMP Package. These partners are part of our recommended reference architectures. The second kind is true automation partners that help automating certain aspects of the ATO journey such as the SSP generation, self-healing, alerts and monitoring. |
| 50 | + |
| 51 | + > [!NOTE] |
| 52 | +> Partners are asked to publish their solutions to the Azure Marketplace. Steps on how to achieve that are presented below. |
| 53 | +
|
| 54 | +## Publishing to the Azure Marketplace for Partners in the Compliance space |
| 55 | + |
| 56 | +1. Join the Partner Network - It’s a requirement for publishing but easy to sign up. Instructions are located here: [Ensure you have a MPN ID and Partner Center Account](https://docs.microsoft.com/azure/marketplace/partner-center-portal/create-account#create-an-account-using-the-partner-center-enrollment-page) |
| 57 | +2. Enable your partner center account as Publisher / Developer for Marketplace, follow the instructions [here](https://docs.microsoft.com/azure/marketplace/partner-center-portal/create-account) |
| 58 | +3. With an enabled Partner Center Account, publish listing as a SaaS App as instructed [here](https://docs.microsoft.com/azure/marketplace/partner-center-portal/create-new-saas-offer) |
| 59 | + |
| 60 | +For a list of existing Azure Marketplace offerings in this space, visit [this page](https://aka.ms/azclmarketplace). |
| 61 | + |
| 62 | +## Additional resources |
| 63 | + |
| 64 | + > [!NOTE] |
| 65 | +>The information provide here will allow partners and customers to sign up and get information about this program. The program is designed to help customers of Azure and Azure Government successfully prepare their environments for Accreditation and request FedRAMP ATO. This information does not constitute an offer of any kind, and submitting the forms below in no way guarantees participation in the program. At this time, the program details shared with partners and customers are notional and subject to change without notice. |
| 66 | +
|
| 67 | + * Are you a customer in look of compliance help on Azure and don't know where to start? Fill out our [form](https://aka.ms/azcl) |
| 68 | + * Free training on what is FedRAMP can be found [here](https://www.fedramp.gov/learning/) |
| 69 | + * Templates you will need to start understanding controls and what is needed are [here](https://www.fedramp.gov/templates/) |
| 70 | + * Get familiarized with the [FedRAMP Marketplace](https://marketplace.fedramp.gov/#/products) |
| 71 | + * Are you a partner and want to join our program? Fill out the [form](https://aka.ms/partnerazcl) |
| 72 | + * Learn more about Blueprint [here](https://azure.microsoft.com/services/blueprints/) |
| 73 | + * To learn how Blueprint helps you when using Azure Policy review the [blog post here](https://azure.microsoft.com/blog/new-azure-blueprint-simplifies-compliance-with-nist-sp-800-53/) |
| 74 | + |
| 75 | +## Next steps |
| 76 | +Review the documentation above, if you are still facing issues reach out to [Azure Compliance Acceleration Program ](mailto:[email protected]). |
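Review bot: In the front matter, `author: todorgb` (line 8 of the new file) and `ms.author: todorb` (line 18) differ by one letter, and `ms.assetid:` (line 11) is left empty; please confirm each alias is the intended one and either populate the asset id or drop the key. In the body, "HIPA" on line 31 should read "HIPAA", and several typos should be fixed before merge: "relays on" (line 29), "perusing an ATO" (line 47), "valu-add" (line 48), "focus one" (line 49), "information provide here" (line 65) and "in look of" (line 67). The `> [!NOTE]` markers on lines 51 and 64 carry a leading space that their continuation lines do not, which may keep the alert from rendering as a single block, and the `###### P-ATO Process` and `###### Agency ATO Process` headings jump from H2 straight to H6, so H3 would fit the outline. Link text such as "here" on lines 57, 58, 68, 69 and 72 would read better if it named the destination.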