Cloud Environment Business Rules

This topic provides a core set of Cloud Infrastructure (CI) business rules that are binding on all CMS business applications hosted and operated in a cloud solution.

BR-CI-1: Choosing a Cloud Deployment and Service Model

CMS business owners will use the CMS Cloud Computing Standard, CMS Office of the Chief Information Security Officer, Risk Management Handbook Volume III, Version 1.0, May 3, 2011, as a point of reference in (a) choosing the cloud deployment model (private, community, hybrid) and service model (IaaS, PaaS, or SaaS) based upon the business application’s identified security risk; and (b) employing CMS Chief Information Officer (CIO)-approved Cloud Service Providers.

BR-CI-3: Document the Impact of Cloud Deployment

A business application identified for deployment to and operation in a cloud environment must include in its Requirements Document those specific functional, technical, performance, service, and support requirements of the cloud environment as mandated by the CMS Target Life Cycle (TLC). The business owner must also include documentation of the Analysis of Alternatives used to determine the suitability-for-the-cloud assessment in accordance with the guidance of HHS Cloud Computing Tactical Implementation and Transition.

BR-CI-4: Engage TRB Consulting for CMS-Owned Equipment

Business owners should consult with the CMS TRB when planning to install and operate CMS-provided Government-Furnished Equipment (GFE) hardware at the cloud service provider’s facility.

Rationale:

This rule is necessary because of the increased costs and complexity in managing physical devices at a cloud provider, which run counter to cloud efficiency principles. The increased complexity also increases security risk. An analysis of alternatives should be conducted to communicate and document choices.

Examples of CMS-owned GFE include networking equipment used to connect the cloud service provider’s network to the CMSNet.

BR-CI-5: Acquisition of New IaaS or PaaS Cloud Service Providers

The acquisition and procurement of an IaaS or PaaS Cloud Service Provider must follow the guidelines set forth in Federal Risk and Authorization Management Program (FedRAMP), Office of Management and Budget (OMB) memoranda, and other appropriate federal, HHS, and CMS guidelines. Business owners are not permitted to acquire such services directly.

Only a CMS CIO-designated Cloud Management organization or HHS Office of the CIO cloud authority may procure and manage cloud environments.

Related CMS ARS Security Controls include: CA-6 - Authorization.

Rationale:

Only the CMS CIO can issue an ATO for a CMS IT processing environment.

BR-CI-6: Define Data Backup and Contingency Plans in a Cloud

All CMS business applications must evaluate and establish that defined backup and contingency plans, including the desired Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), are achievable and specified within established or planned Service Level Agreements (SLA).

Related CMS ARS Security Controls include: CP-6 - Alternate Storage Site, CP-7 - Alternate Processing Site, CP-9 - System Backup, and CP-9(8) - Cryptographic Protection.

Rationale:

While it is true that many CSPs provide services that maintain multiple copies in multiple data centers, this does not constitute data backup but rather addresses reliability and availability concerns. Hosting in a cloud environment does not inherently provide data backup or contingency planning.

BR-CI-7: Cloud Resource Capacity Planning

Anticipated resource capacity needs, along with the expected need for elasticity, must be documented and communicated both in the TLC-specified document templates (such as the System Design Document) and to the CSP if these capacity levels are required. The automated actions to be taken when those established ceilings are exceeded must be defined either through SLAs or through automated management rules/responses in the CMS management tools, and must be agreed to in advance by CMS Cloud as well as the business owner. This may incur additional charges to which business owners must agree. Capacity planning must also be included as part of contingency plans.

Related CMS ARS Security Controls include: CP-2 - Capacity Planning.

Rationale:

Clouds are capable of fulfilling requests rapidly, which can potentially commit the government to unexpected or unforeseen charges. Capacity planning is necessary to maintain control over existing usage and forecast future usage, to inform business owners of costs and budgetary impacts. Additional guidance is available in NIST SP 800-34.

BR-CI-8: Separate Production, Management, and Non-Production Resource Clusters

Production and Non-Production environments must use distinct resource clusters, as defined above in Cloud Architecture, Resource Aggregation – Resource Clusters and Resource Pools. In addition, the Management Zone (for both Production and Non-Production) must have at least one resource cluster distinct from the Production and Non-Production environments.

Related CMS ARS Security Controls include: SC-6 - Resource Availability.

Discussion:

This means there are at least three (3) resource clusters in any CMS TRA-compliant IaaS or PaaS cloud.

Rationale:

The Management Zone cluster is distinct from the Production and Non-Production clusters to ensure that there is no contention for resources.

BR-CI-9: Applicability of Multi-Zone Architecture

IaaS clouds must implement the CMS Multi-Zone Architecture as defined in the CMS TRA. PaaS clouds must be based on an infrastructure that meets the CMS Multi-Zone Architecture.

Rationale:

The CMS Multi-Zone Architecture can be, and has been, implemented in IaaS clouds. The benefits of a defense-in-depth architecture can be achieved using cloud technologies, even if the architecture is not an exact one-for-one match with virtualized data centers. For example, clouds may offer different services to perform the role of the firewall in the multi-zone architecture. System developers utilizing cloud technologies are encouraged to consult with the TRB to ensure that TRA and defense-in-depth principles are being addressed. Business Rule CI-11 enables the use of such services.

Consider leveraging FedRAMP to make it easier to embrace tested and commercially available cloud services. IaaS clouds must separate information flows logically or physically using FedRAMP-approved mechanisms and/or techniques to accomplish required separations.

BR-CI-10: (Rule Withdrawn after TRA 2016R1): Required Physical Components

BR-CI-11: Cloud Services Covered by a CMS ATO May Be Used in Lieu of Virtual Network Elements

The CMS TRA Multi-Zone Architecture permits the use of certain cloud services instead of virtual machines or applications only if those services hold a CMS ATO.

Rationale:

Some CSPs may offer services rather than virtual machines to provide critical CMS services, such as firewalls, load-balancing, or XML acceleration.