{"id":105571,"date":"2020-01-29T06:00:27","date_gmt":"2020-01-29T14:00:27","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=105571"},"modified":"2020-01-27T13:28:26","modified_gmt":"2020-01-27T21:28:26","slug":"cloud-federal-data-protection","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/01\/cloud-federal-data-protection\/","title":{"rendered":"Navigating Federal Data Protection Compliance Requirements in the Cloud"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Government contractors and military suppliers are increasingly utilizing cloud services in the execution of their contracts. Many assume that if the cloud service provider\u2019s (CSP) underlying infrastructure is compliant then their work is complete.\u00a0<\/span><\/p>\n<p><b>However,<\/b> <b>while the CSP\u2019s underlying infrastructure and services may meet Federal requirements, government contractors and suppliers must <\/b><b><i>establish<\/i><\/b><b> that <\/b><b><i>they<\/i><\/b><b> have cloud services configured in compliance with <\/b><a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-171r1.pdf\" rel=\"nofollow,noopener\" ><b>NIST 800-171<\/b><\/a><b>. <\/b><span style=\"font-weight: 400;\">The challenge typically lies in the cloud\u2019s infamous <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/cloud-security-is-a-shared-responsibility\"><span style=\"font-weight: 400;\">shared responsibility model<\/span><\/a><span style=\"font-weight: 400;\">. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">When using cloud services to process, store or transmit data related to work with the Federal government, contractors and vendors must ensure they are Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 compliant. 
Doing this in the cloud across multiple accounts and service providers can be a challenge without the proper processes and tools in place.<\/span><\/p>\n<p><b>History<\/b><\/p>\n<p><span style=\"font-weight: 400;\">In 2010, the White House issued Executive Order (EO) 13556 to address the hodgepodge of controls and processes surrounding the protection of <\/span><a href=\"https:\/\/www.archives.gov\/cui\/about\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Controlled Unclassified Information<\/span><\/a><span style=\"font-weight: 400;\"> (CUI). Following this Order, the Department of Defense (DoD) published its Final Rule in 2013, revising DFARS 252.204-7012. The rule originally relied upon NIST 800-53 r4 as its standard set of controls, but was later revised to use NIST 800-171. NIST 800-171 provides a list of controls organized into 14 control families. It also addresses cyber incident reporting. All of this is squarely directed at government contractors whose systems process, store or transmit CUI.<\/span><\/p>\n<p><b>Cloud Impact<\/b><\/p>\n<p><span style=\"font-weight: 400;\">NIST 800-171 compliance is challenging for many in the Federal community for two primary reasons. Suppliers often use multiple public clouds across their various business units, and contractors regularly use multiple subcontractors in the execution of their contracts. Regardless of size, many are increasingly using cloud services to process, store or transmit CUI. In these cases, each and every cloud environment must be NIST 800-171 compliant for each of the 14 control families.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Continually monitoring compliance with NIST 800-171 is challenging in itself, and the dynamic nature of cloud environments makes it more complex still. <\/span><b>Consider that in the on-premises world, the lifespan of an application could often be measured in years. 
In the cloud, this lifespan drops to an average of just two hours!<\/b><span style=\"font-weight: 400;\"> This means that, for many cloud resources, if you are not continually monitoring compliance with NIST 800-171, it\u2019s highly likely you will miss key changes that could create potential compliance challenges. <\/span><b>While each of the cloud vendors offers some native security services within its platform, this has proven to be insufficient for compliance and security across multiple cloud accounts and vendors.<\/b><span style=\"font-weight: 400;\"> When it comes to anything outside their own ecosystem, the cloud vendors have little incentive to provide the visibility and compliance government contractors need with a multi-cloud strategy.<\/span><\/p>\n<p><b>Multi-cloud Continuous Compliance Monitoring<\/b><\/p>\n<p><span style=\"font-weight: 400;\">When looking to ensure their multi-cloud strategy is compliant with NIST 800-171 and other Federal standards, it is important that security leaders and their teams keep visibility, compliance and security in clear focus. 
This is where cloud-agnostic security tools such as <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/prisma\/cloud\"><span style=\"font-weight: 400;\">Prisma Cloud<\/span><\/a><span style=\"font-weight: 400;\"> by Palo Alto Networks can help.<\/span><\/p>\n<p><img class=\"aligncenter wp-image-105585 size-full\" src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/01\/image1-8.png\" alt=\"Prisma Cloud shows real-time compliance status of NIST 800-171\" width=\"1572\" height=\"608\" \/><\/p>\n<p><i><span style=\"font-weight: 400;\">Figure 1 - Prisma Cloud shows real-time compliance status of NIST 800-171<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Prisma Cloud is a 
comprehensive cloud-native security platform with broad security and compliance coverage\u2014for applications, data and the entire cloud-native technology stack\u2014throughout the development lifecycle and across multi- and hybrid cloud deployments. The Prisma Cloud integrated approach enables security operations and DevOps teams to stay agile, collaborate effectively and accelerate secure, cloud-native application development and deployment. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Prisma Cloud also simplifies compliance by utilizing a comprehensive library of industry compliance standards and policies, including NIST 800-53, ISO 27000, SOC 2, NIST CSF and many others. <\/span><b>If your organization is subject to DFARS 252.204-7012 and NIST 800-171, Prisma Cloud is a powerful tool to help you navigate your regulatory obligations. <\/b><span style=\"font-weight: 400;\">For those who require Federal Risk and Authorization Management Program (FedRAMP) security controls, <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/01\/cloud-federal-clouds\/\"><span style=\"font-weight: 400;\">Prisma Cloud is part of Palo Alto Networks Government Cloud Services, which is currently In Process<\/span><\/a><span style=\"font-weight: 400;\"> with FedRAMP. 
This important milestone indicates progress for Prisma Cloud toward a FedRAMP Moderate Agency Authorization.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Learn more about how Palo Alto Networks and its cloud products, including Prisma Cloud, can help<\/span><a href=\"https:\/\/www.paloaltonetworks.com\/security-for\/government\/federal\"> <span style=\"font-weight: 400;\">secure federal networks<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A primer on federal data protection compliance and proper configuration for using cloud services for data related to work with the federal government.<\/p>\n","protected":false},"author":623,"featured_media":105601,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[484,6768],"tags":[6594,428,123,6890],"coauthors":[6679],"class_list":["post-105571","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-government","category-secure-the-cloud","tag-cloud-compliance","tag-compliance","tag-government2","tag-prisma-cloud"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/01\/CS-prosecution-cybercriminals-r2d1-1200x630.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/105571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/623"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\
/blog\/wp-json\/wp\/v2\/comments?post=105571"}],"version-history":[{"count":4,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/105571\/revisions"}],"predecessor-version":[{"id":105614,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/105571\/revisions\/105614"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/105601"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=105571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=105571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=105571"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=105571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}