Azure Blueprint: architecting secure solutions just got easier!

Nate Johnson, Sr. Program Manager

Azure Government Engineering is pleased to announce the initial release of the Azure Blueprint program! The program is designed to facilitate the secure and compliant use of Azure for government agencies and third-party providers building on behalf of government.

Azure Government has been granted a JAB Provisional Authority to Operate (P-ATO) based on Microsoft internal security protections and processes. Customers can leverage this P-ATO to reduce the scope of security responsibilities in a cloud-based system. Inheriting security control implementations from Azure Government allows customers to focus on implementations specific to their IaaS, PaaS, or SaaS environments built in Azure.

One of the greatest challenges we see when working with Agency customers on their ATO efforts is understanding the scope of what can be inherited from Azure Government. Responsibility for each security control must be defined to ensure that controls are properly implemented through the entire stack. Without these responsibilities defined, ISSOs face a daunting task of determining how security controls must be implemented in a cloud environment. This challenge is the focus of Azure Blueprint Phase 1.

The initial release includes documentation to assist Azure customers with documenting their security control implementations as part of their individual agency ATO processes. The FedRAMP Moderate baseline Customer Responsibility Matrix (CRM) and System Security Plan (SSP) template are designed for use by Program Managers, Information System Security Officers (ISSO), and other security personnel who are documenting system-specific security controls within Azure Cloud.

The FedRAMP Moderate CRM document explicitly lists all control requirements that include a customer implementation requirement. This includes both controls with a shared responsibility between Azure Government and Azure customers, as well as controls that are fully implemented by Azure customers. The format is conducive to focused documentation of only the customer portions of security controls.

The FedRAMP Moderate SSP Template is customer focused and designed for use in developing a SSP that includes both customer implementations as well as control inheritance from Azure Government. Customer responsibility sections include guidance on how to write a thorough and compliant control response. Azure inheritance sections include information on how the control is implemented by Azure Government on behalf of the customer.

The NIST Cybersecurity Framework Customer Responsibilities Matrix is available on the Service Trust Portal under Trust Documents. To provide feedback on the documentation, please e-mail

Future iterations of the CRM and SSP Template will include the security control baselines for FedRAMP High, DISA Impact Level 4, and DISA Impact Level 5.

Many thanks to the customers and partners who have provided feedback on these documents during our pilot phase. We value your feedback and look forward to assisting you with ATO efforts in the future!

To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails by clicking “Subscribe by Email!” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial. 


Discussion is closed.

Feedback usabilla icon