
Cloud Smart Journey

In this section of the playbook, you can learn more about how stakeholders can use our cloud services. Pick the persona that’s closest to you, or browse to see the guidance for various stakeholders.

Consumer Persona - Business Application Team - Follow the Cloud Smart Journey of a business application team looking to modernize their applications

Producer Persona - GSA Security Team - Follow the Cloud Smart Journey of GSA Security in their process of updating or implementing a cybersecurity feature

Phase 0 - Intake
Purpose

The purpose of the Intake Phase is to begin a collaborative partnership with the tenant, obtain an understanding of the application needs through the Lean Intake Assessment and application Requirements Template, and assess cloud readiness.

Phase 0 Graph

Cloud Advisory Services*: Any changes related to the architecture, operational model, or security boundary of existing services or products; new capability enablement or capability enhancements to existing products; or new product(s) to be brought into FCS and developed into a new service.

Google Form: Click on this LINK and follow the navigation path below within GSA Service Now

Navigation Path: Home > Service Catalog > Enterprise Services > Cloud Services > CISS Cloud Service

Outcomes

  • Completed intake request
  • Increased understanding of tenant needs
  • Completed set of requirements
Security Outcomes

FCS Tenant:

  • Completes Security section of the Intake Questionnaire
  • Defines roles and responsibilities, including POCs such as System Owner (SO) and Lead Developer (if applicable)

Phase 1 - Advisory
Purpose

The purpose of the Advisory Phase is to orient tenants to the Cloud Smart Journey process and to validate the requirements that will drive the assessment and target model, leading to a cloud migration rationalization strategy.

Phase 1 Graph
Outcomes

  • Completed assessment
  • Initial rationalization strategy
Security Outcomes

FCS Tenant:

  • Obtains FCS ATO Package and Templates
  • Provides details for planned System/Data Interconnections; including disclosure of any additional baseline security requirements
  • Discloses all necessary security requirements to Cloud Advocate

Phase 2 - Enablement
Purpose

The purpose of the Enablement Phase is to collaborate with FCS Security and the FCS Product Team to develop and gain concurrence on the Cloud Modernization Plan. The Cost Estimate, Schedule, and Onboarding Checklist are completed so that the Cloud Modernization Plan can be executed.

Phase 2 Graph
Outcomes

  • Rough Order of Magnitude
  • Cloud Modernization Plan
Modernization Agreement Overview

The Modernization Agreement formally defines the relationship between the Cloud Ecosystem and each Tenant and establishes mutually accepted expectations for the partnership. Read the Modernization Agreement Overview for more information.
Security Outcomes

FCS Tenant provides:

  • Clear and achievable strategy for addressing FCS security requirements (example: initial control gap assessment)
  • Plans to address security artifact delivery and identify potential delivery risks
  • Draft Rough Order of Magnitude (ROM) based on ISSO checklist and other considerable factors
  • Detailed System Description (Use and Purpose required)
  • Development timeline synchronized with security artifact(s) development
  • Determination of applicable Security Documents (example: incident response plan may not be applicable)

Phase 3 - Adoption
Purpose

The purpose of the Adoption Phase is to enable production readiness, complete all security requirements to achieve the ATO, implement supporting structures to drive adoption, and monitor the project from kickoff to launch to ensure the anticipated outcomes of the Cloud Modernization Plan are met.

Phase 3 Graph
Outcomes

  • Tenants are fully active and onboarded to their environment with operational support structures in place

Cloud Smart Journey Adoption (Phase 3) Kickoff

This Kickoff is the first meeting with CETT on the continuation of phases in the Cloud Smart Journey. The presentation gets things started with the right teams and helps get everyone on the same page, with clear communication between all parties involved. Click on this LINK to view the presentation.

Security Outcomes

FCS Tenant ensures:

  • Clear understanding of Security Assessment Plan (SAP) amongst key stakeholders
  • Initial Security Authorization timeline is approved by all parties
  • Final FIPS 199 categorization is determined
  • PTA and PIA Forms are reviewed and approved (if applicable)
  • Final e-Auth Level is determined
  • Security review and approval of draft SSPP
  • Actionable next steps for initiating and completing applicable Security Documentation, such as but not limited to: Contingency Plan (CP), Business Impact Assessment (BIA), Incident Response Plan (IRP)
  • Security Assessment Report (SAR) and Authorization decision are obtained

Phase 4 - Optimization
Purpose

The purpose of the Optimization Phase is to provide ongoing service support and maintenance for onboarded tenants, track cloud utilization measures, and partner on continuous modernization efforts.

Phase 4 Graph
Outcomes

  • Tenants are self-managed and operating in optimized environments
  • Feedback is collected to achieve continuous improvement
Security Outcomes

FCS Tenant must partake in recurring Continuous Monitoring activities such as:

  • Discussion for ongoing audits
  • Vulnerability Scans (Weekly/Ad-Hoc)
  • Active ATO Progress (e.g. re-authorization)
  • Planned Security Activities
  • Security Roadblocks
  • Executive Orders, Updates to NIST Publications/RMF/FISMA Data Calls
  • ISSO Self Assessments and Checklist status update
  • Plan of Action and Milestones (POA&M) updates
  • Discuss Risk Based Decisions for risk acceptance (when applicable)
  • Review list of SecOps approved security tools to determine tenant's operational needs
  • Payment Card Industry (PCI-DSS) Assessment progress (if applicable)
