Phases of the Cloud Smart Journey
The Cloud Smart Journey consists of five phases that can only be accomplished through collaboration across FCS, the Modernization Teams, Business leadership. Utilize the contents of this page to obtain a deeper understanding of the tasks, outcomes, and artifacts encompassed in each phase of the Cloud Smart Journey.
Click on the following link to view the Cloud Smart Journey Personas
- Consumer Persona- Business Application Team - Follow the Cloud Smart Journey of a business application team looking to modernize their applications
- Producer Persona - GSA Security Team - Follow the Cloud Smart Journey of GSA Security in their process of updating or implementing a cybersecurity feature
Explore the FCS Procedural Security Guide for Authorization for a detailed list of milestones to achieve ATO.
This document is intended to navigate an FCS Tenant through the FCS Security Authorization process.
Phase 0 - Intake
Purpose
The purpose of the Intake Phase is to begin a collaborative partnership with the tenant, obtain an understanding of the application needs through the Lean Intake Assessment and application Requirements Template, and assess cloud readiness.
- Cloud Advisory Services*: Any changes related to the architecture, operational model, security boundary to existing services or products. New Capability enablement or Capability enhancements to existing products. New product(s) to be brought into FCS to develop to be a new service.
- Google Form: Click on this LINK and follow the navigation path below within GSA Service Now
Navigation Path: Home > Service Catalog > Enterprise Services > Cloud Services > CISS Cloud Service
Outcomes
- Completed intake request
- Increased understanding of tenant needs
- Completed set of requirements
Security Outcomes
- Completes Security section of the Intake Questionnaire
- Defines roles and responsibilities, to include POCs such as System Owner (SO), Lead Developer (if applicable)
Phase 1 - Advisory
Purpose
The purpose of the Advisory Phase is to orient tenants to the Cloud Smart Journey process; and validate requirements which will drive the assessment and target model leading to a cloud migration rationalization strategy.
Outcome
- Completed assessment
- Initial rationalization strategy
Security Outcomes
- Obtains FCS ATO Package and Templates
- Provides details for planned System/Data Interconnections; including disclosure of any additional baseline security requirements
- Discloses all necessary security requirements to Cloud Advocate
Phase 2 - Enablement
Purpose
The purpose of the Enablement Phase is to collaborate with FCS Security and FCS Product Team to develop and gain concurrence on the Cloud Modernization Plan. Completion of the Cost Estimate, Schedule, and Onboarding Checklist are put in place to execute the Cloud Modernization Plan.
Outcomes
- Rough Order of Magnitude
- Cloud Modernization Plan
Security Outcomes
- Clear and achievable strategy to addressing FCS security requirements (example: initial control gap assessment)
- Plans to address security artifact delivery and identifying potential delivery risks
- Draft Rough Order of Magnitude (ROM) based on ISSO checklist and other considerable factors
- Detailed System Description (Use and Purpose required)
- Synchronize development timeline with security artifact(s) development
- Determination of applicable Security Documents (example: incident response plan may not be applicable)
Phase 3 - Adoption
Purpose
The purpose of the Adoption Phase is to enable production readiness, complete all security requirements to achieve the ATO, implement supporting structures to drive adoption, and monitor the project from kickoff to launch to ensure the anticipated outcomes of the Cloud Modernization Plan are met.
Outcomes
Tenants are fully active and onboarded to their environment with operational support structures in place
Security Outcomes
- Clear understanding of Security Assessment Plan (SAP) amongst key stakeholders
- Initial Security Authorization timeline is approved by all-parties
- Final FIPS 199 categorization is determined
- PTA and PIA Forms are reviewed and approved (if applicable)
- Final e-Auth Level is determined
- Security review and approval of draft SSPP
- Actionable next steps to initiating and completing applicable Security Documentation such as but not limited to: Contingency Plan (CP), Business Impact Assessment (BIA), Incident Response Plan (IRP)
- Security Assessment Report (SAR) and Authorization decision are obtained
Phase 4 - Optimization
Purpose
The purpose of the Optimization Phase is to provide ongoing service support and maintenance for onboarded tenants, track cloud utilization measures, and partner on continuous modernization efforts.
Outcomes
- Tenants are self-managed and operating in optimized environments
- Feedback is collected to achieve continuous improvement
Security Outcomes
- Discussion for ongoing audits
- Vulnerability Scans (Weekly/Ad-Hoc)
- Active ATO Progress (e.g. re-authorization)
- Planned Security Activities
- Security Roadblocks
- Executive Orders, Updates to NIST Publications/RMF/ FISMA Data Calls
- ISSO Self Assessments and Checklist status update
- Plan Of Action and Milestones (POA&M) updates
- Discuss Risk Based Decisions for risk acceptance (when applicable)
- Review list of SecOps approved security tools to determine tenant's operational needs.
- Payment Card Industry (PCI-DSS) Assessment progress (if applicable)