Cloud.gov Shared Responsibility Model
Overview
Cloud.gov operates on a shared responsibility model: the platform secures the infrastructure and platform layers, and customers secure their applications and data. Knowing where that line sits lets you implement the right controls and document control inheritance accurately in your FedRAMP authorization package. The line moves with your deployment method: standard buildpacks, custom buildpacks, or Docker containers, each shifting more responsibility to the customer.
Prerequisites
- Understanding of your application architecture
- Organization Manager or Space Developer role
- Familiarity with chosen deployment method (buildpack or Docker)
- Access to your agency's System Security Plan (SSP) template
Process / Steps
1. Understand Platform Responsibilities
Cloud.gov is responsible for:
- Infrastructure: AWS GovCloud services and configuration
- Platform: Cloud Foundry, container runtime, networking
- Security: OS patching, platform updates, monitoring
- Compliance: FedRAMP controls, continuous monitoring
- Standard Buildpacks: Language runtime updates and patches (applied to your app only when it is restaged)
2. Identify Your Responsibilities by Deployment Type
Standard Buildpack Applications
Customer Responsibility:
- Application code and dependencies
- Security scanning of your code
- Application configuration
- Data protection within the application
- Restaging the app so it picks up platform buildpack updates
# Example: Deploy with standard buildpack
cf push your-app -b nodejs_buildpack
Custom Buildpack Applications
Customer Responsibility includes all of the above plus:
- Buildpack maintenance and updates
- Runtime security patches (the platform no longer updates the language runtime your buildpack installs)
- Dependency vulnerability management
- Buildpack configuration security
# Example: Deploy with custom buildpack
cf push your-app -b https://github.com/your-org/custom-buildpack.git
Docker Container Applications
Customer Responsibility includes the standard buildpack responsibilities plus (the buildpack items do not apply, since no buildpack runs):
- Base image maintenance
- OS-level security updates for everything inside the image (the host kernel remains the platform's)
- Container configuration
- Full stack vulnerability management
# Example: Deploy Docker container
cf push your-app --docker-image your-registry/your-app:latest
Note that a tag such as :latest is a mutable reference; pinning the image by digest (your-registry/your-app@sha256:...) ensures the image you scanned is the one that runs.
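To see which tier each app in a space falls into, and to catch the two configuration gaps that most often undercut the above (a custom buildpack URL without a pinned ref, and a Docker image without a digest), the following added example classifies apps from `cf curl /v3/apps` output. It is not cloud.gov's own tooling; the sample data is constructed, and each app record is assumed to carry an extra "docker_image" field joined in from the app's package (`cf curl /v3/apps/<guid>/packages`, field data.image).

```python
"""Inventory Cloud Foundry apps by deployment type and list which security
responsibilities each one puts on the customer.

Added example, not part of the cloud.gov page or its tooling. Input is the
JSON shape of `cf curl /v3/apps`; each app record is assumed to carry an
extra "docker_image" field joined in from the app's package
(`cf curl /v3/apps/<guid>/packages`, field data.image). Sample data is
constructed, not captured from a real space.
"""
import json
import re
from typing import Dict, List

# Customer responsibilities per deployment type (from the lists above).
STANDARD_RESP = [
    "application code and dependencies",
    "security scanning of application code",
    "application configuration",
    "data protection within the application",
]
CUSTOM_EXTRA = [
    "buildpack maintenance and updates",
    "runtime security patches",
    "dependency vulnerability management",
    "buildpack configuration security",
]
DOCKER_EXTRA = [
    "base image maintenance",
    "OS-level security updates",
    "container configuration",
    "full-stack vulnerability management",
]

# A buildpack given as a URL (git or http) is a custom buildpack; a bare name
# such as nodejs_buildpack refers to a platform-managed system buildpack.
URL_BUILDPACK = re.compile(r"^(https?://|git://|git@|ssh://)")


def classify(app: dict) -> str:
    """Return 'docker', 'custom' or 'standard' from the app's v3 lifecycle."""
    lifecycle = app["lifecycle"]
    if lifecycle["type"] == "docker":
        return "docker"
    buildpacks = lifecycle.get("data", {}).get("buildpacks") or []
    if any(URL_BUILDPACK.match(bp) for bp in buildpacks):
        return "custom"
    return "standard"


def responsibilities(kind: str) -> List[str]:
    """Customer responsibilities grow as you move away from standard buildpacks."""
    resp = list(STANDARD_RESP)
    if kind == "custom":
        resp += CUSTOM_EXTRA
    elif kind == "docker":
        resp += DOCKER_EXTRA
    return resp


def findings(app: dict, kind: str) -> List[str]:
    """Configuration gaps to resolve before signing off on an app's SSP entry."""
    issues = []
    buildpacks = app["lifecycle"].get("data", {}).get("buildpacks") or []
    if kind == "standard" and not buildpacks:
        # No -b given: the buildpack is auto-detected at each staging, so a
        # restage may choose a different buildpack than the one you assessed.
        issues.append("buildpack auto-detected; pin one with -b for predictable restages")
    if kind == "custom":
        for bp in buildpacks:
            # cf push -b <url>#<ref> pins a branch, tag or commit; without it
            # every restage pulls whatever the default branch holds.
            if URL_BUILDPACK.match(bp) and "#" not in bp:
                issues.append(f"custom buildpack not pinned to a ref: {bp}")
    if kind == "docker":
        image = app.get("docker_image", "")
        # A tag like :latest is mutable; a sha256 digest is the only immutable reference.
        if "@sha256:" not in image:
            issues.append(f"image not pinned by digest: {image or '<unknown>'}")
    return issues


def report(apps_json: str) -> Dict[str, dict]:
    """Map app name -> deployment type, customer responsibilities and findings."""
    out = {}
    for app in json.loads(apps_json)["resources"]:
        kind = classify(app)
        out[app["name"]] = {
            "type": kind,
            "responsibilities": responsibilities(kind),
            "findings": findings(app, kind),
        }
    return out


# Constructed sample in the shape of `cf curl /v3/apps`, plus the assumed docker_image field.
SAMPLE_APPS_JSON = json.dumps({"resources": [
    {"name": "portal", "lifecycle": {"type": "buildpack",
        "data": {"buildpacks": ["nodejs_buildpack"], "stack": "cflinuxfs4"}}},
    {"name": "legacy", "lifecycle": {"type": "buildpack",
        "data": {"buildpacks": [], "stack": "cflinuxfs4"}}},
    {"name": "worker", "lifecycle": {"type": "buildpack",
        "data": {"buildpacks": ["https://github.com/your-org/custom-buildpack.git"],
                 "stack": "cflinuxfs4"}}},
    {"name": "worker-pinned", "lifecycle": {"type": "buildpack",
        "data": {"buildpacks": ["https://github.com/your-org/custom-buildpack.git#v2.1.0"],
                 "stack": "cflinuxfs4"}}},
    {"name": "api", "lifecycle": {"type": "docker", "data": {}},
        "docker_image": "your-registry/your-app:latest"},
]})

if __name__ == "__main__":
    for name, info in report(SAMPLE_APPS_JSON).items():
        print(f"{name}: {info['type']}")
        for issue in info["findings"]:
            print(f"  ! {issue}")
```

Run against real output by piping `cf curl /v3/apps` into `report()` after joining in each app's package image; the findings list is what you fix before documenting the app's inherited and customer controls.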
3. Document Shared Controls
For shared controls in your SSP:
| Control | Cloud.gov Responsibility | Customer Responsibility |
|---|---|---|
| CM-2 (Baseline Configuration) | Platform configuration | Application configuration |
| RA-5 (Vulnerability Scanning) | Infrastructure/platform scanning | Application code scanning |
| SI-2 (Flaw Remediation) | Platform patches | Application updates |
| AU-12 (Audit Generation) | Platform events | Application logging |
4. Implement Your Security Responsibilities
Customer Responsibility:
- Configure application logging
- Implement authentication/authorization
- Manage secrets and credentials
- Perform security testing
- Maintain incident response procedures
5. Maintain Ongoing Compliance
Regular maintenance tasks:
- Daily: Monitor application health and logs
- Weekly: Review security alerts
- Monthly: Update dependencies and restage
- Quarterly: Security assessment review
- Annually: Update SSP documentation
FAQs
Q: Where is the responsibility model documented?
A: The control-by-control breakdown is in the Customer Responsibility Matrix (CRM) that is part of Cloud.gov's FedRAMP package, Package ID F1607067912.
Q: How often should I update standard buildpack applications?
A: Restage monthly at minimum. A restage rebuilds your app against the current buildpack and stack, which is how platform-side security updates reach it: cf restage your-app
Q: Who handles zero-day vulnerabilities?
A: Cloud.gov patches platform vulnerabilities. Customers patch application-level vulnerabilities as soon as a fix is available; with a custom buildpack or Docker image, that includes the runtime and OS packages you ship.
Q: Can Cloud.gov manage my application security?
A: No. Cloud.gov provides a secure platform, but customers must implement and maintain application-level security controls.