FedRAMP Offerings
IBM offers an alternate SaaS security profile for both Maximo and TRIRIGA SaaS as defined by the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP program defines security standards for Cloud Service Providers (CSPs), assessment procedures for Third Party Assessment Organizations (3PAOs), and risk assessment guidelines for Federal agencies. IBM offers the FedRAMP SaaS alternative to Federal agencies, state and local governments, and commercial entities.
The FedRAMP program defines security controls to be implemented and documented by CSPs, audited by 3PAOs, and assessed by Authorizing Agencies and the FedRAMP Program Management Office (PMO). IBM followed this process using the FedRAMP Moderate controls and security level. Approximately 325 high-level controls, many of which decompose into multiple detailed controls, are documented and reviewed. The list of controls can be found at www.fedramp.gov. These controls are based on NIST controls, such as those in NIST SP 800-53.
IBM leverages the IBM SmartCloud for Government Infrastructure-as-a-Service (IaaS) offering, which has achieved a FedRAMP ATO at the Moderate and High levels. The Maximo and TRIRIGA FedRAMP offerings are provisioned exclusively in IBM Cloud Federal Data Center locations. The Dallas, TX IBM Cloud site is the primary location, with Ashburn, VA as the secondary location. These two sites are connected to each other through an independent, high-speed private network. All personnel directly supporting the FedRAMP environments are US citizens.
Security Package Access – Federal Agencies
For US Federal agencies (civilian and military), a Chief Information Security Officer (CISO) can submit a Package Access Request form available at www.fedramp.gov. After review and approval of the request by the FedRAMP PMO, IBM will be notified to make the entire documentation package available for viewing. Instructions for reaching the package contents will be forwarded along with the approval. Access to this package is available prior to completing a subscription to IBM Maximo and/or TRIRIGA SaaS.
Security Package Access – State/Local Agencies, Commercial Entities
For entities other than US Federal agencies (i.e., State/Local/Commercial), contact your sales representative to request access to the FedRAMP package. Identify the individual responsible for systems security compliance at the CIO level or at the level of a direct report to the CIO. A non-disclosure form specific to the individuals who will be reviewing the documents is required, independent of any other non-disclosure agreement between IBM and your organization.
Security Reviews and Authorizations
Once the IBM Maximo and TRIRIGA SaaS FedRAMP security package is available, a cursory review of the contents should be performed to confirm that the program generally aligns with expectations. Once that review is completed, an Authority to Operate (ATO) letter must be sent to IBM in order to receive access to the originally provisioned environments. This is a pre-formatted letter available with the security package. This ATO letter is generally considered a preliminary or provisional authority, subject to the completion of the remaining controls and a final review of the total package.
Once the provisional ATO letter is approved, the local team and security administrators can commence work on either migration or implementation of the Maximo or TRIRIGA software. Of the 325 FedRAMP Moderate controls, there are approximately 50 “hybrid” controls that require input from both IBM and the client. Completing these controls, along with a comprehensive review of the IBM controls, is generally required by the CISO/CIO in order to promote the system to full production.
Ongoing Operations
Under the FedRAMP program, IBM is required to implement, document, and independently assess the controls prior to receiving an authorization to operate. Ongoing operations, security testing, remediation, and updated documentation are all required to be performed as documented in the System Security Plan. Significant changes to the FedRAMP environment require documentation and assessment as they are implemented. Annually, the IBM program is assessed by the 3PAO with a partial audit of areas of concern or of priorities established by the FedRAMP PMO.
Disclaimer: Information provided in this wiki is for informational purposes only. Content is not to be considered part of any existing IBM® Maximo or TRIRIGA customer subscription, agreement, license or contract. From time to time, this site may contain technical inaccuracies or typographical errors, and IBM does not warrant the accuracy of any posted information. The information contained in this wiki is subject to change without notice. By visiting this wiki, you consent to the use of cookies and other tracking technologies by IBM's subcontractor, Atlassian, in accordance with the Atlassian Cookies & Tracking Notice found at https://www.atlassian.com/legal/cookies. If you do not consent to the collection of your data by Atlassian at any time, please leave the wiki and delete the cookies and other web-tracking technologies through your browser.