To FedRAMP or Not to FedRAMP. It’s More Than a Single Question.

Dec 26, 2023 | Maximo Cloud and Security, Resource Library, TRM Blog

John Q. Todd

Sr. Business Consultant/Product Researcher

Total Resource Management (TRM), Inc.

One significant decision an organization must make when moving its software tools and solutions to the cloud is the level of security that is required. The first instinct is that the highest and most restrictive environment is desired. But the real question remains: what is truly required? In the commercial world, the corporate IT security organization drives and documents the requirements, making them clear. In other contexts, however, there may be a perceived requirement that the only cloud environment allowed is FedRAMP.

It is important to know for sure if FedRAMP is a requirement or a preference. In some cases, a non-FedRAMP environment, while still deemed high security, is sufficient to meet the actual security requirements.

What is FedRAMP all about?

In this context, FedRAMP refers to the secure cloud services for Maximo and TRIRIGA, established to reduce the barriers to operating in the cloud for Federal agencies, their contractors, and non-Federal entities such as utilities. IBM Maximo and TRIRIGA SaaS for FedRAMP is hosted by IBM at its data centers and is operated and managed by TRM. FedRAMP covers the application, database, platform, and the infrastructure needed to host Maximo and TRIRIGA.

The genesis of FedRAMP was the Cloud First policy put into place by the Office of Management and Budget (OMB). Currently, the FedRAMP environment operates at the Moderate security level, certified and accredited as meeting the NIST SP 800-53 Rev4 security controls. (It is planned to move to Rev5 in March 2024.) The comprehensive System Security Plan (SSP) is in place and has been validated by a third-party assessment organization (3PAO).

One of the main goals of FedRAMP is to standardize the way the government does security assessments, authorizations, and continuous monitoring for cloud products and services. Standardization in this context increases consistency and confidence in the security of cloud solutions. It delivers transparency, uniformity of security packages, and sharing between the US government and cloud providers, expediting authorizations. This can greatly accelerate the adoption of cloud computing by allowing organizations to reuse existing authorizations. The cloud environment itself provides automation opportunities and real-time continuous monitoring.

One can imagine that such a secure computing environment may have limitations that other cloud environments do not. This is very true. If an organization is moving from an on-premises or other cloud-hosted situation, there may be Maximo configurations and custom functionality in place that cannot be implemented in FedRAMP. Third-party add-ons and other functions are restricted to those add-ons and applications that are currently authorized. As an example, IBM Maximo Mobile is included in IBM's FedRAMP-authorized System Security Plan (SSP), while other mobile solutions are not. Other add-ons and applications can be added via the Significant Change Request (SCR) process, but this takes time and is costly.

Thus far we have only mentioned Maximo being hosted in the FedRAMP environment. The expectation from IBM is that Maximo Application Suite (MAS) will be available in early Q1 of 2025.

What then are high-security cloud solutions?

One example is the TRM High Security Cloud, which is based upon NIST SP 800-53 Rev5. (Yes, you noticed that we are already on Rev5, whereas FedRAMP remains at Rev4 until March 2024. Rev5 takes more of an outcome-focused approach rather than one of simple compliance.) Our high-security cloud offering is suited for Federal agencies, their contractors, critical infrastructure providers, and any organization functioning in a regulated industry.

Advantages of the TRM high-security cloud solution are the flexibility to continue using any complex or unique configurations of your current Maximo (and MAS) system, as well as the ability to use third-party add-ons and mobile solutions.

Beyond just NIST 800-53, our high-security cloud solution can be deployed to meet the NIST 800-171/CMMC cybersecurity standards and regulations. Whatever the requirements, the cloud environment is governed by its System Security Plan (SSP).

As an option, just as you can in a FedRAMP environment, you can also be provided with a full-access development environment where you can configure and test new configurations before migrating them into production. A further option is read-only access to the underlying Maximo/MAS database via a site-to-site VPN connection. Single sign-on and access to Maximo/MAS via PIV/CAC cards is also available, provided that your Identity Provider, among its other requirements, supports the use of PIV/CAC.

A very typical situation is one where you are migrating from a current Maximo 7.6 on-premises instance to a high-security cloud environment and, at the same time, upgrading from Maximo to MAS 8.x. In essence there are two projects here: one to perform the upgrade of the data and software, and the other to perform the migration from on-premises to the cloud. These activities will require the expertise that TRM has developed over many years of working with clients across industries and federal agencies.

One aspect of the high-security cloud approach is that you will need to obtain an Authority to Operate (ATO) from your governing organization, as there is no third-party assessment organization that has already assessed the environment.

Wrap Up

Our admonition is that the first step should be to clearly understand the cybersecurity requirements your organization deems necessary. If an environment such as FedRAMP, with all its rigidity, is required, then so be it. But if FedRAMP is only a preference, then you have many other options available. Add to this the need to upgrade your Maximo software to MAS (and the new Red Hat OpenShift operating environment), and you have a significant project to manage.

TRM is best in class for a High Security Cloud MAS solution and services. TRM can provide market research, including our recommended approach and cost estimates for upgrading to a MAS cloud solution, once we better understand your preferred MAS upgrade and cloud hosting strategy.
