Joint Special Access Program (SAP) Implementation Guide (JSIG)
JSIG overview
Special Access Programs represent some of the US Department of Defense's (DoD) most sensitive information, which must be protected accordingly. Given the rapid increase in cybersecurity threats, DoD can no longer rely on physical isolation as a primary risk mitigation strategy. Instead, the National Institute of Standards and Technology (NIST) SP 800-37 provides a common information security framework for the US federal government and its contractors to improve information security, strengthen risk management processes, and transform the traditional certification and accreditation process into a modern Risk Management Framework (RMF). The DoDM 5205.07, Volume 1, Special Access Program (SAP) Security Manual: General Procedures, provides policy, guidance, and standards for the authorization of information systems and application of RMF within a DoD SAP.
The purpose of the Joint Special Access Program (SAP) Implementation Guide (JSIG) is to provide policy and guidance on the implementation of the RMF. JSIG serves as a technical supplement to NIST SP 800-53 and CNSSI 1253. It is used in combination with the applicable volume of DoDM 5205.07 in the application of the RMF. JSIG provides standardized policies for cybersecurity and information assurance, procedures, and implementation guidance for use in the management of systems at all classification levels under the purview of the SAP Authorizing Official (AO). These policies and procedures adhere to applicable laws, executive orders, directives, policies, regulations, standards, and guidance.
Azure and JSIG
Azure Government Secret and Azure Government Top Secret maintain JSIG Authorizations to Operate (ATO) at Protection Level 3 (PL3).
Azure Government Secret was developed using the same principles and architecture as Azure commercial cloud. It enables fast access to sensitive, mission-critical information while maintaining the security and integrity of classified workloads. It is available from three dedicated regions located over 500 miles apart. Azure Government Secret operates on secure, native connections to classified networks with options for ExpressRoute and ExpressRoute Direct for private, resilient, high-bandwidth connectivity.
Azure Government Top Secret serves the national security mission and empowers leaders across the Intelligence Community (IC), Department of Defense (DoD), and Federal Civilian agencies to process national security workloads classified at the US Top Secret level. Azure regions for Top Secret classified data expand the ability of our national security customers to achieve greater agility, cost savings, and speed to innovation.
Applicability
- Azure Government Secret
- Azure Government Top Secret
Services in scope
For a list of Microsoft cloud services in scope for the JSIG ATO in Azure Government Secret or Azure Government Top Secret, contact your Microsoft account representative.
Attestation documents
Contact your Microsoft account representative for assistance.
Frequently asked questions
What Azure services are covered by the JSIG Authorization to Operate (ATO)?
For a list of Microsoft online services in scope for the JSIG ATO in Azure Government Secret or Azure Government Top Secret, contact your Microsoft account representative.
Resources
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Azure for US Government
- Azure Government Secret
- Azure Government Top Secret
- DoDM 5205.07 Special Access Program (SAP) Security Manual, Volumes 1 - 4
- DoD Instruction 8510.01 DoD Risk Management Framework (RMF) for DoD Information Technology (IT)
- DoD Joint Special Access Program (SAP) Implementation Guide (JSIG)
- DoD SAP Program Manager's Handbook to the JSIG and RMF
- NIST SP 800-30 Guide for Conducting Risk Assessments
- NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
- CNSSI 1253 Security Categorization and Control Selection for National Security Systems