Akamai White Paper. FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud. FedRAMP. Federal Risk Authorization Management Program

Transcription

1 White Paper FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud FedRAMP Federal Risk Authorization Management Program

2 FedRAMP 2 Table of Contents Introduction 3 fedramp overview 3 AKAMAI AND FEDRAMP 4 FEDRAMP-CERTIFIED AKAMAI COMPONENTS AND BOUNDARIES 5 NEXT STEPS FOR GOVERNMENT AGENCIES 7

3 FedRAMP 3 Introduction In December 2010, the U.S. Chief Information Officer (CIO) released A 25-Point Implementation Plan to Reform Federal IT Management, as part of a comprehensive effort to increase the operational efficiency of federal technology assets. One element of the 25-Point Plan is for agencies to shift to a Cloud First policy, which is being implemented through the Federal Cloud Computing Strategy. Today, Government agencies are making inroads in shifting to the Cloud First policy, which requires federal agencies to (1) implement cloud-based solutions whenever a secure, reliable, and cost-effective cloud option exists; and (2) begin reevaluating and modifying their individual IT budget strategies to include cloud computing. Still, there are challenges facing agencies as they make this shift. For example, some agency CIOs have said that in spite of the stated security advantages of cloud computing, they are, in fact, concerned about moving their data from their data centers, which they manage and control, to outsourced cloud services. This trust gap needs to be addressed and the FedRAMP program provides a key pillar to help address that gap. FedRAMP, which has the goal of providing the best in government validation of cloud solution security controls, enables agencies to more swiftly move to leverage cloud based vendor solutions that comply with and participate in the FedRAMP process. FedRAMP facilitates the award of agencyspecific Approvals to Operate (ATO s), at a fraction of the time and cost normally required, for U.S. Government Agencies and compliant Cloud Service Providers. As one of the initial Cloud service providers to receive a Provisional Authority to Operate (P-ATO) from FedRAMP, encourages government agencies to learn how leveraging FedRAMP can help agencies save time and money, improve security and efficiency, and more quickly take advantage of the power of the Cloud. FedRAMP Overview FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a do once, use many times framework designed to save costs, time, and the personnel required to conduct agency security assessments. The objective of FedRAMP is threefold: 1. Ensure that information systems/services used government-wide have adequate information security; 2. Eliminate duplication of effort and reduce risk management costs; 3. Enable rapid and cost-effective procurement of information systems/services for federal agencies. These objectives are designed to accomplish the following FedRAMP goals: Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations; Increase confidence in the security of cloud solutions; Achieve consistent security authorizations using a baseline set of agreed upon standards for cloud solution approval in or outside of FedRAMP; Ensure consistent application of existing security practices; Increase confidence in security assessments; Increase automation and near real-time data for continuous monitoring.

4 FedRAMP 4 Some of the major benefits of FedRAMP include: Increased re-use of existing security assessments across agencies; Significant savings in terms of cost, time and resources do once, use many times; Improved real-time security visibility; Increased uniformity in regards to risk-based security management; Enhanced transparency between government and cloud service providers (CSPs); Better trust, reliability, consistency, and quality in the Federal security authorization process. FedRAMP is the result of close collaboration with cyber security and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry. Agencies or cloud service providers (CSPs) can initiate the FedRAMP assessment process. This process begins a security assessment using FedRAMP requirements (which are FISMA compliant and based on the NIST rev3) and initiates a vendor/government collaboration coordinated via the FedRAMP PMO. CSPs must implement the FedRAMP security requirements within their environments, and hire a FedRAMP approved third party assessment organization (3PAO) to perform an independent assessment and audit of the vendor s cloud system. This results in the delivery of a security assessment package for review by appropriate stakeholders. The FedRAMP Joint Authorization Board (JAB) reviews security assessment packages based on a prioritized approach and may grant a provisional authorization. Federal agencies can leverage CSP authorization packages for review when granting an agency specific Authority to Operate (ATO). and FedRAMP received a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) of the Federal Risk and Authorization Management Program (FedRAMP) on August 22, This is the first JAB P-ATO granted to a globally-distributed, publicly-shared cloud services platform. Agencies can leverage cloud services directly or use them to front-end other FedRAMP-compliant data center solutions. Often referred to as FedRAMP to the power of two, this model offers a unique end-to-end FedRAMP-compliant solution that is designed to make it easier for U.S. government agencies to use shared cloud services in support of their computing initiatives. By taking this approach, Government agencies will dramatically increase their security posture, improve availability and provide unprecedented visibility and application access to the end user. Because our solution often serves as the first touch for government agency constituents, takes our commitment to FedRAMP very seriously. From customer facing services, content delivery solutions, and internal mechanisms used to manage and maintain the Delivery Network (CDN), everything our government customers use and need has been certified. The boundary is the broadest set of offerings that FedRAMP has provisioned to date. We felt this commitment was crucial to ensure our government customers can leverage solutions with confidence. s FedRAMP solutions have been certified and are part of the FedRAMP program of continuous monitoring. Government organizations can trust the Intelligent Platform as the foundation for their cloud computing projects. enables agencies to move forward confidently with a Cloud First strategy that improve the security, performance, and scale of their cloud based solutions. has remained committed to serving public sector cloud solution needs, such as DNSSEC, IPv6 and HIPAA compliance, and we continue to demonstrate that commitment with the award of our FedRAMP P-ATO. As one of the initial Cloud service providers to receive a Provisional Authority to Operate (P-ATO) from FedRAMP, encourages government agencies to learn how leveraging FedRAMP can help agencies save time and money, improve security and efficiency, and more quickly take advantage of the power of the Cloud.

5 FedRAMP 5 FedRAMP-certified Components and Boundaries Throughout the FedRAMP System Security Plan (SSP) documentation and control responses, the use of the system name, Delivery Network (CDN), is inclusive of the system components and boundaries used to provide customerfacing services as well as internal mechanisms used to manage and maintain the CDN. Both customerfacing services and internal mechanisms that constitute the accreditation boundary are described in CDN SSP Section 9.2 located in the FedRAMP repository. Services provided by that meet the FedRAMP security requirements and have been granted an Authority to Operate by the Joint Authorization Board (JAB) include: Content Delivery: The Intelligent Platform resolves end user requests for content using a massive server infrastructure with more than 140,000 servers deployed in more than 1,000 ISP networks in over 90 countries worldwide. Secure Content Delivery: Information protected by SSL/TLS is delivered from a dedicated, highly secure portion of the CDN over HTTPS. The Secure CDN was designed by s security experts to meet robust levels of physical, network, software and procedural security. NetStorage: s globally-distributed NetStorage service is an alternative upload repository for customers that require on-demand scalability for their asset uploads. NetStorage provides multiple petabytes of storage capacity and replicates files for effective scaling and high availability. Files uploaded to NetStorage are available for immediate HTTP(S) download by Internet users. On-Demand and Live Streaming HD Network: The HD Network leverages the tested and proven Intelligent Platform. With this highly decentralized network deployed deep into regional and local ISP networks, video [is physically as close to consumers as possible] to enable fast video start-up times, high availability, and superior performance. Global Traffic Management Service: Global traffic management (GTM) can be combined easily with other services to provide powerful and highly-available web delivery solutions. GTM offers different modules for traffic control in a variety of situations. All modules are built on a common fault-tolerant, globally-distributed name server infrastructure. Enhanced Domain Name System: s Enhanced Domain Name System (DNS) service provides enterprise websites with a robust, reliable, and scalable outsourced DNS solution designed to dependably direct end users to enterprise website applications. Using a secondary DNS approach, Enhanced DNS makes it possible for enterprises to leverage a distributed network of DNS servers, while retaining their existing management and update processes for DNS zone administration. s using Enhanced DNS can enable DNSSEC. Luna Control Center: As the customer portal interface, the Luna Control Center offers flexible organization, interactive reporting and diagnostic tools to proactively research, troubleshoot, and resolve anomalies. Accessed via HTTPS, customers can monitor activity, configure and administer solutions, deploy and manage content, analyze business-critical information, resolve issues, plan events, and collaborate with the team.

6 FedRAMP 6 The following internal mechanisms are also included in the CDN accreditation boundary: Key Management Infrastructure: The Key Management Infrastructure (KMI) is s standardized system for generation escrow, distribution, and access control for private information. Authgate: s authorization gateway, Authgate, verifies that users are connected to the corporate Application Origin network. It also verifies that they are connected to a computer with an certificate, have an SSH key thator Hosting Provider matches their identity, and can connect to the machine they wish to access. Alert Management System: The Alert Management System (AMS) oversees s deployed networks in realtime and sends alerts to s Network Operations Control Center (NOCC), which runs continuously. Logs are Application Origin or Hosting Provider stored for forensic purposes and are accessible via a reporting tool. Luna Luna Control Center Deliver Delivery Network s Domain Name : operates a dynamic DNS that returns answers computed on the fly. Luna Control Center Lunaconditions Control Center on the Internet. A typical use is to return the IP address of a server that is assigned dynamically, given current Application Origin Domai Content Domain Name Application Origin or Hosting Provider Network Operations Command Center: The NOCC is distributed across three locations: Bangalore, Cambridge NameDelivery Edge or Hosting Provider NOTE: Accreditation and San Mateo. The NOCC enables proactive monitoring and troubleshooting of all servers in the global Aka Boundary does NOT include ISPs, Aka Manag Globa network. non- owned datacenters, Enhanced Domain Cont Management (GT Delivery Network Accreditation Boundary Luna Control Center Application Origin or Hosting Provider Delivery Edge ISPs, Telecom Datacenters, Networks (Non ) EdgeComputing EdgeComputing NOTE: Accreditation Domain NOTE: Accreditation Boundary does NOT include ISPs, Name Boundary does NOT include ISPs, non- owned datacenters, non- datacenters, or owned the Internet Content Delivery Network Accreditation Boundary ISPs, Telecom Datacenters, Internet or the Internet Public User Delivery Network Accreditation Boundary Global Traffic Networks (Non ) Management (GTM) Enhanced Domain Name Streaming Edge ISPs, Telecom Datacenters, Internet ISPs, Telecom Datacenters, Networks (Non ) Internet Net Storage Networks (Non ) Content Delivery Edge NOTE: Accreditation Boundary does NOT include ISPs, non- owned datacenters, or the Internet Internet EdgeComputing Delivery Network Accreditation Boundary Public User or the Internet Edg Akama EnhancedName Domain Name Delivery Edge Delivery Edge NOTE: Accreditation A Boundary does NOT include ISPs,Delivery Secure Content Net non- owned datacenters, Delivery Edge ISPs, Telecom Datacenters, or the Internet Edge InternetDelivery Net Networks (Non ) Public User s Local Name Server Also included with FedRAMP accreditation boundary: - Internal Systems: KMI, Authgate, and AMS - NOCC Public User Public User Public User s Public User s Local Name Server Local Name Server

7 FedRAMP 7 Next Steps for Government Agencies Now that FedRAMP and cloud service providers are doing the heavy lifting in standardizing security assessments, authorization, and continuous monitoring for cloud products and services, government agencies can use the FedRAMP repository, review extensive documentation, and leverage the P-ATO designation to streamline their process for issuing agency specific ATOs. FedRAMP serves as the baseline for initiating, reviewing, granting, and revoking security authorizations for cloud services in an efficient and robust manner. Federal agencies must use the baseline controls and accompanying FedRAMP requirements (templates, test cases, guidance) when leveraging assessments and authorizations or initiating assessments for cloud services. Prior to procuring a new cloud service or conducting an assessment and authorization of an existing cloud service, check the FedRAMP repository to see if it already contains an assessment package for a cloud system an agency is using or might procure. If a cloud service is in the FedRAMP repository, Federal agencies can then leverage the security assessment package to make their own risk-based decision regarding whether or not to use that cloud system. If an Agency selects a cloud service not listed in the FedRAMP repository, the agency must follow the FedRAMP approved security assessment process to grant an Authority to Operate (ATO). Federal agencies may do this through initiating the process with the FedRAMP PMO and JAB or by completing the FedRAMP process within their respective agency. Once an agency has completed the assessment of the cloud service and granted an ATO, the Agency must submit the completed security assessment package to the FedRAMP PMO for inclusion in the FedRAMP repository. The repository provides a central location of security assessment packages for cloud solutions meeting FedRAMP requirements that can be leveraged by other Federal agencies. Complete FedRAMP templates can be accessed at

8 FedRAMP 8 is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company s solutions is the Intelligent Platform providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how is accelerating the pace of innovation in a hyperconnected world, please visit or blogs.akamai.com, and on Twitter. is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. and the wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 01/15.