Presented By Rick Link, Coalfire December 13, 2012

Transcription

1 FedRAMP Federal Risk and Authorization Management Program Sponsored by Presented By Rick Link, Coalfire December 13, 2012

2 Learning Objectives Attendees will be able to understand: New Terminology and Definitions Federal Agencies and the Cloud What is the FedRAMP Program How the Cloud Relates FedRAMP Assessments Continuous Monitoring Requirements Where to Get Supplemental Information Q&A FedRAMP A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. 2

3 New Terminology and Definitions SDOC Supplier s Declaration of Conformity FCCI Federal Cloud Computing Initiative POA&M Plan of Action and Milestones 3PAO Third Party Assessor Organizations GSA General Services Administration ERB (Government) Expert Review Board FISMA Federal Information Security Management Act (2002) CSP Cloud Service Provider FedRAMP Federal Risk and Authorization Management Program SAR Security Assessment Report JAB Joint Authorization Board ATO Authority to Operator TR Technical Requirements SSP System Security Plan CONOPS Concept of Operations ISSO Information System Security Officer 3

4 Federal Agencies and the Cloud 4

5 Vivek s Kundra s 25 Point Implementation Plan 1. Complete detailed implementation plans to consolidate at least 800 data centers by Create a government-wide marketplace for data center availability 3. Shift to a Cloud First policy 4. Stand-up contract vehicles for secure IaaS solutions 5. Stand-up contract vehicles for commodity services 6. Develop a strategy for shared services 7. Design a formal IT program management career path 8. Scale IT program management career path government-wide 9. Require integrated program teams 10. Launch a best practices collaboration platform 11. Launch technology fellows program 12. Enable IT program manager mobility across government and industry 13. Design and develop a cadre of specialized IT acquisition professionals 5

6 Vivek s Kundra s 25 Point Implementation Plan 14. Identify IT acquisition best practices and adopt government-wide 15. Issue contracting guidance & templates to support modular development 16. Reduce barriers to entry for small innovative technology companies 17. Work with Congress to develop IT budget models that align with modular development 18. Develop supporting materials & guidance for flexible IT budget models 19. Work with Congress to scale flexible IT budget models more broadly 20. Work with Congress to consolidate commodity IT spending under Agency CIO 21. Reform and strengthen Investment Review Boards 22. Redefine role of Agency CIOs & Federal CIO Council 23. Rollout TechStat model at bureau-level 24. Launch myth-busters education campaign 25. Launch interactive platform for pre-rfp agency-industry collaboration 6

7 US Federal Govt IT Security Spend FY2011 7

8 IT Security Spend as % of Total IT Spend FY2011 8

9 Malware Threats to the Federal Govt FY2011 A computer security incident, as defined by NIST Special Publication , is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. Malicious code continues to be the most widely reported incident type across the Federal Govt. As indicated in the above table, which includes a breakout of incidents reported to the US CERT by Federal agencies in FY2011, malicious code accounted for 27% of the total incidents reported. 9

10 What is FedRAMP? Federal Risk and Authorization Management Program As Is To Be "FedRAMP establishes a standardized approach to security assessment, authorization and continuous monitoring. It will save cost, time, money and staff associated with doing this work." Steven Van Roekel, Federal Chief Information Officer Goals: Ensure common CSP security and compliance standards by awarding an Authority to Operate (ATO) which is accepted by all Federal Agencies Reduce tax use of government infrastructure Do once, use many framework 10

11 The FedRAMP Framework Initiating Agencies or CSPs are the initiators for the FedRAMP program by pursuing a security authorization. The FedRAMP requirements are based on NIST SP Rev. 3 (same applies to FISMA). Assessing Based on the NIST SP Rev. 3 requirements, CSPs must hire a 3PAO to perform an independent assessment. Authorizing Upon completion, the security assessment package will then be forwarded to the FedRAMP Joint Authorization Board for review. Leveraging The CSP will then continue to work with the executive departments and agencies for the Authority to Operate (ATO) permissions. 11

12 Major Players Federal Agencies JAB (DOD, DHS, GSA) PMO- GSA Technical Advisor NIST Continuous Monitoring - DHS FedRAMP PMO Cloud Service Provider Provides Cloud IT Services with a provisional authorization granted by FedRAMP JAB 3 rd Party Assessment Organization Performs initial and periodic assessment of security and privacy controls deployed in Cloud information systems 12 12

13 FedRAMP Stakeholder Roles and Interaction 13 13

14 FedRAMP and the Security Assessment and Authorization Process FedRAMP Consistency and Quality Trustworthy & Re-useable Near Real-Time Assurance Independent Assessment CSP must retain an independent assessor from FedRAMP accredited list of 3PAOs 14 Provisional Authorization Joint Authorization Board reviews assessment packages and grants provisional authorizations Agencies issue ATOs using a risk-based framework 14 Ongoing A&A (Continuous Monitoring) DHS CyberScope Data Feeds DHS US CERT Incident Response and Threat Notifications FedRAMP PMO POA&Ms

15 FedRAMP Phases and Timeline FY12 FY12 FY13 Q2 FY14 Pre-Launch Activities Initial Operational Capabilities (IOC) Full Operations Sustaining Operations Finalize Requirements and Documentation in Preparation of Launch FY12 Launch IOC with Limited Scope and Cloud Service Provider (CSP)s Execute Full Operational Capabilities with Manual Processes Move to Full Implementation with On-Demand Scalability Key Activities Publish FedRAMP Requirements (Security Controls, Templates, Guidance) Publish Agency Compliance Guidance Accredit 3PAOs Establish Priority Queue Authorize CSPs Update CONOPS, Continuous Monitoring Requirements and CSP Guidance Conduct Assessments & Authorizations Scale Operations to Authorize More CSPs Implement Electronic Authorization Repository Scale to Steady State Operations Outcomes Initial List of Accredited 3PAOs Launch FedRAMP into Initial Operating Capabilities Initial CSP Authorizations Established Performance Benchmark Gather Feedback and Incorporate Lessons Learned Multiple CSP Authorizations Defined Business Model Measure Benchmarks Authorizations Scale by Demand Implement Business Model Self-Sustaining Funding Model Covering Operations Privatized Accreditation Board 15 15

16 Authorized Cloud Service Providers No CSPs have formally met FedRAMP requirements or have been granted a FedRAMP Provisional Authorization. 16

17 16 Accredited 3PAOs Organization POC Name POC BrightLine Doug Barbin COACT, Inc. Brian Pleffner Coalfire Systems Tom McAndrew DOT Enterprise Service Center (ESC) Douglas Holland Dynamics Research Corporation (DRC) Prenston Gale Earthling Security, Inc. Yusuf Ahmed Electrosoft Services, Inc. Sarbari Gupta EmeSec Incorporated Rod Volz Homeland Security Consultants Sean Cope J.D. Biggs and Associates, Inc. James Biggs Knowledge Consulting Group, Inc. Paul Nguyen Logyx LLC Robert Dumais Lunarline, Inc. Waylon Krush Secure Info Yong-Gon Chon SRA International, Inc. William Bell Veris Group, LLC Michael Carter Note: 3PAOs as of December 12,

18 3PAO Conformity Assessment Process Conformity assessment process to accredit 3PAOs based on NIST program Conformity assessment process accredits 3PAOs based on: (1) Independence and quality management in accordance with ISO standards; and (2) Technical competence through FISMA knowledge testing. Benefits of leveraging a formal 3PAO approval process: Consistency in performing security assessments Ensures 3PAO independence from Cloud Service Providers Establishes an approved list of 3PAOs for CSPs and Agencies to use 18 18

19 3PAO Acceptance Process Review Application 3PAO candidate reviews application at business decision to apply. Gather Materials 3PAO candidate gathers artifacts and completes application Security Assessment Report System Security Plan Submit Application 3PAO candidate submits application Applicant Assessment Test Procedures Review by ERB Expert Review Board with members from GSA and ISO independent cybersecurity experts review the application. Applicant Decision FedRAMP PMO reviews ERB recommendation and provides 3PAO an acceptance decision. 19 List of Accredited 3PAO for Use by Agency and CSPs 19

20 FedRAMP and the Cloud 20

21 Service Models Deployment Models Essential Characteristics Defining the Cloud (5-4-3) Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, four deployment models, and three service models. NIST SP The NIST Definition of Cloud Computing Emerging Trend Security as a Service?? 21

22 Agency Likelihood to Adopt Cloud Services Source: InformationWeek Analytics/Information Week Government Federal Cloud Computing Survey 22

23 Different Industries Have Similar Challenges Industry Regulations Evaluation Technology DoD 8500, STIGS C&A BANKING FFIEC EXAMS AUDITS PCI FEDRAMP PCI DSS NIST QSA 3PAO NEED FOR CLOUD, SIMILAR CLOUD TECHNOLOGIES, SIMILAR CONTROLS UTILITIES NERC CIP EMERGING HEALTHCARE HIPAA HITECH EMERGING 23

24 FedRAMP Assessments 24

25 Governance within FedRAMP 25

26 FedRAMP Assessment Source: FedRAMP PMO 26

27 Establishing Baseline FedRAMP Security Controls Source of controls - NIST SP R3 for low and moderate impact systems Cloud Computing Security Working Group Creates Security Requirements Baseline JAB Technical Representative s (TRs) Identify Additional Controls and Enhancements Public Vetting of Security Control Baseline with Agency and Industry JAB TRs Evaluate and Incorporate Public Feedback JAB Establishes Security Controls Baseline with Recommend ations from TRs, Industry, & Agencies Agencies can add controls to address the unique elements of cloud computing in their environment 27 27

28 Common Challenges for CSPs Lessons Learned from early adopters # Control Description 1 2 SSP SC-7 System Security Plan (SSP) lacks sufficient detail (statements are generic and do not have enough technical breadth or depth. Accreditation Boundary is not defined CM-8 RA-5 CM-2 IA-2 Asset list is not defined. Technical Testing not being performed (Vulnerability Scanning, Application Scanning, Database Scanning). Baseline Configurations not established for all assets. Two-Factor Authenication not fully implemented. 7 IA-7/SC-13 FIPS Validated crypto modules not in place PS-3 AI-2 AU-2 Background Checks not performed on all staff. Flaws are not remeidated in a timely fashion (30 days). Logging is not enabled or sending to a centralized log server. 28

29 Continuous Monitoring 29

30 Continuous Monitoring CyberScope only had 4 federal agencies for FY2010 to submit automated data feeds and in FY out of 24 agencies have successfully submitted automated data feeds which is a 63% increase. CyberScope focuses on data feeds for IT asset inventory, system configuration, and vulnerability management and provided insight into the systems being managed. Success stories include the Department of Veterans Affairs and the Environmental Protection Agency which averages of 100% and 95% respectively of systems managed in all three components of continuous monitoring. The goal of asset inventory management capability is to be able to account for 100% of agency s IT assets using an automated asset management system and to identify and remove unmanaged assets before they are exploited and used to attack other assets. Source: FY 2011 Report to Congress on the Implementation of FISMA Act of

31 CyberScope % of Continuous Monitoring Capabilities Reported by Agencies Source: Same as previous slide

32 What s Next With the FedRAMP Program Activity 3PAO Applications End for Initial Batch* Date January 20, 2012 at 5pm EST FedRAMP CONOPS Release February 5, 2012 Release of Initial List of 3PAOs March April 2012 Launch FedRAMP Initial Operating Capabilities June 2012 Initial CSP Authorizations Q4 2012, Q *After initial batch, applications for 3PAOs processed on an ongoing basis

33 Supplemental Information 33

34 Helpful Background Resources 1. GSA Guide to Understanding FedRAMP nding_fedramp_061312_508.pdf 2. U.S. Federal CIO Federal Cloud Computing Strategy content/uploads/downloads/2012/09/federal-cloud- Computing-Strategy.pdf 3. U.S. Federal CIO Federal Cloud Computing Strategy (slide deck) content/uploads/downloads/2012/09/vivek-kundra-federal- Cloud-Computing-Strategy pdf 34

35 Guidelines for 3PAO Responsibilities The 3PAOs are responsible for the security testing of the CSPs FedRAMP package. The 3PAOs are required to fill out three (3) primary templates: Security Test Procedure Workbooks Security Assessment Plan (SAP) Security Assessment Report (SAR) 35

36 FedRAMP Templates FIPS 199 Template: Assists in the security categorization for CSPs. CSPs should use NIST SP Rev. 1, Vol. 2 as a furthering guidance tool. The FIPS 199 analysis should be performed with respect to service provider system data only. E-Authentication Template: CSPs select the appropriate e-authentication level for the system in order to more easily select the right technology solution to implement the designated level. CSPs should use NIST SP , Rev 1 as a furthering guidance tool. Privacy Threshold Analysis and Privacy Impact Assessment: CSPs fill out a Privacy Threshold Analysis (PTA), which consists of 4 short questions. The questions determine if the system qualifies as a Privacy Sensitivity System. If the system qualifies, then a Privacy Impact Assessment is required. 36

37 FedRAMP Templates CTW Template (Control Tailoring Workbook): Provides CSPs with a list of the FedRAMP security controls applicable to the cloud environment. Also identifies the exception scenarios for the candidate service offering. CIS Template (Control Implementation Summary): This template should be filled out to indicate the implementation status for controls. However, CSPs must indicate in the CIS the entity that owns the responsibility to implement and manage the control. This could include joint ownership between the CSP and customer agency. 37

38 Questions Rick Link, Coalfire Managing Director, Southwest Region O: C: Visit the Coalfire blog: 38