FedRAMP Digital Identity Requirements. Version 1.0

Similar documents
Agency Guide for FedRAMP Authorizations

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.2

FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide. Version 1.0

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1

FedRAMP Security Assessment Framework. Version 2.1

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP Security Assessment Framework. Version 2.0

FedRAMP Training - Continuous Monitoring (ConMon) Overview

READ ME for the Agency ATO Review Template

FedRAMP Initial Review Standard Operating Procedure. Version 1.3

Guide to Understanding FedRAMP. Version 2.0

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Dissecting NIST Digital Identity Guidelines

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

FedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS. VERSION 1.0 October 20, 2016

COMPLIANCE IN THE CLOUD

American Association for Laboratory Accreditation

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Incident Response Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

Continuous Monitoring Strategy & Guide

Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

Interagency Advisory Board Meeting Agenda, December 7, 2009

NIST RISK ASSESSMENT TEMPLATE

Branding Guidance December 17,

Introduction to AWS GoldBase

DISA CLOUD CLOUD SYMPOSIUM

FedRAMP Security Assessment Plan (SAP) Training

INFORMATION ASSURANCE DIRECTORATE

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

MIS Week 9 Host Hardening

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Measuring Authentication: NIST and Vectors of Trust

About the DISA Cloud Playbook

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

FISMAand the Risk Management Framework

Introduction of the Identity Assurance Framework. Defining the framework and its goals

DRAFT DEPARTMENT OF DEFENSE (DOD) CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG) Version 1, Release December, 2014

Risk Management Framework for DoD Medical Devices

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

Secure Government Computing Initiatives & SecureZIP

3/2/2012. Background on FISMA-Reheuser. NIST guidelines-cantor. IT security-huelseman. Federal Information Security Management Act

FedRAMP Penetration Test Guidance. Version 1.0.1

RISK MANAGEMENT FRAMEWORK COURSE

Compliance with NIST

Developed by the Defense Information Systems Agency (DISA) for the Department of Defense (DoD)

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure

Ohio Supercomputer Center

FedRAMP Training - How to Write a Control. 1. FedRAMP_Training_HTWAC_v5_ FedRAMP HTWAC Online Training Splash Screen.

PKI and FICAM Overview and Outlook

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Executive Order 13556

INFORMATION ASSURANCE DIRECTORATE

fips185 U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology

FiXs - Federated and Secure Identity Management in Operation

Session 6A: Export Controls and Cloud Computing. Key Regulatory Issues

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Interagency Advisory Board Meeting Agenda, Wednesday, May 23, 2012

IT-CNP, Inc. Capability Statement

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

HITPC Stage 3 Request for Comments Smart Card Alliance Comments January, 14, 2013

Password Standard Version 2.0 October 2006

Exhibit A1-1. Risk Management Framework

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Internal Revenue Service (IRS) Publication 1075 Compliance in AWS. February 2018

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Stakeholder and community feedback. Trusted Digital Identity Framework (Component 2)

SAC PA Security Frameworks - FISMA and NIST

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

See the ID Rules Before Us: FAL IAL AAL eh? Aaaagh!!! How, How, How, How?

Trust Services for Electronic Transactions

Chapter 9 Section 3. Digital Imaging (Scanned) And Electronic (Born-Digital) Records Process And Formats

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Who s Protecting Your Keys? August 2018

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Fiscal Year 2013 Federal Information Security Management Act Report

Guidelines for Choosing an Advanced Authentication Solution for Accessing Criminal Justice Information System (CJIS) Services

Cybersecurity Challenges

Compliance with CloudCheckr

Procuring Cloud Based Services Federal Policies

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution

Stakeholder and community feedback. Trusted Digital Identity Framework

INFORMATION ASSURANCE DIRECTORATE

DFARS Cyber Rule Considerations For Contractors In 2018

IMPLEMENTING AN HSPD-12 SOLUTION

Akamai White Paper. FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud. FedRAMP. Federal Risk Authorization Management Program

Rev.1 Solution Brief

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

Internet Engineering Task Force (IETF) Request for Comments: 6403 Category: Informational ISSN: M. Peck November 2011

Click to edit Master title style

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

COMPLIANCE SCOPING GUIDE

Streamlined FISMA Compliance For Hosted Information Systems

SWAMID Person-Proofed Multi-Factor Profile

Transcription:

FedRAMP Digital Identity Requirements Version 1.0 January 31, 2018

DOCUMENT REVISION HISTORY DATE VERSION PAGE(S) DESCRIPTION AUTHOR 1/31/2018 1.0 All Initial document FedRAMP PMO i

ABOUT THIS DOCUMENT This document provides revised guidance and requirements on digital identity capabilities in support of achieving and maintaining a Federal Risk and Authorization Management Program (FedRAMP) security authorization. FedRAMP-authorized systems must be fully compliant by July 1, 2018. This document is not a FedRAMP template there is nothing to fill out in this document. This document uses the term authorizing official (AO). For systems with a Joint Authorization Board (JAB) provisional authorization to operate (P-ATO), AO refers primarily to the JAB unless this document explicitly says Agency AO. For systems with a FedRAMP Agency authorization to operate (ATO), AO refers to each leveraging Agency s AO. WHO SHOULD USE THIS DOCUMENT? This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessor Organizations (3PAOs), government contractors working on FedRAMP projects, and government employees working on FedRAMP authorizations. HOW TO CONTACT US Questions about FedRAMP or this document should be directed to info@fedramp.gov. For more information about FedRAMP, visit the website at http://www.fedramp.gov. ii

TABLE OF CONTENTS DOCUMENT REVISION HISTORY... I ABOUT THIS DOCUMENT... II WHO SHOULD USE THIS DOCUMENT?... II HOW TO CONTACT US... II 1. PURPOSE...1 2. BACKGROUND...1 3. DIGITAL IDENTITY REQUIREMENTS...2 4. TRANSITION PLAN...4 APPENDIX A: FedRAMP ACRONYMS...5 LIST OF TABLES Table 1. Mapping FedRAMP Levels to NIST SP 800-63 R3 Assurance Levels...2 iii

1. PURPOSE On June 22, 2017, the National Institute of Standards and Technology (NIST) published Revision 3 of Special Publication (SP) 800-63, Digital Identity Guidelines (formerly titled Electronic Authentication Guidelines). The differences in the new revision that most impact FedRAMP authorizations include emphasis on federation, new password guidance, and options for easing restrictions on in-person identity validation for even High assurance authorizations. This document establishes revised guidance and requirements on digital identity capabilities, which CSPs must implement by July 1, 2018 for FedRAMP-authorized systems. 2. BACKGROUND Since NIST last revised these guidelines, security measures and threats have evolved. Further, the marketplace and business model for providing identity management has changed. Revision 3 focuses on how identity management can be comprised of multiple independent capabilities, each of which relies on diverse digital identity measures across identification, authentication, and possibly federation. Thus, NIST decided to depart from the static one-volume structure and instead to release Revision 3 as a flexible four-volume format that allows entities to componentize their security in a way that reflects their own business structure. NIST s requirements for digital identification, authentication, and federation are critical to FedRAMP authorizations; therefore, CSP compliance will be enforced by FedRAMP. 1

3. DIGITAL IDENTITY REQUIREMENTS The FedRAMP Program Management Office (PMO) is adopting a static alignment between Federal Information Processing Standards (FIPS) 199 system categorization levels and the new NIST 800-63 assurance levels, as depicted in Table 1 below. Table 1. Mapping FedRAMP Levels to NIST SP 800-63 R3 Assurance Levels FEDRAMP SYSTEM CATEGORIZATION IDENTITY ASSURANCE LEVEL (IAL) AUTHENTICATOR ASSURANCE LEVEL (AAL) FEDERATION ASSURANCE LEVEL (FAL) High IAL3: In-person, or supervised remote identity proofing AAL3: Multi-factor required based on hardware-based cryptographic authenticator and approved cryptographic techniques FAL3: The subscriber (user) must provide proof of possession of a cryptographic key, which is referenced by the assertion. The assertion is signed and encrypted by the identity provider, such that only the relying party can decrypt it Moderate IAL2: In-person or remote, potentially involving a trusted referee AAL2: Multi-factor required, using approved cryptographic techniques FAL2: Assertion is signed and encrypted by the identity provider, such that only the relying party can decrypt it Low IAL1: Self-asserted AAL1: Single-factor or multi-factor FAL1: Assertion is digitally signed by the identity provider FedRAMP Tailored LI-SaaS IAL1: Self-asserted AAL1: Single-factor or multi-factor FAL1: Assertion is digitally signed by the identity provider FedRAMP continues to interpret approved cryptographic techniques as FIPS 140-2 Validated cryptographic modules, which aligns with prior FedRAMP guidance. CSPs must review SP 800-63-3, use its decision trees to obtain an overview of all digital identity requirements, and read the applicable 800-63 volumes to determine specific requirements that apply to their cloud offerings. The FedRAMP PMO is requiring or recommending the following in alignment with the 800-63, Revision 3 changes for all FedRAMP-authorized systems: 2

1. Systems with a federated identity management solution must comply with NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions. This does not apply to systems with no federated identity management. 2. Agencies and CSPs may adopt the supervised remote identity proofing requirements up to FedRAMP High (IAL level 3), as described in NIST 800-63A, Digital Identity Guidelines: Enrollment & Identity Proofing. This change can reduce travel time and money spent in order to authorize individuals for work on Moderate and High sensitivity systems. 3. Agencies and CSPs may adopt the trusted referee requirements to operate on a person s behalf to provide identity proofing at the Moderate level IAL2, as described in NIST 800-63A, Digital Identity Guidelines: Enrollment & Identity Proofing. Like supervised remote identity proofing, this is added to ease burdens on agencies and CSPs. 4. Agencies and CSPs are permitted and encouraged to lower password requirements as allowed by NIST 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. This sets lower complexity requirements for memorized secrets so that CSPs have more flexibility in enforcement; however, this does not prevent agencies and CSPs from imposing further limitations, if desired. NOTE: At the time of this document s publication, FedRAMP Moderate and High controls IA-5 (g) and IA-5 (1) (a,d) are known to be more restrictive than the new password requirements in 800-63B, AAL2 and AAL3 respectively. FedRAMP recommends Agency AOs accept compliance with NIST s guidance that is most up-to-date and consistent with current cyber security threats. This may be done using an implementation status of Alternative Implementation. 3

4. TRANSITION PLAN The requirements described in this document are effective immediately, and each FedRAMP system must be fully compliant with NIST SP 800-63-3 by July 1, 2018. This FedRAMP compliance deadline matches the NIST enforcement requirement date of one year after publication release and maintains FedRAMP compliance with the Federal Information Security Management Act (FISMA) requirements. By March 31, 2018, each CSP must provide written notification to their AO identifying when their cloud service offering will be fully compliant with NIST SP 800-63-3 requirements. If the CSP anticipates being unable to meet the July 1, 2018 deadline, the written communication must also include a justification and a plan of action detailing how and when the CSP will fully comply with NIST SP 800-63-3 requirements. Where full implementation is not possible, the CSP must work with their AO on a mitigation plan. The AO must review and approve the CSP s implementation or mitigation plan. For systems with a JAB P-ATO, the CSP should post the plan to OMB MAX and send an email notification to info@fedramp.gov, or discuss an alternative arrangement with their FedRAMP POC. For systems with an Agency AO, please coordinate with the AO s office for an appropriate delivery mechanism. For systems with a JAB P-ATO, FedRAMP will track the SP 800-63-3 compliance transition status as part of monthly continuous monitoring activities and include this status in the monthly ConMon Report. For systems with a FedRAMP Agency ATO, the CSP must consult with their Agency AOs regarding implementation status tracking. Agency AOs will likely require the CSP to track implementation via an entry to the system s Plan of Actions and Milestones (POA&M). Compliance with SP 800-63-3 will be a FedRAMP requirement moving forward; therefore, any CSP not yet authorized should plan to address these requirements as part of their authorization activities. 4

APPENDIX A: FedRAMP ACRONYMS The FedRAMP Master Acronyms & Glossary contains definitions for all FedRAMP publications, and is available on the FedRAMP website Documents page under Program Overview Documents. (https://www.fedramp.gov/resources/documents-2016/) Please send suggestions about corrections, additions, or deletions to info@fedramp.gov. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback