Transcription:

Federal Risk and Authorization Management Program (FedRAMP)
Presenter Name: Peter Mell, Initial FedRAMP Program Manager
FedRAMP Interagency Effort Started: October 2009
Created under the Federal Cloud Initiative

The Problem Statement
Problem: How do we best perform security authorization and continuous monitoring for large outsourced and multi-agency systems?
- Government is increasing its use of large shared and outsourced systems
  - Technical drivers: the move to cloud computing, virtualization, service orientation, and web 2.0
  - Cost savings: through datacenter and application consolidation
- Independent agency risk management of shared systems causes problems and inefficiencies

The Problem: Independent Agency Risk Management of Shared Systems
Federal Agencies:
- Duplicative risk management efforts
- Incompatible agency policies
- Acquisition slowed by lengthy compliance processes
Outsourced Systems:
- Potential for inconsistent application of Federal security requirements

The Solution: FedRAMP
Federal Risk and Authorization Management Program
- A government-wide initiative to provide joint authorizations and continuous security monitoring services
- Unified government-wide risk management
- Agencies would leverage FedRAMP authorizations (when applicable)
  - This does not supplant existing agency authority to use systems that meet their security needs
- Initial focus on cloud computing

The Solution: Government-wide Risk Management of Shared Systems
(Diagram: Federal Agencies <-> FedRAMP Risk Management <-> Outsourced Systems)
FedRAMP Risk Management:
- Authorization
- Continuous Monitoring
- Federal Security Requirements
Results:
- Risk management cost savings and increased effectiveness
- Interagency vetted approach
- Rapid acquisition through consolidated risk management
- Consistent application of Federal security requirements
FedRAMP: Federal Risk and Authorization Management Program

Vendor Perspective
Coverage of the Federal market
(Diagram: Vendors -> FedRAMP -> Acquiring Agencies)
Products publicly listed as FedRAMP authorized

Agency Perspective
Independent Agency Effort:
- Security Control Selection
- Security Implementation
- Security Assessment
- Authorization
- Plan of Action and Milestones
- Monitoring
- Large costs
- Slower acquisition
- Significant effort
Leveraged Authorization:
- Review security details
- Leverage the existing authorization
- Secure agency usage of system
- Assurance strengthened through a centralized focused effort
- Greatly reduced costs
- Enables rapid acquisition
- Reduced effort
- Ability to shift compliance workload to central entity

Agency Responsibilities
- Agencies should review FedRAMP authorization packages prior to leveraging them
  - Determine suitability to the agency's mission/risk posture
  - Determine if additional security work is needed
- Agencies should perform agency-specific security activities
  - FedRAMP will publish a list of security controls that are the responsibility of the agency (can't be done government-wide)
- Agencies should maintain their security controls as a separate system

Vendor Responsibilities
- Implementation of government-wide baseline security requirements
- Create and vet system security plan with FedRAMP
- Arrange for an independent assessment
- Prepare proposed authorization package
- Iteratively work with FedRAMP to prepare package for authorization
- Perform continuous monitoring and periodically provide FedRAMP with evidence and artifacts

Conceptual FedRAMP Case Study
- Agency X acquires the ZipCloud service from ZipCorp
- X offloads risk management work to FedRAMP
- FedRAMP accepts the work, reducing duplicative efforts by the many agencies using ZipCloud
- ZipCorp performs risk management work once with FedRAMP for ZipCloud
- Agencies save money and time by leveraging the FedRAMP authorization when acquiring ZipCloud
- ZipCorp saves money and time by not having to perform independent security efforts with each agency
- Agencies perform agency-specific security work

FedRAMP Components
Security Requirement Authorities (Security Requirements):
- Create government-wide baseline for specific domains
- Interagency developed and approved
FedRAMP Office:
- Program Management: authorization package coordination; management of authorized system list
- Security Reviews and Continuous Monitoring: technical analysis of authorization packages; security measurement; continuous monitoring oversight
Joint Authorization Board (Risk Acceptance and Authorization):
- Performs authorizations to be leveraged government-wide
- Ongoing determination of risk
Note: each of the three major components collaborates but maintains independence

FedRAMP Relationships
(Diagram of the relationships among the following parties)
- Joint Authorization Board
- Security Requirement Authorities
- FedRAMP Office
- Government Information System Owners
- Private Sector Providers

FedRAMP Interagency Roles
FedRAMP Office:
- Managed by GSA
- OMB liaison: policy coordination
- NIST liaison: technical advisor role
Joint Authorization Board:
- DOD, GSA, DHS + sponsoring agency (of authorized system)
Security Requirement Authorities:
- Initially: Federal Cloud Initiative
  - Technical work by the Cloud Computing Security Working Group (CCSWG)
- Ultimately: ISIMC Working Groups

System Submission and Selection Process
- Agencies submit proposed target systems
  - Only services that the agency is using or plans to use
  - Agency sends a memo to FedRAMP with the request
- FedRAMP will prioritize submissions:
  1. Systems in use by the government and deemed as high priority by the CIO Council or Federal CIO
  2. Systems with multiple sponsoring agencies
  3. Systems with one sponsoring agency
  4. Government developed systems sponsored by the developing agency
- Within a priority level, the more active or projected users, the higher the priority.

Overview of FedRAMP Responsibilities

Activity                         | Responsible Parties                    | Additional Notes
---------------------------------|----------------------------------------|-----------------------------------------------------
Security Requirements            | Security Requirement Authorities       | Initially CCSWG, migrating to ISIMC
System Submission and Selection  | Sponsoring agency                      | With FedRAMP prioritization of work
Authorization Package Creation   | Service provider                       | With FedRAMP Office guidance
System Assessment                | Independent third party                | Paid for by service provider
Authorization Package Review     | FedRAMP Office                         | Sponsoring agency assistance
Security Authorization           | Joint Authorization Board              | Includes DOD, DHS, and GSA plus the sponsoring agency
Continuous Monitoring            | Service provider with FedRAMP oversight| Possible agency participation
FISMA Reporting                  | Sponsoring agency                      | With FedRAMP input

Summary of FedRAMP Goals
Create a unified risk management process that:
- increases security through focused assessments,
- eliminates duplication of effort, with associated cost savings,
- enables rapid acquisition by leveraging preauthorized solutions,
- provides agency-vetted, transparent security requirements and authorization packages,
- facilitates multi-agency use of shared systems,
- ensures integration with government-wide security efforts

Summary of Agency Usage of FedRAMP
- Agencies retain their authority to use information systems that meet their security needs
- FedRAMP provides a service where agencies leverage FedRAMP joint authorizations
  - Continuous monitoring services are provided
- Agencies typically need to perform agency-specific security assessment and authorization activities (only a small fraction of the total authorization work)

Questions?
Presenter Name: Peter Mell, Initial FedRAMP Program Manager
mell@nist.gov
301-975-5572

Supplemental Material
- FedRAMP processes for assessment, authorization, and continuous monitoring
- FedRAMP initial focus on cloud computing
  - NIST cloud computing definition
  - NIST cloud framework

Overview of FedRAMP Government-Wide Risk Management Process
Risk Management Framework Steps 1-4:
- Government Wide (executed once per type):
  - Activity 1: Categorize Information and Information System
  - Activity 2: Create Security Specifications (including security control selection)
- Cloud Provider / Independent 3rd party (executed once per system):
  - Activity 3: Implement Security Controls
  - Activity 4: Assess Security Controls
  - Activity 5: Create Authorization Package
Risk Management Framework Step 5:
- Government Wide (executed once per system):
  - Activity 6: Authorize System
- Agencies (executed once per agency):
  - Activity 7: Agency Review and Acceptance of Government Wide Authorization
Risk Management Framework Step 6:
- Provider (executed continuously per system):
  - Activity 8: Perform Continuous Monitoring
- Government Wide (executed continuously per system):
  - Activity 9: Monitor and Accept Ongoing Level of Risk
See Risk Management Framework (NIST 800-37 revision 1) for step details

The NIST Cloud Definition
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The full extended definition is available at: http://csrc.nist.gov/groups/sns/cloud-computing

The NIST Cloud Definition Framework
Deployment Models:
- Private Cloud
- Community Cloud
- Public Cloud
- Hybrid Clouds
Service Models:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
Essential Characteristics:
- On Demand Self-Service
- Broad Network Access
- Rapid Elasticity
- Resource Pooling
- Measured Service
Common Characteristics:
- Massive Scale
- Homogeneity
- Virtualization
- Low Cost Software
- Resilient Computing
- Geographic Distribution
- Service Orientation
- Advanced Security

Interagency Effort Conducted within the Cloud Computing Security Working Group
- Department of Commerce (DOC): National Institute of Standards and Technology (NIST), Chair
- Department of Defense (DOD): Defense Information Systems Agency (DISA); National Security Agency (NSA)
- Department of Education (ED)
- Department of Energy (DOE)
- Department of Health and Human Services (HHS)
- Department of Homeland Security (DHS)
- Department of Housing and Urban Development (HUD)
- Department of Justice (DOJ)
- Department of Labor (DOL)
- General Services Administration (GSA)
- Office of Management and Budget (OMB)
- Social Security Administration (SSA)
- United States Postal Service (USPS)