Federal Risk and Authorization Management Program (FedRAMP)

Presenter: Peter Mell, Initial FedRAMP Program Manager
FedRAMP Interagency Effort Started: October 2009
Created under the Federal Cloud Initiative
The Problem Statement

Problem: How do we best perform security authorization and continuous monitoring for large outsourced and multi-agency systems?

- Government is increasing its use of large shared and outsourced systems
  - Technical drivers: the move to cloud computing, virtualization, service orientation, and Web 2.0
  - Cost savings: through datacenter and application consolidation
- Independent agency risk management of shared systems causes problems and inefficiencies
The Problem: Independent Agency Risk Management of Shared Systems

(Diagram: each Federal Agency performs its own risk management against each Outsourced System.)

Federal Agencies:
- Duplicative risk management efforts
- Incompatible agency policies
- Acquisition slowed by lengthy compliance processes

Outsourced Systems:
- Potential for inconsistent application of Federal security requirements
The Solution: FedRAMP

Federal Risk and Authorization Management Program
- A government-wide initiative to provide joint authorizations and continuous security monitoring services
- Unified government-wide risk management
- Agencies would leverage FedRAMP authorizations (when applicable)
  - This does not supplant existing agency authority to use systems that meet their security needs
- Initial focus on cloud computing
The Solution: Government-wide Risk Management of Shared Systems

(Diagram: Federal Agencies -> FedRAMP Risk Management -> Outsourced Systems)

FedRAMP Risk Management:
- Authorization
- Continuous Monitoring
- Federal Security Requirements

Benefits:
- Risk management cost savings and increased effectiveness
- Interagency vetted approach
- Rapid acquisition through consolidated risk management
- Consistent application of Federal security requirements

FedRAMP: Federal Risk and Authorization Management Program
Vendor Perspective

(Diagram: Vendor -> FedRAMP -> Acquiring Agencies)

- Coverage of the Federal market
- Products publicly listed as FedRAMP authorized
Agency Perspective

Independent Agency Effort:
- Security Control Selection
- Security Implementation
- Security Assessment
- Authorization
- Plan of Action and Milestones
- Monitoring
Result: large costs, slower acquisition, significant effort

Leveraged Authorization:
- Review security details
- Leverage the existing authorization
- Secure agency usage of system
Result: greatly reduced costs, enables rapid acquisition, reduced effort

- Assurance strengthened through a centralized, focused effort
- Ability to shift compliance workload to a central entity
Agency Responsibilities

- Agencies should review FedRAMP authorization packages prior to leveraging them
  - Determine suitability to the agency's mission/risk posture
  - Determine if additional security work is needed
- Agencies should perform agency-specific security activities
  - FedRAMP will publish a list of security controls that are the responsibility of the agency (can't be done government-wide)
- Agencies should maintain their security controls as a separate system
Vendor Responsibilities

- Implementation of government-wide baseline security requirements
- Create and vet the system security plan with FedRAMP
- Arrange for an independent assessment
- Prepare the proposed authorization package
  - Iteratively work with FedRAMP to prepare the package for authorization
- Perform continuous monitoring and periodically provide FedRAMP with evidence and artifacts
Conceptual FedRAMP Case Study

- Agency X acquires the ZipCloud service from ZipCorp
- X offloads risk management work to FedRAMP
  - FedRAMP accepts the work, reducing duplicative efforts by the many agencies using ZipCloud
- ZipCorp performs risk management work once with FedRAMP for ZipCloud
- Agencies save money and time by leveraging the FedRAMP authorization when acquiring ZipCloud
- ZipCorp saves money and time by not having to perform independent security efforts with each agency
- Agencies perform agency-specific security work
FedRAMP Components

Security Requirement Authorities (Security Requirements):
- Create government-wide baseline for specific domains
- Interagency developed and approved

FedRAMP Office (Program Management):
- Authorization package coordination
- Management of authorized system list
- Security Reviews and Continuous Monitoring
  - Technical analysis of authorization packages
  - Security measurement
  - Continuous monitoring oversight

Joint Authorization Board (Risk Acceptance and Authorization):
- Performs authorizations to be leveraged government-wide
- Ongoing determination of risk

Note: each of the three major components collaborates with the others but maintains independence.
FedRAMP Relationships

(Diagram of the parties and their relationships:)
- Joint Authorization Board
- Security Requirement Authorities
- FedRAMP Office
- Government Information System Owners
- Private Sector Providers
FedRAMP Interagency Roles

- FedRAMP Office
  - Managed by GSA
  - OMB liaison: policy coordination
  - NIST liaison: technical advisor role
- Joint Authorization Board
  - DOD, GSA, DHS + sponsoring agency (of the authorized system)
- Security Requirement Authorities
  - Initially: Federal Cloud Initiative
    - Technical work by the Cloud Computing Security Working Group (CCSWG)
  - Ultimately: ISIMC Working Groups
System Submission and Selection Process

- Agencies submit proposed target systems
  - Only services that the agency is using or plans to use
  - Agency sends a memo to FedRAMP with the request
- FedRAMP will prioritize submissions:
  1. Systems in use by the government and deemed high priority by the CIO Council or Federal CIO
  2. Systems with multiple sponsoring agencies
  3. Systems with one sponsoring agency
  4. Government-developed systems sponsored by the developing agency
- Within a priority level, the more active or projected users, the higher the priority.
Overview of FedRAMP Responsibilities

Activity                         | Responsible Parties                       | Additional Notes
Security Requirements            | Security Requirement Authorities          | Initially CCSWG, migrating to ISIMC
System Submission and Selection  | Sponsoring agency                         | With FedRAMP prioritization of work
Authorization Package Creation   | Service provider                          | With FedRAMP Office guidance
System Assessment                | Independent third party                   | Paid for by service provider
Authorization Package Review     | FedRAMP Office                            | Sponsoring agency assistance
Security Authorization           | Joint Authorization Board                 | Includes DOD, DHS, and GSA plus the sponsoring agency
Continuous Monitoring            | Service provider with FedRAMP oversight   | Possible agency participation
FISMA Reporting                  | Sponsoring agency                         | With FedRAMP input
Summary of FedRAMP Goals

Create a unified risk management process that:
- increases security through focused assessments,
- eliminates duplication of effort, with the associated cost savings,
- enables rapid acquisition by leveraging pre-authorized solutions,
- provides agency-vetted, transparent security requirements and authorization packages,
- facilitates multi-agency use of shared systems,
- ensures integration with government-wide security efforts
Summary of Agency Usage of FedRAMP

- Agencies retain their authority to use information systems that meet their security needs
- FedRAMP provides a service where agencies leverage FedRAMP joint authorizations
  - Continuous monitoring services are provided
- Agencies typically need to perform agency-specific security assessment and authorization activities (only a small fraction of the total authorization work)
Questions?

Presenter: Peter Mell, Initial FedRAMP Program Manager
mell@nist.gov
301-975-5572
Supplemental Material

- FedRAMP processes for assessment, authorization, and continuous monitoring
- FedRAMP initial focus on cloud computing
  - NIST cloud computing definition
  - NIST cloud framework
Overview of FedRAMP Government-Wide Risk Management Process

Risk Management Framework Steps 1-4:
- Government Wide (executed once per type):
  - Activity 1: Categorize Information and Information System
  - Activity 2: Create Security Specifications (including security control selection)
- Cloud Provider / Independent 3rd party (executed once per system):
  - Activity 3: Implement Security Controls
  - Activity 4: Assess Security Controls
  - Activity 5: Create Authorization Package

Risk Management Framework Step 5:
- Government Wide (executed once per system):
  - Activity 6: Authorize System
- Agencies (executed once per agency):
  - Activity 7: Agency Review and Acceptance of Government Wide Authorization

Risk Management Framework Step 6:
- Provider (executed continuously per system):
  - Activity 8: Perform Continuous Monitoring
- Government Wide (executed continuously per system):
  - Activity 9: Monitor and Accept Ongoing Level of Risk

See the Risk Management Framework (NIST SP 800-37 Revision 1) for step details.
The NIST Cloud Definition

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The full extended definition is available at: http://csrc.nist.gov/groups/sns/cloud-computing
The NIST Cloud Definition Framework

Deployment Models:
- Public Cloud
- Private Cloud
- Community Cloud
- Hybrid Clouds

Service Models:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)

Essential Characteristics:
- On-Demand Self-Service
- Broad Network Access
- Rapid Elasticity
- Resource Pooling
- Measured Service

Common Characteristics:
- Massive Scale
- Homogeneity
- Virtualization
- Low Cost Software
- Resilient Computing
- Geographic Distribution
- Service Orientation
- Advanced Security
Interagency Effort Conducted within the Cloud Computing Security Working Group

- Department of Commerce (DOC)
  - National Institute of Standards and Technology (NIST), Chair
- Department of Defense (DOD)
  - Defense Information Systems Agency (DISA)
  - National Security Agency (NSA)
- Department of Education (ED)
- Department of Energy (DOE)
- Department of Health and Human Services (HHS)
- Department of Homeland Security (DHS)
- Department of Housing and Urban Development (HUD)
- Department of Justice (DOJ)
- Department of Labor (DOL)
- General Services Administration (GSA)
- Office of Management and Budget (OMB)
- Social Security Administration (SSA)
- United States Postal Service (USPS)