Akamai White Paper: FedRAMP℠ Helps Government Agencies Jumpstart their Journey to the Cloud
FedRAMP: Federal Risk and Authorization Management Program

Table of Contents
- Introduction
- FedRAMP Overview
- Akamai and FedRAMP
- FedRAMP-Certified Akamai Components and Boundaries
- Next Steps for Government Agencies

Introduction

In December 2010, the U.S. Chief Information Officer (CIO) released "A 25-Point Implementation Plan to Reform Federal IT Management" as part of a comprehensive effort to increase the operational efficiency of federal technology assets. One element of the 25-Point Plan is for agencies to shift to a "Cloud First" policy, which is being implemented through the Federal Cloud Computing Strategy. Today, Government agencies are making inroads in shifting to the Cloud First policy, which requires federal agencies to (1) implement cloud-based solutions whenever a secure, reliable, and cost-effective cloud option exists; and (2) begin reevaluating and modifying their individual IT budget strategies to include cloud computing.

Still, there are challenges facing agencies as they make this shift. For example, some agency CIOs have said that in spite of the stated security advantages of cloud computing, they are, in fact, concerned about moving their data from their own data centers, which they manage and control, to outsourced cloud services. This trust gap needs to be addressed, and the FedRAMP program provides a key pillar to help address it. FedRAMP, which has the goal of providing the best-in-government validation of cloud solution security controls, enables agencies to move more swiftly to leverage cloud-based vendor solutions that comply with and participate in the FedRAMP process. FedRAMP facilitates the award of agency-specific Approvals to Operate (ATOs), at a fraction of the time and cost normally required, for U.S. Government Agencies and compliant Cloud Service Providers.

As one of the initial Cloud service providers to receive a Provisional Authority to Operate (P-ATO) from FedRAMP, Akamai encourages government agencies to learn how leveraging FedRAMP can help agencies save time and money, improve security and efficiency, and more quickly take advantage of the power of the Cloud.
FedRAMP Overview

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework designed to save the costs, time, and personnel required to conduct agency security assessments. The objective of FedRAMP is threefold:

1. Ensure that information systems/services used government-wide have adequate information security;
2. Eliminate duplication of effort and reduce risk management costs;
3. Enable rapid and cost-effective procurement of information systems/services for federal agencies.

These objectives are designed to accomplish the following FedRAMP goals:

- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations;
- Increase confidence in the security of cloud solutions;
- Achieve consistent security authorizations using a baseline set of agreed-upon standards for cloud solution approval in or outside of FedRAMP;
- Ensure consistent application of existing security practices;
- Increase confidence in security assessments;
- Increase automation and near real-time data for continuous monitoring.

Some of the major benefits of FedRAMP include:

- Increased re-use of existing security assessments across agencies;
- Significant savings in terms of cost, time and resources ("do once, use many times");
- Improved real-time security visibility;
- Increased uniformity in regards to risk-based security management;
- Enhanced transparency between government and cloud service providers (CSPs);
- Better trust, reliability, consistency, and quality in the Federal security authorization process.

FedRAMP is the result of close collaboration with cyber security and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry. Agencies or cloud service providers (CSPs) can initiate the FedRAMP assessment process. This process begins a security assessment using FedRAMP requirements (which are FISMA compliant and based on NIST 800-53 rev3) and initiates a vendor/government collaboration coordinated via the FedRAMP PMO. CSPs must implement the FedRAMP security requirements within their environments and hire a FedRAMP-approved third party assessment organization (3PAO) to perform an independent assessment and audit of the vendor's cloud system. This results in the delivery of a security assessment package for review by appropriate stakeholders. The FedRAMP Joint Authorization Board (JAB) reviews security assessment packages based on a prioritized approach and may grant a provisional authorization. Federal agencies can leverage CSP authorization packages for review when granting an agency-specific Authority to Operate (ATO).

Akamai and FedRAMP

Akamai received a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) of the Federal Risk and Authorization Management Program (FedRAMP) on August 22, 2013. This is the first JAB P-ATO granted to a globally-distributed, publicly-shared cloud services platform.

Agencies can leverage Akamai cloud services directly or use them to front-end other FedRAMP-compliant data center solutions. Often referred to as "FedRAMP to the power of two", this model offers a unique end-to-end FedRAMP-compliant solution that is designed to make it easier for U.S. government agencies to use shared cloud services in support of their computing initiatives. By taking this approach, Government agencies will dramatically increase their security posture, improve availability, and provide unprecedented visibility and application access to the end user.

Because our solution often serves as the first touch for government agency constituents, Akamai takes our commitment to FedRAMP very seriously. From customer-facing services and content delivery solutions to the internal mechanisms used to manage and maintain the Akamai Content Delivery Network (CDN), everything our government customers use and need has been certified. The Akamai boundary is the broadest set of offerings that FedRAMP has provisioned to date. We felt this commitment was crucial to ensure our government customers can leverage Akamai solutions with confidence.

Akamai's FedRAMP solutions have been certified and are part of the FedRAMP program of continuous monitoring. Government organizations can trust the Akamai Intelligent Platform as the foundation for their cloud computing projects. Akamai enables agencies to move forward confidently with a Cloud First strategy that improves the security, performance, and scale of their cloud-based solutions. Akamai has remained committed to serving public sector cloud solution needs, such as DNSSEC, IPv6 and HIPAA compliance, and we continue to demonstrate that commitment with the award of our FedRAMP P-ATO.

FedRAMP-Certified Akamai Components and Boundaries

Throughout the FedRAMP System Security Plan (SSP) documentation and control responses, the use of the system name, Akamai Content Delivery Network (CDN), is inclusive of the system components and boundaries used to provide customer-facing services as well as the internal mechanisms used to manage and maintain the CDN. Both the customer-facing services and the internal mechanisms that constitute the accreditation boundary are described in CDN SSP Section 9.2, located in the FedRAMP repository. Services provided by Akamai that meet the FedRAMP security requirements and have been granted an Authority to Operate by the Joint Authorization Board (JAB) include:

- Content Delivery: The Akamai Intelligent Platform resolves end user requests for content using a massive server infrastructure with more than 140,000 servers deployed in more than 1,000 ISP networks in over 90 countries worldwide.
- Secure Content Delivery: Information protected by SSL/TLS is delivered from a dedicated, highly secure portion of the CDN over HTTPS. The Secure CDN was designed by Akamai's security experts to meet robust levels of physical, network, software and procedural security.
- NetStorage: Akamai's globally-distributed NetStorage service is an alternative upload repository for customers that require on-demand scalability for their asset uploads. NetStorage provides multiple petabytes of storage capacity and replicates files for effective scaling and high availability. Files uploaded to NetStorage are available for immediate HTTP(S) download by Internet users.
- On-Demand and Live Streaming HD Network: The HD Network leverages the tested and proven Akamai Intelligent Platform. With this highly decentralized network deployed deep into regional and local ISP networks, video is physically as close to consumers as possible, enabling fast video start-up times, high availability, and superior performance.
- Global Traffic Management Service: Global Traffic Management (GTM) can be combined easily with other services to provide powerful and highly-available web delivery solutions. GTM offers different modules for traffic control in a variety of situations. All modules are built on a common fault-tolerant, globally-distributed name server infrastructure.
- Enhanced Domain Name System: Akamai's Enhanced Domain Name System (DNS) service provides enterprise websites with a robust, reliable, and scalable outsourced DNS solution designed to dependably direct end users to enterprise website applications. Using a secondary DNS approach, Enhanced DNS makes it possible for enterprises to leverage a distributed network of DNS servers while retaining their existing management and update processes for DNS zone administration. Enterprises using Enhanced DNS can enable DNSSEC.
- Luna Control Center: As the customer portal interface, the Luna Control Center offers flexible organization, interactive reporting and diagnostic tools to proactively research, troubleshoot, and resolve anomalies. Accessed via HTTPS, customers can monitor activity, configure and administer solutions, deploy and manage content, analyze business-critical information, resolve issues, plan events, and collaborate with the Akamai team.

The following internal mechanisms are also included in the CDN accreditation boundary:

- Key Management Infrastructure: The Key Management Infrastructure (KMI) is Akamai's standardized system for generation, escrow, distribution, and access control for private information.
- Authgate: Akamai's authorization gateway, Authgate, verifies that users are connected to the Akamai corporate network. It also verifies that they are connected to a computer with an Akamai certificate, have an SSH key that matches their identity, and can connect to the machine they wish to access.
- Alert Management System: The Alert Management System (AMS) oversees Akamai's deployed networks in real time and sends alerts to Akamai's Network Operations Control Center (NOCC), which runs continuously. Logs are stored for forensic purposes and are accessible via a reporting tool.
- Akamai's Domain Name System: Akamai operates a dynamic DNS that returns answers computed on the fly. A typical use is to return the IP address of a server that is assigned dynamically, given current conditions on the Internet.
- Network Operations Command Center: The NOCC is distributed across three locations: Bangalore, Cambridge and San Mateo. The NOCC enables proactive monitoring and troubleshooting of all servers in the global Akamai network.

[Figure: Akamai Content Delivery Network Accreditation Boundary. Components shown inside the boundary: Content Delivery Edge, Secure Content Delivery Edge, Streaming Edge, NetStorage, EdgeComputing, Global Traffic Management (GTM), Enhanced Domain Name System, Akamai's Domain Name System, and Luna Control Center (https://control.akamai.com). Also included within the FedRAMP accreditation boundary: Internal Systems (KMI, Authgate, and AMS) and the NOCC. Shown outside the boundary: Public User, the user's Local Name Server, the Application Origin or Hosting Provider, and ISPs, Telecom Datacenters and Networks (Non-Akamai). NOTE: Accreditation Boundary does NOT include ISPs, non-Akamai owned datacenters, or the Internet.]

Next Steps for Government Agencies

Now that FedRAMP and cloud service providers are doing the heavy lifting in standardizing security assessments, authorization, and continuous monitoring for cloud products and services, government agencies can use the FedRAMP repository, review extensive documentation, and leverage the P-ATO designation to streamline their process for issuing agency-specific ATOs. FedRAMP serves as the baseline for initiating, reviewing, granting, and revoking security authorizations for cloud services in an efficient and robust manner. Federal agencies must use the baseline controls and accompanying FedRAMP requirements (templates, test cases, guidance) when leveraging assessments and authorizations or initiating assessments for cloud services.

Prior to procuring a new cloud service or conducting an assessment and authorization of an existing cloud service, check the FedRAMP repository to see if it already contains an assessment package for a cloud system the agency is using or might procure. If a cloud service is in the FedRAMP repository, Federal agencies can then leverage the security assessment package to make their own risk-based decision regarding whether or not to use that cloud system.

If an agency selects a cloud service not listed in the FedRAMP repository, the agency must follow the FedRAMP-approved security assessment process to grant an Authority to Operate (ATO). Federal agencies may do this by initiating the process with the FedRAMP PMO and JAB or by completing the FedRAMP process within their respective agency. Once an agency has completed the assessment of the cloud service and granted an ATO, the agency must submit the completed security assessment package to the FedRAMP PMO for inclusion in the FedRAMP repository. The repository provides a central location for security assessment packages for cloud solutions meeting FedRAMP requirements that can be leveraged by other Federal agencies.
Complete FedRAMP templates can be accessed at www.fedramp.gov

Akamai is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company's solutions is the Akamai Intelligent Platform, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations.

©2015 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 01/15.