FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Similar documents
FedRAMP Training - Continuous Monitoring (ConMon) Overview

FedRAMP Security Assessment Framework. Version 2.0

FedRAMP Security Assessment Framework. Version 2.1

Agency Guide for FedRAMP Authorizations

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

Guide to Understanding FedRAMP. Version 2.0

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1

Continuous Monitoring Strategy & Guide

FedRAMP Security Assessment Plan (SAP) Training

FedRAMP Initial Review Standard Operating Procedure. Version 1.3

FedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS. VERSION 1.0 October 20, 2016

FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide. Version 1.0

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.2

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

FedRAMP Digital Identity Requirements. Version 1.0

American Association for Laboratory Accreditation

READ ME for the Agency ATO Review Template

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

MIS Week 9 Host Hardening

Incident Response Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Branding Guidance December 17,

Exhibit A1-1. Risk Management Framework

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

Akamai White Paper. FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud. FedRAMP. Federal Risk Authorization Management Program

Standard Development Timeline

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

FedRAMP Training - How to Write a Control. 1. FedRAMP_Training_HTWAC_v5_ FedRAMP HTWAC Online Training Splash Screen.

Presented By Rick Link, Coalfire December 13, 2012

INFORMATION ASSURANCE DIRECTORATE

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

OFFICE OF INSPECTOR GENERAL

Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

Standard Development Timeline

Streamlined FISMA Compliance For Hosted Information Systems

Introduction to AWS GoldBase

Cyber Security Standards Drafting Team Update

Job Aid: Introduction to the RMF for Special Access Programs (SAPs)

Vol. 1 Technical RFP No. QTA0015THA

The next generation of knowledge and expertise

FISMAand the Risk Management Framework

COMPLIANCE IN THE CLOUD

Certification Exam Outline Effective Date: September 2013

Ensuring System Protection throughout the Operational Lifecycle

CYBER SECURITY POLICY REVISION: 12

Standard CIP Cyber Security Critical Cyber Asset Identification

Compliance with NIST

Standard CIP Cyber Security Critical Cyber Asset Identification

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

The Common Controls Framework BY ADOBE

CIP Cyber Security Configuration Management and Vulnerability Assessments

Critical Cyber Asset Identification Security Management Controls

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

SAC PA Security Frameworks - FISMA and NIST

Fiscal Year 2013 Federal Information Security Management Act Report

DFARS Cyber Rule Considerations For Contractors In 2018

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Physical Security Reliability Standard Implementation

NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

Appendix 12 Risk Assessment Plan

Information Systems Security Requirements for Federal GIS Initiatives

6/18/ ACC / TSA Security Capabilities Workshop THANK YOU TO OUR SPONSORS. Third Party Testing Program Overview.

NIST RISK ASSESSMENT TEMPLATE

Appendix 12 Risk Assessment Plan

3/2/2012. Background on FISMA-Reheuser. NIST guidelines-cantor. IT security-huelseman. Federal Information Security Management Act

CIP Cyber Security Personnel & Training

ASD CERTIFICATION REPORT

IT-CNP, Inc. Capability Statement

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

MINIMUM SECURITY CONTROLS SUMMARY

CIP Cyber Security Personnel & Training

Developed by the Defense Information Systems Agency (DISA) for the Department of Defense (DoD)

Executive Order 13556

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Track 4: Session 6 Cybersecurity Program Review

David Jenkins (QSA CISA) Director of PCI and Payment Services

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Data Security and Privacy Principles IBM Cloud Services

ISACA Cincinnati Chapter March Meeting

Federal Information Security Management Act (FISMA) Operational Controls and Their Relationship to Process Maturity

FedRAMP Penetration Test Guidance. Version 1.0.1

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

TOP-010-1(i) Real-time Reliability Monitoring and Analysis Capabilities

DFARS Defense Industrial Base Compliance Information

Click to edit Master title style

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

STUDENT GUIDE Risk Management Framework Step 5: Authorizing Systems

primary Control Center, for the exchange of Real-time data with its Balancing

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

CIP Cyber Security Systems Security Management

INFORMATION ASSURANCE DIRECTORATE

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

ROADMAP TO DFARS COMPLIANCE

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Transcription:

May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration

Agenda FedRAMP Overview Planning Phase Assessment Phase Customer Controls / Responsibilities and Authorization Phase Ongoing A&A (Continuous Monitoring)

Why FedRAMP? Problem: A duplicative, inconsistent, time consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies. Solution: FedRAMP Uniform risk management approach Standard set of approved, minimum security controls (FISMA Low and Moderate Impact) Consistent assessment process Provisional ATO

What is FedRAMP? FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a do once, use many times framework that will save cost, time, and staff required to conduct redundant agency security assessments.

FedRAMP Timeline April 2009 Cloud Computing Program Management Office Established February 2010 FedRAMP Concept Announced July Sept. 2010 FedRAMP Concept Vetted with Industry & Government November 2010 FedRAMP Concept, Controls, & Templates Released Feb Mar 2011 Government Tiger Teams Review Comments Apr June 2011 Executive Team Solidifies Tiger Team Recommendations December 2011 FedRAMP Policy signed June 2012 FedRAMP Launches Initial Operational Capability January 2013 JAB Grants 2 nd Provisional Authorization October 2009 Security Working Group Established March 2009 Cloud Computing Program Launched Executive Steering Committee Established June 2010 FedRAMP Drafts Initial Baseline January 2011 Over 1,200 public comments received December 2010 Federal Cloud Computing Strategy Published July Sept. 2011 3PAO Concept Planned February 2012 FedRAMP CONOPS Published May 2012 3PAOs Accredited December 2012 JAB Grants 1 st Provisional Authorization

FedRAMP Policy Memo December 8, 2011 OMB Policy Memo Establishes Federal policy for the protection of Federal information in cloud services Describes the key components of FedRAMP and its operational capabilities Defines Executive department and agency responsibilities in developing, implementing, operating and maintaining FedRAMP Defines the requirements for Executive departments and agencies using FedRAMP in the acquisition of cloud services

Complying with the FedRAMP Policy All assessments of cloud-based products and services must use the FedRAMP security requirements: baseline set of controls and all FedRAMP templates All assessments do not require a provisional ATO granted by the JAB Agencies can continue to grant their own ATOs without JAB sign-off CSPs can submit FedRAMP compliant packages to agencies requesting an ATO All assessment documentation must be submitted to FedRAMP PMO for inclusion in the secure repository Agencies must leverage existing FedRAMP ATOs in the FedRAMP repository June 2014 All Cloud Projects Must Meet FedRAMP Requirements

Exception Guidance Private cloud deployments Implemented within a Federal facility Operated solely for the use of the Executive Department or Agency Not providing cloud services from the system to any external entities Cloud systems at a FIPS 199 Impact Level of High Cloud systems exempt from FedRAMP requirements must continue to comply with FISMA requirements and appropriate NIST security standards and guidelines 8

Three Phases of Implementation Phase Planning Assessment Customer Controls & Authorization Description What path will my agency use to establish or implement a cloud service that is FedRAMP compliant? What is my agency s role in assessing the cloud service? How does my agency add additional controls and authorize the system? 9

PLANNING PHASE

Planning Phase Purpose and Key Steps Purpose Determine the agency s path for meeting FedRAMP requirements Key Steps 1. Incorporate FedRAMP requirements into contract clauses 2. Identify if FedRAMP security assessment package available to leverage 3. Gain access to the FedRAMP secure repository to review security assessment documentation 4. Determine FedRAMP implementation path 5. Alert FedRAMP PMO of implementation path 11

FedRAMP Contract Language Planning Phase FedRAMP is the implementation of FISMA and applicable NIST security standards and guidelines, commonly found in existing procurements FedRAMP contract language available at www.fedramp.gov Standard Contract Language Designed for agencies to leverage for use within cloud procurements Templates help agencies address: requirement to be FedRAMP compliant FedRAMP privacy requirements FedRAMP security assessment process requirements authorization of system requirement FedRAMP ongoing assessment and authorization requirement Control Specific Language Agencies should not: govern how the provider s administrative end user accounts are managed or authenticated specify parameters for controls in the FedRAMP baseline Some controls that may need additional clauses Data Jurisdiction Boundary Protection Audit Retention Media Transport Incident Reporting Info at Rest Personnel Screening Identification Authentication

FedRAMP Website Planning Phase Can you leverage and Authorization? Leverage www.fedramp.gov Create Website lists CSPs with security assessment documentation available in the FedRAMP secure repository CSP Name Service Name Service Description ATO Date Repository Level 3PAO FIPS 199 Level Service Model Deployment Model 13

Leverage an Authorization Planning Phase FedRAMP maintains a repository of standardized security assessment packages Agencies can leverage to make their own risk-based decisions to grant an ATO for a cloud solution for their Agency. This repository is key to the Increased Level of review Level CSP Agency JAB do once, use many times approach. Review Completed CSP Supplied, not yet reviewed Agency reviewed FedRAMP ISSO & JAB reviewed Assessed by Accredited 3PAO Optional Accredited 3PAO Accredited 3PAO Authorization Candidate for Authorization Agency ATO FedRAMP PA & Agency ATO Speed to Enter Repository

Agency Responsibilities Planning Phase Agency Responsibility CSP Agency JAB Except risks and issue authority to operate Review documentation for both completeness and accuracy Submit annual assessment to the FedRAMP PMO Provide continuous monitoring based on FedRAMP requirements

Existing ATO Migration Path Planning Phase Agency updates existing security assessment to meet FedRAMP requirements An agency must Provide own resources and bear all costs for the development of the package and ongoing use of the system Perform gap analysis of missing controls against the FedRAMP baseline Consider modifying existing contract to specifically stipulate FedRAMP Compliance Obtain commitment and compliance schedule for CSP to meet FedRAMP control requirements Migrate existing security package documents to required FedRAMP templates

Alert FedRAMP PMO Planning Phase Yes Leverage Existing Security Assessment Package Check with FedRAMP PMO (repository) for existing CSP Security Assessment Package No Follow FedRAMP Security Assessment Process, Send package to FedRAMP Alert FedRAMP PMO of Planned Compliance Path

ASSESSMENT PHASE

Assessment Phase Purpose and Key Steps Purpose: Develop or review security assessment documentation required to make a risk-based decision to authorize the cloud service for use at your agency Key Steps 1) Document security controls 2) Perform security tests 3) Finalize security assessment package

FedRAMP Baseline Security Controls Assessment Phase Document Controls Controls are based upon the NIST SP 800-53 R3 catalog of controls for low and moderate impact systems Impact level NIST Baseline Controls Additional FedRAMP Controls Total Controls Agreed to by JAB for FedRAMP Low 115 1 116 Moderate 252 46 298 Additional FedRAMP controls selected to address unique elements of cloud computing FedRAMP Security Controls Baseline Available on FedRAMP.gov

System Security Plan (SSP) Assessment Phase Document Controls Describes the purpose of the system Detailed description of Control Implementation Global view of how the system is structured Defines roles of the systems users and identifies personnel responsible for system security Delineates control responsibility between the customer or vendor The SSP is the key document to moving the FedRAMP assessment process forward

Perform Security Tests Assessment Phase Perform Security Tests 1. Assess against the SSP with NIST SP 800-53a test cases 2. Independent Assessor audits assessment and results 3. Independent Assessor generates security assessment report

Independent Assessor Conformity Assessment Phase Perform Security Tests Third Party Assessment Organization (3PAO) Accredited Independent Assessor Benefits of leveraging an accredited independent assessor (Third Party Assessment Organization 3PAO) Creates consistency in security assessments in accordance with FISMA and NIST standards Ensures assessor independence from CSP in accordance with international standards Establishes an approved list of assessors - 3PAOs for CSPs and agencies to choose from to satisfy FedRAMP requirements.

Security Assessment Plan (SAP) Assessment Phase Perform Security Tests Independent Assessor develops the SAP Defines scope of assessment - Hardware - Software - Databases - Applications - Facilities Testing Schedule Rules of Engagement (ROE) - Components included and excluded in assessment - Rules for transmission of results - ROE signed by CSP and Independent Assessor 24

Security Assessment Report (SAR) Assessment Phase Perform Security Tests Independent Assessor develops the SAR Documents findings Analysis of test results Highlights ways for CSPs to mitigate security weaknesses Primary document for making risk-based decisions 25

Plan of Action and Milestones Assessment Phase Finalize Assessment Detailed plan with a schedule of how the CSP plans to address and fix and vulnerabilities found during testing All SAR findings must map to a POA&M item False positives marked in the SAR but not identified in the POA&M as there is no remediation needed to correct false positives. CSPs applying for Provisional ATO: Remediate high severity findings before Provisional ATO is granted Remediate moderate findings within 90 days 26

Complete Assessment Package Assessment Phase Finalize Assessment A complete security authorization package includes deliverables in section 10 of the CONOPS Mandatory Templates: System Security Plan Security Assessment Plan Security Assessment Report Other Templates located on FedRAMP.gov: Control Tailoring Workbook Control Implementation Summary IT Contingency Plan 27 Plan Of Action & Milestones Supplier s Declaration of Conformity

CUSTOMER CONTROLS AND AUTHORIZATION PHASE

Customer Controls & Authorization Phase Purpose: Review security assessment documentation and grant authority to operate Key Steps 1. Review FedRAMP security authorization package 2. Implement customer controls 3. Grant authorization 4. Alert FedRAMP PMO of authorization granted and provide feedback regarding additional controls used

Review of Authorization Package Customer Controls & Authorization Phase Security Authorization Package Complete, consistent, and compliant with FedRAMP policy Hardware or software inventory included Content addresses the who, what, when, and how Delivery of supporting documentation and information adequately referenced Non-applicable controls not presented as implemented Risk review of Security Assessment Report and current Plan of Actions and Milestones

Agency Controls Customer Controls & Authorization Phase Include controls added on to FedRAMP baseline Include controls for applications & middleware Include controls with agency shared responsibility Shared Responsibility Both the CSP and the agency use two-factor authentication for authenticating to privileged and non-privileged accounts. Both CSP and agency must ensure users take security awareness training.

Authorize System Customer Controls & Authorization Phase Agencies make own risk-based determination for granting Authority to Operate Complete Authorization Package Agency Responsibilities Implemented Submit final security assessment package to FedRAMP PMO if not already in the secure repository Notify FedRAMP PMO if Agency ATO withdrawn Agency Authority to Operate

FedRAMP ONGOING ASSESSMENT AND AUTHORIZATION

34 Ongoing Assessment and Authorization Purpose: Determine whether deployed security controls remain effective in light of planned and unplanned changes that occur in the system and its environment over time. Key Steps 1. Review of control implementation 2. Review changes to the system 3. Monitor incidents and new vulnerabilities

Ongoing Assessment and Authorization (Continuous Monitoring) Overview Ongoing Assessment & Authorization Cloud Service Provider (CSP) Govt. Agency 1 Operational Visibility Annual Self-Attestation Review control reporting provided by CSP 2 Change Control Obtains Change Reports / POA&M Updates Ensure POA&M / System Changes meet ATO requirements 3 Incident Response Notifications Responds to Incidents & Coordinate with US- CERT

36 Operational Visibility Ongoing Assessment & Authorization CSPs CSP submits artifacts to the FedRAMP ISSO as defined by the FedRAMP Continuous Monitoring Strategy and Guide Artifacts include POA&Ms, Scans, and the Annual Self Attestation FedRAMP The ISSOs monitor POA&Ms and reporting artifacts (vulnerability scan reports) Artifacts are stored in the Secure Repository ISSOs provide the JAB and leveraging agencies with updated information on the system so that risk-based decisions can be made about ongoing authorization Agency Review artifacts in the Secure Repository to ensure that the risk posture of the CSP falls within agency tolerance Monitor security controls that are agency responsibilities CSP Submission Schedule Monthly 1 Quarterly 2 Semi-Annually 1 Annually 10 Every 3 Years 1 Number of Deliverables

Change Control Ongoing Assessment & Authorization CSPs CSPs must notify FedRAMP of any planned significant changes to the system before implementing the change CSPs must submit an updated SAR 30-days after implementation FedRAMP Changes are reviewed by FedRAMP ISSOs and approved by the JAB FedRAMP will notify leveraging agencies: If a significant change is planned and when it occurs If it affects security posture or adds unacceptable levels of risk Agency Upon notification of a significant change agencies should inform FedRAMP if they believe the planned changes will adversely affect the security of their information Agencies should review the change following the implementation of an approved change 37

Incident Response Ongoing Assessment & Authorization Multiple incident response notification scenarios based on first responder to incident (Refer to the FedRAMP Incident Communication Plan) Agency Responsibilities for Incident Response: Provide a primary and secondary POC to CSPs and US-CERT Notify US-CERT when a CSP reports an incident Work with CSPs to resolve incidents by providing coordination with US-CERT Notify CSPs, if the agency becomes aware of an incident that a CSP has not yet reported Notify FedRAMP ISSO of CSP incident activity Monitor security controls that are agency responsibilities. 38

Agency Responsibilities Ongoing Assessment & Authorization Review Level Description Authorization Responsibility for Continuous Monitoring CSP CSP Supplied, not yet reviewed Candidate for Authorization None Agency Reviewed by agency (*Accredited 3PAO Optional) Agency ATO Agency JAB Reviewed by FedRAMP ISSO & JAB FedRAMP PA & Agency ATO FedRAMP

THANK YOU For more information, please contact us or visit us the following website: www.fedramp.gov Email: info@fedramp.gov @ FederalCloud

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback