Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

Similar documents
FedRAMP Security Assessment Framework. Version 2.0

FedRAMP Security Assessment Framework. Version 2.1

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Branding Guidance December 17,

Agency Guide for FedRAMP Authorizations

FedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS. VERSION 1.0 October 20, 2016

Guide to Understanding FedRAMP. Version 2.0

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

Akamai White Paper. FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud. FedRAMP. Federal Risk Authorization Management Program

FedRAMP Training - Continuous Monitoring (ConMon) Overview

FedRAMP Digital Identity Requirements. Version 1.0

FedRAMP Security Assessment Plan (SAP) Training

American Association for Laboratory Accreditation

FedRAMP Initial Review Standard Operating Procedure. Version 1.3

Click to edit Master title style

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1

NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution

Introduction to AWS GoldBase

READ ME for the Agency ATO Review Template

FISMAand the Risk Management Framework

FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide. Version 1.0

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.2

Continuous Monitoring Strategy & Guide

Presented By Rick Link, Coalfire December 13, 2012

DISA CLOUD CLOUD SYMPOSIUM

Incident Response Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

About the DISA Cloud Playbook

MIS Week 9 Host Hardening

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Exhibit A1-1. Risk Management Framework

Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

COMPLIANCE IN THE CLOUD

Vol. 1 Technical RFP No. QTA0015THA

DRAFT DEPARTMENT OF DEFENSE (DOD) CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG) Version 1, Release December, 2014

FedRAMP Training - How to Write a Control. 1. FedRAMP_Training_HTWAC_v5_ FedRAMP HTWAC Online Training Splash Screen.

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Risk Management Framework for DoD Medical Devices

Information Systems Security Requirements for Federal GIS Initiatives

INFORMATION ASSURANCE DIRECTORATE

Making. the Most of FedRAMP. Industry Perspective INDUSTRY PERSPECTIVE

David Missouri VP- Governance ISACA

3/2/2012. Background on FISMA-Reheuser. NIST guidelines-cantor. IT security-huelseman. Federal Information Security Management Act

Certification Exam Outline Effective Date: September 2013

Developed by the Defense Information Systems Agency (DISA) for the Department of Defense (DoD)

Appendix 12 Risk Assessment Plan

IT-CNP, Inc. Capability Statement

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Streamlined FISMA Compliance For Hosted Information Systems

Telos and Amazon Web Services (AWS): Accelerating Secure and Compliant Cloud Deployments

6/18/ ACC / TSA Security Capabilities Workshop THANK YOU TO OUR SPONSORS. Third Party Testing Program Overview.

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

NIST RISK ASSESSMENT TEMPLATE

Appendix 12 Risk Assessment Plan

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Risk Assessments, Continuous Monitoring & Intrusion Detection, Incident Response

Internal Revenue Service (IRS) Publication 1075 Compliance in AWS. February 2018

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Procuring Cloud Based Services Federal Policies

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

ROADMAP TO DFARS COMPLIANCE

FEDERALLY COMPLIANT HYBRID IT QTS GOVERNMENT SOLUTIONS

NIST Special Publication

Introduction of the Identity Assurance Framework. Defining the framework and its goals

STUDENT GUIDE Risk Management Framework Step 5: Authorizing Systems

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

INFORMATION ASSURANCE DIRECTORATE

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

RISK MANAGEMENT FRAMEWORK COURSE

Job Aid: Introduction to the RMF for Special Access Programs (SAPs)

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

The U.S. Government s Role in Standards and Conformity Assessment

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

Ensuring System Protection throughout the Operational Lifecycle

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Critical Infrastructures and Cyber Protection Center (CICPC) Professional Development Programs. FISMA Compliance Review Program Sample Syllabus FISMA

ISACA Cincinnati Chapter March Meeting

EVALUATION REPORT. Independent Evaluation of NRC s Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2011

7/21/2017. Privacy Impact Assessments. Privacy Impact Assessments. What is a Privacy Impact Assessment (PIA)? What is a PIA?

FedRAMP Penetration Test Guidance. Version 1.0.1

FiXs - Federated and Secure Identity Management in Operation

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

Compliance with CloudCheckr

Federal & NASA IPv6 Updates

Track 4: Session 6 Cybersecurity Program Review

Executive Order 13556

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

RE: Request for Comments on the 2018 Federal Cloud Computing Strategy

Supporting the Cloud Transformation of Agencies across the Public Sector

FedRAMP Master Acronyms and Glossary

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

INFORMATION ASSURANCE DIRECTORATE

Compliance & Security in Azure. April 21, 2018

Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.

Interagency Advisory Board Meeting Agenda, December 7, 2009

OFFICE OF INSPECTOR GENERAL

Transcription:

Introduction to the Federal Risk and Authorization Management Program (FedRAMP) 8/2/2015 Presented by: FedRAMP PMO 1

Today s Training Welcome! This training session is part one of the FedRAMP Training Series. 1. Introduction to the Federal Risk and Authorization Program (FedRAMP) 100A 2. FedRAMP System Security Plan (SSP) Required Documents 3. FedRAMP Review and Approve Process 4. Rev 3 to Rev 4 Transition 5. Third Party Assessment Organization (3PAO) Specific Training 6. Security Assessment Report (SAR) and Security Assessment Plan (SAP) Overview 7. Significant Change Training for CSPs The goal of the FedRAMP Training Series is to provide a deeper understanding of the FedRAMP program and the level of effort required to satisfactorily complete a FedRAMP assessment. 2

Training Objectives At the conclusion of this training session the participant should understand: FedRAMP U.S. Federal Government policy and legal framework FedRAMP Governance FedRAMP Partners Goals and benefits of FedRAMP Relationship between FedRAMP and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) Options for Cloud Service Providers (CSPs) to achieve authorization Requirements for CSPs to become FedRAMP compliant 3

FedRAMP Overview FedRAMP was established via an OMB Memo in December 2012 FedRAMP is the first government-wide security authorization program for FISMA mandatory for all agencies and all cloud services FedRAMP s framework is being modeled in other government security programs and by other countries (UK, EU, China) FedRAMP s focus is to ensure the rigorous security standards of FISMA are applied while introducing efficiencies to the process for cloud systems (key of which is re-use) 700+ cloud systems that meet FedRAMP requirements $70M in cost avoidance through reuse of FedRAMP authorizations Before FedRAMP With FedRAMP 4

FedRAMP Federal Policy and Legal Framework FedRAMP fits within the same framework agencies are using currently to provide security authorizations of IT services FedRAMP is how agencies implement FISMA for use of cloud based IT products and services Essentially, FedRAMP is a supplemental policy to OMB A-130 for security authorizations. Agencies are still required to grant individual authorizations 5

FedRAMP Governance Joint Authorization Board (JAB): Has a team of Technical Representatives (TRs) similar to a Chief Information Security Officer (CISO) Under the TRs, there is a team of security staff that reviews security packages and recommends a Provisional Authorization to Operate (P-ATO) TRs also provide policy guidance NIST: Provides technical assistance to the Third Party Assessment Organizations (3PAO) process Maintains FISMA standards Establishes technical standards Federal CIO Council: Coordinates cross agency communications DHS: Monitors and reports on security incidents and provides monitoring Updates Federal standards for FISMA reporting 6

Success Depends on all Partners FEDRAMP PMO: AGENCIES: CSPs: 3PAOs: Provide a unified process for all agencies to follow Work with the JAB for prioritized vendors to achieve authorizations with an efficient review schedule Support CSPs and agencies through the process regardless of which path they go Conduct quality risk assessments that can be reused Integrate the FedRAMP requirements in to agency specific policies/procedures Deposit ATO documents in the FedRAMP secure repository Submit quality documentation in support of their FedRAMP application Encourage customers to reuse existing ATOs for their products Maintain independence as part of the quality assurance process Provide quality assessments Maintain secure repository of FedRAMP ATOs to enable reuse 7

FedRAMP Goals The Goals of FedRAMP are: Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations Increase consistency and confidence in the security of cloud solutions using NIST and FISMA defined standards Ensure consistent application of existing security practices Increase automation and near real-time continuous monitoring Improve real-time security visibility Enhance transparency between the Government and CSPs Provide a uniform approach to risk-based management 8

FedRAMP Benefits The Benefits to Agencies and CSPs using FedRAMP are: Improves the trustworthiness, reliability, consistency, and quality of the federal security authorization process CSPs gain one authorization that is available to multiple Agencies, further increasing their federal footprint Agencies and CSPs save significant cost, time and resources "do once, use many times" Agencies are able to re-use and share existing security assessments 9

FedRAMP Relationship to the NIST Risk Management Framework (RMF) 6. Monitor Security Controls 6. Monitor Security Controls -Continuous - Continuous Monitoring Monitoring 5. Authorize 5. Authorize Information System -Provisional Auth. ATO -Agency ATO 1. Categorize the Information System -Low Impact -Moderate Impact NIST RMF 4. Assess the Security Controls 4. Assess the Security -Use Controls of an Independent -FedRAMP Accredited Assessor (3PAO) 2. Select the 2. Select the Controls -FedRAMP Low or -FedRAMP Low or Moderate Baseline Moderate Baseline 3. Implement Security Controls -Describe in SSP 10

FedRAMP Security Assessment Framework(SAF) and NIST RMF 11

FedRAMP SAF/NIST RMF Comparison FedRAMP SAF Process Document Assess Authorize Monitor NIST SP 800-37 Step FedRAMP Standard 1. Categorize System Low and Moderate Impact Levels 2. Select Controls 3. Implement Security Controls 4. Assess the Security Controls 5. Authorize the System 6. Continuous Monitoring Use FedRAMP Control Baselines for Low and Moderate Impact Levels Use FedRAMP templates Implementation Guidance in Guide to Understanding FedRAMP FedRAMP accredits 3PAOs 3PAOs use standard process and templates ATOs with JAB P-ATO or Agency ATO Use Continuous Monitoring Strategy and Guide 12

FedRAMP Authorization Paths JAB Provisional Authorization to Operate (P-ATO) DHS, DoD, and GSA CIOs rigorously review CSP packages for an acceptable risk posture using a standard baseline approach Provides provisional authorizations to operate for use across the federal government Agency Authorization to Operate (ATO) A CSP may submit the appropriate documentation to the FedRAMP PMO and to an agency Agencies have varying levels of risk acceptance however, they may grant an ATO Packages are reviewed by at least one agency and determined to be FedRAMP compliant by the reviewing agency resulting in an Agency ATO CSP Supplied CSPs may supply a security package to the FedRAMP PMO for prospective agency use CSPs complete the FedRAMP SAF independently, instead of through the JAB or through a federal agency CSPs will not have an authorization at the completion, but will have a FedRAMP compliant package available for leveraging 13

FedRAMP Compliance Requirements A cloud system is compliant with FedRAMP if it meets the following requirements: The system security package has been created using the required FedRAMP templates The system meets the FedRAMP security control requirements A Provisional Authorization, and/or an Agency ATO, has been granted for the system An authorization letter for the system is on file with the FedRAMP Program Management Office The system has been assessed by an independent assessor The CSP maintains the continuous monitoring requirements of FedRAMP 14

Summary FedRAMP provides a standardized risk based approach for the Federal Government to leverage cloud services FedRAMP accelerates the adoption of secure cloud solutions through reuse of assessments and authorizations FedRAMP was built on the NIST RMF and compliance with FedRAMP ensures that the cloud service meets all FISMA requirements There are three paths to FedRAMP compliance: JAB P-ATO, Agency ATO, and CSP Supplied 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback