FedRAMP CSP SSP Training


  • Hi there! Is there a way I can get a copy of your presentation? I am trying to educate folks and this is a good starting point.


  1. Federal Risk and Authorization Management Program (FedRAMP)
     FedRAMP Security Authorization Package
     September 2012
  2. Agenda
     • Objectives
     • FedRAMP Process
     • Document Overview
     • Package Review Process
     • Control Examples
  3. Federal CIO Memorandum: FedRAMP Goals
     • Cost-effective, risk-based approach to cloud adoption
     • Standardize security requirements
     • Consistent, independent, third-party assessment
     • Leverage security experts from DHS, DOD, and GSA to conduct a joint authorization
     • Standardize contract language
     • Repository of authorization packages
     Source: VanRoekel, Steven. Federal CIO memorandum titled “Security Authorization of Information Systems in Cloud Computing Environments” (Dec 8, 2011).
  4. Objectives
     • Understand federal security assessment documentation
     • Clarify what makes a bad, good, or great description of a security control implementation
     • Provide lessons learned in applying a risk-based approach to security control selection
     • Ensure Cloud Service Providers (CSPs) have the knowledge to successfully implement FedRAMP
  5. FedRAMP Process (CSP Perspective)
     • Initiation
       – Request FedRAMP Authorization
       – Define and agree on scope
     • Security Assessment
       – Document security controls
       – 3PAO assesses security controls
     • Continuous Monitoring
       – Weakness Remediation
       – On-going control monitoring
       – Incident management
       – Data Feed Reporting
     Source: Guide to Understanding FedRAMP, Figure 2.1: FedRAMP Process
  6. Initiation: Starting the Process
     http://www.fedramp.gov
  7. Initiation: Defining the Scope
     FIPS 199 Categorization
     • Define information types
     • Established security categorization baseline
       – Confidentiality
       – Integrity
       – Availability
     • Risk-based adjustments
     Control Tailoring Workbook
     • Define the security control baseline
     • Document unique control settings
     • Discuss exceptions and compensating controls
     Control Implementation Summary
     • Control implementation status
       – In place
       – Planned
       – Somewhere in between
     • Clarify control implementation roles and responsibilities
       – Cloud service provider
       – Customer
       – Hybrid
       – Inherited
     Alternative Implementations: Enable innovation and flexibility in addressing security controls.
  8. FIPS 199
     • How do you intend for the cloud solution to be utilized?
     [Diagram elements: NIST SP 800-60 Volume 1; NIST SP 800-60 Volume 2; Information Type(s); Confidentiality Recommendation; Integrity Recommendation; Availability Recommendation; Risk-based justification for deviating from recommendations; CSP Selection]
  9. Control Tailoring Workbook (CTW)
     NIST SP 800-53 Revision 3
     • Based on FIPS 199 Security Categorization (Low or Moderate)
     • CSP intention in meeting or exceeding FedRAMP parameter settings
     • CSP intention to deviate from control baseline
       – Unique and/or innovative control tailoring
       – Exceptions and associated compensating control decisions
     [FedRAMP Control Reference (Tri-Fold)]
     Encouraging innovation by meeting the intent of a control if not the specific language.
  10. Control Implementation Summary (CIS)
      • Who is doing what?
        – CSP
        – Customer
        – Hybrid
      • CSP responsibilities should be clearly described in the System Security Plan (SSP) and supporting plans and procedures
      • Customer responsibilities should be clearly described in the User Guide (SSP, Appendix 2)
      Control Origination
      Service Provider Corporate
        Definition: A control that originates from the CSP corporate network.
        Example: DNS from the corporate network provides address resolution services for the information system and the service offering.
      Service Provider System Specific
        Definition: A control specific to a particular system at the CSP; the control is not part of the service provider corporate controls.
        Example: A unique host-based intrusion detection system (HIDS) is available on the service offering platform but is not available on the corporate network.
      Service Provider Hybrid
        Definition: A control that makes use of both corporate controls and additional controls specific to a particular system at the CSP.
        Example: Scans of the corporate network infrastructure; scans of databases and web-based applications are system specific.
      Configured by Customer
        Definition: A control where the customer needs to apply a configuration in order to meet the control requirement.
        Example: User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable http or https, etc.), and entering an IP range specific to their organization are configurable by the customer.
      Provided by Customer
        Definition: A control where the customer needs to provide additional hardware or software in order to meet the control requirement.
        Example: The customer provides a SAML SSO solution to implement two-factor authentication.
      Shared
        Definition: A control that is managed and implemented partially by the CSP and partially by the customer.
        Example: Security awareness training must be conducted by both the CSP and the customer.
      Inherited from pre-existing Provisional Authorization
        Definition: A control that is inherited from another CSP system that has already received a Security Authorization.
        Example: A PaaS or SaaS provider inherits PE controls from an IaaS provider.
  11. Control Implementation Summary (CIS)
      • Current implementation status
      • Elaborated on in the SSP
      Implementation Status
      Implemented
        Definition: Control is implemented and operating as intended.
        Example: The control clearly states who, what, when and how a control is implemented.
      Partially Implemented
        Definition: Some elements of the control are implemented and operating as intended.
        Example: Not all elements of a control are met; however, compensating controls are in place and a plan of action and milestones is in place to address the gap.
      Planned
        Definition: Control is scheduled for implementation.
        Example: A new operating system will be available in 6 months which may provide additional functionality.
      Alternative implementation
        Definition: Control may not be implemented as stated by NIST and FedRAMP; however, the CSP believes the intent of the control is met.
        Example: The CSP describes a solution which they believe meets or exceeds the control requirement.
      Not applicable
        Definition: The control is not implemented based on the cloud design.
        Example: Wireless controls may not be applicable for a system that does not use wireless technology.
  12. Kick-off Meeting
      • Establish points of contact/roles
      • Clarify Communication
      • Readiness Discussion
      • Process and Template Overview
      • Target Timeline
      Define the Boundary/Scope of the Solution
  13. Kick-off Meeting: Boundary Definition
      [Diagram: System Boundary and Protection Boundary, with the Internet and “Outside System Boundary” shown outside; legend: System / Not System]
      The boundary visual is important for putting your security controls in context.
  14. Document Marking
      Guide to Understanding FedRAMP, Section 5.2
      Ensure that all documents have sensitivity markings on at least the cover page and the footer of each document. You may change the existing sensitivity marking on any template to match your official company sensitivity nomenclature if it is different than what is on the template. Optionally, you may also put your sensitivity markings on the headers or footers of any documents and on any other places in the documents where you feel sensitivity markings should be placed.
  15. Initiation: Deliverable Summary
      FedRAMP Initiation Request (online link)
        Description: The FedRAMP request form is used by Federal agencies and CSPs to request initiation of the FedRAMP security assessment process.
      FIPS 199 Categorization (template available)
        Description: The FIPS 199 Security categorization is used to determine the impact level to be supported by the cloud information system/service. The provider categorizes their system based on the data types currently stored and not leveraging agency data.
      Control Tailoring Workbook (template available)
        Description: This document is used by the CSP to document their control implementation and define their implementation settings for FedRAMP-defined parameters and any compensating controls.
      Control Implementation Summary (template available)
        Description: This document summarizes the control ownership and indicates which controls are owned and managed by the CSP and which controls are owned and managed by the leveraging agency.
      Source: FedRAMP Concept of Operations (CONOPS), Table 6-1.
  16. Security Assessment: Overview
      FedRAMP System Security Plan
      • Document what you are doing
      • Optional: Document what you intend to do
      • Completed by the CSP
      Security Assessment Plan
      • Test plan and procedures
      • Tailored to cloud solution
      • Developed by 3PAO in collaboration with CSP
      Security Assessment Report
      • Test Results
      • Statement of outstanding vulnerabilities and risk
      Third-party Assessment Organization (3PAO) deliverables are not covered in this training.
  17. System Security Plan (SSP)
      • Provides the big picture view
      • Links the security implementation into a cohesive solution
      • Clearly and consistently documents security control implementation
      • Resource for the “boots on the ground”
      • Provides continuity for staff in management of security controls
  18. Why 352 Page SSP Template?
      • Eliminate variability in responses
        – Easier to document
        – Easier to read
        – Faster to evaluate
      • Encourage federal-wide adoption
        – Leverage NIST standards
        – Existing federal education
        – Maximize re-use
      • Eliminate common mistakes
        – Structure responses
        – Allow for detailed responses
      Document what you are already doing. Identify gaps in what you may have overlooked.
  19. SSP Overview
      Grouped into three (3) main areas:
      Scope
      • System Description
      • Points of Contact
      • Boundary Definition
      • Interconnections
      Controls
      • 18 Control Families
      • Risk-based control selection
      • Control tailoring
      Appendices
      • Policies
      • Supporting plans and procedures
      • Rules of Behavior
      Note: Based on NIST Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems
  20. SSP Scope
      Initiation Deliverables
      • FIPS 199
      • Control Implementation Summary (CIS)
      • Control Tailoring Workbook (CTW)
      New Deliverables
      • e-Authentication Worksheet (e-Auth)
      • Draft Privacy Threshold Analysis (PTA)
      • Draft Privacy Impact Assessment (PIA)
      • Rules of Behavior (RoB)
      Policies
      • Supporting Policies (leveraging existing vendor policies and procedures whenever possible)
      Supporting Plans and Procedures
      • Continuous Monitoring Plan and Strategy
      • Configuration Management Plan
      • Contingency Plan
      • Incident Response Plan
      • User Guide
      All of the above feed the System Security Plan (SSP).
  21. E-Authentication Worksheet
      NIST SP 800-63; OMB M-04-04
      • Determine if e-Authentication requirements apply
      • Determine applicable level of e-Authentication
      Level 1: Little or no confidence in the asserted identity’s validity
      Level 2: Some confidence in the asserted identity’s validity
      Level 3: High confidence in the asserted identity’s validity
      Level 4: Very high confidence in the asserted identity’s validity
  22. E-Authentication Worksheet
      OMB M-04-04, Table 1: Maximum Potential Impacts for Each Assurance Level

      Potential Impact Categories for Authentication Errors      Assurance Level Impact Profile
                                                                  1      2      3      4
      Inconvenience, distress or damage to standing or reputation Low    Low    Mod    High
      Financial loss or agency liability                          Low    Mod    Mod    High
      Harm to agency programs or public interests                 N/A    Low    Mod    High
      Unauthorized release of sensitive information               N/A    Low    Mod    High
      Personal Safety                                             N/A    N/A    Low    Mod, High
      Civil or criminal violations                                N/A    Low    Mod    High

      Where does it affect the SSP?
      • Section 2.3
      • Section 17
      • IA-2
      • IA-5
      • IA-8
      NIST SP 800-63
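The way the e-Authentication worksheet uses Table 1 is to find the lowest assurance level whose maximum potential impact covers every category of the system's assessed impact profile. The following Python is an added example, not part of the FedRAMP deck or its templates: it encodes the table as reproduced on the slide (the level 4 entry “Mod, High” for Personal Safety is stored as its upper bound, High) and reports both the required level and the categories that drive it, which is the rationale a reviewer expects to see in SSP Section 2.3. The category keys and the sample profiles are assumptions chosen for this example.

```python
# Added example (not from the FedRAMP deck): derive the required OMB M-04-04
# assurance level from an impact profile using Table 1 as shown on the slide.
IMPACT_RANK = {"N/A": 0, "Low": 1, "Mod": 2, "High": 3}

# Maximum potential impact tolerated at assurance levels 1..4, per category.
# "Mod, High" for Personal Safety at level 4 is encoded by its upper bound.
MAX_IMPACT = {
    "inconvenience":        ("Low", "Low", "Mod", "High"),
    "financial_loss":       ("Low", "Mod", "Mod", "High"),
    "harm_to_programs":     ("N/A", "Low", "Mod", "High"),
    "unauthorized_release": ("N/A", "Low", "Mod", "High"),
    "personal_safety":      ("N/A", "N/A", "Low", "High"),
    "civil_criminal":       ("N/A", "Low", "Mod", "High"),
}


def _validate(profile):
    unknown = set(profile) - set(MAX_IMPACT)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    bad = [v for v in profile.values() if v not in IMPACT_RANK]
    if bad:
        raise ValueError(f"unknown impact values: {bad}")


def _covered_at(level_index, profile):
    """True if every assessed impact is at or below the table maximum at this level."""
    return all(
        IMPACT_RANK[MAX_IMPACT[cat][level_index]] >= IMPACT_RANK[profile.get(cat, "N/A")]
        for cat in MAX_IMPACT
    )


def required_assurance_level(profile):
    """Return the lowest assurance level (1-4) that covers `profile`.

    `profile` maps category keys from MAX_IMPACT to "N/A", "Low", "Mod" or
    "High"; categories left out are treated as N/A.
    """
    _validate(profile)
    for idx in range(4):
        if _covered_at(idx, profile):
            return idx + 1
    raise ValueError("no assurance level covers this profile")  # unreachable: level 4 is High everywhere


def binding_categories(profile):
    """Return the categories that force the chosen level, i.e. those whose
    assessed impact exceeds the table maximum one level lower. Empty for level 1."""
    level = required_assurance_level(profile)
    if level == 1:
        return []
    lower = level - 2  # index of the next lower level
    return [
        cat for cat in MAX_IMPACT
        if IMPACT_RANK[profile.get(cat, "N/A")] > IMPACT_RANK[MAX_IMPACT[cat][lower]]
    ]


# Constructed sample profile: moderate reputational and disclosure impact,
# low financial/program/legal impact, no safety impact.
SAMPLE_PROFILE = {
    "inconvenience": "Mod",
    "financial_loss": "Low",
    "harm_to_programs": "Low",
    "unauthorized_release": "Mod",
    "personal_safety": "N/A",
    "civil_criminal": "Low",
}

if __name__ == "__main__":
    print("Required assurance level:", required_assurance_level(SAMPLE_PROFILE))
    print("Driven by:", ", ".join(binding_categories(SAMPLE_PROFILE)))
```

The `binding_categories` output is what to cite when justifying the level: in the constructed sample, level 3 is required because both “Inconvenience, distress or damage to standing or reputation” and “Unauthorized release of sensitive information” are assessed as Moderate, which level 2 caps at Low.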
  23. SSP Points of Contact
      • Information System Owner (ISO)
      • Information System Security Officer (ISSO)
      • Authorizing Official (AO)
      • Others (depending on CSP approach)
        – Architect
        – Engineer
        – Manager
        – Technical
  24. SSP Descriptors
      • Type of Cloud Implementation
      • Leveraging any other Security Authorization Packages (inheriting controls)
      • System Function/Purpose
        – Ensure alignment with the information types previously defined
      • Types of Users
        – Be consistent with the roles defined in Section 9.3 and used throughout the SSP and supporting documents
      • Boundary Discussion
        – Be consistent and complete in describing it, to ensure alignment throughout the SSP
        – If you can’t describe it, why should anyone believe you can protect it?
        – Should align to any diagrams presented previously
  25. Describing the Boundary
      [Diagram: System Boundary, with the Internet and “Outside System Boundary” external to it; elements: Network Inventory, Ports, Protocols and Services, Network Architecture, Hardware Inventory, Software Inventory, System Interconnections]
      • Understand where users fit within the boundary – e.g., end users, administrators, security operations, and remote maintenance.
  26. Review Standards
      • Each document is verified for compliance with FedRAMP policy and consistency with other package documents
      • Review expects responses to be:
        – Unambiguous
        – Specific
        – Complete
        – Comprehensible
      • The SSP Template is designed to help achieve expected results
  27. Grading Standard (Notional)
      • Pass (P):
        – All applicable document criteria are satisfied
      • Fail (F):
        – Only some (or zero) applicable document criteria are satisfied
      • Pass with Comments (PC):
        – Document criteria are satisfied in principle, but additional detail would yield a more complete response
        – Reviewer will specify the additional information to be included
      • Not Applicable (N/A):
        – Requirement does not apply based on system characteristics and accreditation boundary (e.g., some requirements of AC-18 are N/A for non-wireless systems)
  28. Structure of a Good Response
      Reviewer assesses submission content in the context of four (4) criteria:
      1. What is the documented solution?
      2. Who is the responsible party for solution management?
      3. When is the solution reviewed or monitored for effectiveness?
      4. How does the solution meet applicable security requirements?
      Reference applicable documentation
      • Policy, SOPs, Rules of Behavior, common control catalogs, waivers, exceptions, etc.
      • Any referenced documentation should be appended to the SSP, with the rationale for its inclusion clearly stated in the control implementation paragraph; ensure that the control language aligns with any referenced internal policies, procedures, and/or standards.
  29. References
      Internal references to another part of the same document are acceptable provided that each reference:
      • Includes section number
      • Is relevant to the referring section of the document
      External references to other documents are acceptable provided that each reference:
      • Includes the full title, current version number, and release date of the referenced document
      • Briefly explains the rationale for the reference
      Note: If the reference does not pertain to the referring section, the corresponding checklist item will be graded “Fail”.
  30. CONTROL EXAMPLES
      Please do not copy these examples into your system security plans verbatim. Copying these examples as written is an early indicator that the proper due diligence wasn’t applied in analyzing and documenting security controls.
  31. AC-1: Access Control Policy and Procedures
      The organization develops, disseminates, and reviews/updates [Assignment: org-defined frequency]:
      a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      b. Formal, documented procedures to facilitate the implementation of the access control policy and associated controls.
  32. AC-1: Poor Response
      Implementation:
      System XX has an access control policy that is consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. It is updated annually.
      The System Administrators and <CSP> management team personnel post notes and send e-mail notifications to System XX users. System XX User and Administrator Guides are periodically updated as new versions are released.
  33. AC-1: Good Response
      Implementation:
      (a) System XX’s Access Control Policy is listed in <CSP> Document ABC and includes definitions of the purpose, scope, roles, responsibilities, and compliance requirements for all <CSP> employees. Section 5.2 of Document ABC presents the <CSP> access control policy. Section 5.2 of the <CSP> handbook addresses roles and responsibilities. Section 5.2 of Document ABC addresses the management commitment, coordination among customer entities, and compliance related to access control.
      The access control policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
      The access control policy is reviewed and updated, when necessary, by the XX ISSO at least annually.
  34. AC-1: Good Response (continued)
      (b) The access control procedures for System X are documented in organization Document ABC, organization Document XYZ, and User Guide B; and are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
      The access control procedures address all areas identified in the access control policy and address achieving policy-compliant implementations of all associated controls. The access control procedures are reviewed and updated, when necessary, by the XX ISSO at least annually.
      Access control policy and procedure documents are maintained on the <CSP> internal SharePoint site, and are available for review upon request.
  35. AC-7: Unsuccessful Login Attempts
      The information system:
      a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and
      b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
  36. AC-7: Poor Response
      Implementation:
      (a)(b) This control is partially inherited from the Data Center. Please see Appendix A: Data Center Declaration of Controls for implementation detail.
      (a)(b) The XXX System Owner and ISSO ensure the XXX system allows no more than three (3) consecutive invalid access attempts by a user within a 24 hour time period; and that the system automatically locks the account/node for 20 minutes when the maximum number of unsuccessful attempts is exceeded.
      The XXX ISSO is responsible for ensuring that the XXX system servers will be configured in accordance with the Hardening Guidelines and lockout policy.
  37. AC-7: Good Response
      Data Center Implementation:
      (a)(b) The <CSP> Data Center Application Team works with the <CSP> YYY System Owner and YYY ISSO to determine acceptable configuration settings for the implementation of this control on system servers/operating systems. The YYY System Owner and YYY ISSO must provide the Data Center Application Team with the following configuration setting requirements so they can be incorporated into the final configuration for system servers: number of consecutive unsuccessful login attempts before lockout, unsuccessful login count window duration, and unsuccessful login attempt lockout action type (with associated parameters). Systems must provide required configuration settings in the form of a Group Policy Object (GPO).
  38. AC-7: Good Response (continued)
      System Implementation:
      (a)(b) The YYY default group policy limits unsuccessful login attempts to 3 unsuccessful login attempts in 120 minutes. When this limit is reached the user is locked out for 20 minutes. The YYY System Owner is responsible for providing these configuration requirements to the data center. The YYY Administrators (YYY Software Services Team) are responsible for verifying implementation. The GPO is implemented by the <CSP> Data Center Application Team through Active Directory, and the GPO is applied to all VMs within the domain. Group policy is maintained under configuration control and any changes to this control are reviewed by the YYY ISSO. The YYY ISSO reviews this control at least annually to ensure that it is operating as intended by performing GPO review and testing.
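What separates the good AC-7 response from the poor one is that all three organization-defined parameters (attempt count, counting window, lockout action and duration) are stated and can be tested. The Python below is an added example, not code from the FedRAMP deck or from any GPO: it is a reference model of the lockout semantics the good response describes, using the slide's example values (3 attempts in 120 minutes, 20-minute lockout), so the behaviour at the edges can be checked before a reviewer asks. The log format, user names and timestamps are constructed for the example.

```python
# Added example (not from the FedRAMP deck): a reference model of AC-7 lockout
# semantics with a sliding counting window and a timed lockout. Parameter
# values are the slide's example settings; all sample data is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LockoutPolicy:
    max_attempts: int = 3                       # consecutive invalid attempts (AC-7a)
    window: timedelta = timedelta(minutes=120)  # period in which they are counted (AC-7a)
    lockout: timedelta = timedelta(minutes=20)  # lock duration once exceeded (AC-7b)


@dataclass
class LockoutTracker:
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    failures: dict = field(default_factory=dict)      # user -> timestamps of recent failures
    locked_until: dict = field(default_factory=dict)  # user -> lock expiry

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:  # lock expired: clear it and the failure history
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Record an invalid attempt; return True if the user is (now) locked out."""
        if self.is_locked(user, now):
            return True
        cutoff = now - self.policy.window
        recent = [t for t in self.failures.get(user, []) if t > cutoff]  # drop aged-out failures
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.max_attempts:
            self.locked_until[user] = now + self.policy.lockout
            return True
        return False

    def record_success(self, user, now):
        """A valid login resets the counter, but only if the account is not locked.
        Returns True if the login is allowed."""
        if self.is_locked(user, now):
            return False
        self.failures.pop(user, None)
        return True


def replay_auth_log(lines, policy=None):
    """Replay constructed log lines '<ISO timestamp> <user> <OK|FAIL>' and return
    (user, outcome) decisions, where outcome is 'allowed', 'counted' or 'locked'."""
    tracker = LockoutTracker(policy or LockoutPolicy())
    decisions = []
    for line in lines:
        ts, user, result = line.split()
        now = datetime.fromisoformat(ts)
        if result == "OK":
            decisions.append((user, "allowed" if tracker.record_success(user, now) else "locked"))
        else:
            decisions.append((user, "locked" if tracker.record_failure(user, now) else "counted"))
    return decisions


# Constructed sample log: alice trips the lock on her third failure and is refused
# even with a valid password ten minutes later; bob's first failure ages out of the
# 120-minute window, so his third failure does not lock him.
SAMPLE_LOG = [
    "2012-09-01T09:00:00 alice FAIL",
    "2012-09-01T09:01:00 alice FAIL",
    "2012-09-01T09:02:00 alice FAIL",
    "2012-09-01T09:12:00 alice OK",
    "2012-09-01T09:25:00 alice OK",
    "2012-09-01T09:00:00 bob FAIL",
    "2012-09-01T10:00:00 bob FAIL",
    "2012-09-01T11:01:00 bob FAIL",
]

if __name__ == "__main__":
    for user, outcome in replay_auth_log(SAMPLE_LOG):
        print(user, outcome)
```

Two design points matter for the SSP text: a correct password while locked is still refused (the lock, not the counter, governs), and the window is sliding, so a 24-hour window as in the poor response and a 120-minute window as in the good one give different results for the same log. Whichever values are chosen, the response should state them so the 3PAO can test exactly this.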
  39. CM-7: Least Functionality
      The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: org-defined list of prohibited or restricted functions, ports, protocols, and/or services]
      (1) The organization reviews the information system [Assignment: org-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.
  40. CM-7: Poor Response
      The ISSO ensures annually that only those ports, protocols, and services necessary for system mission are enabled.
  41. CM-7: Good Response
      CM-7: Only the features and port traffic required by System W are configured and enabled. Unnecessary features, services, protocols, or capabilities are disabled or removed. The list of prohibited protocols and services can be found in the secure baseline configurations followed by System W, most notably the <CSP> Windows Server 2003/Vista/XP Secure Baseline Configuration Guide.
      The ISSO is responsible for ensuring that the configuration settings for System W are in compliance with <CSP> hardening guidance; the ISSO verifies configuration settings weekly. Please refer to Table 10-4 of this SSP for permitted ports and protocols. The list of permitted ports and protocols is reviewed annually by the ISSO.
      CM-7(1): Organization M IA Division conducts monthly Nessus scans of Organization M systems for compliance with Agency hardening guidelines. These scans identify all unnecessary functions, ports, protocols, and services. The IT Security Audit Team conducts monthly audits where the prohibited ports and services are identified to ensure no future use. Monthly Audit Reports are archived and are available upon request.
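The good CM-7 response works because it names a concrete artifact (the SSP's permitted ports and protocols table) and a concrete check against it (weekly verification, monthly scans). The Python below is an added example, not from the FedRAMP deck or any CSP's tooling: it shows the kind of check the ISSO's weekly verification could be built on, comparing what a host actually listens on (parsed from `ss -Hlntu` style output) against the permitted table and reporting drift in both directions, services listening that are not permitted and table entries nothing listens on, which indicate stale documentation. The `ss` output and the permitted table are constructed sample data.

```python
# Added example (not from the FedRAMP deck): compare observed listeners against an
# SSP-style permitted ports/protocols table and report drift in both directions.
from collections import namedtuple

Listener = namedtuple("Listener", "proto port local_addr")


def parse_ss_listeners(text):
    """Parse lines in the layout printed by `ss -Hlntu`:
    Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port"""
    listeners = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue  # skip headers or non-IP sockets
        addr, _, port = parts[4].rpartition(":")  # handles 0.0.0.0:22, [::]:443 and *:22
        listeners.append(Listener(parts[0], int(port), addr))
    return listeners


def check_least_functionality(listeners, permitted):
    """Return (unauthorized, unlisted): (proto, port) pairs listening that the table
    does not permit, and permitted pairs with no listener (stale table entries)."""
    observed = {(l.proto, l.port) for l in listeners}
    allowed = {(proto, port) for proto, port, _purpose in permitted}
    return sorted(observed - allowed), sorted(allowed - observed)


# Constructed `ss -Hlntu` output from a hypothetical host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:443          [::]:*
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

# Constructed stand-in for an SSP permitted ports and protocols table
# (protocol, port, documented purpose).
PERMITTED = [
    ("tcp", 22, "SSH remote administration"),
    ("tcp", 443, "HTTPS portal"),
    ("tcp", 3306, "MySQL, internal only"),
    ("udp", 123, "NTP"),
]


def audit(ss_output=SAMPLE_SS_OUTPUT, permitted=PERMITTED):
    """Run the comparison and return a dict suitable for a weekly verification record."""
    unauthorized, unlisted = check_least_functionality(parse_ss_listeners(ss_output), permitted)
    return {"unauthorized": unauthorized, "unlisted": unlisted}


if __name__ == "__main__":
    result = audit()
    for proto, port in result["unauthorized"]:
        print(f"NOT PERMITTED: {proto}/{port} is listening")
    for proto, port in result["unlisted"]:
        print(f"STALE ENTRY: {proto}/{port} is permitted but nothing listens")
```

In the constructed sample the telnet (tcp/23) and SNMP (udp/161) listeners are flagged as not permitted, and the MySQL entry is flagged as stale because nothing listens on it; both findings are the evidence a reviewer wants behind “verifies configuration settings weekly”.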
  42. MA-3: Maintenance Tools
      The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.
      Enhancement 1: The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
      Enhancement 2: The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.
      Enhancement 3: The organization prevents the unauthorized removal of maintenance equipment by one of the following: (i) verifying that there is no organizational information contained on the equipment; (ii) sanitizing or destroying the equipment; (iii) retaining the equipment within the facility; or (iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.
  43. MA-3: Poor Response
      The System Administrator and the ISSO check all media containing diagnostic and test programs for malicious code before the media are used within the system. The SysAdmin checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release. If the equipment cannot be sanitized, the equipment remains within the facility.
      All tools approved for use on System Y are approved software according to the Technical Reference Manual. Only individuals authorized to use these tools are granted the necessary permissions. In the event an outside vendor is required to perform maintenance activities, he or she is escorted at all times and all equipment inspected.
  44. MA-3: Good Response
      The System Administrator has ultimate responsibility for all maintenance tools used within System XX. Tools are selected from a predetermined tool set as documented in the Technical Reference Manual. This list is updated and released annually by the XX system administrator. All system maintenance activities follow standardized procedures, and all activities are pre-approved by the system administrator. Tools must be signed out for a specified period of time prior to use and signed back in upon completion. More detailed procedures may be found in Appendix D of this document, “System XX Maintenance Procedures.”
      (1) The facility housing System XX is guarded 24/7 by armed security guards. All visitors, including maintenance personnel, are subjected to x-ray screening prior to being granted access. Once through the initial entrance, maintenance personnel are sent to a separate room where all materials are inspected by Person Y.
      (2) System XX maintenance procedures include provisions for testing all media containing diagnostic and test programs in a virtual environment prior to system use. This testing is performed by the System Administrator.
      (3) All maintenance equipment is contained within the facility at all times, and individuals are subjected to bag search before leaving the premises. Property passes are required to remove equipment from the building and security checks serial numbers on property passes each time someone leaves the building.
  45. SA-12: Supply Chain Protection
      The organization protects against supply chain threats by employing [FedRAMP Parameter: List of measures to be approved by JAB but determined by CSP] as part of a comprehensive, defense-in-breadth information security strategy.
  46. SA-12: Poor Response
      System XX uses due diligence to ensure supply chain protection by employing the following measures by making sure all users are aware of the rules. The System Owner verifies this control implementation at least annually.
  47. SA-12: Good Response
      System XX uses due diligence to ensure supply chain protection by employing the following measures:
      • Ensuring that all vendors have a positive performance record
      • Ensuring that all vendors are in a secure financial position
      • Reviewing suppliers and vendors to verify they are organizationally stable and have contingency plans in place
      • Maintaining spares of critical information system components at two back-up sites
      • Ensuring that all acquisitions are made through a federally approved contract process
      <CSP> checks to ensure that all suppliers are financially secure by performing a credit check through Dun & Bradstreet. <CSP> puts the following contract clause in all supplier contracts to ensure that suppliers and vendors have a stable operating environment: “Supplier must have an IT Contingency Plan in place that is available to <CSP> upon request.” The System Owner, no less than annually, performs a review of all vendor performance records, vendor financials, and vendor stability in accordance with the organization’s vendor review policy. The System Owner also reviews the acquisition process to ensure compliance with federal requirements. Additionally, the System Owner performs an inventory of critical information system components at back-up sites to ensure all redundancy requirements are met.
  48. SC-9: Transmission Confidentiality
      The information system protects the confidentiality of transmitted information.
      Enhancement 1: The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by [FedRAMP Parameter: a hardened or alarmed carrier Protective Distribution System (PDS)].
  49. SC-9: Poor Response
      The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission by employing FIPS 140-2 compliant cryptographic modules.
  50. SC-9: Good Response
      System A’s transmission/session confidentiality is provided during remote administration of the system via SSH with [third-party vendor] two-factor authentication. System transmission/session confidentiality for portal access to the system is accomplished via SSL with [third-party vendor] two-factor authentication. All internal communication is on the private network and is not accessible from outside the boundary. Please refer to control IA-2 for a detailed description of access to all System A devices and protections in place to protect system integrity and confidentiality.
  51. SC-9: Good Response (continued)
      SC-9 (1) All communications with System A occur over a two-factor authenticated, encrypted SSL or SSH channel. System A uses [third-party vendor] two-factor authentication to authenticate to the FIPS 140-2 certified SSH and SSL cryptographic modules deployed within the system. All system servers run a [custom] operating system and use the [third-party vendor’s product] for OpenSSH and OpenSSL (OpenSSL 0.9.8e-fips-rhel5 and OpenSSH 5.2p1). The OpenSSL module is a software-only, security level 1 cryptographic module, running on a multi-chip standalone platform. The module supplies cryptographic support for the SSH protocol or the [vendor] Linux user space. The [vendor product] version for the validated module is 5.2p1. All cryptographic operations and the module integrity check are performed by the [third-party vendor] Linux OpenSSL Cryptographic Module for the OpenSSH module. [Third-party vendor] authentication uses a time-synchronous solution that automatically changes the user’s password every 60 seconds. All portals are built on these [third-party vendor] and <CSP> systems; thus, they utilize the same FIPS 140-2 certified cryptographic modules.
  52. SC-13: Use of Cryptography
      The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
      Enhancement 1: The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.
  53. SC-13: Poor Response
      System 15 currently uses [vendor] Java Cryptography Extension, which is not FIPS-compliant. This is currently being rectified.
  54. SC-13: Good Response
      The <CSP> system is protected by various cryptographic modules that are embedded into network devices that are part of the <CSP> network infrastructure. Since the <CSP> system resides on the <CSP> infrastructure, the <CSP> system indirectly makes use of these cryptographic modules. The <CSP> network devices that use cryptography are:
      • F5 load balancers
      • Cisco PIX firewalls
      • Cisco VPN concentrator
      The F5 load balancers use the Nitrox II security processor made by Cavium Networks. The Nitrox II security processor is embedded in the F5 box and comes bundled as part of the F5 product. The FIPS 140-2 validation certificates are in the name of Cavium Networks and are shown below:
  55. SC-13: Good Response (continued)
      Cisco PIX firewalls are installed on the WAI network perimeter and protect the <CSP> system by providing separation between the Web, application, and database layers. A FIPS 140-2 validation certificate for the PIX firewalls is shown below:
      (1) All encryption within the <CSP> system is implemented using AES-256, which is FIPS 140-2 compliant. All certificates are issued by the Agency Certificate Authority and reviewed by the ISSO on an annual basis.
  56. 56. IR-4: Incident HandlingThe organization:a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinates incident handling activities with contingency planning activities; andc. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.Enhancement 1: The organization employs automated mechanisms to support the incident handling process.Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system. 56
57. IR-4: Poor Response
The organization:
a. System Y incident response handling is based on the System Y Incident Response Plan developed for reporting incidents. System security engineers facilitate access to the system’s infrastructure logs and devices and agency security incident investigators in the event of an incident. The system’s Incident Response Plan is adjusted annually based on operational experience and includes incident detection, team invocation, analysis, containment, forensic capture, eradication, and recovery phases.
b. The Incident Response Plan was created in tandem with the system Contingency Plan. Both documents can be found appended to this SSP.
c. System documentation is currently not updated, due to personnel restrictions.
(1) The ABC tool monitors System Y and detects any anomalous activities. The Help Desk monitors the system 24/7 to immediately respond to any suspected incidents. The ABC tool is administered by the System Administrator.
58. IR-4: Good Response
More detailed procedures may be found in the Incident Response Plan attached to this document. All members of the Incident Response Team maintain clearances commensurate with the sensitivity and criticality level of information they are permitted to handle. Records of these cleared individuals are maintained by the Security Office.
a. System Y incident response handling is based on the System Y Incident Response Plan developed for reporting incidents. System security engineers facilitate access to the system’s infrastructure logs and devices and agency security incident investigators in the event of an incident. The system’s Incident Response Plan is adjusted annually based on operational experience and includes incident detection, team invocation, analysis, containment, forensic capture, eradication, and recovery phases. The system ISSO is responsible for incident response plan maintenance.
59. IR-4: Good Response (continued)
b. Incident handling activities are coordinated with contingency planning activities. Both plans are developed, tested, and updated in tandem every year. The ISSO, in conjunction with <CSP> incident response and contingency planning teams, coordinates specific activities for the information system.
c. Incident response activities, policies, and procedures are revised annually by the Incident Response Team to incorporate lessons learned, testing and training results, and system alterations. As new procedures are developed or existing plan procedures edited, the incident response team lead updates the incident response plan and distributes it to team members, and upcoming training is tailored to include exercises designed to test the updated or new material. Incident response support documentation is stored on the <CSP> internal SharePoint site and is available for review upon request.
60. IR-4: Good Response (continued)
(1) The ABC tool monitors System Y and detects any anomalous activities. The Help Desk monitors the system 24/7 to immediately respond to any suspected incidents. The ABC tool is administered by the System Administrator.
61. CA-7: Continuous Monitoring
The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for the information system and its constituent components;
b. A determination of the security impact of changes to the information system and environment of operation;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
d. Reporting the security state of the information system to appropriate organizational officials [FedRAMP Parameter: monthly].
62. CA-7: Poor Response
Security controls protecting the ABC system are reviewed and monitored on an ongoing basis. These activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting on a weekly basis. Selection criteria have been established for control monitoring and subsequently, a subset of the security controls employed within ABC have been selected for the purpose of continuous monitoring.
63. CA-7: Good Response
Under the guidance of the CISO, <CSP> has developed a Continuous Monitoring Program that applies to System W. A copy of <CSP>’s Continuous Monitoring Strategy may be requested from the <CSP> CISO.
a. More information about the configuration management process for System W may be found in the CM-3 control response, found in section 7.5.2 of this document.
b. Any change requests dealing with System W must be approved by the Change Control Board, with a recommendation by the system ISSO, prior to implementation.
c. A specific subset of controls, determined by the ISSO at the end of the previous fiscal year, is assessed each year by the technical team. By the end of the three-year ATO cycle, each control has been assessed at least once.
d. The status of relevant POA&Ms is reported by the ISSO to the System Owner on a monthly basis, and the ISSO provides the System Owner with a verbal daily system summary report as well as a written weekly report. If necessary, the System Owner chooses to escalate any report to his or her manager.
64. CM-6: Configuration Settings
The organization:
a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [FedRAMP Parameter: USGCB or CIS Level 1 or personal configuration settings if USGCB unavailable] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Enhancement 1: The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
Enhancement 3: The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
65. CM-6: Poor Response
Security settings of information technology products used with the XX system are set to the most restrictive mode consistent with information system operational requirements. From NIST Special Publication 800-70, guidance was received on necessary configuration settings for information technology products.
66. CM-6: Good Response
A. All servers, databases, and workstations are configured according to the Center for Internet Security (Level 1) guidelines. <CSP> maintains an internal repository of standard configuration settings for all products deployed. These baselines include required minimum settings as well as recommended settings.
B. Configuration settings are implemented and verified/updated weekly by the System Administrator.
C. No system component is exempt from mandatory minimum settings established in <CSP> baselines. Specific exemptions to recommended settings may be submitted through the configuration exceptions process documented in <CSP>’s configuration management SOP. Exceptions are tracked and approved using <CSP>’s proprietary configuration tracking tool.
D. Team X monitors and controls changes to configuration settings by using the ZZZ monitoring system. Any and all changes must go through the official change request process.
More information may be found in the Configuration Management Standard Operating Procedures (SOP) appended to this document.
(1) In addition to controlling changes, the ZZZ monitoring system is enabled to detect unauthorized system changes.
(3) Upon detection of an unauthorized change or setting, a notice is automatically sent to the Organization Y SOC to report and track the incident.
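The structure of the good CM-6 response above (a mandatory minimum with no exemptions, recommended settings with approved exceptions, and unauthorized changes routed to the SOC) can be expressed as a small baseline check. This is an added example, not code from the deck, from FedRAMP, or from any CSP's "ZZZ" tool; the setting names, baseline values, exception ticket id and sample host state are all constructed placeholders rather than CIS benchmark content.

```python
# Baseline in the shape CM-6(a) asks for: a mandatory minimum tier (CM-6(c) in the
# good response: no component is exempt) and a recommended tier, where a deviation
# is acceptable only with an exception approved through the CM exceptions process.
# All names and values are constructed for illustration.
BASELINE = {
    "mandatory": {"ssh_permit_root_login": "no", "password_min_length": 14},
    "recommended": {"ssh_idle_timeout_sec": 900, "audit_log_retention_days": 90},
}

# Approved exceptions keyed by (host, setting) -> tracking id (constructed).
APPROVED_EXCEPTIONS = {("app01", "ssh_idle_timeout_sec"): "CHG-0042"}


def check_host(host, observed, baseline=BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Compare one host's observed settings against the baseline (CM-6(1) verify step).

    Each finding is either an approved exception (recommended tier, ticket on file)
    or an unauthorized change (any mandatory deviation, or a recommended deviation
    with no approved exception), which CM-6(3) hands to incident response.
    """
    findings = []
    for tier, settings in baseline.items():
        for name, expected in settings.items():
            actual = observed.get(name)  # None means the setting is absent
            if actual == expected:
                continue
            ticket = exceptions.get((host, name))
            status = "approved-exception" if tier == "recommended" and ticket else "unauthorized-change"
            findings.append({"host": host, "setting": name, "tier": tier,
                             "expected": expected, "actual": actual,
                             "status": status, "ticket": ticket})
    return findings


def soc_notices(findings):
    """CM-6(3): one notice line per unauthorized change for the SOC to track."""
    return [f"[{f['host']}] {f['setting']}: expected {f['expected']!r}, found {f['actual']!r} ({f['tier']})"
            for f in findings if f["status"] == "unauthorized-change"]


# Constructed sample: root login re-enabled (mandatory, never exemptable) and an
# idle timeout relaxed under the approved exception CHG-0042.
SAMPLE_OBSERVED = {"app01": {"ssh_permit_root_login": "yes", "password_min_length": 14,
                             "ssh_idle_timeout_sec": 1800, "audit_log_retention_days": 90}}

if __name__ == "__main__":
    for host, observed in SAMPLE_OBSERVED.items():
        for line in soc_notices(check_host(host, observed)):
            print(line)
```

A mandatory deviation is reported even when a ticket exists for it, which mirrors the response's statement that no component is exempt from the mandatory minimum.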
67. POA&Ms
• All information security weaknesses which you intend to resolve must be documented in a Plan of Action and Milestones (POA&M) and referenced in the appropriate sections. The POA&M indicates that:
  • The CSP is aware of the associated risk
  • The CSP has a plan for mitigating it
  • The CSP is managing the weakness to closure
• Security controls identified as “planned”:
  • As part of the minimum security baseline, require a POA&M
  • Enhancements above the baseline do not require a POA&M
• Security weaknesses which you do not intend to resolve reflect accepted risk.
  • The CSP is only making a recommendation of accepted risk; the Joint Authorization Board (JAB) will determine if the level of risk is acceptable for issuing a Provisional Authorization.
68. Compensating Controls
• When a security control cannot be achieved as written, a compensating control may be sufficient for achieving the intent of the requirement.
• A compensating control may include additional management, technical, or operational controls. For example:
  • Additional manual inspections may assist when a technical solution would be prohibitively expensive or not practical.
  • Additional technical monitoring may be an option if existing standard operating procedures are not being implemented properly.
• Apply professional judgment. You must understand the security control in the context of your solution. Remember to address the intent of the control if you cannot meet the specifics of the control.
69. System Changes
• CA-6(c): define “Significant Change”
• List the types of changes which will require notification versus updated documentation and/or reauthorization. Change examples:
  • Points of Contact
  • Risk posture
  • Boundary
• Managed change is fine. Unmanaged change is not.
70. SSP Documents
Deliverable: Description
System Security Plan (template available): This document describes how the controls are implemented within the cloud information system and its environment of operation. The SSP is also used to describe the system boundaries.
Information Security Policies: This document describes the CSP’s Information Security Policy that governs the system described in the SSP.
User Guide: This document describes how leveraging agencies use the system.
Rules of Behavior (sample available): This document is used to define the rules that describe the system users’ responsibilities and expected behavior with regard to information and information system usage and access.
IT Contingency Plan (template available): This document is used to define and test interim measures to recover information system services after a disruption. The ability to prove that system data can be routinely backed up and restored within agency-specified parameters is necessary to limit the effects of any disaster and the subsequent recovery efforts.
Configuration Management Plan (template available): This plan describes how changes to the system are managed and tracked. The Configuration Management Plan should be consistent with NIST SP 800-128.
Source: FedRAMP Concept of Operations (CONOPS), Table 6-2.
71. SSP Documents (continued)
Deliverable: Description
Incident Response Plan: This plan documents how incidents are detected, reported, and escalated and should include timeframes, points of contact, and how incidents are handled and remediated. The Incident Response Plan should be consistent with NIST Special Publication 800-61.
E-Authentication Workbook (template available): This template will be used to indicate if E-Authentication will be used in the cloud system and defines the required authentication level (1-4) in terms of the consequences of authentication errors and misuse of credentials. Authentication technology is selected based on the required assurance level.
Privacy Threshold Analysis (template available): This questionnaire is used to help determine if a Privacy Impact Assessment is required.
Privacy Impact Assessment (template available): This document assesses what Personally Identifiable Information (PII) is captured and if it is being properly safeguarded. This deliverable is not always necessary.
Source: FedRAMP Concept of Operations (CONOPS), Table 6-2.
72. Tips
Avoid easy mistakes:
• Incorrect document references
• Non-applicable controls described as though implemented
• Restating the control as the control implementation language
• Lazily copied-and-pasted text
• Misaligned expiration dates
• Muddled POA&M numbering
• Ensure all 4 questions are answered in a way that makes clear to the reader which question you are answering.
Follow the structure of the control statement to ensure a complete response:
• A NIST base control typically enumerates several specific requirements, as well as one or more enhancements
• Individually address each requirement and enhancement in the implementation response
73. Common Mistakes
• Maintenance (MA-2, MA-4):
  – Onsite
  – Offsite
  – Non-Local
• Flaw Remediation (SI-2):
  – Application/Database Level
  – Operating System Level
  – Network Infrastructure Level
74. Common Mistakes
• Information Flow (AC-4, SC-7):
  – Internal Boundary vs. Perimeter
  – Mechanisms (VLAN, DMZ, RBAC)
• Encryption (SC-8, SC-9, SC-13, SC-28):
  – FIPS 140-2 / 197 Compliance
  – At-Rest vs. In-Motion
  – Transmission Confidentiality vs. Transmission Integrity
• Remote Access (AC-17):
  – Remote vs. Local
  – Virtual Private Network (VPN) Tunneling
75. For more information, please contact us or visit us at any of the following websites:
http://FedRAMP.gov
http://gsa.gov/FedRAMP
@FederalCloud