Achieving FISMA Compliance with Acquia Cloud
1. Presenter
   Michael Lemire, Director of Information Security, michael.lemire@acquia.com
2. Agenda
   • Drupal in the Federal government
   • Current Federal compliance landscape
   • Overview of the FISMA compliance process
   • Achieving compliance in Acquia Managed Cloud
   • The Shared Responsibility Model
   • Designing Drupal for compliance
   • Acquia Managed Cloud System Security Plan
   • Risk Assessment
   • Follow up
3. Drupal in the Federal Government
   Governments are expanding use of Drupal
   • Drupal is open source
   • Cost effective vs proprietary licensed software
   • Proven secure – used by hundreds of thousands of sites
   • Drupal facilitates shared development between agencies
   • Intranet and Internet sites
   • www.whitehouse.gov
   • www.house.gov
   • www.ready.gov (FEMA)
   • www.investor.gov (SEC)
   • www.teach.gov
   • www.ed.gov
   • www.energy.gov
   • www.neh.gov
4. Current US Government Compliance Landscape
   FISMA, DIACAP and FedRAMP are standardized approaches to security assessment, authorization, and continuous monitoring for information systems utilized by the Federal government.
   • FISMA – Federal Information Security Management Act of 2002. Applicable to non-DoD agencies.
   • DIACAP – Department of Defense Information Assurance Certification and Accreditation Process. Applicable to DoD related agencies.
   With both FISMA and DIACAP each information system must be documented, reviewed by an independent third party assessor and authorized by authorizing officials. This can be time consuming and expensive.
   • FedRAMP – The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
5. Federal Compliance - High Level Process (FISMA, DIACAP and FedRAMP)
   1. Categorize the system – FIPS 199 (Confidentiality, Integrity, Availability)
   2. Select the controls – NIST 800-53
   3. Implement the controls and document them
      - System Security Plan
      - Privacy Impact Assessment
   4. Assess – contract with a Third Party Assessor
      - 3PAO reviews the SSP and creates the STE & POA&M
   5. Authorize – this package of documents is submitted to the Authorizing Official, who reviews, comments and asks for revisions
      - grants IATC and/or ATO
   6. Monitor – continuous update to the SSP, continuous mitigation of items identified in the STE and POA&M
6. Coming Soon - FedRAMP
   FedRAMP - Federal Risk and Authorization Management Program
   • Establishes an authorize once, use many times framework for cloud computing products and services. FedRAMP is meant to supersede FISMA and DIACAP for cloud products.
   • FedRAMP was established on Dec 8, 2011 via a memorandum produced by the Federal Chief Information Officer and is due to achieve Initial Operating Capacity in 2012.
   • Based on the same NIST publications as FISMA with added controls pertinent to the cloud
   • Acquia Managed Cloud Controls and Documentation are future proof as they include all the FedRAMP controls
7. Step 1: Categorize the system – FIPS 199
   Establish the high water mark - Low, Moderate or High
   http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
8. Step 2: Select the controls
   NIST 800-53 Revision 3
   • Annex 1 – low high water mark
   • Annex 2 – moderate high water mark
   • Annex 3 – high high water mark
   Note: 800-53 rev 4 *coming soon*
9. Step 3: Implement and document the controls
   The System Security Plan (SSP)
   - a narrative description of the system
   - defines the accreditation boundary – what it is that is being authorized
   - describes the system and the environment where it resides, and the controls, divided into control families:
     Risk Assessment (RA), Planning (PL), System and Service Acquisition (SA), Access Control (AC), Certification and Authorization (CA), Audit and Accountability (AU), Personnel Security (PS), System and Communication Protection (SC), Physical and Environmental Security (PE), Continuity Planning (CP), Configuration Management (CM), Maintenance (MA), System and Information Integrity (SI), Media Protection (MP), Incident Response (IR), Awareness and Training (AT), Identification and Authentication (IA)
10. Step 4: Assess the controls (audit)
   The assessment is a validation by an independent auditor that you do what you say you do. Guided by NIST 800-53a.
   The third party assessor (3PAO) is tasked with reviewing the SSP and validating whether those controls are in place. *May or may not be required, check with your AO*
   The 3PAO creates the Security Test & Evaluation Plan (ST&E) and the System Assessment Report (SAR), which documents the evidencing activities and results.
   - documents what is non-compliant
   Plan of Action & Milestones (POA&M) – lists controls which are not in place and the plan to implement those controls
11. Step 5: Authorize the system
   Finally the FISMA C&A package is submitted to the Authorizing Official. The package contains:
   • The SSP
   • Relevant policies and procedures
   • The FIPS 199 categorization
   • The SAR and ST&E
   • The POA&M
   The Authorizing Official, once satisfied with the controls, issues an Authority to Operate (ATO).
12. Step 6: Monitor and update
   • Update the SSP as things change
   • Resolve issues and follow the plan per the POA&M
   • Continuous monitoring of risks
   • Re-authorize the system every 3 years
13. Achieving FISMA Compliance in Acquia Cloud
   Acquia Managed Cloud is a Shared Responsibility Model: PaaS (AMC) built on IaaS (Amazon AWS).
   Three primary layers in the shared responsibility model:
   • Application Layer (Drupal)
   • OS Stack Layer (Linux, Windows, Database, etc)
   • Infrastructure Layer (Datacenter, network)
   *Each entity must document the controls for which it is responsible.*
14. Achieving FISMA Compliance in Acquia Cloud
   Acquia Cloud customers inherit the controls from Acquia Managed Cloud and Amazon AWS.
15. Designing Drupal for FISMA Compliance
   Drupal layer: relevant controls for a FISMA Moderate system which require customization of Drupal
   Access Control controls
   • AC-7
     • Automatically lock user accounts after 3 consecutive failed login attempts within a 24 hour period
     • Provide the ability for the help desk to unlock accounts
     • Automatically lock user accounts after 5 consecutive failed login attempts
   • AC-8 Provide the ability to add a warning banner on the login page if applicable
   • AC-9 Login notice – show the date and time of the last login and the number of unsuccessful login attempts since the last login
   • AC-10 Limit the number of concurrent sessions
   • AC-11 Session inactivity – automatically log the user out after 20 minutes of inactivity
   Information Assurance controls
   • IA-4 Disable accounts after 90 days of inactivity (FISMA low) or 45 days (FISMA moderate/high)
   • IA-5
     • Password complexity requirements: min 8 characters, require upper/lower case, numbers and special characters
     • Prevent re-use of the previous 6 passwords
   System Integrity controls
   • SI-3 Scan files before storing them in the system
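The AC-7 lockout and IA-5 password-policy requirements listed above, written out as an added reference example in Python; this is not code from Drupal, the contributed modules or Acquia. The thresholds (3 failures in 24 hours, 8 characters, 6-password history) are the slide's values; the SHA-256 history digest and Unix-second timestamps are assumptions made for the example.

```python
import hashlib
import re

# IA-5 (FISMA moderate): min 8 characters, upper and lower case, a digit, a
# special character, and no re-use of the previous 6 passwords.
MIN_LENGTH = 8
PASSWORD_HISTORY = 6

def password_digest(password):
    # Constructed for the example: a real site would compare against the salted
    # hashes its user store already keeps, never a bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def password_meets_policy(password, previous_digests):
    """Return the list of IA-5 violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for pattern, what in ((r"[A-Z]", "upper-case letter"), (r"[a-z]", "lower-case letter"),
                          (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "special character")):
        if not re.search(pattern, password):
            problems.append("no " + what)
    if password_digest(password) in previous_digests[-PASSWORD_HISTORY:]:
        problems.append("re-uses one of the previous %d passwords" % PASSWORD_HISTORY)
    return problems

# AC-7: lock the account after 3 consecutive failed logins within 24 hours,
# with a help-desk unlock. Timestamps are Unix seconds.
LOCKOUT_THRESHOLD = 3
LOCKOUT_WINDOW = 24 * 3600

class LoginTracker:
    def __init__(self):
        self.failures = {}   # username -> timestamps of the current run of failures
        self.locked = set()

    def record_failure(self, user, now):
        """Record a failed login; return True if the account is now locked."""
        recent = [t for t in self.failures.get(user, []) if now - t < LOCKOUT_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return user in self.locked

    def record_success(self, user):
        self.failures.pop(user, None)   # a success ends the run of consecutive failures

    def unlock(self, user):   # help-desk unlock, also required by AC-7
        self.locked.discard(user)
        self.failures.pop(user, None)
```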
16. Designing Drupal for FISMA Compliance
   How to achieve these controls? Option 1: Drupal 7 + contributed modules
   • Password Policy – http://drupal.org/project/password_policy
     • Specify password complexity requirements
   • Session expire – http://drupal.org/project/session_expire
     • Expire sessions after X amount of time
   • Antivirus – http://drupal.org/project/antivirus and ClamAV – http://drupal.org/project/clamav
     • Scan files for malware as they are uploaded
17. Designing Drupal for FISMA Compliance
   How to achieve these controls? Option 2: Use the OpenPublic Drupal Distribution
   • OpenPublic is an open-source content management system (CMS) built with Drupal and tailored to the needs of government.
   • Acquia has worked with Phase2 Technologies to ensure the Phase2 distribution has the controls necessitated by FISMA (moderate).
   http://openpublicapp.com/
18. Putting it together – Control Mapping
   Acquia's control mapping shows what controls agency customers inherit and what they are responsible for.
   • Customer configured – Acquia or Drupal provides the means to accomplish the control; customer configuration is required.
   • Customer provided – Agency policies and procedures
19. Acquia Managed Cloud SSP
   Example SSP control description:
   Control: (from 800-53)
   Control Type: Agency/Common/Hybrid
   Control Status: Implemented/Planned/Not Applicable
   Application Layer:
     Responsibility: Customer (Agency)
     Implementation Detail: Describe how the control is the responsibility of the agency.
   LAMP Stack Layer:
     Responsibility: Acquia
     Implementation Detail: Describe how the control is implemented
   Infrastructure:
     Responsibility: Amazon
     Implementation Detail: Refer to the hosting provider's SSP
   Acquia documents its control responsibilities in its SSP. Amazon documents its control responsibilities in its SSP.
20. Risk Assessment
   FISMA compliance also requires security vulnerability scans to be run and the reports included with the C&A package as part of the Risk Assessment. Agencies may use their own tools or Acquia can do these on your behalf. Acquia utilizes Qualys, a leading vulnerability assessment platform. Scans are conducted from the Qualys SaaS platform via the internet.
21. Follow up with Acquia
   Acquia has a dedicated Federal Sales team. Contact Sean Burns, sean.burns@acquia.com
   Acquia can provide agencies the existing FISMA System Security Plans (Acquia and Amazon). Both require a signed NDA with the respective organizations.