Federal Risk and Authorization Management Program (FedRAMP)
Description of FedRAMP program
    Federal Risk and Authorization Management Program (FedRAMP): Presentation Transcript

    • Slide 1: Federal Risk and Authorization Management Program: An Interagency Program
      Pete Tseronis, Cloud Computing Advisory Council, Chair
      Katie Lewin, GSA Cloud Computing PMO, Director
      Kurt Garbars, GSA Senior Agency Information Security Officer
      Peter Mell, NIST FedRAMP Technical Advisor; Cloud Computing Advisory Council, Vice Chair
    • Slide 2: NIST's Role in FedRAMP
      •  FedRAMP is a multiagency initiative
         –  Conducted under the Federal CIO, the Cloud Computing Advisory Council's security working group, and the Federal Cloud Initiative
      •  NIST provides technical advice
      •  NIST led the definition of the FedRAMP process:
         –  Risk management processes
         –  Foundational guidance
         –  Technical frameworks
    • Slide 3: The Problem Statement
      Problem: How do we best perform security authorization for large outsourced and multi-agency systems?
      •  Government is increasing its use of large shared and outsourced systems
         –  Technical drivers: the move to cloud computing, virtualization, service orientation, and web 2.0
         –  Cost savings: through datacenter and application consolidation
      •  Independent agency risk management of shared systems can create inefficiencies
    • Slide 4: The Problem: Independent Agency Risk Management of Shared Systems
      (Diagram: many Federal Agencies each independently authorizing many Outsourced Systems)
      –  Duplicative risk management efforts
      –  Incompatible requirements
      –  Acquisition slowed by lengthy compliance processes
      –  Potential for inconsistent application of Federal security requirements
    • Slide 5: The Solution Concept: FedRAMP
      •  A government-wide initiative to provide joint authorization services
         –  Unified government-wide risk management
         –  Agencies would leverage FedRAMP authorizations (when applicable)
      •  Agencies retain their responsibility and authority to ensure use of systems that meet their security needs
      •  FedRAMP would provide an optional service to agencies
    • Slide 6: The Solution: Government-wide Risk Management of Shared Systems
      (Diagram: Federal Agencies -> FedRAMP (Risk Management, Authorization, Federal Security Requirements) -> Outsourced Systems)
      –  Risk management cost savings and increased effectiveness
      –  Interagency vetted approach
      –  Rapid acquisition through consolidated risk management
      –  Consistent application of Federal security requirements
      FedRAMP: Federal Risk and Authorization Management Program
    • Slide 7: Agency Perspective
      Independent Agency Effort:
         –  Security Control Selection
         –  Security Implementation
         –  Security Assessment
         –  Authorization
         –  Plan of Action and Milestones
         –  Monitoring
         Result: slower acquisition; significant effort
      Leveraged Authorization:
         –  Review security details
         –  Leverage the existing authorization
         –  Secure agency usage of system
         –  Assurance strengthened through focused effort
         Result: enables rapid acquisition; reduced effort
    • Slide 8: Agency Responsibilities
      •  Review FedRAMP authorization packages prior to making a decision to accept the risk
         –  Determine suitability to the agency's mission/risk posture
         –  Determine if additional security work is needed
      •  Perform agency-specific security activities
         –  FedRAMP will publish a list of security controls that are the responsibility of the agency (can't be done government-wide)
         –  Need for agency system security plans
    • Slide 9: Vendor Perspective
      (Diagram: Vendors -> FedRAMP -> Acquiring Agencies; coverage of the Federal market)
      •  Products publicly listed as FedRAMP authorized
    • Slide 10: Overview of FedRAMP Government-Wide Risk Management Process
      Risk Management Framework Steps 1-4
         Government (executed once per system):
            –  Activity 1: Categorize Information and Information System
            –  Activity 2: Create Security Specifications (including security control selection)
         Cloud Provider / Independent 3rd party (executed once per type):
            –  Activity 3: Implement Security Controls
            –  Activity 4: Assess Security Controls
            –  Activity 5: Create Authorization Package
      Risk Management Framework Step 5
         Government (executed once per system):
            –  Activity 6: Authorize System
         Agencies (executed once per agency):
            –  Activity 7: Agency Review and Acceptance of Authorization
      Risk Management Framework Step 6
         Provider (executed continuously per system):
            –  Activity 8: Perform Continuous Monitoring
         Government (executed continuously per system):
            –  Activity 9: Monitor and Accept Ongoing Level of Risk
      See the Risk Management Framework (NIST 800-37 revision 1) for step details.
    • Slide 11: Expected FedRAMP Benefits: Security and Privacy Perspective
      •  increases security through focused risk management
      •  reduces duplication of effort
      •  ensures security oversight of outsourced systems
      •  provides independent accountability for government-developed systems used by multiple agencies
      •  ensures integration with government-wide security efforts
    • Slide 12: Expected FedRAMP Benefits: CIO Perspective
      •  reduces costs by eliminating duplication of effort
      •  enables rapid acquisition by leveraging pre-authorized solutions
      •  provides transparency through agency-vetted security requirements and authorization packages
      •  ameliorates technical hurdles with multi-agency assessment and authorization of shared systems
    • Slide 13: Questions?
      Presenter Name: Peter Mell, NIST FedRAMP Technical Representative; Cloud Computing Advisory Council, Vice Chair
    • Slide 14: The NIST Cloud Definition
      •  Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
      •  The full extended definition is available at: http://csrc.nist.gov/groups/SNS/cloud-computing
    • Slide 15: The NIST Cloud Definition Framework
      Deployment Models: Hybrid Clouds
      Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
      Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
      Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security