SlideShare a Scribd company logo

Completing fedramp-security-authorization-process

Download as PPTX, PDF
Tuan Phan
Tuan Phan
Technology
1 of 21
Federal Risk and Authorization Management Program (FedRAMP) FedRAMP Security Testing and Completing the Package January 8, 2013
Today’s Webinar FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This webinar will cover the completion of the FedRAMP process from prepping for testing, completing testing, and documenting the results to submitting a complete package to the FedRAMP secure repository. 2
PAST EVENTS – Check Out Webinars 1 - 3 3
Overview: Perform Security Testing 1.0 Security Assessment 1.1 Initiate Request 1.3.1 Develop Testing Plan 2.0 Leverage ATO 1.2 Document Security Controls 3.0 Ongoing A&A 1.3 Perform Security Testing Audit Control 1.3.2 Implementations 1.4 Finalize Security Assessment 1.3.3 Perform Vulnerability / Penetration Testing Test SSP – Begin work with 3PAO • Assess against the SSP with NIST SP Develop Plan of Action 1.3.4 800-53a test cases & Milestones (POAM) • 3PAO audits assessment and results • 3PAO generates security assessment report 4
Overview: Finalize Security Assessment 1.1 Initiate Request Compile all Updated 1.0 Security Assessment 1.4.1 and Final 1.2 Document Security Controls Documentation 2.0 Leverage ATO 1.3 Perform Security Testing Answer Questions Risk 3.0 Ongoing A&A 1.4.2 Assessment** 1.4 Finalize Security Assessment Accept Findings & Make 1.4.3 Updates to POA&M** Compile Completed Authorization Package Accept Provisional • Review all documentation 1.4.4 Authorization**/ Upload to Secure Repository • Review risk posture of CSP system • Grant / deny Provisional Authorization** • Upload to the Secure Repository ** Steps only apply to packages submitted for JAB Provisional Authorization 5
Authorization Level and Testing Category Description Authorization 1 CSP Supplied, not yet reviewed Candidate for Authorization 2 Reviewed by agency Agency ATO 3 Reviewed by FedRAMP ISSO & JAB FedRAMP PA & Agency ATO 6
Overview of Independent Assessors • Develops Security Assessment Plan (SAP) • Performs Initial and Periodic Assessments of CSP Security Controls • Conducts Security Testing – Use Test Case Workbooks – Manual Tests – Automated Tests • Develops Security Assessment Report (SAR) • Assessor must be independent – Cannot test and help CSP prepare documents – Cannot test and assist CSP in implementing controls
FedRAMP Third Party Assessment Organization (3PAO) Conformity Assessment Process FedRAMP requires CSPs to use Third Party Assessment Organizations (3PAOs) to independently validate and verify that they meet FedRAMP security requirements. FedRAMP worked with NIST to develop a conformity assessment process to qualify 3PAOs. This conformity assessment process will qualify 3PAOs according to two requirements: (1) Independence and quality management in accordance with ISO standards; and (2) Technical competence through FISMA knowledge testing. Creates consistency in performing security assessments among 3PAOs in Benefits of accordance with FISMA and NIST standards leveraging a formal • Ensures 3PAO independence from Cloud Service Providers in accordance with 3PAO approval international standards • Establishes an approved list of 3PAOs for process: CSPs and agencies to choose from to satisfy FedRAMP requirements.
Accredited Third Party Assessment Organizations 9
Relationship of 3PAOs and CSPs • CSPs must manage their own relationship with 3PAOs • FedRAMP does not make introductions • CSPs may interview multiple 3PAOs – Information on past performance – The number of FTEs required – Ensure the 3PAO has the right scanner licenses – Ask for a estimate for the time required to complete the assessment – Find out what services are included in the pricing • CSPs applying for Provisional ATO must: – Formally notify FedRAMP of their 3PAO selection – Receive permission before starting to test
Developing the SAP • 3PAO develops the SAP • Defines scope of assessment - Hardware - Software - Databases - Applications - Facilities • Testing Schedule • Rules of Engagement (ROE) - Components included and excluded in assessment - Rules for transmission of results - ROE signed by CSP and 3PAO
Getting Ready for Testing – What to Expect • Prep to make sure testing goes smoothly • Provide three testing contacts to 3PAO – At least one contact available 24x7 • Set up a meeting to discuss testing schedule • Obtain list of originating IP addresses for scans • Prepare list of facilities with addresses and directions • Have legal counsel review Rules of Engagement 12
Developing the SAR • 3PAO develops the SAR • Documents Findings • Analysis of Test Results • Highlights ways for CSPs to Mitigate Security Weaknesses • Primary Document for Making Risk Based Decisions
Developing the POA&M • SAR findings map to POA&M items IDs the POA&M • CSP develops • Detailed the POA&M • False positives are not identified in Schedule of Actions to Address and Fix Vulnerabilities • CSPs applying for Provisional ATO: Template Contains Excel • POA&M – Remediate high severity findings before Provisional ATO is granted Spreadsheet for Tracking POA&M – Remediate moderate findings within 90 days Items
Preparing Package for Submission • A complete security authorization package includes deliverables in section 10 of the FedRAMP CONOPS • Mandatory Templates: • System Security Plan • Security Assessment Plan • Security Assessment Report • Other Templates located on fedramp.gov: • Control Tailoring Workbook • Control Implementation Summary • IT Contingency Plan • Plan Of Action & Milestones • Supplier’s Declaration of Conformity 15
Preparing Package for Submission (Continued) • Review and update documents • FedRAMP will provide instructions on uploading documents to the secure repository (Max.gov) • Add sensitivity markings to package documents – Change to match company designation – Place markings in other sections as needed
Declaration of Conformity • CSP attests and verifies that the system conforms to FedRAMP requirements. • Certifies that all controls are working properly • Both JAB and leveraging agencies use the Self-Attestation Declaration of Conformity when considering issuing an ATO 17
How does an agency use a package in the repository? • •Complete and Submit a FedRAMP Agencies must implement customer Agency Authority to Operate (ATO) Leveraging Agencies Package Access Request Form an responsibility controls and grant search the repository • Supervisor Must information Agency ATO for the Sign Off on and find: Form system residing on the cloud service • FedRAMP will Provide Notification of Provider Acceptance or Rejection of Request • Must Demonstrate a Need to View Date Listed the Package Category Agency ATO (if applicable) • Agency can Request Access to Any Package • Vendors Limited to Area for Storing Their Documentation 18
Webinar Summary • Use a 3PAO to develop the test plan (SAP), perform testing, and document results (SAR) • FedRAMP requires the use of 3PAOs to provide an independent assessment of the system • CSP leverages SAR to develop POA&M • CSP updates documents then submits to secure repository • CSPs must implement a continuous monitoring program and keep package current 19
Question and Answer Session For more information, please contact us or visit us at any of the following websites: http://FedRAMP.gov http://gsa.gov/FedRAMP Email: info@fedramp.gov @ FederalCloud
For more information, please contact us or visit us at any of the following websites: http://FedRAMP.gov http://gsa.gov/FedRAMP Email: info@fedramp.gov @ FederalCloud

Recommended

TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
Tuan Phan
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
Valdez Ladd MBA, CISSP, CISA,
 
FedRAMP CSP SSP Training
FedRAMP CSP SSP TrainingFedRAMP CSP SSP Training
FedRAMP CSP SSP Training
1ECG
 
Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for csp
Tuan Phan
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Schellman & Company
 
FedRAMP 3PAO Training
FedRAMP 3PAO Training FedRAMP 3PAO Training
FedRAMP 3PAO Training
1ECG
 
Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)
GovCloud Network
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMP
Ray Potter
 

Recommended

TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
Tuan Phan
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
Valdez Ladd MBA, CISSP, CISA,
 
FedRAMP CSP SSP Training
FedRAMP CSP SSP TrainingFedRAMP CSP SSP Training
FedRAMP CSP SSP Training
1ECG
 
Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for csp
Tuan Phan
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Schellman & Company
 
FedRAMP 3PAO Training
FedRAMP 3PAO Training FedRAMP 3PAO Training
FedRAMP 3PAO Training
1ECG
 
Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)
GovCloud Network
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMP
Ray Potter
 
Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP Drupal
Mike Lemire
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
Tuan Phan
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
Tuan Phan
 
stackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutionsstackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutions
Gaurav "GP" Pal
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
James W. De Rienzo
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) Template
GovCloud Network
 
It Audit Expectations High Detail
It Audit Expectations High DetailIt Audit Expectations High Detail
It Audit Expectations High Detail
ecarrow
 
Network Security & Assured Networks: TechNet Augusta 2015
Network Security & Assured Networks: TechNet Augusta 2015Network Security & Assured Networks: TechNet Augusta 2015
Network Security & Assured Networks: TechNet Augusta 2015
AFCEA International
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
EnergySec
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
edwardstudyemai
 
What is a Firewall Risk Assessment?
What is a Firewall Risk Assessment?What is a Firewall Risk Assessment?
What is a Firewall Risk Assessment?
VISTA InfoSec
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructure
pramod_kmr73
 
Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010
prevalentnetworks
 
Gallagher Systems Catalogue
Gallagher Systems CatalogueGallagher Systems Catalogue
Gallagher Systems Catalogue
Claudiu Sandor
 
Software Vulnerabilities Risk Remediation
Software Vulnerabilities Risk RemediationSoftware Vulnerabilities Risk Remediation
Software Vulnerabilities Risk Remediation
Bruce Hafner
 
HITRUST CSF in the Cloud
HITRUST CSF in the CloudHITRUST CSF in the Cloud
HITRUST CSF in the Cloud
OnRamp
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition Plan
Bill Ross
 
Does DevSecOps really exist?
Does DevSecOps really exist?Does DevSecOps really exist?
Does DevSecOps really exist?
continohq
 
Audit Sample Report
Audit Sample ReportAudit Sample Report
Audit Sample Report
Randy James
 
NIST 800-37 Certification & Accreditation Process
NIST 800-37 Certification & Accreditation ProcessNIST 800-37 Certification & Accreditation Process
NIST 800-37 Certification & Accreditation Process
timmcguinness
 
Chapter 4 - Quality Characteristics for Technical Testing
Chapter 4 - Quality Characteristics for Technical TestingChapter 4 - Quality Characteristics for Technical Testing
Chapter 4 - Quality Characteristics for Technical Testing
Neeraj Kumar Singh
 

More Related Content

What's hot

Software Vulnerabilities Risk Remediation
Software Vulnerabilities Risk RemediationSoftware Vulnerabilities Risk Remediation
Software Vulnerabilities Risk Remediation
Bruce Hafner
 
HITRUST CSF in the Cloud
HITRUST CSF in the CloudHITRUST CSF in the Cloud
HITRUST CSF in the Cloud
OnRamp
 

What's hot (20)

Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP Drupal
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
 
stackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutionsstackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutions
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) Template
 
It Audit Expectations High Detail
It Audit Expectations High DetailIt Audit Expectations High Detail
It Audit Expectations High Detail
 
Network Security & Assured Networks: TechNet Augusta 2015
Network Security & Assured Networks: TechNet Augusta 2015Network Security & Assured Networks: TechNet Augusta 2015
Network Security & Assured Networks: TechNet Augusta 2015
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
 
What is a Firewall Risk Assessment?
What is a Firewall Risk Assessment?What is a Firewall Risk Assessment?
What is a Firewall Risk Assessment?
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructure
 
Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010
 
Gallagher Systems Catalogue
Gallagher Systems CatalogueGallagher Systems Catalogue
Gallagher Systems Catalogue
 
Software Vulnerabilities Risk Remediation
Software Vulnerabilities Risk RemediationSoftware Vulnerabilities Risk Remediation
Software Vulnerabilities Risk Remediation
 
HITRUST CSF in the Cloud
HITRUST CSF in the CloudHITRUST CSF in the Cloud
HITRUST CSF in the Cloud
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition Plan
 
Does DevSecOps really exist?
Does DevSecOps really exist?Does DevSecOps really exist?
Does DevSecOps really exist?
 
Audit Sample Report
Audit Sample ReportAudit Sample Report
Audit Sample Report
 

Similar to Completing fedramp-security-authorization-process

Software Testing Life Cycle (STLC) | Software Testing Tutorial | Edureka
Software Testing Life Cycle (STLC) | Software Testing Tutorial | EdurekaSoftware Testing Life Cycle (STLC) | Software Testing Tutorial | Edureka
Software Testing Life Cycle (STLC) | Software Testing Tutorial | Edureka
Edureka!
 
Testing in agile is it easier said than done
Testing in agile is it easier said than done Testing in agile is it easier said than done
Testing in agile is it easier said than done
Archana Joshi
 
Archana Joshi Testing in agile is it easier said than done
Archana Joshi Testing in agile is it easier said than doneArchana Joshi Testing in agile is it easier said than done
Archana Joshi Testing in agile is it easier said than done
Archana Joshi
 
Testing documents
Testing documentsTesting documents
Testing documents
Hari Tiru
 
Software-Testing-Chapgdgdgsghshshshshshshs
Software-Testing-ChapgdgdgsghshshshshshshsSoftware-Testing-Chapgdgdgsghshshshshshshs
Software-Testing-Chapgdgdgsghshshshshshshs
shaikbab
 
Introduction to CMMI-DEV v1.3 - Day 3
Introduction to CMMI-DEV v1.3 - Day 3Introduction to CMMI-DEV v1.3 - Day 3
Introduction to CMMI-DEV v1.3 - Day 3
Sherif Salah, MBA, ITIL, CMMI, MCSA, TQM
 

Similar to Completing fedramp-security-authorization-process (20)

NIST 800-37 Certification & Accreditation Process
NIST 800-37 Certification & Accreditation ProcessNIST 800-37 Certification & Accreditation Process
NIST 800-37 Certification & Accreditation Process
 
Chapter 4 - Quality Characteristics for Technical Testing
Chapter 4 - Quality Characteristics for Technical TestingChapter 4 - Quality Characteristics for Technical Testing
Chapter 4 - Quality Characteristics for Technical Testing
 
Sslc
SslcSslc
Sslc
 
Software Testing Life Cycle (STLC) | Software Testing Tutorial | Edureka
Software Testing Life Cycle (STLC) | Software Testing Tutorial | EdurekaSoftware Testing Life Cycle (STLC) | Software Testing Tutorial | Edureka
Software Testing Life Cycle (STLC) | Software Testing Tutorial | Edureka
 
SWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESSSWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESS
 
Testing in agile is it easier said than done
Testing in agile is it easier said than done Testing in agile is it easier said than done
Testing in agile is it easier said than done
 
Archana Joshi Testing in agile is it easier said than done
Archana Joshi Testing in agile is it easier said than doneArchana Joshi Testing in agile is it easier said than done
Archana Joshi Testing in agile is it easier said than done
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life CycleUnderstanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
 
Qa documentation pp
Qa documentation ppQa documentation pp
Qa documentation pp
 
Testing documents
Testing documentsTesting documents
Testing documents
 
Verification and Validation
Verification and ValidationVerification and Validation
Verification and Validation
 
Software-Testing-Chapgdgdgsghshshshshshshs
Software-Testing-ChapgdgdgsghshshshshshshsSoftware-Testing-Chapgdgdgsghshshshshshshs
Software-Testing-Chapgdgdgsghshshshshshshs
 
Qa interview questions and answers
Qa interview questions and answersQa interview questions and answers
Qa interview questions and answers
 
IT8076 – Software Testing Intro
IT8076 – Software Testing IntroIT8076 – Software Testing Intro
IT8076 – Software Testing Intro
 
Introduction to CMMI-DEV v1.3 - Day 3
Introduction to CMMI-DEV v1.3 - Day 3Introduction to CMMI-DEV v1.3 - Day 3
Introduction to CMMI-DEV v1.3 - Day 3
 
STLC (Software Testing Life Cycle)
STLC (Software Testing Life Cycle)STLC (Software Testing Life Cycle)
STLC (Software Testing Life Cycle)
 
Performance testing reference model
Performance testing reference modelPerformance testing reference model
Performance testing reference model
 
Interview questions and answers for quality assurance
Interview questions and answers for quality assuranceInterview questions and answers for quality assurance
Interview questions and answers for quality assurance
 
38475471 qa-and-software-testing-interview-questions-and-answers
38475471 qa-and-software-testing-interview-questions-and-answers38475471 qa-and-software-testing-interview-questions-and-answers
38475471 qa-and-software-testing-interview-questions-and-answers
 
compliance made easy. pass your audits stress-free webinar
compliance made easy. pass your audits stress-free webinarcompliance made easy. pass your audits stress-free webinar
compliance made easy. pass your audits stress-free webinar
 

More from Tuan Phan

Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slides
Tuan Phan
 
Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712
Tuan Phan
 
Conops v1.1 07162012_508
Conops v1.1 07162012_508Conops v1.1 07162012_508
Conops v1.1 07162012_508
Tuan Phan
 

More from Tuan Phan (13)

TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quantico
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
 
Fed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinarFed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinar
 
Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213
 
Building an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRCBuilding an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRC
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013
 
Guide to understanding_fed_ramp_032513
Guide to understanding_fed_ramp_032513Guide to understanding_fed_ramp_032513
Guide to understanding_fed_ramp_032513
 
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalMarch 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
 
Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slides
 
Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712
 
Conops v1.1 07162012_508
Conops v1.1 07162012_508Conops v1.1 07162012_508
Conops v1.1 07162012_508
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Completing fedramp-security-authorization-process

  • 1. Federal Risk and Authorization Management Program (FedRAMP) FedRAMP Security Testing and Completing the Package January 8, 2013
  • 2. Today’s Webinar FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This webinar will cover the completion of the FedRAMP process from prepping for testing, completing testing, and documenting the results to submitting a complete package to the FedRAMP secure repository. 2
  • 3. PAST EVENTS – Check Out Webinars 1 - 3 3
  • 4. Overview: Perform Security Testing 1.0 Security Assessment 1.1 Initiate Request 1.3.1 Develop Testing Plan 2.0 Leverage ATO 1.2 Document Security Controls 3.0 Ongoing A&A 1.3 Perform Security Testing Audit Control 1.3.2 Implementations 1.4 Finalize Security Assessment 1.3.3 Perform Vulnerability / Penetration Testing Test SSP – Begin work with 3PAO • Assess against the SSP with NIST SP Develop Plan of Action 1.3.4 800-53a test cases & Milestones (POAM) • 3PAO audits assessment and results • 3PAO generates security assessment report 4
  • 5. Overview: Finalize Security Assessment 1.1 Initiate Request Compile all Updated 1.0 Security Assessment 1.4.1 and Final 1.2 Document Security Controls Documentation 2.0 Leverage ATO 1.3 Perform Security Testing Answer Questions Risk 3.0 Ongoing A&A 1.4.2 Assessment** 1.4 Finalize Security Assessment Accept Findings & Make 1.4.3 Updates to POA&M** Compile Completed Authorization Package Accept Provisional • Review all documentation 1.4.4 Authorization**/ Upload to Secure Repository • Review risk posture of CSP system • Grant / deny Provisional Authorization** • Upload to the Secure Repository ** Steps only apply to packages submitted for JAB Provisional Authorization 5
  • 6. Authorization Level and Testing Category Description Authorization 1 CSP Supplied, not yet reviewed Candidate for Authorization 2 Reviewed by agency Agency ATO 3 Reviewed by FedRAMP ISSO & JAB FedRAMP PA & Agency ATO 6
  • 7. Overview of Independent Assessors • Develops Security Assessment Plan (SAP) • Performs Initial and Periodic Assessments of CSP Security Controls • Conducts Security Testing – Use Test Case Workbooks – Manual Tests – Automated Tests • Develops Security Assessment Report (SAR) • Assessor must be independent – Cannot test and help CSP prepare documents – Cannot test and assist CSP in implementing controls
  • 8. FedRAMP Third Party Assessment Organization (3PAO) Conformity Assessment Process FedRAMP requires CSPs to use Third Party Assessment Organizations (3PAOs) to independently validate and verify that they meet FedRAMP security requirements. FedRAMP worked with NIST to develop a conformity assessment process to qualify 3PAOs. This conformity assessment process will qualify 3PAOs according to two requirements: (1) Independence and quality management in accordance with ISO standards; and (2) Technical competence through FISMA knowledge testing. Creates consistency in performing security assessments among 3PAOs in Benefits of accordance with FISMA and NIST standards leveraging a formal • Ensures 3PAO independence from Cloud Service Providers in accordance with 3PAO approval international standards • Establishes an approved list of 3PAOs for process: CSPs and agencies to choose from to satisfy FedRAMP requirements.
  • 9. Accredited Third Party Assessment Organizations 9
  • 10. Relationship of 3PAOs and CSPs • CSPs must manage their own relationship with 3PAOs • FedRAMP does not make introductions • CSPs may interview multiple 3PAOs – Information on past performance – The number of FTEs required – Ensure the 3PAO has the right scanner licenses – Ask for a estimate for the time required to complete the assessment – Find out what services are included in the pricing • CSPs applying for Provisional ATO must: – Formally notify FedRAMP of their 3PAO selection – Receive permission before starting to test
  • 11. Developing the SAP • 3PAO develops the SAP • Defines scope of assessment - Hardware - Software - Databases - Applications - Facilities • Testing Schedule • Rules of Engagement (ROE) - Components included and excluded in assessment - Rules for transmission of results - ROE signed by CSP and 3PAO
  • 12. Getting Ready for Testing – What to Expect • Prep to make sure testing goes smoothly • Provide three testing contacts to 3PAO – At least one contact available 24x7 • Set up a meeting to discuss testing schedule • Obtain list of originating IP addresses for scans • Prepare list of facilities with addresses and directions • Have legal counsel review Rules of Engagement 12
  • 13. Developing the SAR • 3PAO develops the SAR • Documents Findings • Analysis of Test Results • Highlights ways for CSPs to Mitigate Security Weaknesses • Primary Document for Making Risk Based Decisions
  • 14. Developing the POA&M • SAR findings map to POA&M items IDs the POA&M • CSP develops • Detailed the POA&M • False positives are not identified in Schedule of Actions to Address and Fix Vulnerabilities • CSPs applying for Provisional ATO: Template Contains Excel • POA&M – Remediate high severity findings before Provisional ATO is granted Spreadsheet for Tracking POA&M – Remediate moderate findings within 90 days Items
  • 15. Preparing Package for Submission • A complete security authorization package includes deliverables in section 10 of the FedRAMP CONOPS • Mandatory Templates: • System Security Plan • Security Assessment Plan • Security Assessment Report • Other Templates located on fedramp.gov: • Control Tailoring Workbook • Control Implementation Summary • IT Contingency Plan • Plan Of Action & Milestones • Supplier’s Declaration of Conformity 15
  • 16. Preparing Package for Submission (Continued) • Review and update documents • FedRAMP will provide instructions on uploading documents to the secure repository (Max.gov) • Add sensitivity markings to package documents – Change to match company designation – Place markings in other sections as needed
  • 17. Declaration of Conformity • CSP attests and verifies that the system conforms to FedRAMP requirements. • Certifies that all controls are working properly • Both JAB and leveraging agencies use the Self-Attestation Declaration of Conformity when considering issuing an ATO 17
  • 18. How does an agency use a package in the repository? • •Complete and Submit a FedRAMP Agencies must implement customer Agency Authority to Operate (ATO) Leveraging Agencies Package Access Request Form an responsibility controls and grant search the repository • Supervisor Must information Agency ATO for the Sign Off on and find: Form system residing on the cloud service • FedRAMP will Provide Notification of Provider Acceptance or Rejection of Request • Must Demonstrate a Need to View Date Listed the Package Category Agency ATO (if applicable) • Agency can Request Access to Any Package • Vendors Limited to Area for Storing Their Documentation 18
  • 19. Webinar Summary • Use a 3PAO to develop the test plan (SAP), perform testing, and document results (SAR) • FedRAMP requires the use of 3PAOs to provide an independent assessment of the system • CSP leverages SAR to develop POA&M • CSP updates documents then submits to secure repository • CSPs must implement a continuous monitoring program and keep package current 19
  • 20. Question and Answer Session For more information, please contact us or visit us at any of the following websites: http://FedRAMP.gov http://gsa.gov/FedRAMP Email: info@fedramp.gov @ FederalCloud
  • 21. For more information, please contact us or visit us at any of the following websites: http://FedRAMP.gov http://gsa.gov/FedRAMP Email: info@fedramp.gov @ FederalCloud

Editor's Notes

  1. Thank you <Introducer>. Good afternoon everyone. Thank you for taking the time to join us for FedRAMP’s webinar on completing the FedRAMP process and submitting your finalized package. [Katie] I am Katie Lewin, Director of the Federal Cloud Computing Program and [Matt] my name is Matt Goodrich and I’m the Project Manager for the FedRAMP Program Management Office. This webinar is the fourth in our series and will cover the completion of the FedRAMP process from security testing and documenting the results to submitting a complete package to the FedRAMP secure repository. During this webinar we will explain the importance of conformity assessment in the FedRAMP process and the role of Third Party Assessment Organizations (3PAO) in completing the security assessment and testing. We will also provide a high level look at planning for testing, documenting the results, and the process for remediating vulnerabilities found during testing. Additionally, were going to talk about how to finalize your security authorization package for submission to the FedRAMP secure repository and how to provide an overview of the lifecycle for that package. Before we begin the webinar, please submit questions as they arise – using the chat function. Members of the PMO will be taking a look at the incoming questions and answering them during the course of the webinar. We will respond to as many as possible while the webinar is in progress. If there are any questions that we are not able to get to, we will answer them later in the FAQ section on fedramp.gov.[Click to next slide]
  2. Last webinar - reviewed the System Security Plan (SSP) and provide the information and guidelines that you need to accurately document the FedRAMP controls and assemble a strong SSP that will meet FedRAMP review requirements.If this is your first FedRAMP webinar or if you missed any of the previous ones, I’d highly encourage you to go to FedRAMP.gov and view our past webinars which covered:-Developing your System Security Plan.-FedRAMP Security Authorization Process.-Four Ways to Get Listed in the FedRAMP Repository.Links to each of these webinars are available on FedRAMP.gov by clicking on News and Events in the left hand navigation and selecting “Materials from Past Events”[Click to next slide]
  3. Before we move into the details, I would like to provide a high level look at the closing steps in the FedRAMP process, which include testing and submitting your package to the FedRAMP secure repository. The Perform Security Testing step requires the CSP to select a 3PAO to perform the assessment. The 3PAO is responsible for developing the Security Assessment Plan performing the testing, and documenting the results in the Security Assessment Report.Vulnerabilities found during the assessment, and the plan to fix these vulnerabilities are documented in the Plan of Action and Milestones by the CSP. FedRAMP provides templates for the Security Assessment Plan, the Security Assessment Report, and the POA&M – they are available on FedRAMP.gov. [Click to next slide]
  4. Following the conclusion of testing, any documents that need to be updated as a result of the testing are updated. The security package documents are then consolidated into a single package for submission to the secure repository. Unless the package is a CSP Self-Supplied package, all packages in the repository with have either an agency ATO or a FedRAMP Provisional Authorization. The FedRAMP PMO provides the CSP with access to the secure repository and provides a secure, access controlled section of the website for posting the security assessment package. Finally, the listing of packages available in the secure repository is updated to include the newly submitted package. The list is provided to allow agencies to view the packages available for leveraging. Access to the actual security assessment package is limited to Federal Agencies and requires permission from the FedRAMP PMO. CSPs with packages in the repository are required to implement a continuous monitoring program and submit periodic updates.[Click to next slide]
  5. As you head toward testing, who performs the assessment depends on the category of your package. Package submitted by a CSP without an ATO and packages submitted for FedRAMP JAB Provisional Authorization require an accredited 3PAO. Federal Agencies have flexibility in whether or not the 3PAO they use is accredited when issuing an ATO. If an agency ATO was issued without the use of an accredited 3PAO, the Federal Agency must submit an attestation describing the independence and technical qualifications of the non-accredited 3PAO utilized to assess that CSP package. This diagram also illustrates that there is a higher level of government review at the JAB Provisional Authorization level. CSP’s that want to submit a package to the FedRAMP repository must use an accredited 3PAO whether they intend to obtain a JAB review and a Provisional Authorization, or simply want to list their not yet reviewed package in the repository. If the CSP intends to apply for a Provisional Authorization, as part of this process the CSP meets with a FedRAMP (Information System Security Officer) ISSO to discuss the testing process and must have their testing plans approved by the JAB and receive approvals to move forward with testing. At levels below Provisional Authorization, the FedRAMP PMO is not involved with providing approvals for testing. [Click to next slide]
  6. 3PAOs have a very distinct role in the FedRAMP process. The 3PAO carries most of the responsibilities for the assessment, by developing the assessment plan (SAP) based on the FedRAMP Test Cases and the types of servers, applications and databases that make up the system. The 3PAO should develop the test plan to ensure that results represent in the Security Assessment Report represent an unbiased and accurate picture of the security implementation within the system. 3PAOs are required to demonstrate independence; this means that the same 3PAO cannot develop a system or prepare the security documentation for a system and also assess the same system. It is possible for a CSP to hire a 3PAO to assist in preparing the security documentation; however that 3PAO’s role cannot extend to planning, performing or documenting the results of an assessment. The CSP would need to hire a second, separate 3PAO to do the assessment work. Something to keep in mind is that if a CSP wants to hire an outside consultant to assist in the preparation of the security package, this outside consultant does not have to be a 3PAO. [Click to next slide]
  7. In the previous slide you will notice that the most of the testing related activity is handled by the 3PAO. FedRAMP implements a conformity assessment process and requires the use of a 3PAO to ensure the assessors are independent and possess the technical knowledge to assess cloud systems. Conformity assessment also ensures that the process and level of rigor present are consistent across all assessments. FedRAMP worked closely with National Institute of Standards and Technology (NIST) to select the requirements for accredited 3PAOs. 3PAOs undergoing accreditation must meet the ISO/IEC 17020:1998 standard for bodies performing inspections in terms of independence and a quality management system. We also worked with NIST to develop requirements that demonstrate that the 3PAO has the technical knowledge to assess cloud systems based on FISMA requirements.[Click to next slide]
  8. A listing of all accredited 3PAOs is available on FedRAMP.gov. There are currently 16 accredited 3PAOs available. The list is updated as new 3PAOs are accredited.[Click to next slide]
  9. FedRAMP does not manage the relationship between 3PAOs and CSPs and cannot make a recommendation regarding which 3PAO a CSP should use. CSPs are responsible for choosing their own assessor. CSPs may consider interviewing multiple 3PAOs to find the assessor that’s the right fit. In selecting a third-party assessor, CSPs may want to ask the assessor for information on past performance, the anticipated number of FTEs required to assess the system, whether or not the CSP has the right scanner licenses, and how long the assessor believes it will take to complete the testing. CSPs should make sure that they understand what services are included in the pricing. CSPs applying for FedRAMP Provisional Authorization are required to formally notify FedRAMP after selecting a 3PAO in order to receive permission to proceed with testing. CSPs that plan to submit packages at other review levels do not need permission to test from FedRAMP.[Click to next slide]
  10. We’ve talked about who can do the assessments and how to choose your assessor, now let’s put that to actions. How do you begin the testing phase to demonstrate your compliance with the FedRAMP security controls? The 3PAO you select will develop the Security Assessment Plan which we refer to as the SAP. The SAP defines the scope of the assessment and identifies the components that will be included in the assessment, such as hardware, software, databases, applications and physical facilities. It also identifies the testing methodology and provides the test cases used for the assessment. The SAP contains a schedule outlining the timeline for testing and defines the Rules of Engagement for the tests. The Rules of Engagement (ROE) describes the notifications and disclosures between the CSP and 3PAO. It includes a listing of components to be included and excluded from testing and provides instructions on how the results of the assessment are to be encrypted and transmitted to the CSP. The ROE is signed by both the CSP and 3PAO to signify agreement on the terms.[Click to next slide]
  11. Even though 3PAOs manage and complete the testing, CSPs should prepare ahead of time to ensure that testing goes as smoothly as possible. CSPs should give their 3PAO distinct points of contacts – actual people, not a general office number or support number. The CSP should provide at least three contacts and at least one of those contacts should be at an operations center such as a SOC or a NOC that is staffed 24x7. The schedule for performing scans or penetration testing shouldn’t be a surprise to the CSP. 3PAO’s and CSPs should discuss the testing schedule so the CSP can ensure their 3PAO will have appropriate access to a CSPs environment and personnel as needed to complete the testing. As a part of this, 3PAOs should provide the CSP with a list of the IP addresses where the scans will originate from so testing isn’t mistaken as a malicious attack. Additionally, 3PAOs will need to access facilities to assess physical and environmental controls. CSPs should provide a list of facilities along with their addresses to the 3PAO. CSPs should ensure the staff at these facilities when they can expect the 3PAO to be on site to perform testing. Additionally, if there is information needed to grant 3PAO personnel with access to the facilities, the CSP should inform the 3PAO of these requirements ahead of time. Finally, CSPs and 3PAOs need to review and sign off on a Rules of Engagement.These rules govern how the test will be conducted, and by completing this before beginning testing, both parties can prevent any interruption of a CSPs services. The ROE is negotiable and should be reviewed by the general counsel of both the CSP and 3PAO.
  12. After the 3PAO has followed the SAP and tested a CSP’s system, the 3PAO must develops a Security Assessment Report, referred to as the SAR. The SAR documents the test findings. In these findings, the 3PAO will provide an analysis of the test results to determine the risk exposure of the system. The SAR also highlights ways for a CSP to mitigate the security weaknesses found during testing. Since the SAR is a report on the overall risk the CSPs system poses, the SAR serves as the primary document that the JAB or leveraging Federal Agencies will review to make their decision in granting an authorization.While the 3PAO has the sole responsibility for writing the SAR, we do recommend that the CSP and 3PAO schedule time to review the initial draft to ensure its accuracy before the SAR is finalized.[Click to next slide]
  13. After finalizing the SAR, the CSP uses the vulnerabilities and recommendations in the SAR to create a Plan of Action and Milestones, simply referred to as POAMs. The POA&M provides a detailed plan with a schedule of how the CSP plans to address and fix and vulnerabilities found during testing. [Click] The POA&M template on FedRAMP.gov contains an embedded Excel spreadsheet that CSPs should use to track and manage their POA&M items. In this spreadsheet, a CSP will have unique IDs for each POAM, a description of weakness found during testing, and details about when and how the POAM will be closed. POAMs will be updated on a continual basis during the course of a security authorization, and at no less frequency than every quarter, but may be updated at any time to reflect the addition of a new vulnerabilities or the closing of a POA&M item.Subsequent workbooks in the POA&M are used to track overdue items during POA&M updates.[Click]A few things to remember when developing your POA&Ms are:-All SAR findings must map to a POA&M item. This is accomplished by giving each POA&M item with a unique identifier which pairs with the respective SAR finding.-False positives should be clearly marked in the SAR, but do not need to be identified in the POA&M – as there is no remediation needed to correct these false positives.-CSPs that apply for FedRAMP Provisional Authorization are required to remediate all high severity risk findings before the JAB will grant a Provisional ATO. CSPs must also remediate moderate findings within 90 days after receiving a Provisional Authorization.[Click to next slide]
  14. After finalizing the SAR and POA&M, it’s time to compile and submit your complete security authorization package. Your final Package should include:Control Tailoring Workbook – identifies controls that have been adapted by the cloud service providerControl Implementation Summary – identifies who is responsible for each security control These two documents are extremely helpful for agencies leveraging an authorization because they detail in a summary fashion what a customer’s responsibility is in securely using a CSPs services as well as what a CSP does differently in meeting the FedRAMP security controls.System Security Plan – this is the “rosetta stone” and foundational document for your security authorization - describes the system and the security controls used to protect the system.There are also supporting documents to the SSP, and they include:IT Contingency Plan - details how the recovery of the system occurs in the case of a disruption of service.Configuration Management Plan – identifies how the CSP makes routine changes to their operating environment.Incident Response Plan – explains provider actions in response to a security incident.And the focus of this webinar has been on the final documents needed to complete your security authorization package:Security Assessment Plan - describes the assessment methodology followed by the 3PAO to test the controlsSecurity Assessment Report - contains the 3PAO’s completed test case results, collected evidence, analysis and report on the implementation of controls.Plan Of Action & Milestones - documents planned actions by the provider to change or implement security controls based on their independent assessment.Self-Attestation Declaration of Conformity states that the package represents a true and accurate depiction of the system. [Click to next slide]
  15. Before submitting all documentation, CSPs should review their documents, with a special focus on the System Security Plan, and ensure that they are up to date and reflect any changes made in either remediating vulnerabilities or in response to findings. Updates to all documents should include adding sensitivity markings on the cover page and the footer of each document. You may change the existing sensitivity marking on any template to match your official company sensitivity nomenclature if it is different than what is on the template. Sensitivity markings may also be placed in the headers of any documents and on any other places in the documents that you feel requires sensitivity labeling. Depending on the assessment level of your package, either the PMO or a FedRAMP ISSO will work with the CSP and provide instructions on accessing and uploading the package into the FedRAMP secure repository. CSPs should be aware that Federal Agencies interested in acquiring their services will be able to request access to the secure repository to view the CSP’s package. [Click to next slide]
  16. Once a CSP has finalized all documents and double checked for accuracy, the last step in submitting a final package is for the CSP to include a self-attestation declaration of conformity letter. This letter attests and verifies that the system conforms to the FedRAMP requirements based on the assessment results and also certifies that all implemented controls are working. FedRAMP provides a declaration of conformity letter template on page 6 and 7 of the self attestation template on FedRAMP.gov. CSPs should edit the declaration by putting in their company name and address, fill in the system name and then have an authorized company official sign and date it. The declaration of conformity is the document that the CSP system owner signs off saying that all of the information being presented to FedRAMP is complete and accurate. [Click to next slide]
  17. Agencies interested in leveraging a package will be able to search the repository for services that meet their requirements. Only Federal Agencies will be able to request access to a security package in the repository. A vendor’s access to the secure repository is limited to the areas for storing their own respective documentation.[Click] To access a package listed in the repository, the user at the agency must complete a FedRAMP Package Access Request form, have their CISO sign the form, and submit the form to the FedRAMP PMO. After FedRAMP receives the form, the PMO will perform a review and provide notification of accepting or rejecting the request. [Click]To leverage the package, agencies must implement customer responsibility controls and grant an Agency ATO. CSPs with packages in the secure repository are required to maintain a continuous monitoring program which provides for periodic reporting on control implementations, POAM resolution, and annual re-testing. Further details about Continuous Monitoring are available on FedRAMP.gov in the FedRAMP Continuous Monitoring Strategy & Guide. [Click to next slide]
  18. In summary, the perform testing step of the FedRAMP process introduces the independent assessor to the process. CSPs must use a 3PAO to plan the test and develop the SAP, perform the assessment, and document the findings in the SAR. This is a requirement for FedRAMP rooted in the FedRAMP security controls baseline. CSPs must use a 3PAO to provide an independent assessment of the CSP’s system. While agencies have flexibility in selecting a 3PAO, FedRAMP recommends the use of FedRAMP accredited 3PAOs because the FedRAMP accreditation program ensures accredited 3PAOs are independent, have the knowledge to assess cloud systems, and that the assessment is consistent in terms of the process and level of rigor. The CSP will work closely with a 3PAO to assess their system and then uses the findings in the SAR to develop a plan of action for remediating any vulnerabilities in a CSP environment. After completion of the testing process, the CSP updates all the security documentation and submits it as a single package ready for authorization. FedRAMP will post the packages to the FedRAMP secure repository based on the level of review and authorization granted. Only federal Federal Agencies will have access to CSP security authorization packages in the secure repository. To remain in the repository, CSPs must implement a continuous monitoring program and update security documents in accordance with the FedRAMP Continuous Monitoring Strategy & Guide.[Click to next slide]