
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework


Are you a member of the Department of Defense (DoD) and want to simplify the path to cloud deployment? Learn how you can adopt AWS's utility-based cloud services to process, store, and transmit DoD data.

This presentation is a step-by-step guide from AWS on how to navigate the DoD compliance framework. The guide outlines the planning, deployment, accreditation, and continuous monitoring phases to get you to the cloud.

AWS enables military organizations and their business associates to leverage the secure AWS environment through our attainment of a provisional authority to operate (P-ATO) from the Defense Information Systems Agency (DISA).

Published in: Technology

  1. From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
     - Jennifer Gray, Public Sector Compliance Architect
     - Jim Caggy, Senior DoD Security Architect
  2. In today's session we will:
     - Review DoD Cloud Guidance and Data Impact Levels
     - Four Phases of DoD System Accreditation
     - Questions
  3. DoD Cloud References
     - FedRAMP: a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
     - DoD Cloud Computing Security Requirements Guide (CC SRG): outlines the security model by which DoD will leverage cloud computing, along with the security controls and requirements necessary for using cloud-based solutions (as defined by NIST) by the DoD.
     - NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations: a catalog of security and privacy controls for federal information systems. The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk.
  4. DoD Cloud Security Requirements Guide: ATO Process (diagram; recovered text)
     - Hundreds of cloud service providers (CSPs); offerings are a mix of IaaS, PaaS and SaaS (initial focus is on IaaS).
     - FedRAMP Authority to Operate: 30+ FedRAMP-compliant CSPs (20+ in process).
     - DoD Cloud Security Model (administered via DISA), with increasing security and operating requirements per level:
       - CSM ATO Levels 1-2 (Public): 20+ provisional authorizations granted
       - CSM ATO Levels 3-5 (Unclassified): 3 provisional authorizations granted
       - CSM ATO Level 6 (Secret)
     - A DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog.
     - System-specific ATO, granted by the DoD DAA.
  5. DoD Cloud Security Model Impact Levels
     - Level 1: Unclassified publicly releasable information, e.g., recruiting websites.
     - Level 2: Unclassified publicly releasable information, with access controls, e.g., library systems.
     - Level 3: Non-National Security System (non-NSS) Controlled Unclassified Information (CUI); low confidentiality impact, moderate integrity impact, e.g., training systems.
     - Level 4: Non-NSS CUI; moderate confidentiality impact, moderate integrity impact, e.g., HR systems.
     - Level 5: NSS CUI; moderate confidentiality impact, moderate integrity impact, e.g., email systems.
     - Level 6: Classified information up to and including SECRET; moderate confidentiality impact, moderate integrity impact, e.g., C2 systems.
  6. Phase 1: Planning (process stage: Plan)
     - Categorize system
     - Select SRG Impact Level
     - Select security controls
     - Check DISA catalog of approved CSPs
     - Select CSP
     - Review AWS compliance documentation
     - Review security control inheritance and shared responsibility
     - Develop initial architecture
  7. Phase 2: Initial Deployment and Documentation (process stage: Document)
     - Request DoD IP space
     - Build out base system and test implementation of security controls
     - Document security control implementation
     - Coordinate with CNDSP Tier 2
     - Configure AWS CloudTrail, Config, VPC Flow Logs and CloudWatch
     - Document PPSM
     - Register in SNAP and coordinate CAP connection
  8. Phase 3: Finalize and Accredit Architecture (process stages: Assess, Authorize)
     - Complete architecture build-out and integration requirements
     - Lock down system for testing
     - Assess system: pentest, vulnerability scan, compliance reviews
     - Document findings
     - Remediate
     - Create Plans of Action & Milestones
     - Load security authorization package into eMASS
     - Submit final ATO package to your DAA
  9. Phase 4: Continuous Monitoring (process stage: Monitor)
     - Conduct monthly ACAS scans
     - Update HBSS definitions
     - Conduct patching (IAVM process)
     - Perform annual assessment
     - Update SSP
     - Track and report significant changes to AO
  10. NIST SP 800-37 Risk Management Framework (diagram; recovered text)
     - RMF steps: Categorize the system, Select controls, Implement controls, Assess controls, Authorize the system, Monitor controls
     - SDLC phases: Initiation, Concept, Planning, Requirements Analysis, Design, Development, Test, Implementation, Operations & Maintenance, Disposition
     - SDLC project review gates: Project Selection Review, Project Baseline Review, Requirements Review, Preliminary Design Review, Detailed Design Review, Integrated Baseline Review, Implementation Readiness Review, Validation Readiness Review, Operational Readiness Review, Post-Implementation Review
     - Assessment and authorization activities: Architecture Review, Security Control Assessment, Independent Verification & Validation Assessment, Security Authorization, System Accreditation, Annual Operational Analysis
  11. Questions?
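The Phase 2 step "Configure AWS CloudTrail, Config, VPC Flow Logs and CloudWatch" is the point where the system's audit evidence starts to exist, and the Phase 4 activities ("track and report significant changes to AO") depend on that evidence staying switched on. The Terraform below is an added example written for this page; it is not code from the AWS deck or from any AWS project. It enables the four services as one baseline and adds one AWS Config managed rule plus one CloudWatch alarm so that a disabled trail or a burst of denied API calls is reported rather than silently lost. The VPC id, the S3 log bucket (assumed to already carry the CloudTrail and Config bucket policy), the IAM role ARNs and the SNS topic are placeholders passed in as variables; the log group names, retention periods and the "DoDSecurity" metric namespace are choices made for the example, not values from the page.

```hcl
# Added example (not from the AWS deck): Terraform baseline for the Phase 2 step
# "Configure AWS CloudTrail, Config, VPC Flow Logs and CloudWatch".
# All variables are assumptions supplied by the caller; none come from the page.

variable "vpc_id"                 { description = "Existing VPC whose traffic is logged (assumption)" }
variable "log_bucket"             { description = "S3 bucket for CloudTrail and Config deliveries (assumption)" }
variable "cloudtrail_cw_role_arn" { description = "IAM role CloudTrail assumes to write to CloudWatch Logs (assumption)" }
variable "flow_log_role_arn"      { description = "IAM role VPC Flow Logs assumes to write to CloudWatch Logs (assumption)" }
variable "config_role_arn"        { description = "IAM role the AWS Config recorder assumes (assumption)" }
variable "alarm_topic_arn"        { description = "SNS topic that notifies the security team (assumption)" }

# --- CloudTrail: API audit trail for every region, delivered to S3 and CloudWatch Logs ---
resource "aws_cloudwatch_log_group" "trail" {
  name              = "/dod/cloudtrail"
  retention_in_days = 365 # keep a year of API history available to assessors
}

resource "aws_cloudtrail" "main" {
  name                          = "dod-system-trail"
  s3_bucket_name                = var.log_bucket
  is_multi_region_trail         = true # one trail covers all regions, not only the home region
  include_global_service_events = true # IAM, STS and other global services are captured too
  enable_log_file_validation    = true # digest files make tampering with delivered logs detectable
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.trail.arn}:*"
  cloud_watch_logs_role_arn     = var.cloudtrail_cw_role_arn
}

# --- AWS Config: resource configuration history plus rule evaluation ---
resource "aws_config_configuration_recorder" "main" {
  name     = "dod-config-recorder"
  role_arn = var.config_role_arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "main" {
  name           = "dod-config-delivery"
  s3_bucket_name = var.log_bucket
  depends_on     = [aws_config_configuration_recorder.main]
}

resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.main]
}

# Managed rule: the account is marked NON_COMPLIANT if no enabled CloudTrail trail exists
resource "aws_config_config_rule" "cloudtrail_enabled" {
  name = "cloudtrail-enabled"
  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"
  }
  depends_on = [aws_config_configuration_recorder.main]
}

# --- VPC Flow Logs: accept/reject records for every network interface in the VPC ---
resource "aws_cloudwatch_log_group" "flow" {
  name              = "/dod/vpc-flow-logs"
  retention_in_days = 90
}

resource "aws_flow_log" "vpc" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL" # both ACCEPT and REJECT, so blocked traffic is visible as well
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  iam_role_arn         = var.flow_log_role_arn
}

# --- CloudWatch: metric filter and alarm on denied API calls recorded by the trail ---
resource "aws_cloudwatch_log_metric_filter" "unauthorized_api" {
  name           = "UnauthorizedAPICalls"
  log_group_name = aws_cloudwatch_log_group.trail.name
  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
  metric_transformation {
    name      = "UnauthorizedAPICalls"
    namespace = "DoDSecurity"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "unauthorized_api" {
  alarm_name          = "unauthorized-api-calls"
  namespace           = "DoDSecurity"
  metric_name         = "UnauthorizedAPICalls"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  alarm_actions       = [var.alarm_topic_arn]
}
```

The IAM roles need distinct trust policies (CloudTrail, VPC Flow Logs and AWS Config each assume their own service principal), and the S3 bucket must grant those services write access; both are left outside the example on purpose so the baseline stays readable. Review the `terraform plan` output before applying, and keep the resulting state as part of the documented security control implementation, since the recorder, the rule and the alarm are the artifacts an assessor will ask to see in Phase 3 and Phase 4.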
