Successfully reported this slideshow.

Amped for FedRAMP

0

Share

Jun. 25, 2015
0 likes 1,170 views
Upcoming SlideShare
Microsoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private Cloud
Loading in …3
×
1 of 26
1 of 26

Amped for FedRAMP

Jun. 25, 2015
0 likes 1,170 views

0

Share

Download to read offline

Technology

David Gerendas, Group Product Manager, Intel Security
Ray Potter, CEO of SafeLogic

With the advent of the cloud and the explosion of mobile endpoints, enterprises have increased their focus on maintaining data integrity and confidentiality from growing threats. As a result, the Federal Risk and Authorization Management Program, a.k.a. FedRAMP, has taken on greater significance outside of federal deployments. By standardizing requirements and expectations, the program has set a strong benchmark for the entire cloud industry. In response to repeated security breaches that have damaged brands’ credibility, corporate mandates are now matching and even exceeding their government counterparts. If you are not FedRAMP compliant, enterprises demand to know why not.

The use of encryption is integral to FedRAMP and has become ubiquitous in the effort to protect information assets. But while certain crypto algorithms are often installed alone and unverified, customer expectations have risen in recent years. Enterprises certainly no longer accept homegrown cryptography from vendors, strongly preferring to rely upon solutions that have been vetted by third-party labs and validated by the government. Federal Information Processing Standard (FIPS) 140-2 is the leading international standard for encryption and the Cryptographic Module Validation Program (CMVP) was established to certify solutions that meet the stringent benchmark. In tandem, FedRAMP and FIPS offer the highest level of assurance for cloud buyers, but both are still generally misunderstood.

You will learn:
• What FedRAMP compliance entails
• Advantages of using a validated cryptographic module in the cloud
• How encryption modules become validated and the pitfalls of the process
• Meaning of FedRAMP compliance claims and how to confirm
• Right questions to ask vendors about their encryption and FedRAMP compliance

David Gerendas, Group Product Manager, Intel Security
Ray Potter, CEO of SafeLogic

With the advent of the cloud and the explosion of mobile endpoints, enterprises have increased their focus on maintaining data integrity and confidentiality from growing threats. As a result, the Federal Risk and Authorization Management Program, a.k.a. FedRAMP, has taken on greater significance outside of federal deployments. By standardizing requirements and expectations, the program has set a strong benchmark for the entire cloud industry. In response to repeated security breaches that have damaged brands’ credibility, corporate mandates are now matching and even exceeding their government counterparts. If you are not FedRAMP compliant, enterprises demand to know why not.

The use of encryption is integral to FedRAMP and has become ubiquitous in the effort to protect information assets. But while certain crypto algorithms are often installed alone and unverified, customer expectations have risen in recent years. Enterprises certainly no longer accept homegrown cryptography from vendors, strongly preferring to rely upon solutions that have been vetted by third-party labs and validated by the government. Federal Information Processing Standard (FIPS) 140-2 is the leading international standard for encryption and the Cryptographic Module Validation Program (CMVP) was established to certify solutions that meet the stringent benchmark. In tandem, FedRAMP and FIPS offer the highest level of assurance for cloud buyers, but both are still generally misunderstood.

You will learn:
• What FedRAMP compliance entails
• Advantages of using a validated cryptographic module in the cloud
• How encryption modules become validated and the pitfalls of the process
• Meaning of FedRAMP compliance claims and how to confirm
• Right questions to ask vendors about their encryption and FedRAMP compliance

Technology

Recommended

More Related Content

Similar to Amped for FedRAMP

2017 02-17 rsac 2017 tech-f02
Shawn Wells
Transform Your Cloud Validation Strategy from Cloudy to Clear
TechWell
DFARS & CMMC Overview
Ignyte Assurance Platform
Ssdf nist
Naveen Koyi
EuroCACS 2016 There are giants in the sky
Carlos Chalico
Kantara May 2012
kantarainitiative
GSA on Cloud Computing and More
guest163bca0
Security in the cloud planning guide
Yury Chemerkin
stackArmor - FedRAMP and 800-171 compliant cloud solutions
Gaurav "GP" Pal
Vendor Management Buyers Guide
NAFCU Services Corporation
nist_vs_icd
Shashi Dabir
What the auditor need to know about cloud computing
Moshe Ferber
Hitrust csf-assurance-program-requirements-v1 3-final
ajcob123
BCC 2008 - NSTC
Duane Blackburn
Panel Discussion: Small Steps for USGv6 a giant leap for Internet-kind? with ...
gogo6
Reduce Third Party Developer Risks
Kevo Meehan
Security: Enabling the Journey to the Cloud
Capgemini
Cloud computing identity management summary
Brandon Dunlap
Demystifying the Cyber NISTs
Schellman & Company
Phil Green - We're migrating to the cloud - Who needs service management
itSMF UK

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
On War: With linked Table of Contents Carl Von Clausewitz
(4.5/5)
Free
The Basics of Bitcoins and Blockchains: An Introduction to Cryptocurrencies and the Technology that Powers Them (Cryptography, Derivatives Investments, Futures Trading, Digital Assets, NFT) Antony Lewis
(4/5)
Free
Wizard:: The Life and Times of Nikolas Tesla Marc Seifer
(2.5/5)
Free
How to Lie with Maps, Third Edition Mark Monmonier
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free

Amped for FedRAMP

  1. 1. Amped for FedRAMP Cloud Security World, New Orleans Ray Potter CEO SafeLogic David Gerendas Group Product Manager Intel Security
  2. 2. Takeaways • What FedRAMP compliance entails • Advantages of using a validated cryptographic module in the cloud • How encryption modules become validated and the pitfalls of the process • Meaning of FedRAMP compliance claims and how to confirm • Right questions to ask vendors about their encryption and FedRAMP compliance 2
  3. 3. Assurance • A measure of confidence and trust (usually via a third party) that a product, product component, or system meets its claims or meets a specified set of requirements • Applies to products and to systems 3
  4. 4. Systems Assurance / FedRAMP
  5. 5. Systems Assurance • Using evaluated products does not provide an appropriate level of assurance by default • Need to look at overall functionality of the system • Risk mitigation / due diligence 5
  6. 6. FedRAMP • December 9, 2010 • Office of Management and Budget (OMB) released the 25 Point Implementation Plan To Reform Federal Information Technology Management • Cloud First policy was enacted -- requiring agencies to use cloud- based solutions whenever a secure, reliable, cost-effective cloud option exists. • December 8, 2011 • OMB FedRAMP Policy Memo: Security Authorization of Information Systems in Cloud Computing Environments • Establishes the Federal Risk and Authorization Management Program (FedRAMP) • Requires all Federal agencies to meet FedRAMP requirements by June 2014
  7. 7. Purpose • Ensure that cloud based services have adequate information security • Eliminate duplication of effort and reduce risk management costs • Enable rapid and cost-effective procurement of information systems/services
  8. 8. Applicable Standards and Guidance  FIPS Publication 140-2: Security Requirements for Cryptographic Modules  FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems  FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems  NIST SP 800-37, Rev 1: Guide for Developing the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach  NIST SP 800-53, Rev 4: Recommended Security Controls for Federal Information Systems  NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems  NIST SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations
  9. 9. Goals • Standardize security requirements • Accredit qualified third-party assessors • Provide repository of authorized secure cloud packages • Standardize on-going assessment methodologies • Standardize contract language
  10. 10. Key Stakeholders • Federal agency customer – has a requirement for cloud technology that will be deployed into their security environment and is responsible for ensuring FISMA compliance • Cloud Service Provider (CSP) – is willing and able to fulfill agency requirements and to meet security requirements • Joint Authorization Board (JAB) – reviews the security package submitted by the CSP and grants a provisional Authority to Operate (ATO) • Third Party Assessor (3PAO) – validates and attests to the quality and compliance of the CSP provided security package • FedRAMP Program Management Office (PMO) – manages the process assessment, authorization, and continuous monitoring process
  11. 11. Executive Sponsorship & Governance
  12. 12. Security Assessment Packages • JAB Provisional ATO • may take 18+ months; requires broader reviews/approvals • more widely accepted (government wide) • Agency ATO • May take 12+ months; only requires sponsoring Agency ATO • Agency reputation and experience matters • CSP Supplied • Package “in-waiting” • May not meet all acquiring agency requirements Category Assessed By Authorizing Authority FedRAMP Provisional Authorization Accredited 3PAO JAB Agency ATO w/ FedRAMP 3PAO Accredited 3PAO Agency CSP Supplied Accredited 3PAO None
  13. 13. Security Testing • Systems Security Plan • Security Assessment Plan • Security Test Cases • Security Assessment Report • Scanning / Continuous Monitoring
  14. 14. Authorization Process and Timeline Authorize CSP Addresses JAB Concerns JAB Review ISSO & CSP Review SSP 3PAO Creates SAP/ ISSO Reviews SAP JAB Review Final JAB Review / P-ATO Sign Off 3PAO Tests & Creates SAR System Security Plan Security Assessment Plan SAR & POA&M ReviewTesting JAB Review ISSO / CSP Reviews SAR CSP Addresses Jab Concerns Creates POA&M CSP Addresses JAB Concerns CSP Addresses Agency Concerns Agency Review CSP Implements Control Delta Agency Review SAP Address Agency Notes Final Agency ATO Sign Off 3PAO Tests & Creates SAR System Security Plan Security Assessment Plan SAR & POA&M ReviewTesting Authorize CSP Addresses Concerns Agency Reviews SAR CSP Creates POA&M Quality of documentation will determine length of time and possible cycles throughout the entire process -
  15. 15. AWS – Shared Security Model
  16. 16. AWS – Shared Security Model (Cont.)
  17. 17. Product Assurance / FIPS 140
  18. 18. Product Assurance • Certification or evaluation of a product or product functionality against a set of requirements • Required for product procurement in government and commercial industry • Sets a barrier to entry 18
  19. 19. FIPS 140-2 • Federal Information Processing Standard 140 • Specifies requirements for cryptographic hardware and software modules • Published by US (NIST) and Canadian Governments • Tested by independent laboratories • Offers 4 levels of validation 19
  20. 20. Areas of Validation • Module Definition • Ports and Interfaces • Roles, Services, and Authentication • Finite State Model • Physical Security • Operating Environment • Key Management • Self Tests 20
  21. 21. Why FIPS 140-2? • Required for Federal and industry procurement • Provides a level of confidence that encryption functions are implemented correctly and to a benchmark • FIPS Compliant – Embedding a module that already has a FIPS validation – Uses proven crypto functions • FIPS Validated – Getting your own certificate – Reassures buyers 21
  22. 22. Challenges of a Typical FIPS 140-2 Validation • Definition of the Module • HW & OS platform support • Use of approved algorithms • Development of appropriate documentation • Algorithm testing • Lengthy validation process • Significant time and resource requirements 22
  23. 23. Where Does FIPS 140 Fit? • Encrypt Data in Motion • Encrypt Data at Rest
  24. 24. The Role of FIPS 140-2 in FedRAMP • Validated crypto is required for government – FedRAMP – FISMA – SP800-53 • If crypto isn’t validated, it might as well be plaintext
  25. 25. Do Your Due Diligence • Where is your FIPS 140 Certificate? • Is the product / module FIPS-tested on a current platform? • For consumers / developers, is your CSP doing the right things? • Did you go through the FedRAMP process?
  26. 26. Let’s Connect • @SafeLogic_Ray • @SafeLogic • www.SafeLogic.com • info@SafeLogic.com

Editor's Notes

  • Intro SafeLogic, RapidCert, and this presentation will tell you why what we do is important
  • Assurance != Security
  • 1. Products are used in different types of systems
    Different systems address disparate risks and threats
    2. Does the system do what it is supposed to do?
    Does the system do something it’s not supposed to do?
    3. Structured approach to identifying components and concerns
  • Much like everything else, we need a standard and a process
  • FedRAMP processes are designed to assist agencies in meeting FISMA requirements for cloud systems and addresses complexities of cloud systems that create unique challenges for complying with FISMA

    Federal has historically sucked at procurement. FedRAMP helps them get the latest tech while still meeting their requirements for assurance.
  • Source: FedRAMP Security Assessment Framework, v2.0 (June 6, 2014)
  • JAB is security experts from the (DHS) (DOD) (GSA)
  • Fedramp.gov
  • SAP: describe the security test plan and get approval to proceed from JAB
    Test cases modified from NIST SP 800-53A due to the uniqueness of cloud implementations.
    SAR highlights findings, mitigations, and operational requirements, as well as identify any problems or areas of concern.
  • Systems certification and accreditation requirements include the use of evaluated products
  • -2 is second revision
    Document, Test, Validate
  • Perform CAVP algorithm testing
    Build tools / harnesses to accept input vectors from lab and properly format responses
    Guide testing laboratory through source code to demonstrate compliance to functions specified in FIPS 140
    Develop functional test harnesses
  • Patrick talked about this from a CSP perspective. Penetration tests, etc. Trust is sometimes a shortcut. These assurance programs provide a level of trust

    • ×