David Gerendas, Group Product Manager, Intel Security
Ray Potter, CEO of SafeLogic
With the advent of the cloud and the explosion of mobile endpoints, enterprises have increased their focus on maintaining data integrity and confidentiality from growing threats. As a result, the Federal Risk and Authorization Management Program, a.k.a. FedRAMP, has taken on greater significance outside of federal deployments. By standardizing requirements and expectations, the program has set a strong benchmark for the entire cloud industry. In response to repeated security breaches that have damaged brands’ credibility, corporate mandates are now matching and even exceeding their government counterparts. If you are not FedRAMP compliant, enterprises demand to know why not.
Encryption is integral to FedRAMP and has become ubiquitous in the effort to protect information assets. But while crypto libraries are still often deployed on their own, with no independent verification, customer expectations have risen in recent years. Enterprises no longer accept homegrown cryptography from vendors, strongly preferring solutions that have been tested by third-party labs and validated by the government. Federal Information Processing Standard (FIPS) 140-2 is the benchmark standard for cryptographic modules, and the Cryptographic Module Validation Program (CMVP) was established to validate modules that meet it. Together, FedRAMP and FIPS 140-2 give cloud buyers a high level of assurance, but both are still widely misunderstood.
You will learn:
• What FedRAMP compliance entails
• Advantages of using a validated cryptographic module in the cloud
• How encryption modules become validated and the pitfalls of the process
• Meaning of FedRAMP compliance claims and how to confirm
• Right questions to ask vendors about their encryption and FedRAMP compliance
Amped for FedRAMP
1. Amped for FedRAMP
Cloud Security World, New Orleans
Ray Potter
CEO
SafeLogic
David Gerendas
Group Product Manager
Intel Security
2. Takeaways
• What FedRAMP compliance entails
• Advantages of using a validated cryptographic module in the cloud
• How encryption modules become validated and the pitfalls of the process
• Meaning of FedRAMP compliance claims and how to confirm
• Right questions to ask vendors about their encryption and FedRAMP compliance
3. Assurance
• A measure of confidence and trust (usually via a third party) that a product, product component, or system meets its claims or meets a specified set of requirements
• Applies to products and to systems
5. Systems Assurance
• Using evaluated products does not provide an appropriate level of assurance by default
• Need to look at the overall functionality of the system
• Risk mitigation / due diligence
6. FedRAMP
• December 9, 2010
– Office of Management and Budget (OMB) released the 25 Point Implementation Plan To Reform Federal Information Technology Management
– Cloud First policy was enacted, requiring agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists
• December 8, 2011
– OMB FedRAMP Policy Memo: Security Authorization of Information Systems in Cloud Computing Environments
– Establishes the Federal Risk and Authorization Management Program (FedRAMP)
– Requires all Federal agencies to meet FedRAMP requirements by June 2014
7. Purpose
• Ensure that cloud-based services have adequate information security
• Eliminate duplication of effort and reduce risk management costs
• Enable rapid and cost-effective procurement of information systems/services
8. Applicable Standards and Guidance
FIPS Publication 140-2: Security Requirements for Cryptographic Modules
FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems
FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems
NIST SP 800-37, Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
NIST SP 800-53, Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations
NIST SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations
9. Goals
• Standardize security requirements
• Accredit qualified third-party assessors
• Provide a repository of authorized secure cloud packages
• Standardize ongoing assessment methodologies
• Standardize contract language
10. Key Stakeholders
• Federal agency customer – has a requirement for cloud technology that will be deployed into their security environment and is responsible for ensuring FISMA compliance
• Cloud Service Provider (CSP) – is willing and able to fulfill agency requirements and to meet security requirements
• Joint Authorization Board (JAB) – reviews the security package submitted by the CSP and grants a Provisional Authority to Operate (P-ATO)
• Third Party Assessment Organization (3PAO) – validates and attests to the quality and compliance of the CSP-provided security package
• FedRAMP Program Management Office (PMO) – manages the assessment, authorization, and continuous monitoring process
12. Security Assessment Packages
• JAB Provisional ATO
– May take 18+ months; requires broader reviews/approvals
– More widely accepted (government-wide)
• Agency ATO
– May take 12+ months; only requires the sponsoring agency's ATO
– Agency reputation and experience matter
• CSP Supplied
– Package "in-waiting"
– May not meet all acquiring agency requirements

Category                            Assessed By        Authorizing Authority
FedRAMP Provisional Authorization   Accredited 3PAO    JAB
Agency ATO w/ FedRAMP 3PAO          Accredited 3PAO    Agency
CSP Supplied                        Accredited 3PAO    None
13. Security Testing
• System Security Plan (SSP)
• Security Assessment Plan (SAP)
• Security Test Cases
• Security Assessment Report (SAR)
• Scanning / Continuous Monitoring
14. Authorization Process and Timeline
Both authorization paths move through the same five phases in order: System Security Plan, Security Assessment Plan, Testing, SAR & POA&M Review, Authorize.
• JAB Provisional Authorization (P-ATO) path
– System Security Plan: ISSO and CSP review the SSP; JAB review; CSP addresses JAB concerns
– Security Assessment Plan: 3PAO creates the SAP and the ISSO reviews it; JAB review; CSP addresses JAB concerns
– Testing: 3PAO tests and creates the SAR
– SAR & POA&M Review: ISSO and CSP review the SAR and the CSP creates the POA&M; JAB review; CSP addresses JAB concerns
– Authorize: final JAB review and P-ATO sign-off
• Agency ATO path
– System Security Plan: agency review; CSP implements the control delta
– Security Assessment Plan: agency reviews the SAP; CSP addresses agency notes
– Testing: 3PAO tests and creates the SAR
– SAR & POA&M Review: agency reviews the SAR and the CSP creates the POA&M; CSP addresses agency concerns
– Authorize: final agency ATO sign-off
Quality of documentation will determine the length of time and the number of review cycles throughout the entire process.
18. Product Assurance
• Certification or evaluation of a product or product functionality against a set of requirements
• Required for product procurement in government and commercial industry
• Sets a barrier to entry
19. FIPS 140-2
• Federal Information Processing Standard 140, second revision
• Specifies requirements for cryptographic hardware and software modules
• Published jointly by the US (NIST) and Canadian (CSE) governments, which also run the CMVP
• Tested by independent, accredited laboratories
• Offers four security levels (Level 1 through Level 4)
20. Areas of Validation
• Module Definition
• Ports and Interfaces
• Roles, Services, and Authentication
• Finite State Model
• Physical Security
• Operating Environment
• Key Management
• Self-Tests
(FIPS 140-2 defines eleven areas in all; the three not listed above are EMI/EMC, Design Assurance, and Mitigation of Other Attacks.)
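The Self-Tests area is the one a practitioner actually sees at runtime: before offering any service, a module must pass its power-up known-answer tests and a software integrity check, and if anything fails it must enter an error state and refuse all cryptographic services until the tests pass. The Python sketch below is an added illustration of that gating, not code from SafeLogic, Intel Security or any validated module. The module image, the integrity key and the list of "approved" digests are hypothetical; the known-answer values are the published SHA-256("abc") and HMAC-SHA-256("key", "The quick brown fox...") results. It also shows the approved-mode restriction that a validated module enforces: MD5 is refused even though the underlying library could compute it.

```python
"""Power-up self-tests and error-state gating in the style FIPS 140-2 requires
of a cryptographic module. Illustrative hypothetical module, not a validated one."""
import hashlib
import hmac

# Known-answer test vectors. These are published results: SHA-256("abc") and
# HMAC-SHA-256 with key "key" over the familiar "quick brown fox" sentence.
SHA256_KAT = (b"abc",
              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_SHA256_KAT = (b"key", b"The quick brown fox jumps over the lazy dog",
                   "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8")

# Hypothetical module image and integrity key. A real module MACs or signs its
# own binary at build time and re-checks that value at every power-up.
MODULE_IMAGE = b"hypothetical module code, version 1"
INTEGRITY_KEY = b"hypothetical build-time integrity key"
EXPECTED_IMAGE_MAC = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, hashlib.sha256).hexdigest()

# Algorithms the hypothetical module allows in its approved mode.
APPROVED_DIGESTS = {"sha256", "sha384", "sha512"}


class ModuleNotAvailable(Exception):
    """Raised when a service is requested while the module is not in the approved state."""


class CryptoModule:
    """States: POWER_OFF -> SELF_TEST -> APPROVED, or SELF_TEST -> ERROR."""

    def __init__(self):
        self.state = "POWER_OFF"
        self.failures = []

    # --- power-up self-tests -------------------------------------------------
    def _kat_sha256(self):
        msg, expected = SHA256_KAT
        return hmac.compare_digest(hashlib.sha256(msg).hexdigest(), expected)

    def _kat_hmac_sha256(self):
        key, msg, expected = HMAC_SHA256_KAT
        return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), expected)

    def _integrity_check(self, image):
        actual = hmac.new(INTEGRITY_KEY, image, hashlib.sha256).hexdigest()
        return hmac.compare_digest(actual, EXPECTED_IMAGE_MAC)

    def power_up(self, image=MODULE_IMAGE):
        """Run every self-test; any failure puts the module in ERROR and
        disables all cryptographic services. Returns the resulting state."""
        self.state, self.failures = "SELF_TEST", []
        tests = [
            ("SHA-256 KAT", self._kat_sha256),
            ("HMAC-SHA-256 KAT", self._kat_hmac_sha256),
            ("software integrity", lambda: self._integrity_check(image)),
        ]
        for name, test in tests:
            if not test():
                self.failures.append(name)
        self.state = "ERROR" if self.failures else "APPROVED"
        return self.state

    # --- services, only available in the approved state -----------------------
    def _require_approved(self):
        if self.state != "APPROVED":
            raise ModuleNotAvailable(f"module is in {self.state} state; services disabled")

    def digest(self, algorithm, data):
        """Hash with an approved algorithm only; MD5 and friends are refused
        even though hashlib could compute them."""
        self._require_approved()
        if algorithm not in APPROVED_DIGESTS:
            raise ValueError(f"{algorithm} is not an approved algorithm in this mode")
        return hashlib.new(algorithm, data).hexdigest()

    def hmac_sha256(self, key, data):
        self._require_approved()
        return hmac.new(key, data, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    good = CryptoModule()
    print("clean power-up:", good.power_up())
    print("SHA-256(abc) =", good.digest("sha256", b"abc"))
    tampered = CryptoModule()
    print("tampered image:", tampered.power_up(image=MODULE_IMAGE + b"!"), tampered.failures)
```

The point of the state machine is that the integrity check and the KATs are not optional diagnostics: a module that keeps serving requests after a failed self-test is not operating in its validated configuration, which is exactly the situation the "tested on a current platform" question on the due-diligence slide is probing for.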
21. Why FIPS 140-2?
• Required for Federal and industry procurement
• Provides a level of confidence that encryption functions are implemented correctly and to a benchmark
• FIPS Compliant
– Embedding a module that already holds a FIPS 140-2 validation (someone else's certificate)
– Uses proven crypto functions
– Only a meaningful claim if the embedded module runs in its approved mode, on a platform listed in its Security Policy
• FIPS Validated
– Getting your own certificate, with your own product as the module boundary
– Reassures buyers
22. Challenges of a Typical FIPS 140-2 Validation
• Definition of the module
• HW & OS platform support
• Use of approved algorithms
• Development of appropriate documentation
• Algorithm testing
• Lengthy validation process
• Significant time and resource requirements
23. Where Does FIPS 140 Fit?
• Encrypt data in motion
• Encrypt data at rest
24. The Role of FIPS 140-2 in FedRAMP
• Validated crypto is required for government
– FedRAMP
– FISMA
– SP 800-53 (control SC-13, whose FedRAMP parameter calls for FIPS-validated cryptography)
• If crypto isn't validated, it might as well be plaintext: for the assessor, unvalidated crypto earns no credit against the control
25. Do Your Due Diligence
• Where is your FIPS 140 certificate? Look the number up on the CMVP validated modules list and read the Security Policy, not just the marketing page
• Is the product / module FIPS-tested on a current platform? The certificate lists the tested operational environments; on any other OS or hardware you are relying on vendor affirmation at best
• For consumers / developers, is your CSP doing the right things?
• Did you go through the FedRAMP process?
Intro SafeLogic, RapidCert, and this presentation will tell you why what we do is important
Assurance != Security
1. Products are used in different types of systems
Different systems address disparate risks and threats
2. Does the system do what it is supposed to do?
Does the system do something it’s not supposed to do?
3. Structured approach to identifying components and concerns
Much like everything else, we need a standard and a process
FedRAMP processes are designed to assist agencies in meeting FISMA requirements for cloud systems and address complexities of cloud systems that create unique challenges for complying with FISMA
Federal has historically sucked at procurement. FedRAMP helps them get the latest tech while still meeting their requirements for assurance.
JAB is security experts from DHS, DOD, and GSA
Fedramp.gov
SAP: describe the security test plan and get approval to proceed from JAB
Test cases modified from NIST SP 800-53A due to the uniqueness of cloud implementations.
SAR highlights findings, mitigations, and operational requirements, as well as identifies any problems or areas of concern.
Systems certification and accreditation requirements include the use of evaluated products
-2 is second revision
Document, Test, Validate
Perform CAVP algorithm testing
Build tools / harnesses to accept input vectors from lab and properly format responses
Guide testing laboratory through source code to demonstrate compliance to functions specified in FIPS 140
Develop functional test harnesses
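The notes above describe the harness work behind CAVP algorithm testing: take the lab's input vectors, run them through the module under test, and hand back responses in the format the lab expects. As an added example (not SafeLogic's RapidCert tooling, and not an official CAVS vector file), here is a minimal harness in the layout of a CAVS SHA ShortMsg .req/.rsp pair. It parses a constructed request file, computes each digest with the "module under test" (Python's hashlib stands in for it), emits the response file, and can re-verify a response file so that a wrong answer is caught before the lab sees it.

```python
"""Minimal CAVS-style known-answer harness for SHA ShortMsg vectors.
Added illustration; the request text below is constructed, not an official CAVS file."""
import hashlib
import re

# CAVS SHA files carry a "[L = n]" header giving the digest length in bytes.
SHA_BY_DIGEST_LEN = {20: "sha1", 28: "sha224", 32: "sha256", 48: "sha384", 64: "sha512"}

# Constructed sample in the layout of a SHA-256 ShortMsg.req (Len is in bits,
# Msg is hex; a zero-length message is written as "Msg = 00" with Len = 0).
SAMPLE_REQ = """\
# constructed sample in the layout of a CAVS SHA-256 ShortMsg.req file
[L = 32]

Len = 0
Msg = 00

Len = 24
Msg = 616263
"""


def parse_vectors(text):
    """Return (digest_len_bytes, records). Each record is a dict of the
    'key = value' lines in one blank-line-separated block; '#' lines are ignored."""
    digest_len = None
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        header = re.fullmatch(r"\[L = (\d+)\]", line)
        if header:
            digest_len = int(header.group(1))
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    if digest_len not in SHA_BY_DIGEST_LEN:
        raise ValueError(f"unsupported or missing [L = n] header: {digest_len}")
    return digest_len, records


def msg_bytes(record):
    # Len (bits) is authoritative: "Msg = 00" with Len = 0 means the empty message.
    nbits = int(record["Len"])
    return bytes.fromhex(record["Msg"])[: nbits // 8]


def module_digest(digest_len, msg):
    """The module under test. A real harness calls into the module's own
    implementation here; hashlib is the stand-in for this illustration."""
    return hashlib.new(SHA_BY_DIGEST_LEN[digest_len], msg).hexdigest()


def build_rsp(req_text):
    """Produce the .rsp text: every request record with its MD line appended."""
    digest_len, records = parse_vectors(req_text)
    out = [f"[L = {digest_len}]", ""]
    for rec in records:
        out += [f"Len = {rec['Len']}", f"Msg = {rec['Msg']}",
                f"MD = {module_digest(digest_len, msg_bytes(rec))}", ""]
    return "\n".join(out)


def verify_rsp(rsp_text):
    """Recompute every MD in an .rsp and return mismatches as
    (record_index, md_in_file, md_recomputed); an empty list means all pass."""
    digest_len, records = parse_vectors(rsp_text)
    mismatches = []
    for i, rec in enumerate(records):
        actual = module_digest(digest_len, msg_bytes(rec))
        if actual != rec["MD"].lower():
            mismatches.append((i, rec["MD"].lower(), actual))
    return mismatches


if __name__ == "__main__":
    rsp = build_rsp(SAMPLE_REQ)
    print(rsp)
    print("self-check mismatches:", verify_rsp(rsp))
    print("corrupted-file mismatches:", verify_rsp(rsp.replace("ba7816bf", "00000000")))
```

In a real validation the same harness is pointed at the module's own API rather than hashlib, extended with the other CAVS file types (Monte Carlo, LongMsg, AES, HMAC, and so on), and kept under version control alongside the module so that the lab can repeat the run on every tested operational environment.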
Patrick talked about this from a CSP perspective. Penetration tests, etc. Trust is sometimes a shortcut. These assurance programs provide a level of trust