Federal Risk and Authorization Management Program (FedRAMP)

Description of FedRAMP program


  1. Federal Risk and Authorization Management Program: An Interagency Program
     Pete Tseronis, Cloud Computing Advisory Council, Chair
     Katie Lewin, GSA Cloud Computing PMO, Director
     Kurt Garbars, GSA Senior Agency Information Security Officer
     Peter Mell, NIST FedRAMP Technical Advisor; Cloud Computing Advisory Council, Vice Chair
  2. NIST's Role in FedRAMP
     • FedRAMP is a multiagency initiative
       – Conducted under the Federal CIO, the Cloud Computing Advisory Council's security working group, and the Federal Cloud Initiative
     • NIST provides technical advice
     • NIST led the definition of the FedRAMP process:
       – Risk management processes
       – Foundational guidance
       – Technical frameworks
  3. The Problem Statement
     Problem: How do we best perform security authorization for large outsourced and multi-agency systems?
     • Government is increasing its use of large shared and outsourced systems
       – Technical drivers: the move to cloud computing, virtualization, service orientation, and web 2.0
       – Cost savings: through datacenter and application consolidation
     • Independent agency risk management of shared systems can create inefficiencies
  4. The Problem: Independent Agency Risk Management of Shared Systems
     (Diagram: many Federal Agencies each managing risk separately for the same Outsourced Systems)
     • Duplicative risk management efforts
     • Incompatible requirements
     • Acquisition slowed by lengthy compliance processes
     • Potential for inconsistent application of Federal security requirements
  5. The Solution Concept: FedRAMP
     • A government-wide initiative to provide joint authorization services
       – Unified government-wide risk management
       – Agencies would leverage FedRAMP authorizations (when applicable)
     • Agencies retain their responsibility and authority to ensure use of systems that meet their security needs
     • FedRAMP would provide an optional service to agencies
  6. The Solution: Government-wide Risk Management of Shared Systems
     (Diagram: Federal Agencies rely on FedRAMP risk management, consisting of Authorization and Federal Security Requirements, for their Outsourced Systems)
     • Risk management cost savings and increased effectiveness
     • Interagency vetted approach
     • Rapid acquisition through consolidated risk management
     • Consistent application of Federal security requirements
     FedRAMP: Federal Risk and Authorization Management Program
  7. Agency Perspective
     Independent Agency Effort:
     • Security Control Selection
     • Security Implementation
     • Security Assessment
     • Authorization
     • Plan of Action and Milestones
     • Monitoring
     Result: slower acquisition; significant effort
     Leveraged Authorization:
     • Review security details
     • Leverage the existing authorization
     • Secure agency usage of system
     • Assurance strengthened through focused effort
     Result: enables rapid acquisition; reduced effort
  8. Agency Responsibilities
     • Review FedRAMP authorization packages prior to making a decision to accept the risk
       – Determine suitability to the agency's mission/risk posture
       – Determine if additional security work is needed
     • Perform agency-specific security activities
       – FedRAMP will publish a list of security controls that are the responsibility of the agency (can't be done government-wide)
       – Need for agency system security plans
  9. Vendor Perspective
     Coverage of the Federal market
     (Diagram: Vendors → FedRAMP → Acquiring Agencies)
     • Products publicly listed as FedRAMP authorized
  10. Overview of FedRAMP Government-Wide Risk Management Process
      Risk Management Framework Steps 1-4
      • Government:
        – Activity 1: Categorize Information and Information System
        – Activity 2: Create Security Specifications (including security control selection)
      • Cloud Provider / Independent 3rd party:
        – Activity 3: Implement Security Controls
        – Activity 4: Assess Security Controls
        – Activity 5: Create Authorization Package
      • Frequency labels in the diagram: Executed Once per System; Executed Once per Type
      Risk Management Framework Step 5
      • Government Agencies:
        – Activity 6: Authorize System (Executed Once per System)
        – Activity 7: Agency Review and Acceptance of Authorization (Executed Once per Agency)
      Risk Management Framework Step 6
      • Provider:
        – Activity 8: Perform Continuous Monitoring (Executed Continuously per System)
      • Government:
        – Activity 9: Monitor and Accept Ongoing Level of Risk (Executed Continuously per System)
      See the Risk Management Framework (NIST 800-37 revision 1) for step details
  11. Expected FedRAMP Benefits: Security and Privacy Perspective
      • increases security through focused risk management
      • reduces duplication of effort
      • ensures security oversight of outsourced systems
      • provides independent accountability for government-developed systems used by multiple agencies
      • ensures integration with government-wide security efforts
  12. Expected FedRAMP Benefits: CIO Perspective
      • reduces costs by eliminating duplication of effort
      • enables rapid acquisition by leveraging pre-authorized solutions
      • provides transparency through agency-vetted security requirements and authorization packages
      • ameliorates technical hurdles with multi-agency assessment and authorization of shared systems
  13. Questions?
      Presenter Name: Peter Mell
      NIST FedRAMP Technical Representative
      Cloud Computing Advisory Council, Vice Chair
  14. The NIST Cloud Definition
      • Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
      • The full extended definition is available at: http://csrc.nist.gov/groups/SNS/cloud-computing
  15. The NIST Cloud Definition Framework
      • Deployment Models: Hybrid Clouds
      • Service Models: Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS)
      • Essential Characteristics: On Demand Self-Service; Broad Network Access; Rapid Elasticity; Resource Pooling; Measured Service
      • Common Characteristics: Massive Scale; Resilient Computing; Homogeneity; Geographic Distribution; Virtualization; Service Orientation; Low Cost Software; Advanced Security