SlideShare a Scribd company logo
Amped for FedRAMP
Cloud Security World, New Orleans
Ray Potter
CEO
SafeLogic
David Gerendas
Group Product Manager
Intel Security
Takeaways
• What FedRAMP compliance entails
• Advantages of using a validated cryptographic
module in the cloud
• How encryption modules become validated and
the pitfalls of the process
• Meaning of FedRAMP compliance claims and how
to confirm
• Right questions to ask vendors about their
encryption and FedRAMP compliance 2
Assurance
• A measure of confidence and trust (usually via
a third party) that a product, product
component, or system meets its claims or
meets a specified set of requirements
• Applies to products and to systems
3
Systems Assurance / FedRAMP
Systems Assurance
• Using evaluated products does not provide an
appropriate level of assurance by default
• Need to look at overall functionality of the
system
• Risk mitigation / due diligence
5
FedRAMP
• December 9, 2010
• Office of Management and Budget (OMB) released the 25 Point
Implementation Plan To Reform Federal Information Technology
Management
• Cloud First policy was enacted -- requiring agencies to use cloud-
based solutions whenever a secure, reliable, cost-effective cloud
option exists.
• December 8, 2011
• OMB FedRAMP Policy Memo: Security Authorization of
Information Systems in Cloud Computing Environments
• Establishes the Federal Risk and Authorization Management
Program (FedRAMP)
• Requires all Federal agencies to meet FedRAMP requirements
by June 2014
Purpose
• Ensure that cloud based services have
adequate information security
• Eliminate duplication of effort and reduce risk
management costs
• Enable rapid and cost-effective procurement
of information systems/services
Applicable Standards and Guidance
 FIPS Publication 140-2: Security Requirements for Cryptographic Modules
 FIPS Publication 199: Standards for Security Categorization of Federal
Information and Information Systems
 FIPS Publication 200: Minimum Security Requirements for Federal
Information and Information Systems
 NIST SP 800-37, Rev 1: Guide for Developing the Risk Management
Framework to Federal Information Systems: A Security Life Cycle Approach
 NIST SP 800-53, Rev 4: Recommended Security Controls for Federal
Information Systems
 NIST SP 800-53A: Guide for Assessing the Security Controls in Federal
Information Systems
 NIST SP 800-137: Information Security Continuous Monitoring for Federal
Information Systems and Organizations
Goals
• Standardize security requirements
• Accredit qualified third-party assessors
• Provide repository of authorized secure cloud
packages
• Standardize on-going assessment
methodologies
• Standardize contract language
Key Stakeholders
• Federal agency customer – has a requirement for cloud technology
that will be deployed into their security environment and is responsible
for ensuring FISMA compliance
• Cloud Service Provider (CSP) – is willing and able to fulfill agency
requirements and to meet security requirements
• Joint Authorization Board (JAB) – reviews the security package
submitted by the CSP and grants a provisional Authority to Operate
(ATO)
• Third Party Assessor (3PAO) – validates and attests to the quality and
compliance of the CSP provided security package
• FedRAMP Program Management Office (PMO) – manages the process
assessment, authorization, and continuous monitoring process
Executive Sponsorship & Governance
Security Assessment Packages
• JAB Provisional ATO
• may take 18+ months; requires broader reviews/approvals
• more widely accepted (government wide)
• Agency ATO
• May take 12+ months; only requires sponsoring Agency ATO
• Agency reputation and experience matters
• CSP Supplied
• Package “in-waiting”
• May not meet all acquiring agency requirements
Category Assessed By Authorizing
Authority
FedRAMP Provisional Authorization Accredited 3PAO JAB
Agency ATO w/ FedRAMP 3PAO Accredited 3PAO Agency
CSP Supplied Accredited 3PAO None
Security Testing
• Systems Security Plan
• Security Assessment Plan
• Security Test Cases
• Security Assessment Report
• Scanning / Continuous Monitoring
Authorization Process and Timeline
Authorize
CSP
Addresses
JAB
Concerns
JAB
Review
ISSO &
CSP
Review
SSP
3PAO
Creates
SAP/ ISSO
Reviews
SAP
JAB
Review
Final JAB
Review /
P-ATO Sign
Off
3PAO
Tests &
Creates
SAR
System Security Plan Security Assessment Plan SAR & POA&M ReviewTesting
JAB
Review
ISSO /
CSP
Reviews
SAR
CSP
Addresses
Jab
Concerns
Creates
POA&M
CSP
Addresses
JAB
Concerns
CSP
Addresses
Agency
Concerns
Agency
Review
CSP
Implements
Control
Delta
Agency
Review
SAP
Address
Agency
Notes
Final Agency
ATO Sign Off
3PAO
Tests &
Creates
SAR
System Security Plan Security Assessment
Plan
SAR & POA&M ReviewTesting Authorize
CSP
Addresses
Concerns
Agency
Reviews
SAR
CSP
Creates
POA&M
Quality of documentation will determine length of time
and possible cycles throughout the entire process
-
AWS – Shared Security Model
AWS – Shared Security Model (Cont.)
Product Assurance / FIPS 140
Product Assurance
• Certification or evaluation of a product or
product functionality against a set of
requirements
• Required for product procurement in
government and commercial industry
• Sets a barrier to entry
18
FIPS 140-2
• Federal Information Processing Standard 140
• Specifies requirements for cryptographic
hardware and software modules
• Published by US (NIST) and Canadian
Governments
• Tested by independent laboratories
• Offers 4 levels of validation
19
Areas of Validation
• Module Definition
• Ports and Interfaces
• Roles, Services, and Authentication
• Finite State Model
• Physical Security
• Operating Environment
• Key Management
• Self Tests 20
Why FIPS 140-2?
• Required for Federal and industry procurement
• Provides a level of confidence that encryption functions
are implemented correctly and to a benchmark
• FIPS Compliant
– Embedding a module that already has a FIPS validation
– Uses proven crypto functions
• FIPS Validated
– Getting your own certificate
– Reassures buyers
21
Challenges of a Typical FIPS 140-2
Validation
• Definition of the Module
• HW & OS platform support
• Use of approved algorithms
• Development of appropriate documentation
• Algorithm testing
• Lengthy validation process
• Significant time and resource requirements
22
Where Does FIPS 140 Fit?
• Encrypt
Data in
Motion
• Encrypt
Data at
Rest
The Role of FIPS 140-2 in FedRAMP
• Validated crypto is required for government
– FedRAMP
– FISMA
– SP800-53
• If crypto isn’t validated, it might as well be
plaintext
Do Your Due Diligence
• Where is your FIPS 140 Certificate?
• Is the product / module FIPS-tested on a
current platform?
• For consumers / developers, is your CSP doing
the right things?
• Did you go through the FedRAMP process?
Let’s Connect
• @SafeLogic_Ray
• @SafeLogic
• www.SafeLogic.com
• info@SafeLogic.com

More Related Content

What's hot

FedRAMP 3PAO Training
FedRAMP 3PAO Training FedRAMP 3PAO Training
FedRAMP 3PAO Training
1ECG
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
EnergySec
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
ControlCase
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
EnergySec
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
EnergySec
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1
Tripwire
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
James W. De Rienzo
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the Cloud
ControlCase
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust Principles
ControlCase
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information System
newbie2019
 
Project Forecasting from the Perspective of an EVMA and EIA-748
Project Forecasting from the Perspective of an EVMA and EIA-748Project Forecasting from the Perspective of an EVMA and EIA-748
Project Forecasting from the Perspective of an EVMA and EIA-748
Unanet
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk Assessment
Precisely
 
Does DevSecOps really exist?
Does DevSecOps really exist?Does DevSecOps really exist?
Does DevSecOps really exist?
continohq
 
Cyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryCyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities Industry
Prolifics
 
NIST 800-37 Certification & Accreditation Process
NIST 800-37 Certification & Accreditation ProcessNIST 800-37 Certification & Accreditation Process
NIST 800-37 Certification & Accreditation Process
timmcguinness
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
EnclaveSecurity
 
The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?
Unanet
 
Enterprise Risk Management Solutions
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management Solutions
LexComply
 
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Unanet
 

What's hot (20)

FedRAMP 3PAO Training
FedRAMP 3PAO Training FedRAMP 3PAO Training
FedRAMP 3PAO Training
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the Cloud
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust Principles
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information System
 
Project Forecasting from the Perspective of an EVMA and EIA-748
Project Forecasting from the Perspective of an EVMA and EIA-748Project Forecasting from the Perspective of an EVMA and EIA-748
Project Forecasting from the Perspective of an EVMA and EIA-748
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk Assessment
 
Does DevSecOps really exist?
Does DevSecOps really exist?Does DevSecOps really exist?
Does DevSecOps really exist?
 
Cyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryCyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities Industry
 
NIST 800-37 Certification & Accreditation Process
NIST 800-37 Certification & Accreditation ProcessNIST 800-37 Certification & Accreditation Process
NIST 800-37 Certification & Accreditation Process
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
 
The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?
 
Enterprise Risk Management Solutions
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management Solutions
 
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
 

Similar to Amped for FedRAMP

Fed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinarFed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinar
Tuan Phan
 
Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data Envirnment
Armor
 
ISStateGovtProposal
ISStateGovtProposalISStateGovtProposal
ISStateGovtProposal
Dale White
 
CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171 CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171
Ignyte Assurance Platform
 
Practical application of the tmf reference model
Practical application of the tmf reference modelPractical application of the tmf reference model
Practical application of the tmf reference model
Subhash Chandra
 
Secure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSecure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best Practices
Salesforce Developers
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob Cowles
Information Security Awareness Group
 
L5 RMF Phase 4 Implement.pptx
L5 RMF Phase 4 Implement.pptxL5 RMF Phase 4 Implement.pptx
L5 RMF Phase 4 Implement.pptx
StevenTharp2
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity Compliance
Robert E Jones
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Standards Customer Council
 
How To Avoid Procuring Ip When Doing Procurement
How To Avoid Procuring Ip When Doing ProcurementHow To Avoid Procuring Ip When Doing Procurement
How To Avoid Procuring Ip When Doing Procurement
William Tanenbaum
 
Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014
Brian T. O'Hara CISA, CISM, CRISC, CCSP, CISSP
 
Government Webinar: RMF, DISA STIG, and NIST FISMA Compliance Using SolarWinds
Government Webinar: RMF, DISA STIG, and NIST FISMA Compliance Using SolarWindsGovernment Webinar: RMF, DISA STIG, and NIST FISMA Compliance Using SolarWinds
Government Webinar: RMF, DISA STIG, and NIST FISMA Compliance Using SolarWinds
SolarWinds
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
Robert E Jones
 
Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023
Cyber Security Partners
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
KBIZEAU
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
John Gilligan
 
FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)
Wendy Knox Everette
 
Third Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure ProgramThird Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure Program
EnergySec
 

Similar to Amped for FedRAMP (20)

Fed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinarFed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinar
 
Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data Envirnment
 
ISStateGovtProposal
ISStateGovtProposalISStateGovtProposal
ISStateGovtProposal
 
CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171 CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171
 
Practical application of the tmf reference model
Practical application of the tmf reference modelPractical application of the tmf reference model
Practical application of the tmf reference model
 
Secure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSecure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best Practices
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob Cowles
 
L5 RMF Phase 4 Implement.pptx
L5 RMF Phase 4 Implement.pptxL5 RMF Phase 4 Implement.pptx
L5 RMF Phase 4 Implement.pptx
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity Compliance
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
How To Avoid Procuring Ip When Doing Procurement
How To Avoid Procuring Ip When Doing ProcurementHow To Avoid Procuring Ip When Doing Procurement
How To Avoid Procuring Ip When Doing Procurement
 
Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014
 
Government Webinar: RMF, DISA STIG, and NIST FISMA Compliance Using SolarWinds
Government Webinar: RMF, DISA STIG, and NIST FISMA Compliance Using SolarWindsGovernment Webinar: RMF, DISA STIG, and NIST FISMA Compliance Using SolarWinds
Government Webinar: RMF, DISA STIG, and NIST FISMA Compliance Using SolarWinds
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
 
Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
 
FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)
 
Third Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure ProgramThird Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure Program
 

Recently uploaded

Empowering Businesses in the Digital Age
Empowering Businesses in the Digital AgeEmpowering Businesses in the Digital Age
Empowering Businesses in the Digital Age
Bert Blevins
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 
Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
Eric D. Schabell
 
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Chris Swan
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...
chetankumar9855
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
KAMAL CHOUDHARY
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
WriteMe
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
Emerging Tech
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
SynapseIndia
 
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdfARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
Inglês no Mundo Digital
 
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
Toru Tamaki
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
Lidia A.
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
SynapseIndia
 

Recently uploaded (20)

Empowering Businesses in the Digital Age
Empowering Businesses in the Digital AgeEmpowering Businesses in the Digital Age
Empowering Businesses in the Digital Age
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
 
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
 
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdfARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
 
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 

Amped for FedRAMP

  • 1. Amped for FedRAMP Cloud Security World, New Orleans Ray Potter CEO SafeLogic David Gerendas Group Product Manager Intel Security
  • 2. Takeaways • What FedRAMP compliance entails • Advantages of using a validated cryptographic module in the cloud • How encryption modules become validated and the pitfalls of the process • Meaning of FedRAMP compliance claims and how to confirm • Right questions to ask vendors about their encryption and FedRAMP compliance 2
  • 3. Assurance • A measure of confidence and trust (usually via a third party) that a product, product component, or system meets its claims or meets a specified set of requirements • Applies to products and to systems 3
  • 5. Systems Assurance • Using evaluated products does not provide an appropriate level of assurance by default • Need to look at overall functionality of the system • Risk mitigation / due diligence 5
  • 6. FedRAMP • December 9, 2010 • Office of Management and Budget (OMB) released the 25 Point Implementation Plan To Reform Federal Information Technology Management • Cloud First policy was enacted -- requiring agencies to use cloud- based solutions whenever a secure, reliable, cost-effective cloud option exists. • December 8, 2011 • OMB FedRAMP Policy Memo: Security Authorization of Information Systems in Cloud Computing Environments • Establishes the Federal Risk and Authorization Management Program (FedRAMP) • Requires all Federal agencies to meet FedRAMP requirements by June 2014
  • 7. Purpose • Ensure that cloud based services have adequate information security • Eliminate duplication of effort and reduce risk management costs • Enable rapid and cost-effective procurement of information systems/services
  • 8. Applicable Standards and Guidance  FIPS Publication 140-2: Security Requirements for Cryptographic Modules  FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems  FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems  NIST SP 800-37, Rev 1: Guide for Developing the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach  NIST SP 800-53, Rev 4: Recommended Security Controls for Federal Information Systems  NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems  NIST SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations
  • 9. Goals • Standardize security requirements • Accredit qualified third-party assessors • Provide repository of authorized secure cloud packages • Standardize on-going assessment methodologies • Standardize contract language
  • 10. Key Stakeholders • Federal agency customer – has a requirement for cloud technology that will be deployed into their security environment and is responsible for ensuring FISMA compliance • Cloud Service Provider (CSP) – is willing and able to fulfill agency requirements and to meet security requirements • Joint Authorization Board (JAB) – reviews the security package submitted by the CSP and grants a provisional Authority to Operate (ATO) • Third Party Assessor (3PAO) – validates and attests to the quality and compliance of the CSP provided security package • FedRAMP Program Management Office (PMO) – manages the process assessment, authorization, and continuous monitoring process
  • 12. Security Assessment Packages • JAB Provisional ATO • may take 18+ months; requires broader reviews/approvals • more widely accepted (government wide) • Agency ATO • May take 12+ months; only requires sponsoring Agency ATO • Agency reputation and experience matters • CSP Supplied • Package “in-waiting” • May not meet all acquiring agency requirements Category Assessed By Authorizing Authority FedRAMP Provisional Authorization Accredited 3PAO JAB Agency ATO w/ FedRAMP 3PAO Accredited 3PAO Agency CSP Supplied Accredited 3PAO None
  • 13. Security Testing • Systems Security Plan • Security Assessment Plan • Security Test Cases • Security Assessment Report • Scanning / Continuous Monitoring
  • 14. Authorization Process and Timeline Authorize CSP Addresses JAB Concerns JAB Review ISSO & CSP Review SSP 3PAO Creates SAP/ ISSO Reviews SAP JAB Review Final JAB Review / P-ATO Sign Off 3PAO Tests & Creates SAR System Security Plan Security Assessment Plan SAR & POA&M ReviewTesting JAB Review ISSO / CSP Reviews SAR CSP Addresses Jab Concerns Creates POA&M CSP Addresses JAB Concerns CSP Addresses Agency Concerns Agency Review CSP Implements Control Delta Agency Review SAP Address Agency Notes Final Agency ATO Sign Off 3PAO Tests & Creates SAR System Security Plan Security Assessment Plan SAR & POA&M ReviewTesting Authorize CSP Addresses Concerns Agency Reviews SAR CSP Creates POA&M Quality of documentation will determine length of time and possible cycles throughout the entire process -
  • 15. AWS – Shared Security Model
  • 16. AWS – Shared Security Model (Cont.)
  • 18. Product Assurance • Certification or evaluation of a product or product functionality against a set of requirements • Required for product procurement in government and commercial industry • Sets a barrier to entry 18
  • 19. FIPS 140-2 • Federal Information Processing Standard 140 • Specifies requirements for cryptographic hardware and software modules • Published by US (NIST) and Canadian Governments • Tested by independent laboratories • Offers 4 levels of validation 19
  • 20. Areas of Validation • Module Definition • Ports and Interfaces • Roles, Services, and Authentication • Finite State Model • Physical Security • Operating Environment • Key Management • Self Tests 20
  • 21. Why FIPS 140-2? • Required for Federal and industry procurement • Provides a level of confidence that encryption functions are implemented correctly and to a benchmark • FIPS Compliant – Embedding a module that already has a FIPS validation – Uses proven crypto functions • FIPS Validated – Getting your own certificate – Reassures buyers 21
  • 22. Challenges of a Typical FIPS 140-2 Validation • Definition of the Module • HW & OS platform support • Use of approved algorithms • Development of appropriate documentation • Algorithm testing • Lengthy validation process • Significant time and resource requirements 22
  • 23. Where Does FIPS 140 Fit? • Encrypt Data in Motion • Encrypt Data at Rest
  • 24. The Role of FIPS 140-2 in FedRAMP • Validated crypto is required for government – FedRAMP – FISMA – SP800-53 • If crypto isn’t validated, it might as well be plaintext
  • 25. Do Your Due Diligence • Where is your FIPS 140 Certificate? • Is the product / module FIPS-tested on a current platform? • For consumers / developers, is your CSP doing the right things? • Did you go through the FedRAMP process?
  • 26. Let’s Connect • @SafeLogic_Ray • @SafeLogic • www.SafeLogic.com • info@SafeLogic.com

Editor's Notes

  1. Intro SafeLogic, RapidCert, and this presentation will tell you why what we do is important
  2. Assurance != Security
  3. 1. Products are used in different types of systems Different systems address disparate risks and threats 2. Does the system do what it is supposed to do? Does the system do something it’s not supposed to do? 3. Structured approach to identifying components and concerns
  4. Much like everything else, we need a standard and a process
  5. FedRAMP processes are designed to assist agencies in meeting FISMA requirements for cloud systems and addresses complexities of cloud systems that create unique challenges for complying with FISMA Federal has historically sucked at procurement. FedRAMP helps them get the latest tech while still meeting their requirements for assurance.
  6. Source: FedRAMP Security Assessment Framework, v2.0 (June 6, 2014)
  7. JAB is security experts from the (DHS) (DOD) (GSA)
  8. Fedramp.gov
  9. SAP: describe the security test plan and get approval to proceed from JAB Test cases modified from NIST SP 800-53A due to the uniqueness of cloud implementations. SAR highlights findings, mitigations, and operational requirements, as well as identify any problems or areas of concern.
  10. Systems certification and accreditation requirements include the use of evaluated products
  11. -2 is second revision Document, Test, Validate
  12. Perform CAVP algorithm testing Build tools / harnesses to accept input vectors from lab and properly format responses Guide testing laboratory through source code to demonstrate compliance to functions specified in FIPS 140 Develop functional test harnesses
  13. Patrick talked about this from a CSP perspective. Penetration tests, etc. Trust is sometimes a shortcut. These assurance programs provide a level of trust