SlideShare a Scribd company logo
1 of 71
Download to read offline
Agency Workshop


FedRAMP Compliance and Implementation
March 18, 2013




                                        1
Welcome
                         Dave McClure
Federal Risk and Authorization
                     Associate Administrator
Management of Citizen Services and Innovative Technologies
         Office Program

(FedRAMP)




                                                             2
Session Purpose and Outcomes

• Purpose
  – Detail agency FedRAMP compliance and implementation
    requirements
• Outcomes
  – Understand FedRAMP its processes, benefits, and key
    players
  – Ability to explain agency FedRAMP requirements
  – Understand the different FedRAMP assessment paths
  – Clarity on how an agency complies with FedRAMP
    requirements for existing and planned cloud systems



                                                          3
Agenda

Topic                                     Speaker            Time
Welcome                                   Dave McClure       9:00 – 9:10
Cloud and FedRAMP Overview                Katie Lewin        9:10 – 9:20
FedRAMP Responsibilities and Compliance   Maria Roat         9:20 – 9:35
Cloud Inventory                           Maria Roat         9:35 – 9:40
Implementation: Planning Phase            Matthew Goodrich   9:40 – 10:10
           Questions and Answers                             10:10 – 10:30
                    BREAK                                    10:30 – 10:40
Implementation: Assessment Phase          Matthew Goodrich   10:40 – 11:10
Implementation: Customer Controls &       Maria Roat         11:10 – 11:20
Authorization
Ongoing Assessment & Authorization        Maria Roat         11:20 – 11:30
    Wrap-up and Questions and Answers                        11:30 – 12:00

                                                                             4
Cloud and FedRAMP Overview
Federal Risk and Authorization Katie Lewin
Management Program Computing Initiative
                   Federal Cloud
         Office of Citizen Services and Innovative Technologies
(FedRAMP)




                                                                  5
Cloud: A Fundamental Shift in IT


                         Efficiency
                         • Improved Asset
                           Utilization
                         • Aggregated Demand                          Total Federal IT       Potential
                         • Improved Productivity                         Spending          Spending on
                                                                                         Cloud Computing


       Innovation                         Agility
       • From Owner to Service
                                          • “As a Service” Purchase
       • Private Sector
         Innovation                       • Near Instantaneous
                                            Capacity Adjustments
       • Entrepreneurial Culture
                                          • Responsiveness
       • Emerging Technologies




Source: www.cio.gov

                                                                                                           6
Administration’s Drive to the Cloud

“The Administration’s Federal Cloud Computing
Strategy requires agencies to default to cloud-based
solutions whenever a secure, reliable and cost-effective
cloud option exists – however, the move to the cloud
requires a dramatic shift in the way Federal agencies buy
IT – from capital expenditures to operating expenditures.

With this shift comes a learning curve as the government
analyzes how to best procure this new service-based
model. . . .”

                                             -Steven VanRoekel
                            U.S. Chief Information Officer, OMB
                                              February 24, 2012

                                                                  7
Federal Timeline for Cloud



  “Cloud First”
 25 Point Plan to              FedRAMP Policy
Reform Federal IT                  Memo
 December 9, 2010                December 8, 2011




                    Federal Cloud               Creating Effective
                     Computing                  Cloud Computing
                      Strategy                      Contracts
                    February 8, 2011                February 24, 2012



                                                                        8
Federal Cloud Computing Program


To foster the adoption of cloud
across the Federal government
and to address obstacles to
cloud adoption
 New Information Portal &
  Collaboration Website
                              Blanket Purchase Agreements

                              •   Infrastructure as a Service

                              •   Email as a Service


cloud.cio.gov (coming soon)
                                                                9
What is FedRAMP?

FedRAMP is a government-wide program that provides
a standardized approach to security assessment,
authorization, and continuous monitoring for cloud
products and services.
   This approach uses a “do once, use
    many times” framework that will save
    cost, time, and staff required to
    conduct redundant agency security
    assessments.




                                                     10
Federal Cloud Computing Initiative
                     and FedRAMP Timeline
April 2009
Cloud Computing Program
Management Office                                       July – Sept. 2010
Established                                             FedRAMP Concept
                                                                                 Feb – Mar 2011                                     June 2012
                                                        Vetted with
                                                                                 Government Tiger                                   FedRAMP Launches
                                                        Industry &
                                                                                 Teams Review                                       Initial Operational
                                                        Government
                               February 2010                                     Comments                                           Capability
                               FedRAMP Concept                     November 2010
                               Announced                           FedRAMP              Apr – June 2011             December 2011
                                                                   Concept,             Executive Team                                               January 2013
                                                                                                         FedRAMP Policy                              JAB Grants 2nd
                                                                   Controls, &          Solidifies Tiger signed
                                                                   Templates            Team                                                         Provisional
                                                                   Released             Recommendations                                              Authorization




                                                                             January 2011                                                       December 2012
                                                                                                              February 2012
                                                 June 2010                   Over 1,200 public                                                  JAB Grants 1st
                                                                             comments received                FedRAMP
                                                 FedRAMP Drafts                                               CONOPS                            Provisional
                         October 2009            Initial Baseline                                             Published                         Authorization
                         Security Working
                         Group Established                                                      July – Sept. 2011       May 2012
March 2009                                                         December 2010
Cloud Computing Program                                            Federal Cloud                3PAO Concept            3PAOs Accredited
Launched                                                           Computing Strategy           Planned
Executive Steering                                                 Published
Committee Established




Q1 09        Q2 09   Q3 09   Q4 09      Q1 10   Q2 10      Q3 10     Q4 10     Q1 11    Q2 11      Q3 11     Q4 11       Q1 12      Q2 12   Q3 12    Q4 12      Q1 13

                                                                                                                                                                    11
Key Benefits

• Re-use of existing security assessments across agencies
• Savings in cost, time and resources – do once, use
  many times
• Risk based not compliance based
• Transparency between government and cloud service
  providers
• Transparency        trust, reliability, consistency, and
  quality of the Federal security authorization process




                                                             12
FedRAMP Responsibilities & Compliance
Federal Risk and Authorization  Maria Roat
Management Program          FedRAMP Director
         Office of Citizen Services and Innovative Technologies
(FedRAMP)




                                                                  13
FedRAMP Policy Memo

            December 8, 2011 OMB Policy Memo
•   Establishes Federal policy for the protection of Federal
    information in cloud services
•   Describes the key components of FedRAMP and its
    operational capabilities
•   Defines Executive department and agency
    responsibilities in developing, implementing, operating
    and maintaining FedRAMP
•   Defines the requirements for Executive departments
    and agencies using FedRAMP in the acquisition of
    cloud services
                                                               14
FedRAMP Key Players


                                Federal Agencies
                              JAB (DOD, DHS, GSA)
                                   PMO- GSA
                            Technical Advisor – NIST
                          Continuous Monitoring - DHS



      Cloud Service Provider                        Independent Assessor
 Provides Cloud IT Services with a                Performs initial and periodic
 provisional authorization granted             assessment of security and privacy
         by FedRAMP JAB                            controls deployed in Cloud
                                                      information systems


Responsibilities established by the December 8, 2011 OMB Policy Memo
                                                                                    15
Responsibilities of Key Parties

                         • Require CSPs to meet FedRAMP requirements via
   Federal Agencies        contractual provisions
                         • Submit security assessment documentation and query
                           FedRAMP repository for existing documentation
                         • Implement customer responsibility controls
                         • Establish and implement continuous monitoring plans
                           through incident response and mitigation capabilities
                         • Submit application for FedRAMP authorization
Cloud Service Provider   • Hire independent third party assessor to perform
                           initial system assessment and on-going monitoring
                           of controls
                         • Create, submit and maintain authorization packages
                         • Provide Continuous Monitoring reports and updates
                           to FedRAMP and leveraging agencies

                         • Conduct Assessment of CSP Security Control
Independent Assessor       Implementation
                         • Generate Security Assessment Reports and associated
                           evidence
                         • Maintain independence from CSP


                                                                                16
FedRAMP Relationship to the
 NIST Risk Management Framework
                               Agency

                         1. Categorize the
                        Information System
       CSP                                         Agency
                            -Low Impact
6. Monitor Security      -Moderate Impact      2. Select the
     Controls                                    Controls
  - Continuous                               -FedRAMP Low or
   Monitoring                                Moderate Baseline

                      NIST Risk Management
   JAB / Agency            Framework                CSP

  5. Authorize                                 3. Implement
   Information                               Security Controls
      System
-Provisional Auth.          CSP and 3PAO      -Describe in SSP
   -Agency ATO             4. Assess the
                         Security Controls
                            -FedRAMP
                         Accredited 3PAO
                                                                 17
Complying with FedRAMP Policy

     All assessments of cloud-based products and services must use the
                       FedRAMP security requirements:
             baseline set of controls and all FedRAMP templates

•   All assessments do not require a provisional ATO granted by the JAB
•   Agencies can continue to grant their own ATOs without JAB sign-off
•   CSPs can submit FedRAMP compliant packages to agencies requesting an ATO
•   All assessment documentation must be submitted to FedRAMP PMO for
    inclusion in the secure repository

               Agencies must leverage existing FedRAMP ATOs
                     found in the FedRAMP repository
                 June 2014 All Cloud Projects Must Meet
                            FedRAMP Requirements
                                                                               18
Exception Guidance

• Private cloud deployments                      Bureaus,
   – Implemented within a Federal facility    components or
                                                subordinate
   – Operated solely for the use of the        organizations
     Executive Department or Agency          within an agency
                                              are considered
   – Not providing cloud services from the   external entities
     system to any external entities
• Cloud systems at a FIPS 199 Impact
  Level of High

  Cloud systems exempt from FedRAMP requirements
 must continue to comply with FISMA requirements and
  appropriate NIST security standards and guidelines

                                                                 19
Cloud Inventory
Federal Risk and Authorization  Maria Roat
Management Program          FedRAMP Director
         Office of Citizen Services and Innovative Technologies
(FedRAMP)




                                                                  20
Conducting the Inventory

• April 2013 Portfolio Stat online data call will gather
  information on agency cloud deployments
• Agencies will report information on their FIPs 199
  low and moderate impact cloud deployments being
  implemented or planned
   – Agency POC
   – CSP Detail : Name, Service Name, Brief Description, Service
     Model, Deployment Model, Assessor, FIPS 199 level
   – Implementation detail




                                                                   21
FedRAMP Inventory Questions

                      Fully Implemented
• Do you have an Authority to Operate (ATO) for the system?
• Have you performed a security controls gap analysis against the
  FedRAMP baseline controls?
• Were FedRAMP requirements met?
• How were FedRAMP requirements met?

             FedRAMP Requirements Not Met
• What is the rationale for being unable to meet FedRAMP
  requirements?
• Have you initiated discussions with the cloud system owner to
  review missing FedRAMP security controls?
• How do you plan on meeting FedRAMP requirements in the future?
• When will your agency’s use of this system be compliant with
  FedRAMP requirements?


                                                                    22
Plans for Cloud Inventory Effort

• Identify synergies between agency cloud portfolios
• Connect organizations using the same cloud service
  provider (CSP) to provide the same or similar cloud
  service
• Promote special interest groups of agencies using the
  same cloud service to establish an organized
  approach for requesting the CSP implement
  FedRAMP baseline controls
• Prioritize services to receive a Joint Authorization
  Board provisional authorization
• Assess FedRAMP applications and documentation
  received as compared to agency cloud portfolios

                                                          23
FedRAMP Implementation
                   Planning Phase
Federal Risk and Authorization
Management ProgramMatthew Goodrich
(FedRAMP)     FedRAMP Program Manager
         Office of Citizen Services and Innovative Technologies




                                                                  24
Three Phases of Implementation

Phase         Description
Planning      What path will my agency use to establish or
              implement a cloud service that is FedRAMP
              compliant?
Assessment    What is my agency’s role in assessing the
              cloud service?
Customer      How does my agency add additional controls
Controls &    and authorize the system?
Authorization




                                                             25
Planning Phase
   Purpose and Key Steps

• Purpose
  – Determine the agency’s path for meeting FedRAMP
    requirements


• Key Steps
  1. Incorporate FedRAMP requirements into contract clauses
  2. Identify if FedRAMP security assessment package
     available to leverage
  3. Gain access to the FedRAMP secure repository to review
     security assessment documentation
  4. Determine FedRAMP implementation path
  5. Alert FedRAMP PMO of implementation path

                                                              26
FedRAMP Contract Language
           Planning Phase

     FedRAMP is the implementation of FISMA and applicable NIST security
      standards and guidelines, commonly found in existing procurements

        FedRAMP contract language available at www.fedramp.gov
    Standard Contract Language                         Control Specific Language
 Designed for agencies to leverage for use     Agencies should not:
    within cloud procurements                        govern how the provider’s administrative
   Templates help agencies address:                   end user accounts are managed or
        requirement to be FedRAMP compliant           authenticated
        FedRAMP privacy requirements                 specify parameters for controls in the
        FedRAMP security assessment process           FedRAMP baseline, except from the
         requirements                                  perspective of a consumer’s
                                                       implementation
        authorization of system requirement
                                                  Some controls that may need additional clauses
        FedRAMP ongoing assessment and
                                                    Data          Audit      Incident     Personnel
         authorization requirement              Jurisdiction    Retention   Reporting     Screening
                                                   Boundary       Media      Info at     Identification
                                                   Protection   Transport     Rest      Authentication

                                                                                                      27
FedRAMP Website
    Planning Phase




         Leverage      www.fedramp.gov       Create



• Website lists CSPs with security assessment documentation
  available in the FedRAMP secure repository

       CSP Name         Service Name          Service
                                            Description
        ATO Date       Repository Level        3PAO
     FIPS 199 Level     Service Model       Deployment
                                              Model

                                                              28
Access Secure Repository
         Planning Phase

1.   Identify package for review
     based on website listing
2.   Complete FedRAMP Package
     Access Request form
     –     Supervisor must signoff on
           form
     –     FedRAMP will provide
           notification of acceptance or
           rejection of request
     –     Must demonstrate a need to
           view the package
3.   Receive access to OMB MAX
     folder corresponding to
     security assessment package
     for cloud service
     –     Access granted on a per
           person per package basis



                                           29
Leverage an Authorization
                              Planning Phase

FedRAMP maintains a repository of standardized security assessment
   packages Agencies can leverage to make their own risk-based
   decisions to grant an ATO for a cloud solution for their Agency.
                    This repository is key to the
              “do once, use many times” approach.




                                                                                                  Speed to Enter Repository
                                          Review
  Increased Level of review




                               Level                       Assessed by         Authorization
                                         Completed

                                        CSP Supplied,                          Candidate for
                                CSP                       Accredited 3PAO
                                       not yet reviewed                        Authorization
                                                              Optional
                              Agency   Agency reviewed                          Agency ATO
                                                          Accredited 3PAO
                                       FedRAMP ISSO &                       FedRAMP PA & Agency
                                JAB                       Accredited 3PAO
                                         JAB reviewed                              ATO


                                                                                                                              30
Package Type’s Impact on Agency Responsibilities
      Planning Phase



        Agency Responsibility             Repository level
                                      CSP    Agency      JAB
Accept risks and issue authority to                    
operate
Review documentation for both                  
completeness and accuracy
Submit annual assessment to the                
FedRAMP PMO
Provide continuous monitoring based                 Review
on FedRAMP requirements


                                                               31
Initial Review of Leveraged Documentation
    Planning Phase

• Control Tailoring Workbook (CTW) and Control
  Implementation Summary (CIS) are good documents to
  assess the extent to which the cloud solution’s security
  control implementation will meet your agency’s needs
  and ability to leverage corresponding security
  assessment packages
   – CTW – identifies controls that have been adapted by the cloud
     service provider
   – CIS – identifies who is responsible for each security control
• Documents summarize what a customer’s responsibility
  is in securely using a CSPs services as well as what a CSP
  does to meet FedRAMP security controls

                                                                     32
Existing Agency ATO – Migration Path
    Planning Phase

• Agency updates existing security assessment to meet
  FedRAMP requirements

An agency must…
• Provide own resources and bear all costs for the development
  of the package and ongoing use of the system
• Perform gap analysis of missing controls against the FedRAMP
  baseline
• Consider modifying existing contract to specifically stipulate
  FedRAMP Compliance
• Obtain commitment and compliance schedule for CSP to meet
  FedRAMP control requirements
• Migrate existing security package documents to required
  FedRAMP templates


                                                                   33
Alert FedRAMP PMO
    Planning Phase


                        Check with FedRAMP
                         PMO (repository) for
                        existing CSP Security
 Yes                    Assessment Package
                                                             No


 Leverage Existing                              Follow FedRAMP Security
Security Assessment                               Assessment Process,
      Package                                        Send package to
                                                        FedRAMP




                       Alert FedRAMP PMO of
                      Planned Compliance Path

                                                                      34
Questions and Answers




                        35
BREAK




        36
FedRAMP Implementation
Federal Risk and AuthorizationPhase
                  Assessment
Management ProgramMatthew Goodrich
(FedRAMP)     FedRAMP Program Manager
         Office of Citizen Services and Innovative Technologies




                                                                  37
Assessment Phase
    Purpose and Key Steps

• Purpose: Develop or review security assessment
  documentation required to make a risk-based
  decision to authorize the cloud service for use at
  your agency
• Key Steps
   1) Document security controls
   2) Perform security tests
   3) Finalize security assessment package




                                                       38
Document Security Controls
   Assessment Phase – Document Controls

1. Understand FedRAMP controls
2. Address and document how the CSP implements
   each FedRAMP security control
  – Control responsibility
  – What solution is being used for the control
  – How the solution meets the control requirement




                                                     39
FedRAMP Baseline Security Controls
            Assessment Phase – Document Controls

Controls are based upon the NIST SP 800-53 R3 catalog of controls for low and
moderate impact systems
                                                 Additional FedRAMP   Total Controls Agreed to
    Impact level        NIST Baseline Controls         Controls         by JAB for FedRAMP
 Low                             115                     1                       116
 Moderate                        252                    46                       298




         Additional FedRAMP
         controls selected to
       address unique elements
         of cloud computing



                   FedRAMP Security Controls Baseline Available on FedRAMP.gov

                                                                                                 40
System Security Plan (SSP)
      Assessment Phase – Document Controls

• Describes the purpose of the
  system
• Detailed description of Control
  Implementation
• Global view of how the system is
  structured
• Defines roles of the systems
  users and identifies personnel
  responsible for system security
• Delineates control responsibility
  between the customer or vendor
• The SSP is the key document to
  moving the FedRAMP assessment
  process forward



                                             41
Reviewing Security Controls in the SSP
       Assessment Phase – Document Controls

• Security control section
  details all the security
  controls and control
  enhancements required for
  FedRAMP
   – Responsible role – maintain
     and implement the control
   – Parameter of control –
     frequency
   – Implementation Status
   – Control origination –
     organization responsible for
     implementing and managing
     the control (vendor,
     customer, shared)
   – Solution and how
     implemented


                                                42
SSP Supporting Documentation (1/2)
    Assessment Phase – Document Controls

• Information Security Policies –CSP’s Information
  Security Policy that governs the system described in
  the SSP
• User Guide - describes how leveraging agencies use
  the system
• Rules of Behavior - defines the rules that describe
  the system user's responsibilities and expected
  behavior with regard to information and information
  system usage and access
• Configuration Management Plan - describes how
  changes to the system are managed and tracked
  (consistent with NIST SP 800-128)

                                                         43
SSP Supporting Documentation (2/2)
    Assessment Phase – Document Controls

• IT Contingency Plan - details how the recovery of the
  system occurs in the case of a disruption of service
• Incident Response Plan – explains provider actions in
  response to a security incident
• Privacy Threshold Analysis - questionnaire used to
  help determine if a Privacy Impact Assessment is
  required
• Privacy Impact Assessment - assesses what
  Personally Identifiable Information (PII) is captured
  and if it is being properly safeguarded


                                                          44
Perform Security Tests
    Assessment Phase – Perform Security Tests

1. Assess against the SSP with NIST SP 800-53a test
   cases
2. Independent Assessor audits assessment and
   results
3. Independent Assessor generates security
   assessment report




                                                      45
Role of the Independent Assessor
   Assessment Phase – Perform Security Tests


• Develops Security Assessment Plan (SAP)
• Performs Initial and Periodic Assessments of CSP
  Security Controls
• Conducts Security Testing
   – Use Test Case Workbooks
   – Manual Tests
   – Automated Tests
• Develops Security Assessment Report (SAR)
• Assessor must be independent
   – Cannot test and help CSP prepare documents
   – Cannot test and assist CSP in implementing controls
                                                           46
Independent Assessor Conformity
     Assessment Phase – Perform Security Tests

Third Party Assessment                           Accredited Independent
 Organization (3PAO)                                    Assessor



                                             Creates consistency in security
                                             assessments in accordance
  Benefits of leveraging                     with FISMA and NIST standards
      an accredited                          • Ensures assessor
                                               independence from CSP in
  independent assessor                         accordance with international
       (Third Party                            standards
       Assessment                            • Establishes an approved list of
   Organization – 3PAO)                        assessors - 3PAOs for CSPs and
                                               agencies to choose from to
                                               satisfy FedRAMP
                                               requirements.

                                                                                 47
Third Party Assessment Organizations
Assessment Phase – Perform Security Tests

                                                     Accredited 3PAOs
                                     BrightLine                 Homeland Security
                                                                Consultants
                                     COACT, Inc.                J.D. Biggs and Associates,
                                                                Inc.
                                     Coalfire Systems           Knowledge Consulting
                                                                Group, Inc.
                                     Department of              Logyx LLC
                                     Transportation (DOT)
                                     Enterprise Service Center
                                     (ESC)
                                     Dynamics Research         Lunarline, Inc.
                                     Corporation (DRC)

                                     Earthling Security, Inc.   Secure Info

                                     Electrosoft Services, Inc. SRA International, Inc.

                                                                Veris Group, LLC




                                                                                             48
Security Assessment Plan (SAP)
Assessment Phase – Perform Security Tests

                             • Independent Assessor develops the
                               SAP
                             • Defines scope of assessment
                                 - Hardware
                                 - Software
                                 - Databases
                                 - Applications
                                 - Facilities
                             • Testing Schedule
                             • Rules of Engagement (ROE)
                                 - Components included and
                                   excluded in assessment
                                 - Rules for transmission of results
                                 - ROE signed by CSP and
                                   Independent Assessor


                                                                       49
Security Assessment Report (SAR)
Assessment Phase – Perform Security Tests

                                 • Independent Assessor
                                   develops the SAR
                                 • Documents findings
                                 • Analysis of test results
                                 • Highlights ways for CSPs to
                                   mitigate security weaknesses
                                 • Primary document for
                                   making risk-based decisions




                                                                  50
Finalize Security Assessment
   Assessment Phase – Finalize Assessment

1. CSP develops plan of actions and milestones
   (POA&M)
2. CSP declares conformity with FedRAMP
   requirements and submits security assessment
   package




                                                  51
Plan of Action and Milestones
    Assessment Phase – Finalize Assessment

• Detailed plan with a schedule of how the CSP plans
  to address and fix and vulnerabilities found during
  testing
• All SAR findings must map to a POA&M item
• False positives marked in the SAR but not identified
  in the POA&M – as there is no remediation needed
  to correct false positives.
• CSPs applying for Provisional ATO:
   – Remediate high severity findings before Provisional ATO is
     granted
   – Remediate moderate findings within 90 days

                                                                  52
Declaration of Conformity
Assessment Phase – Finalize Assessment


                           • CSP attests and verifies that the
                             system conforms to FedRAMP
                             requirements.
                           • Certifies that all controls are
                             working properly
                           • Both JAB and leveraging agencies
                             use the Self-Attestation
                             Declaration of Conformity when
                             considering issuing an ATO




                                                                 53
Complete Assessment Package
   Assessment Phase – Finalize Assessment

• A complete security authorization
  package includes deliverables in
  section 10 of the FedRAMP CONOPS
               • Mandatory Templates:
                     •   System Security Plan
                     •   Security Assessment Plan
                     •   Security Assessment Report



                  • Other Templates located
                    on fedramp.gov:
                    •    Control Tailoring Workbook
                    •    Control Implementation Summary
                    •    IT Contingency Plan
                    •    Plan Of Action & Milestones
                    •    Supplier’s Declaration of Conformity

                                                                54
FedRAMP Implementation
Federal Risk andControls and Authorization Phase
     Customer Authorization
Management Program Maria Roat
(FedRAMP)        FedRAMP Director
         Office of Citizen Services and Innovative Technologies




                                                                  55
Customer Controls & Authorization Phase
       Purpose and Key Steps

• Purpose: Review security assessment documentation
  and grant authority to operate
• Key Steps
  1.    Review FedRAMP security authorization package
  2.    Implement customer controls
  3.    Grant authorization
  4.    Alert FedRAMP PMO of authorization granted and
        provide feedback regarding additional controls used




                                                              56
Customer Review of Authorization Package
    Customer Controls & Authorization Phase

• Security Authorization Package
   – Complete, consistent, and compliant with FedRAMP policy
   – Hardware or software inventory included
   – Content addresses the who, what, when, and how
   – Delivery of supporting documentation and information
     adequately referenced
   – Non-applicable controls not presented as implemented
• Risk review of Security Assessment Report and
  current Plan of Actions and Milestones




                                                               57
Agency Controls
    Customer Controls & Authorization Phase

• Include controls added on to FedRAMP baseline
• Include controls for applications & middleware
• Include controls with agency shared responsibility
      Shared Responsibility
  Both the CSP and the agency
  use two-factor authentication
  for authenticating to
  privileged and non-privileged
  accounts.

  Both CSP and agency must
  ensure users take security
  awareness training.




                                                       58
Authorize System
     Customer Controls & Authorization Phase

• Agencies make own risk-based determination for
  granting Authority to Operate

 Complete                     Agency             Agency
Authorization             Responsibilities     Authority to
  Package                  Implemented          Operate


• Submit final security assessment package to
  FedRAMP PMO if not already in the secure
  repository
• Notify FedRAMP PMO if Agency ATO withdrawn

                                                              59
FedRAMP Ongoing Assessment & Authorization
Federal Risk and Authorization  Maria Roat
Management Program          FedRAMP Director
         Office of Citizen Services and Innovative Technologies
(FedRAMP)




                                                                  60
Ongoing Assessment and Authorization

• Purpose: Determine whether deployed security
  controls remain effective in light of planned and
  unplanned changes that occur in the system and its
  environment over time.
• Key Steps
   1. Review of control implementation
   2. Review changes to the system
   3. Monitor incidents and new vulnerabilities




                                                       61
Overview
                                       Ongoing Assessment & Authorization

                                                         Cloud Service Provider (CSP)       Govt. Agency


                                                                                        Review control
                                                                   Annual
                                       1 Operational                                    reporting provided by
Ongoing Assessment and Authorization




                                                              Self-Attestation          CSP
                                           Visibility
      (Continuous Monitoring)




                                                              Obtains Change            Ensure POA&M /
                                       2
                                           Change            Reports / POA&M            System Changes meet
                                           Control               Updates                ATO requirements




                                         Incident                                       Responds to Incidents
                                       3                     Notifications              & Coordinate with US-
                                         Response                                       CERT


                                                                                                                62
Operational Visibility
           Ongoing Assessment & Authorization

CSPs                                                           CSP Submission   Number of
• CSP submits artifacts to the FedRAMP ISSO as defined by      Schedule         Deliverables
   the FedRAMP Continuous Monitoring Strategy and Guide        Monthly          1
• Artifacts include POA&Ms, Scans, and the Annual Self         Quarterly        2
   Attestation                                                 Semi-Annually    1
                                                               Annually         10
FedRAMP                                                        Every 3 Years    1
• The ISSOs monitor POA&Ms and reporting artifacts
   (vulnerability scan reports)
• Artifacts are stored in the Secure Repository
• ISSOs provide the JAB and leveraging agencies with
   updated information on the system so that risk-based
   decisions can be made about ongoing authorization

Agency
• Review artifacts in the Secure Repository to ensure that
   the risk posture of the CSP falls within agency tolerance
• Monitor security controls that are agency responsibilities
                                                                                               63
Change Control
           Ongoing Assessment & Authorization

CSPs
• CSPs must notify FedRAMP of any planned significant changes
  to the system before implementing the change
• CSPs must submit an updated SAR 30-days after
  implementation

FedRAMP
• Changes are reviewed by FedRAMP ISSOs and approved by the
  JAB
• FedRAMP will notify leveraging agencies:
    • If a significant change is planned and when it occurs
    • If it affects security posture or adds unacceptable levels
      of risk

Agency
• Upon notification of a significant change agencies should
  inform FedRAMP if they believe the planned changes will
  adversely affect the security of their information
• Agencies should review the change following the
  implementation of an approved change
                                                                   64
Incident Response
           Ongoing Assessment & Authorization

• Multiple incident response notification scenarios based on
  first responder to incident (Refer to the FedRAMP Incident
  Communication Plan)

Agency Responsibilities for Incident Response:

• Provide a primary and secondary POC to CSPs and US-CERT

• Notify US-CERT when a CSP reports an incident

• Work with CSPs to resolve incidents by providing
  coordination with US-CERT
• Notify CSPs, if the agency becomes aware of an incident that a CSP has not yet reported

• Notify FedRAMP ISSO of CSP incident activity

• Monitor security controls that are agency responsibilities.



                                                                                            65
Agency Responsibilities – JAB vs. Other Paths
       Ongoing Assessment & Authorization


Review                                                       Responsibility for
                 Description            Authorization
 Level                                                     Continuous Monitoring


             CSP Supplied, not yet      Candidate for
 CSP                                                               None
                  reviewed              Authorization


              Reviewed by agency
Agency         (*Accredited 3PAO         Agency ATO               Agency
                   Optional)


            Reviewed by FedRAMP      FedRAMP PA & Agency
 JAB                                                             FedRAMP
                 ISSO & JAB                 ATO




                                                                               66
Wrap-Up




          67
Cloud System Compliant with FedRAMP

• The system security package has been created using
  the required FedRAMP templates
• The systems meets the FedRAMP security control
  requirements
• The system has been assessed by an independent
  assessor
• A Provisional Authorization, and/or an Agency ATO,
  has been granted for the system
• An authorization letter for the system is on file with
  the FedRAMP PMO


                                                           68
Common Agency Questions

• Do I need to have the JAB grant a Provisional Authorization to be
  FedRAMP Compliant?
    – No, an agency can grant an ATO using the FedRAMP Controls and
      templates.
• If an agency wishes to grant their own ATO using the FedRAMP
  process, must the CSP use an accredited 3PAO?
    – No, but the JAB will only grant Provisional Authorizations if an accredited
      3PAO performs the assessment.
• If an agency is starting an acquisition, what must be included in the
  solicitation?
    – Sample contract clauses are located on FedRAMP.gov.
• If an agency leverages a FedRAMP authorization, must the agency
  still grant an ATO?
    – Yes, the agency must implement the consumer controls and grant an ATO
      for the entire information system.
• Does an agency need to report the FedRAMP system in their FISMA
  reporting?
    – The agency needs to include its Information System in the FISMA
      inventory.
                                                                                    69
Questions and Answers




                        70
For more information, please contact us or
visit us the following website:
www.FedRAMP.gov
Email: info@fedramp.gov

               @ FederalCloud

                                             71

More Related Content

What's hot

Top 5 Ways the Cloud is Impacting Your IT
Top 5 Ways the Cloud is Impacting Your ITTop 5 Ways the Cloud is Impacting Your IT
Top 5 Ways the Cloud is Impacting Your ITValencell, Inc.
 
Kevin jackson cloud service brokerage for datacenter service providers for we...
Kevin jackson cloud service brokerage for datacenter service providers for we...Kevin jackson cloud service brokerage for datacenter service providers for we...
Kevin jackson cloud service brokerage for datacenter service providers for we...GovCloud Network
 
Accelerating Time to Market with Next Generation Cloud Platforms by Michael M...
Accelerating Time to Market with Next Generation Cloud Platforms by Michael M...Accelerating Time to Market with Next Generation Cloud Platforms by Michael M...
Accelerating Time to Market with Next Generation Cloud Platforms by Michael M...Khazret Sapenov
 
Hp Fortify Mobile Application Security
Hp Fortify Mobile Application SecurityHp Fortify Mobile Application Security
Hp Fortify Mobile Application SecurityEd Wong
 
IBM Rational Software Conference 2009 Day 1 Keynote: Dr Daniel Sabbah
IBM Rational Software Conference 2009 Day 1 Keynote: Dr Daniel SabbahIBM Rational Software Conference 2009 Day 1 Keynote: Dr Daniel Sabbah
IBM Rational Software Conference 2009 Day 1 Keynote: Dr Daniel SabbahKathy (Kat) Mandelstein
 
OSD ATL class on Agile Acquisition
OSD ATL class on Agile AcquisitionOSD ATL class on Agile Acquisition
OSD ATL class on Agile AcquisitionJohn Weiler
 
It performance suite_overview_ebc_11062012
It performance suite_overview_ebc_11062012It performance suite_overview_ebc_11062012
It performance suite_overview_ebc_11062012Lilian Schaffer
 
Bary pangrle mentor track d
Bary pangrle   mentor track dBary pangrle   mentor track d
Bary pangrle mentor track dAlona Gradman
 
Cloud transformation enabling through tsg service lifecycle tool by helmuth z...
Cloud transformation enabling through tsg service lifecycle tool by helmuth z...Cloud transformation enabling through tsg service lifecycle tool by helmuth z...
Cloud transformation enabling through tsg service lifecycle tool by helmuth z...Khazret Sapenov
 
Rationalizing an Enterprise IT Architecture
Rationalizing an Enterprise IT ArchitectureRationalizing an Enterprise IT Architecture
Rationalizing an Enterprise IT ArchitectureBob Rhubart
 
Making Scrum Stick Inside Heavy Regulated Industries (2012)
Making Scrum Stick Inside Heavy Regulated Industries (2012) Making Scrum Stick Inside Heavy Regulated Industries (2012)
Making Scrum Stick Inside Heavy Regulated Industries (2012) Laszlo Szalvay
 
SAP BusinessObjects BI OnDemand
SAP BusinessObjects BI OnDemandSAP BusinessObjects BI OnDemand
SAP BusinessObjects BI OnDemandPierre Leroux
 

What's hot (16)

Top 5 Ways the Cloud is Impacting Your IT
Top 5 Ways the Cloud is Impacting Your ITTop 5 Ways the Cloud is Impacting Your IT
Top 5 Ways the Cloud is Impacting Your IT
 
Kevin jackson cloud service brokerage for datacenter service providers for we...
Kevin jackson cloud service brokerage for datacenter service providers for we...Kevin jackson cloud service brokerage for datacenter service providers for we...
Kevin jackson cloud service brokerage for datacenter service providers for we...
 
Dispelling the vapor around cloud computing
Dispelling the vapor around cloud computingDispelling the vapor around cloud computing
Dispelling the vapor around cloud computing
 
IBM Solutions for Egovernment
IBM Solutions for Egovernment IBM Solutions for Egovernment
IBM Solutions for Egovernment
 
Accelerating Time to Market with Next Generation Cloud Platforms by Michael M...
Accelerating Time to Market with Next Generation Cloud Platforms by Michael M...Accelerating Time to Market with Next Generation Cloud Platforms by Michael M...
Accelerating Time to Market with Next Generation Cloud Platforms by Michael M...
 
EMC a TBIZ2011
EMC a TBIZ2011EMC a TBIZ2011
EMC a TBIZ2011
 
Hp Fortify Mobile Application Security
Hp Fortify Mobile Application SecurityHp Fortify Mobile Application Security
Hp Fortify Mobile Application Security
 
IBM Rational Software Conference 2009 Day 1 Keynote: Dr Daniel Sabbah
IBM Rational Software Conference 2009 Day 1 Keynote: Dr Daniel SabbahIBM Rational Software Conference 2009 Day 1 Keynote: Dr Daniel Sabbah
IBM Rational Software Conference 2009 Day 1 Keynote: Dr Daniel Sabbah
 
OSD ATL class on Agile Acquisition
OSD ATL class on Agile AcquisitionOSD ATL class on Agile Acquisition
OSD ATL class on Agile Acquisition
 
It performance suite_overview_ebc_11062012
It performance suite_overview_ebc_11062012It performance suite_overview_ebc_11062012
It performance suite_overview_ebc_11062012
 
Bary pangrle mentor track d
Bary pangrle   mentor track dBary pangrle   mentor track d
Bary pangrle mentor track d
 
Cloud transformation enabling through tsg service lifecycle tool by helmuth z...
Cloud transformation enabling through tsg service lifecycle tool by helmuth z...Cloud transformation enabling through tsg service lifecycle tool by helmuth z...
Cloud transformation enabling through tsg service lifecycle tool by helmuth z...
 
Rationalizing an Enterprise IT Architecture
Rationalizing an Enterprise IT ArchitectureRationalizing an Enterprise IT Architecture
Rationalizing an Enterprise IT Architecture
 
Making Scrum Stick Inside Heavy Regulated Industries (2012)
Making Scrum Stick Inside Heavy Regulated Industries (2012) Making Scrum Stick Inside Heavy Regulated Industries (2012)
Making Scrum Stick Inside Heavy Regulated Industries (2012)
 
101 cd 1315-1345
101 cd 1315-1345101 cd 1315-1345
101 cd 1315-1345
 
SAP BusinessObjects BI OnDemand
SAP BusinessObjects BI OnDemandSAP BusinessObjects BI OnDemand
SAP BusinessObjects BI OnDemand
 

Viewers also liked

FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0Valdez Ladd MBA, CISSP, CISA,
 
FedRAMP CSP SSP Training
FedRAMP CSP SSP TrainingFedRAMP CSP SSP Training
FedRAMP CSP SSP Training1ECG
 
Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesTuan Phan
 
Fed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinarFed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinarTuan Phan
 
Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Tuan Phan
 
Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspTuan Phan
 
Microsoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private CloudMicrosoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private CloudDavid Ziembicki
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMPRay Potter
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTuan Phan
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Tuan Phan
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTuan Phan
 
Conops v1.1 07162012_508
Conops v1.1 07162012_508Conops v1.1 07162012_508
Conops v1.1 07162012_508Tuan Phan
 
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - PanelFocus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - PanelAkamai Technologies
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)Tuan Phan
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
Building an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRCBuilding an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRCTuan Phan
 
Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)GovCloud Network
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 

Viewers also liked (20)

FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
 
FedRAMP CSP SSP Training
FedRAMP CSP SSP TrainingFedRAMP CSP SSP Training
FedRAMP CSP SSP Training
 
Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slides
 
Fed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinarFed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinar
 
Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213
 
Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for csp
 
Microsoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private CloudMicrosoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private Cloud
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMP
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
A Closer Look on C&C Panels
A Closer Look on C&C PanelsA Closer Look on C&C Panels
A Closer Look on C&C Panels
 
Conops v1.1 07162012_508
Conops v1.1 07162012_508Conops v1.1 07162012_508
Conops v1.1 07162012_508
 
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - PanelFocus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
 
Azure gov march 15th
Azure gov march 15thAzure gov march 15th
Azure gov march 15th
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
 
Building an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRCBuilding an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRC
 
Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
 

Similar to March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final

Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)GovCloud Network
 
Cloud Privada: más que solo virtualización
Cloud Privada: más que solo virtualizaciónCloud Privada: más que solo virtualización
Cloud Privada: más que solo virtualizaciónAlejandro Marin
 
Oracle enterprise architects day
Oracle enterprise architects dayOracle enterprise architects day
Oracle enterprise architects dayAyodele Peter Boglo
 
Accelerating the Speed of Innovation - Jason Waxman, Intel
Accelerating the Speed of Innovation - Jason Waxman, IntelAccelerating the Speed of Innovation - Jason Waxman, Intel
Accelerating the Speed of Innovation - Jason Waxman, IntelOpen Data Center Alliance
 
Federal Cloud Computing: From Business Use Cases to Pilots to Implementations
Federal Cloud Computing:From Business Use Cases to Pilots to ImplementationsFederal Cloud Computing:From Business Use Cases to Pilots to Implementations
Federal Cloud Computing: From Business Use Cases to Pilots to ImplementationsGovCloud Network
 
Cloud Essentials Launch
Cloud Essentials LaunchCloud Essentials Launch
Cloud Essentials LaunchCompTIA
 
Opening Keynote and Welcome
Opening Keynote and WelcomeOpening Keynote and Welcome
Opening Keynote and WelcomeCarahsoft
 
Get ahead of the cloud or get left behind
Get ahead of the cloud or get left behindGet ahead of the cloud or get left behind
Get ahead of the cloud or get left behindMatt Mandich
 
Ibm puresystems deck for tcs abhed_11102012
Ibm puresystems  deck for tcs abhed_11102012Ibm puresystems  deck for tcs abhed_11102012
Ibm puresystems deck for tcs abhed_11102012abhedk
 
Smarter Test Automation for Web & Mobile Apps
Smarter Test Automation for Web & Mobile AppsSmarter Test Automation for Web & Mobile Apps
Smarter Test Automation for Web & Mobile AppsKeao Caindec
 
Welcome to SoftSummit 2011
Welcome to SoftSummit 2011Welcome to SoftSummit 2011
Welcome to SoftSummit 2011Flexera
 
Infosys – Cloud Business Value Architecture
Infosys – Cloud Business Value ArchitectureInfosys – Cloud Business Value Architecture
Infosys – Cloud Business Value ArchitectureInfosys
 
Riaan Van Nierkirk, CIO at Mc Gregor - Can business transformation be success...
Riaan Van Nierkirk, CIO at Mc Gregor - Can business transformation be success...Riaan Van Nierkirk, CIO at Mc Gregor - Can business transformation be success...
Riaan Van Nierkirk, CIO at Mc Gregor - Can business transformation be success...Global Business Events
 
How to Plan and Budget for 2013 with Cloud in Mind
How to Plan and Budget for 2013 with Cloud in MindHow to Plan and Budget for 2013 with Cloud in Mind
How to Plan and Budget for 2013 with Cloud in MindBluelock
 
Governing from the Cloud
Governing from the CloudGoverning from the Cloud
Governing from the CloudWorkday
 
Best practices to build a sustainable data lake on cloud - Impetus Webinar
Best practices to build a sustainable data lake on cloud - Impetus WebinarBest practices to build a sustainable data lake on cloud - Impetus Webinar
Best practices to build a sustainable data lake on cloud - Impetus WebinarImpetus Technologies
 
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAmazon Web Services
 

Similar to March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final (20)

Day 2 p3 - automation
Day 2   p3 - automationDay 2   p3 - automation
Day 2 p3 - automation
 
Sukhbir jasuja digital_trends_11
Sukhbir jasuja digital_trends_11Sukhbir jasuja digital_trends_11
Sukhbir jasuja digital_trends_11
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)
 
Cloud Privada: más que solo virtualización
Cloud Privada: más que solo virtualizaciónCloud Privada: más que solo virtualización
Cloud Privada: más que solo virtualización
 
Oracle enterprise architects day
Oracle enterprise architects dayOracle enterprise architects day
Oracle enterprise architects day
 
Accelerating the Speed of Innovation - Jason Waxman, Intel
Accelerating the Speed of Innovation - Jason Waxman, IntelAccelerating the Speed of Innovation - Jason Waxman, Intel
Accelerating the Speed of Innovation - Jason Waxman, Intel
 
Federal Cloud Computing: From Business Use Cases to Pilots to Implementations
Federal Cloud Computing:From Business Use Cases to Pilots to ImplementationsFederal Cloud Computing:From Business Use Cases to Pilots to Implementations
Federal Cloud Computing: From Business Use Cases to Pilots to Implementations
 
Cloud Essentials Launch
Cloud Essentials LaunchCloud Essentials Launch
Cloud Essentials Launch
 
Opening Keynote and Welcome
Opening Keynote and WelcomeOpening Keynote and Welcome
Opening Keynote and Welcome
 
Get ahead of the cloud or get left behind
Get ahead of the cloud or get left behindGet ahead of the cloud or get left behind
Get ahead of the cloud or get left behind
 
CIO Summit Macau
CIO Summit MacauCIO Summit Macau
CIO Summit Macau
 
Ibm puresystems deck for tcs abhed_11102012
Ibm puresystems  deck for tcs abhed_11102012Ibm puresystems  deck for tcs abhed_11102012
Ibm puresystems deck for tcs abhed_11102012
 
Smarter Test Automation for Web & Mobile Apps
Smarter Test Automation for Web & Mobile AppsSmarter Test Automation for Web & Mobile Apps
Smarter Test Automation for Web & Mobile Apps
 
Welcome to SoftSummit 2011
Welcome to SoftSummit 2011Welcome to SoftSummit 2011
Welcome to SoftSummit 2011
 
Infosys – Cloud Business Value Architecture
Infosys – Cloud Business Value ArchitectureInfosys – Cloud Business Value Architecture
Infosys – Cloud Business Value Architecture
 
Riaan Van Nierkirk, CIO at Mc Gregor - Can business transformation be success...
Riaan Van Nierkirk, CIO at Mc Gregor - Can business transformation be success...Riaan Van Nierkirk, CIO at Mc Gregor - Can business transformation be success...
Riaan Van Nierkirk, CIO at Mc Gregor - Can business transformation be success...
 
How to Plan and Budget for 2013 with Cloud in Mind
How to Plan and Budget for 2013 with Cloud in MindHow to Plan and Budget for 2013 with Cloud in Mind
How to Plan and Budget for 2013 with Cloud in Mind
 
Governing from the Cloud
Governing from the CloudGoverning from the Cloud
Governing from the Cloud
 
Best practices to build a sustainable data lake on cloud - Impetus Webinar
Best practices to build a sustainable data lake on cloud - Impetus WebinarBest practices to build a sustainable data lake on cloud - Impetus Webinar
Best practices to build a sustainable data lake on cloud - Impetus Webinar
 
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
 

Recently uploaded

Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 

Recently uploaded (20)

Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 

March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final

  • 1. Agency Workshop FedRAMP Compliance and Implementation March 18, 2013 1
  • 2. Welcome Dave McClure Federal Risk and Authorization Associate Administrator Management of Citizen Services and Innovative Technologies Office Program (FedRAMP) 2
  • 3. Session Purpose and Outcomes • Purpose – Detail agency FedRAMP compliance and implementation requirements • Outcomes – Understand FedRAMP its processes, benefits, and key players – Ability to explain agency FedRAMP requirements – Understand the different FedRAMP assessment paths – Clarity on how an agency complies with FedRAMP requirements for existing and planned cloud systems 3
  • 4. Agenda Topic Speaker Time Welcome Dave McClure 9:00 – 9:10 Cloud and FedRAMP Overview Katie Lewin 9:10 – 9:20 FedRAMP Responsibilities and Compliance Maria Roat 9:20 – 9:35 Cloud Inventory Maria Roat 9:35 – 9:40 Implementation: Planning Phase Matthew Goodrich 9:40 – 10:10 Questions and Answers 10:10 – 10:30 BREAK 10:30 – 10:40 Implementation: Assessment Phase Matthew Goodrich 10:40 – 11:10 Implementation: Customer Controls & Maria Roat 11:10 – 11:20 Authorization Ongoing Assessment & Authorization Maria Roat 11:20 – 11:30 Wrap-up and Questions and Answers 11:30 – 12:00 4
  • 5. Cloud and FedRAMP Overview Federal Risk and Authorization Katie Lewin Management Program Computing Initiative Federal Cloud Office of Citizen Services and Innovative Technologies (FedRAMP) 5
  • 6. Cloud: A Fundamental Shift in IT Efficiency • Improved Asset Utilization • Aggregated Demand Total Federal IT Potential • Improved Productivity Spending Spending on Cloud Computing Innovation Agility • From Owner to Service • “As a Service” Purchase • Private Sector Innovation • Near Instantaneous Capacity Adjustments • Entrepreneurial Culture • Responsiveness • Emerging Technologies Source: www.cio.gov 6
  • 7. Administration’s Drive to the Cloud “The Administration’s Federal Cloud Computing Strategy requires agencies to default to cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists – however, the move to the cloud requires a dramatic shift in the way Federal agencies buy IT – from capital expenditures to operating expenditures. With this shift comes a learning curve as the government analyzes how to best procure this new service-based model. . . .” -Steven VanRoekel U.S. Chief Information Officer, OMB February 24, 2012 7
  • 8. Federal Timeline for Cloud “Cloud First” 25 Point Plan to FedRAMP Policy Reform Federal IT Memo December 9, 2010 December 8, 2011 Federal Cloud Creating Effective Computing Cloud Computing Strategy Contracts February 8, 2011 February 24, 2012 8
  • 9. Federal Cloud Computing Program To foster the adoption of cloud across the Federal government and to address obstacles to cloud adoption New Information Portal & Collaboration Website Blanket Purchase Agreements • Infrastructure as a Service • Email as a Service cloud.cio.gov (coming soon) 9
  • 10. What is FedRAMP? FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments. 10
  • 11. Federal Cloud Computing Initiative and FedRAMP Timeline April 2009 Cloud Computing Program Management Office July – Sept. 2010 Established FedRAMP Concept Feb – Mar 2011 June 2012 Vetted with Government Tiger FedRAMP Launches Industry & Teams Review Initial Operational Government February 2010 Comments Capability FedRAMP Concept November 2010 Announced FedRAMP Apr – June 2011 December 2011 Concept, Executive Team January 2013 FedRAMP Policy JAB Grants 2nd Controls, & Solidifies Tiger signed Templates Team Provisional Released Recommendations Authorization January 2011 December 2012 February 2012 June 2010 Over 1,200 public JAB Grants 1st comments received FedRAMP FedRAMP Drafts CONOPS Provisional October 2009 Initial Baseline Published Authorization Security Working Group Established July – Sept. 2011 May 2012 March 2009 December 2010 Cloud Computing Program Federal Cloud 3PAO Concept 3PAOs Accredited Launched Computing Strategy Planned Executive Steering Published Committee Established Q1 09 Q2 09 Q3 09 Q4 09 Q1 10 Q2 10 Q3 10 Q4 10 Q1 11 Q2 11 Q3 11 Q4 11 Q1 12 Q2 12 Q3 12 Q4 12 Q1 13 11
  • 12. Key Benefits • Re-use of existing security assessments across agencies • Savings in cost, time and resources – do once, use many times • Risk based not compliance based • Transparency between government and cloud service providers • Transparency trust, reliability, consistency, and quality of the Federal security authorization process 12
  • 13. FedRAMP Responsibilities & Compliance Federal Risk and Authorization Maria Roat Management Program FedRAMP Director Office of Citizen Services and Innovative Technologies (FedRAMP) 13
  • 14. FedRAMP Policy Memo December 8, 2011 OMB Policy Memo • Establishes Federal policy for the protection of Federal information in cloud services • Describes the key components of FedRAMP and its operational capabilities • Defines Executive department and agency responsibilities in developing, implementing, operating and maintaining FedRAMP • Defines the requirements for Executive departments and agencies using FedRAMP in the acquisition of cloud services 14
  • 15. FedRAMP Key Players Federal Agencies JAB (DOD, DHS, GSA) PMO- GSA Technical Advisor – NIST Continuous Monitoring - DHS Cloud Service Provider Independent Assessor Provides Cloud IT Services with a Performs initial and periodic provisional authorization granted assessment of security and privacy by FedRAMP JAB controls deployed in Cloud information systems Responsibilities established by the December 8, 2011 OMB Policy Memo 15
  • 16. Responsibilities of Key Parties • Require CSPs to meet FedRAMP requirements via Federal Agencies contractual provisions • Submit security assessment documentation and query FedRAMP repository for existing documentation • Implement customer responsibility controls • Establish and implement continuous monitoring plans through incident response and mitigation capabilities • Submit application for FedRAMP authorization Cloud Service Provider • Hire independent third party assessor to perform initial system assessment and on-going monitoring of controls • Create, submit and maintain authorization packages • Provide Continuous Monitoring reports and updates to FedRAMP and leveraging agencies • Conduct Assessment of CSP Security Control Independent Assessor Implementation • Generate Security Assessment Reports and associated evidence • Maintain independence from CSP 16
  • 17. FedRAMP Relationship to the NIST Risk Management Framework Agency 1. Categorize the Information System CSP Agency -Low Impact 6. Monitor Security -Moderate Impact 2. Select the Controls Controls - Continuous -FedRAMP Low or Monitoring Moderate Baseline NIST Risk Management JAB / Agency Framework CSP 5. Authorize 3. Implement Information Security Controls System -Provisional Auth. CSP and 3PAO -Describe in SSP -Agency ATO 4. Assess the Security Controls -FedRAMP Accredited 3PAO 17
  • 18. Complying with FedRAMP Policy All assessments of cloud-based products and services must use the FedRAMP security requirements: baseline set of controls and all FedRAMP templates • All assessments do not require a provisional ATO granted by the JAB • Agencies can continue to grant their own ATOs without JAB sign-off • CSPs can submit FedRAMP compliant packages to agencies requesting an ATO • All assessment documentation must be submitted to FedRAMP PMO for inclusion in the secure repository Agencies must leverage existing FedRAMP ATOs found in the FedRAMP repository June 2014 All Cloud Projects Must Meet FedRAMP Requirements 18
  • 19. Exception Guidance • Private cloud deployments Bureaus, – Implemented within a Federal facility components or subordinate – Operated solely for the use of the organizations Executive Department or Agency within an agency are considered – Not providing cloud services from the external entities system to any external entities • Cloud systems at a FIPS 199 Impact Level of High Cloud systems exempt from FedRAMP requirements must continue to comply with FISMA requirements and appropriate NIST security standards and guidelines 19
  • 20. Cloud Inventory Federal Risk and Authorization Maria Roat Management Program FedRAMP Director Office of Citizen Services and Innovative Technologies (FedRAMP) 20
  • 21. Conducting the Inventory • April 2013 Portfolio Stat online data call will gather information on agency cloud deployments • Agencies will report information on their FIPs 199 low and moderate impact cloud deployments being implemented or planned – Agency POC – CSP Detail : Name, Service Name, Brief Description, Service Model, Deployment Model, Assessor, FIPS 199 level – Implementation detail 21
  • 22. FedRAMP Inventory Questions Fully Implemented • Do you have an Authority to Operate (ATO) for the system? • Have you performed a security controls gap analysis against the FedRAMP baseline controls? • Were FedRAMP requirements met? • How were FedRAMP requirements met? FedRAMP Requirements Not Met • What is the rationale for being unable to meet FedRAMP requirements? • Have you initiated discussions with the cloud system owner to review missing FedRAMP security controls? • How do you plan on meeting FedRAMP requirements in the future? • When will your agency’s use of this system be compliant with FedRAMP requirements? 22
  • 23. Plans for Cloud Inventory Effort • Identify synergies between agency cloud portfolios • Connect organizations using the same cloud service provider (CSP) to provide the same or similar cloud service • Promote special interest groups of agencies using the same cloud service to establish an organized approach for requesting the CSP implement FedRAMP baseline controls • Prioritize services to receive a Joint Authorization Board provisional authorization • Assess FedRAMP applications and documentation received as compared to agency cloud portfolios 23
  • 24. FedRAMP Implementation Planning Phase Federal Risk and Authorization Management ProgramMatthew Goodrich (FedRAMP) FedRAMP Program Manager Office of Citizen Services and Innovative Technologies 24
  • 25. Three Phases of Implementation Phase Description Planning What path will my agency use to establish or implement a cloud service that is FedRAMP compliant? Assessment What is my agency’s role in assessing the cloud service? Customer How does my agency add additional controls Controls & and authorize the system? Authorization 25
  • 26. Planning Phase Purpose and Key Steps • Purpose – Determine the agency’s path for meeting FedRAMP requirements • Key Steps 1. Incorporate FedRAMP requirements into contract clauses 2. Identify if FedRAMP security assessment package available to leverage 3. Gain access to the FedRAMP secure repository to review security assessment documentation 4. Determine FedRAMP implementation path 5. Alert FedRAMP PMO of implementation path 26
  • 27. FedRAMP Contract Language Planning Phase FedRAMP is the implementation of FISMA and applicable NIST security standards and guidelines, commonly found in existing procurements FedRAMP contract language available at www.fedramp.gov Standard Contract Language Control Specific Language  Designed for agencies to leverage for use  Agencies should not: within cloud procurements  govern how the provider’s administrative  Templates help agencies address: end user accounts are managed or  requirement to be FedRAMP compliant authenticated  FedRAMP privacy requirements  specify parameters for controls in the  FedRAMP security assessment process FedRAMP baseline, except from the requirements perspective of a consumer’s implementation  authorization of system requirement  Some controls that may need additional clauses  FedRAMP ongoing assessment and Data Audit Incident Personnel authorization requirement Jurisdiction Retention Reporting Screening Boundary Media Info at Identification Protection Transport Rest Authentication 27
  • 28. FedRAMP Website Planning Phase Leverage www.fedramp.gov Create • Website lists CSPs with security assessment documentation available in the FedRAMP secure repository CSP Name Service Name Service Description ATO Date Repository Level 3PAO FIPS 199 Level Service Model Deployment Model 28
  • 29. Access Secure Repository Planning Phase 1. Identify package for review based on website listing 2. Complete FedRAMP Package Access Request form – Supervisor must signoff on form – FedRAMP will provide notification of acceptance or rejection of request – Must demonstrate a need to view the package 3. Receive access to OMB MAX folder corresponding to security assessment package for cloud service – Access granted on a per person per package basis 29
  • 30. Leverage an Authorization Planning Phase FedRAMP maintains a repository of standardized security assessment packages Agencies can leverage to make their own risk-based decisions to grant an ATO for a cloud solution for their Agency. This repository is key to the “do once, use many times” approach. Speed to Enter Repository Review Increased Level of review Level Assessed by Authorization Completed CSP Supplied, Candidate for CSP Accredited 3PAO not yet reviewed Authorization Optional Agency Agency reviewed Agency ATO Accredited 3PAO FedRAMP ISSO & FedRAMP PA & Agency JAB Accredited 3PAO JAB reviewed ATO 30
  • 31. Package Type’s Impact on Agency Responsibilities Planning Phase Agency Responsibility Repository level CSP Agency JAB Accept risks and issue authority to    operate Review documentation for both   completeness and accuracy Submit annual assessment to the   FedRAMP PMO Provide continuous monitoring based   Review on FedRAMP requirements 31
  • 32. Initial Review of Leveraged Documentation Planning Phase • Control Tailoring Workbook (CTW) and Control Implementation Summary (CIS) are good documents to assess the extent to which the cloud solution’s security control implementation will meet your agency’s needs and ability to leverage corresponding security assessment packages – CTW – identifies controls that have been adapted by the cloud service provider – CIS – identifies who is responsible for each security control • Documents summarize what a customer’s responsibility is in securely using a CSPs services as well as what a CSP does to meet FedRAMP security controls 32
  • 33. Existing Agency ATO – Migration Path Planning Phase • Agency updates existing security assessment to meet FedRAMP requirements An agency must… • Provide own resources and bear all costs for the development of the package and ongoing use of the system • Perform gap analysis of missing controls against the FedRAMP baseline • Consider modifying existing contract to specifically stipulate FedRAMP Compliance • Obtain commitment and compliance schedule for CSP to meet FedRAMP control requirements • Migrate existing security package documents to required FedRAMP templates 33
  • 34. Alert FedRAMP PMO Planning Phase Check with FedRAMP PMO (repository) for existing CSP Security Yes Assessment Package No Leverage Existing Follow FedRAMP Security Security Assessment Assessment Process, Package Send package to FedRAMP Alert FedRAMP PMO of Planned Compliance Path 34
  • 36. BREAK 36
  • 37. FedRAMP Implementation Federal Risk and AuthorizationPhase Assessment Management ProgramMatthew Goodrich (FedRAMP) FedRAMP Program Manager Office of Citizen Services and Innovative Technologies 37
  • 38. Assessment Phase Purpose and Key Steps • Purpose: Develop or review security assessment documentation required to make a risk-based decision to authorize the cloud service for use at your agency • Key Steps 1) Document security controls 2) Perform security tests 3) Finalize security assessment package 38
  • 39. Document Security Controls Assessment Phase – Document Controls 1. Understand FedRAMP controls 2. Address and document how the CSP implements each FedRAMP security control – Control responsibility – What solution is being used for the control – How the solution meets the control requirement 39
  • 40. FedRAMP Baseline Security Controls Assessment Phase – Document Controls Controls are based upon the NIST SP 800-53 R3 catalog of controls for low and moderate impact systems Additional FedRAMP Total Controls Agreed to Impact level NIST Baseline Controls Controls by JAB for FedRAMP Low 115 1 116 Moderate 252 46 298 Additional FedRAMP controls selected to address unique elements of cloud computing FedRAMP Security Controls Baseline Available on FedRAMP.gov 40
  • 41. System Security Plan (SSP) Assessment Phase – Document Controls • Describes the purpose of the system • Detailed description of Control Implementation • Global view of how the system is structured • Defines roles of the systems users and identifies personnel responsible for system security • Delineates control responsibility between the customer or vendor • The SSP is the key document to moving the FedRAMP assessment process forward 41
  • 42. Reviewing Security Controls in the SSP Assessment Phase – Document Controls • Security control section details all the security controls and control enhancements required for FedRAMP – Responsible role – maintain and implement the control – Parameter of control – frequency – Implementation Status – Control origination – organization responsible for implementing and managing the control (vendor, customer, shared) – Solution and how implemented 42
  • 43. SSP Supporting Documentation (1/2) Assessment Phase – Document Controls • Information Security Policies –CSP’s Information Security Policy that governs the system described in the SSP • User Guide - describes how leveraging agencies use the system • Rules of Behavior - defines the rules that describe the system user's responsibilities and expected behavior with regard to information and information system usage and access • Configuration Management Plan - describes how changes to the system are managed and tracked (consistent with NIST SP 800-128) 43
  • 44. SSP Supporting Documentation (2/2) Assessment Phase – Document Controls • IT Contingency Plan - details how the recovery of the system occurs in the case of a disruption of service • Incident Response Plan – explains provider actions in response to a security incident • Privacy Threshold Analysis - questionnaire used to help determine if a Privacy Impact Assessment is required • Privacy Impact Assessment - assesses what Personally Identifiable Information (PII) is captured and if it is being properly safeguarded 44
  • 45. Perform Security Tests Assessment Phase – Perform Security Tests 1. Assess against the SSP with NIST SP 800-53a test cases 2. Independent Assessor audits assessment and results 3. Independent Assessor generates security assessment report 45
  • 46. Role of the Independent Assessor Assessment Phase – Perform Security Tests • Develops Security Assessment Plan (SAP) • Performs Initial and Periodic Assessments of CSP Security Controls • Conducts Security Testing – Use Test Case Workbooks – Manual Tests – Automated Tests • Develops Security Assessment Report (SAR) • Assessor must be independent – Cannot test and help CSP prepare documents – Cannot test and assist CSP in implementing controls 46
  • 47. Independent Assessor Conformity Assessment Phase – Perform Security Tests Third Party Assessment Accredited Independent Organization (3PAO) Assessor Creates consistency in security assessments in accordance Benefits of leveraging with FISMA and NIST standards an accredited • Ensures assessor independence from CSP in independent assessor accordance with international (Third Party standards Assessment • Establishes an approved list of Organization – 3PAO) assessors - 3PAOs for CSPs and agencies to choose from to satisfy FedRAMP requirements. 47
  • 48. Third Party Assessment Organizations Assessment Phase – Perform Security Tests Accredited 3PAOs BrightLine Homeland Security Consultants COACT, Inc. J.D. Biggs and Associates, Inc. Coalfire Systems Knowledge Consulting Group, Inc. Department of Logyx LLC Transportation (DOT) Enterprise Service Center (ESC) Dynamics Research Lunarline, Inc. Corporation (DRC) Earthling Security, Inc. Secure Info Electrosoft Services, Inc. SRA International, Inc. Veris Group, LLC 48
  • 49. Security Assessment Plan (SAP) Assessment Phase – Perform Security Tests • Independent Assessor develops the SAP • Defines scope of assessment - Hardware - Software - Databases - Applications - Facilities • Testing Schedule • Rules of Engagement (ROE) - Components included and excluded in assessment - Rules for transmission of results - ROE signed by CSP and Independent Assessor 49
  • 50. Security Assessment Report (SAR) Assessment Phase – Perform Security Tests • Independent Assessor develops the SAR • Documents findings • Analysis of test results • Highlights ways for CSPs to mitigate security weaknesses • Primary document for making risk-based decisions 50
  • 51. Finalize Security Assessment Assessment Phase – Finalize Assessment 1. CSP develops plan of actions and milestones (POA&M) 2. CSP declares conformity with FedRAMP requirements and submits security assessment package 51
  • 52. Plan of Action and Milestones Assessment Phase – Finalize Assessment • Detailed plan with a schedule of how the CSP plans to address and fix and vulnerabilities found during testing • All SAR findings must map to a POA&M item • False positives marked in the SAR but not identified in the POA&M – as there is no remediation needed to correct false positives. • CSPs applying for Provisional ATO: – Remediate high severity findings before Provisional ATO is granted – Remediate moderate findings within 90 days 52
  • 53. Declaration of Conformity Assessment Phase – Finalize Assessment • CSP attests and verifies that the system conforms to FedRAMP requirements. • Certifies that all controls are working properly • Both JAB and leveraging agencies use the Self-Attestation Declaration of Conformity when considering issuing an ATO 53
  • 54. Complete Assessment Package Assessment Phase – Finalize Assessment • A complete security authorization package includes deliverables in section 10 of the FedRAMP CONOPS • Mandatory Templates: • System Security Plan • Security Assessment Plan • Security Assessment Report • Other Templates located on fedramp.gov: • Control Tailoring Workbook • Control Implementation Summary • IT Contingency Plan • Plan Of Action & Milestones • Supplier’s Declaration of Conformity 54
  • 55. FedRAMP Implementation Federal Risk andControls and Authorization Phase Customer Authorization Management Program Maria Roat (FedRAMP) FedRAMP Director Office of Citizen Services and Innovative Technologies 55
  • 56. Customer Controls & Authorization Phase Purpose and Key Steps • Purpose: Review security assessment documentation and grant authority to operate • Key Steps 1. Review FedRAMP security authorization package 2. Implement customer controls 3. Grant authorization 4. Alert FedRAMP PMO of authorization granted and provide feedback regarding additional controls used 56
  • 57. Customer Review of Authorization Package Customer Controls & Authorization Phase • Security Authorization Package – Complete, consistent, and compliant with FedRAMP policy – Hardware or software inventory included – Content addresses the who, what, when, and how – Delivery of supporting documentation and information adequately referenced – Non-applicable controls not presented as implemented • Risk review of Security Assessment Report and current Plan of Actions and Milestones 57
  • 58. Agency Controls Customer Controls & Authorization Phase • Include controls added on to FedRAMP baseline • Include controls for applications & middleware • Include controls with agency shared responsibility Shared Responsibility Both the CSP and the agency use two-factor authentication for authenticating to privileged and non-privileged accounts. Both CSP and agency must ensure users take security awareness training. 58
  • 59. Authorize System Customer Controls & Authorization Phase • Agencies make own risk-based determination for granting Authority to Operate Complete Agency Agency Authorization Responsibilities Authority to Package Implemented Operate • Submit final security assessment package to FedRAMP PMO if not already in the secure repository • Notify FedRAMP PMO if Agency ATO withdrawn 59
  • 60. FedRAMP Ongoing Assessment & Authorization Federal Risk and Authorization Maria Roat Management Program FedRAMP Director Office of Citizen Services and Innovative Technologies (FedRAMP) 60
  • 61. Ongoing Assessment and Authorization • Purpose: Determine whether deployed security controls remain effective in light of planned and unplanned changes that occur in the system and its environment over time. • Key Steps 1. Review of control implementation 2. Review changes to the system 3. Monitor incidents and new vulnerabilities 61
  • 62. Overview Ongoing Assessment & Authorization Cloud Service Provider (CSP) Govt. Agency Review control Annual 1 Operational reporting provided by Ongoing Assessment and Authorization Self-Attestation CSP Visibility (Continuous Monitoring) Obtains Change Ensure POA&M / 2 Change Reports / POA&M System Changes meet Control Updates ATO requirements Incident Responds to Incidents 3 Notifications & Coordinate with US- Response CERT 62
  • 63. Operational Visibility Ongoing Assessment & Authorization CSPs CSP Submission Number of • CSP submits artifacts to the FedRAMP ISSO as defined by Schedule Deliverables the FedRAMP Continuous Monitoring Strategy and Guide Monthly 1 • Artifacts include POA&Ms, Scans, and the Annual Self Quarterly 2 Attestation Semi-Annually 1 Annually 10 FedRAMP Every 3 Years 1 • The ISSOs monitor POA&Ms and reporting artifacts (vulnerability scan reports) • Artifacts are stored in the Secure Repository • ISSOs provide the JAB and leveraging agencies with updated information on the system so that risk-based decisions can be made about ongoing authorization Agency • Review artifacts in the Secure Repository to ensure that the risk posture of the CSP falls within agency tolerance • Monitor security controls that are agency responsibilities 63
  • 64. Change Control Ongoing Assessment & Authorization CSPs • CSPs must notify FedRAMP of any planned significant changes to the system before implementing the change • CSPs must submit an updated SAR 30-days after implementation FedRAMP • Changes are reviewed by FedRAMP ISSOs and approved by the JAB • FedRAMP will notify leveraging agencies: • If a significant change is planned and when it occurs • If it affects security posture or adds unacceptable levels of risk Agency • Upon notification of a significant change agencies should inform FedRAMP if they believe the planned changes will adversely affect the security of their information • Agencies should review the change following the implementation of an approved change 64
  • 65. Incident Response Ongoing Assessment & Authorization • Multiple incident response notification scenarios based on first responder to incident (Refer to the FedRAMP Incident Communication Plan) Agency Responsibilities for Incident Response: • Provide a primary and secondary POC to CSPs and US-CERT • Notify US-CERT when a CSP reports an incident • Work with CSPs to resolve incidents by providing coordination with US-CERT • Notify CSPs, if the agency becomes aware of an incident that a CSP has not yet reported • Notify FedRAMP ISSO of CSP incident activity • Monitor security controls that are agency responsibilities. 65
  • 66. Agency Responsibilities – JAB vs. Other Paths Ongoing Assessment & Authorization Review Responsibility for Description Authorization Level Continuous Monitoring CSP Supplied, not yet Candidate for CSP None reviewed Authorization Reviewed by agency Agency (*Accredited 3PAO Agency ATO Agency Optional) Reviewed by FedRAMP FedRAMP PA & Agency JAB FedRAMP ISSO & JAB ATO 66
  • 67. Wrap-Up 67
  • 68. Cloud System Compliant with FedRAMP • The system security package has been created using the required FedRAMP templates • The systems meets the FedRAMP security control requirements • The system has been assessed by an independent assessor • A Provisional Authorization, and/or an Agency ATO, has been granted for the system • An authorization letter for the system is on file with the FedRAMP PMO 68
  • 69. Common Agency Questions • Do I need to have the JAB grant a Provisional Authorization to be FedRAMP Compliant? – No, an agency can grant an ATO using the FedRAMP Controls and templates. • If an agency wishes to grant their own ATO using the FedRAMP process, must the CSP use an accredited 3PAO? – No, but the JAB will only grant Provisional Authorizations if an accredited 3PAO performs the assessment. • If an agency is starting an acquisition, what must be included in the solicitation? – Sample contract clauses are located on FedRAMP.gov. • If an agency leverages a FedRAMP authorization, must the agency still grant an ATO? – Yes, the agency must implement the consumer controls and grant an ATO for the entire information system. • Does an agency need to report the FedRAMP system in their FISMA reporting? – The agency needs to include its Information System in the FISMA inventory. 69
  • 71. For more information, please contact us or visit us the following website: www.FedRAMP.gov Email: info@fedramp.gov @ FederalCloud 71