FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
Federal Agencies & Cloud Service Providers meeting FISMA requirements via FedRAMP

This presentation covers the Federal Risk and Authorization Management Program (FedRAMP) together with FISMA, SCAP and the Federal Data Center Consolidation Initiative, to clarify how US government agencies that purchase cloud services must meet Federal Information Security Management Act (FISMA) requirements.

January 2013: The FedRAMP Joint Authorization Board granted its first provisional authorization to Autonomic Resources, which used Veris Group as its FedRAMP-accredited 3PAO.


Slide 1: U.S. Government Cloud Services: Federal Risk and Authorization Management Program (FedRAMP)
ISACA Research Triangle Chapter, February 2012 (final update May 2013)
Valdez Ladd, MBA, MS ISM, CISA, CISSP

Slide 2: FedRAMP (image slide; no text)

Slide 3: Overview
• Federal CIO 25 point plan to reform Federal IT
• FDCCI
• Security: conflicting agency processes for vendors and cloud service providers
• FedRAMP overview (http://www.fedramp.gov): process and benefits; phased implementation
• Third Party Assessment Organizations (3PAO): overview, requirements, application
• FedRAMP security controls: NIST Special Publication 800-53, Rev. 3; selection of controls
• FISMA approval/review process: 3PAO; continuous monitoring; ISAP, SCAP, CyberScope
• Tools: Cloud Security Alliance GRC Stack; FedRAMP Baseline Security Controls

Slide 4: FedRAMP Timeline
• Dec. 8, 2011: Federal CIO Steven VanRoekel launches the FedRAMP program
• Dec. 16, 2011: Industry Day on the 3PAO application process
• Dec. 23, 2011: Deadline for questions on the first round of 3PAO applications
• Jan. 6, 2012: FedRAMP publishes responses to the December 23 questions
• Jan. 9, 2012: First day of acceptance of FedRAMP applications for the first round
• Jan. 20, 2012: Last day of acceptance of FedRAMP applications for the first round
• March 2012 (estimated): First group of 3PAOs announced on www.fedramp.gov
• May 21, 2013: Amazon.com's AWS GovCloud (US) achieves a FedRAMP-compliant agency ATO (Authority to Operate); the third company awarded an ATO

Slide 5: (image slide; no text)

Slide 6: 25 Point Implementation Plan to Reform Federal IT Management
• Vivek Kundra, U.S. Chief Information Officer, December 9, 2010
• Achieving operational efficiency: apply light technology and shared solutions; plans to consolidate at least 800 data centers by 2015 (Cloud First strategy)
• Effectively managing large-scale IT programs: streamline governance and improve accountability; strengthen program management; align the acquisition process and budget process with the technology life cycle; increase engagement with industry
• http://www.cio.gov/documents/25-point-implementation-plan-to-reform-federal%20it.pdf

Slide 7: Federal IT Shared Services Strategy
• Implement a Shared First plan: each agency will develop a shared services plan that includes, at minimum, two commodity IT areas for migration to a shared environment by December 31, 2012, with an initial focus on consolidation at the intra-agency level.
• Assess and benchmark existing Lines of Business: each existing LoB will assess current services and develop benchmark metrics to measure the quality and uptake of the services provided.
• Develop roadmaps for modernization and improvement of existing services: each Managing Partner will develop a roadmap for improvement of existing services. Agencies and OMB will work together to monitor progress toward these goals throughout the year.

Slide 8: Federal IT Shared Services Strategy (image slide; no text)
Slide 9: Federal Data Center Consolidation Initiative (FDCCI)
Goals:
• Reduce costs and energy use
• Limit long-term capital investment (CAPEX)
• Improve efficiency and service levels via automation
• Guarantee performance: redundancy, load balancing, COOP (continuity of operations)
• Enhance business agility and effectively manage change
• Maintain security: CIA (confidentiality, integrity, availability)
• Implement ITSM best practices: ITIL, CMMI-SVC
• Implement SDLC best practices: CMMI-DEV, CMMI-ACQ

Slide 10: The Federal Data Center Consolidation Initiative (FDCCI), February 26, 2010
Issues:
• High data center redundancy
• High costs, inefficiency, unsustainable and enormous energy consumption
• December 21, 2011: the federal government is on pace to close at least 1,200 of its 3,100 data centers by the end of 2015, per Federal CIO Steven VanRoekel

Slide 11: FDCC Initiative (image slide)
• Ref: http://www.ca.com/~/media/Files/whitepapers/fdcci-wp.pdf

Slide 12: FDCC Initiative: IT security management to improve FISMA compliance
Uses a functional architecture that helps augment data center security and improve compliance:
• Identity Lifecycle Management: provides an integrated identity administration solution that serves as the foundation for automated user provisioning, self-service requests, and identity governance (the centralized control of users, roles, and policies).
• Information Protection and Access Control: enforces policies relating to access to systems, web applications, and information. It also provides management of privileged users to limit improper administrator actions.
• Together: content-aware identity and access management
• Ref: http://www.ca.com/~/media/Files/whitepapers/fdcci-wp.pdf

Slide 13: FDCC Initiative (image slide; no text)

Slide 14: FDCC Initiative. Reality: confusion!
Too many:
• Agencies (State Dept., FDA, SEC, FTC, Agriculture, etc.)
• Different processes and interpretations
• Separate FISMA implementations
• (image courtesy nlm.nih.gov)
• FedRAMP to the rescue!

Slide 15: FedRAMP Purpose ("Do Once, Use Many Times")
• Establishes Federal policy for the protection of Federal information in cloud services
• Describes the key components of the program and its operational capabilities
• Defines Executive department and agency responsibilities in developing, implementing, operating, and maintaining the program
• Defines the requirements for Executive departments and agencies using the program in the acquisition of cloud services
• www.fedramp.net
Slide 16: FedRAMP
• The FedRAMP security controls are based on the NIST SP 800-53 Rev. 3 / 800-53A control baselines for low and moderate impact US systems, with additional controls that address cloud computing.
• The program will deliver a cost-effective, risk-based approach for the adoption and use of cloud services.
• Operating under a "do once, use many times" framework, federal officials believe that FedRAMP will save the cost, time and staff required to conduct security assessments for federal departments making the jump to the cloud.
• The program is also designed to foster better relationships between agencies and cloud service providers (Shared Services Strategy).
• Standardized security requirements for the authorization and ongoing cyber security operation of cloud services for selected information system impact levels.

Slide 17: FedRAMP
• A conformity assessment program capable of producing consistent, independent, third-party assessments of security controls implemented by cloud service providers;
• Authorization packages of cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from the Department of Homeland Security (DHS), Department of Defense (DoD) and General Services Administration (GSA);
• Standardized contract language to help executive departments and agencies integrate FedRAMP requirements and best practices into acquisition; and
• A repository of authorization packages for cloud services that can be leveraged government-wide.

Slide 18: FedRAMP: how will cloud services be prioritized for FedRAMP review?
Joint Authorization Board (JAB) priority:
• "FedRAMP will prioritize the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide. In order to accomplish this, FedRAMP will prioritize secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services."
• (1) Cloud systems with an existing Federal agency authority to operate (ATO) get first priority
• (2) Cloud systems without an existing Federal agency ATO get second priority

Slide 19: FedRAMP (image slide; no text)

Slide 20: Federal Information Security Management Act (FISMA) 2002
• Enacted by Congress in 2002; implemented through OMB policy and oversight and National Institute of Standards and Technology (NIST) implementation guidance.
• NIST Special Publication 800-53 Revision 3 (2009): Security Controls for Federal Information Systems and Organizations.
• NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
• Compliance framework defined by FISMA and supporting standards:
1. Inventory of information systems
2. Categorize information and information systems according to risk level
3. Security controls
4. Risk assessment
5. System security plan
6. Certification and accreditation
7. Continuous monitoring (new)

Slide 21: FISMA
• FedRAMP: authorization deliverables for cloud service providers (CSPs)
• (297 controls; 604-page document)
• A. Develop Plan of Action and Milestones (POA&M)
• B. Assemble the security authorization package
• C. Determine risk
• D. Determine the acceptability of risk
• E. Obtain the security authorization decision (yes/no)
Slide 22: FedRAMP: Third Party Assessment Organizations (3PAOs) required
• As part of the FedRAMP process, cloud service providers (CSPs) must use a FedRAMP-approved third party assessor to independently validate and verify that they meet the FedRAMP requirements.
• Per NIST, FedRAMP implemented a conformity assessment process to qualify 3PAOs. This process qualifies 3PAOs according to two requirements: independence and quality management in accordance with ISO standards, and technical competence demonstrated through FISMA knowledge testing.

Slide 23: FedRAMP: Third Party Assessment Organizations (3PAOs)
Controls:
• Perform initial and periodic assessments of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an ongoing role in ensuring cloud service providers (CSPs) meet the requirements.
• FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.
• Independent assessors of whether a cloud service provider has met the 297 agreed-upon FedRAMP security controls (604 pages) so that it can get an authority to operate (ATO).
• Companies cannot be a 3PAO and a cloud service provider (CSP) at the same time for the same contracts (MOU, etc.).

Slide 24: FedRAMP: cloud service provider or 3PAO? (image slide)

Slide 25: FedRAMP Summary
• FedRAMP: authorization deliverables for cloud service providers (CSPs)
• (297 controls; 604-page document; requires a 3PAO)
• A. Develop Plan of Action and Milestones (POA&M)
• B. Assemble the security authorization package
• C. Determine risk
• D. Determine the acceptability of risk
• E. Obtain the security authorization decision
• Goals: reduce cost and time, and increase shared services and cyber security throughout Federal agencies
Slide 26: FISMA Continuous Monitoring
FISMA requires agencies to report quarterly and annually based on performance measures (and security metrics) defined by the Office of Management and Budget (OMB).
FISMA guidance from OMB involves a four-tiered approach:
1. Data feeds directly from security management tools
2. Government-wide benchmarking on security posture
3. Agency-specific interviews
4. Office of Inspector General (OIG) reviews
• Data feeds pulled from security management tools: CyberScope and CyberStat

Slide 27: FISMA, pre-continuous monitoring
• Agencies were spending an estimated 10 percent of their information technology budgets to comply with FISMA.
• $8 billion annual investment.
• U.S. State Department Chief Information Security Officer John Streufert achieved significant results in moving from the paperwork of compliance to real-time operational security:

Slide 28: FISMA, pre-continuous monitoring
• High-risk security vulnerabilities were reduced by 90% from July 2008 to July 2009.
• The cost of certifying and accrediting IT systems, as required under FISMA, was cut by 62% by continuously updating security data.
• * 2010: WikiLeaks and US Army Private Bradley Manning (insider threat)

Slide 29: FISMA: first continuous monitoring program, US State Department
• Policies put responsibility for security status in the hands of local officials who have direct control of systems, applying scanning tools that use the Consensus Audit Guidelines of critical security controls.
• Scans are performed every two to 15 days rather than every three years.
• Each site is scored, and local administrators are made responsible for its security status.
• Each of the department's 260 embassies and 40 domestic offices is regularly scored on its security posture and assigned a grade every 36 hours on a scale of A+ to F-.
• William Jackson, Mar 03, 2010, http://gcn.com/Articles/2010/03/03/RSA-Futue-of-FISMA.aspx?Page=1

Slide 30: FISMA Continuous Monitoring
• NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations:
• Manages risk consistently throughout the organization.
• Ensures the continued effectiveness of all security controls.
• Verifies compliance with legislation, directives, regulations, policies and standards/guidelines.
• Is informed by all organizational IT assets and helps to maintain visibility into the security of those assets.
• Ensures knowledge and control of changes to organizational systems and environments of operation.
• Maintains awareness of threats and vulnerabilities.
• William Jackson, Mar 03, 2010, http://gcn.com/Articles/2010/03/03/RSA-Futue-of-FISMA.aspx?Page=1
Slide 32: FISMA Continuous Monitoring: the CyberScope system
• A web-based application used to collect data from each federal agency through live data feeds and data entry by agency personnel.
• The expectation is that most departments will be able to leverage their internal security information management systems to supply the data required.
• ** Unfunded mandate **

Slide 33: FISMA: the CyberScope system, data feeds
• NIST initiated the Information Security Automation Program (ISAP), a U.S. government multi-agency initiative to enable automation and standardization of technical security operations; the CyberScope data feeds rely on this capability.
• Standards-based automation of security checking and remediation, as well as automation of technical compliance activities (e.g. FISMA).
• The NIST Security Content Automation Protocol (SCAP) supports and complements the approach for achieving consistent, cost-effective security control assessments.
• http://nvd.nist.gov/scap/docs/ISAP.doc

Slide 34: FISMA: Security Content Automation Protocol (SCAP)
A methodology for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance).
The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
http://nvd.nist.gov/scap/docs/ISAP.doc

Slide 35: FISMA: Security Content Automation Protocol (SCAP)
• SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.2.
• SCAP standardizes the format and nomenclature in which software flaw and security configuration information is communicated, to machines and to humans.
• SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications.
• http://nvd.nist.gov/scap/docs/ISAP.doc
Slide 36: FISMA: SCAP components
• Common Vulnerabilities and Exposures (CVE)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Common Vulnerability Scoring System (CVSS)
• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)
• Open Checklist Interactive Language (OCIL) Version 2.0
• Asset Identification
• Asset Reporting Format (ARF)
• Common Configuration Scoring System (CCSS)
• Trust Model for Security Automation Data (TMSAD)
• MITRE "Making Security Measurable" web site: http://makingsecuritymeasurable.mitre.org/index.html
• http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
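Of the components listed above, CVSS is the one a continuous-monitoring feed actually computes with. As an added example (not part of the presentation or of any NIST or NVD tool), the following Python implements the CVSS v2 base-score equation and metric weights published by FIRST in the CVSS v2.0 guide, the version NVD scored with at the time of these slides. The vector strings used in the usage section are constructed inputs; the NVD severity bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0) are the ones NVD applied to v2 scores.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights from the FIRST CVSS v2.0 guide.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector: local, adjacent, network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity: high, medium, low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication: multiple, single, none
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality/Integrity/Availability impact

VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)


def parse_vector(vector):
    """Split a v2 base vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into its
    metrics. Anything that is not exactly the six base metrics, in order,
    is rejected rather than silently scored with defaults."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    av, ac, au, c, i, a = m.groups()
    return {"AV": av, "AC": ac, "Au": au, "C": c, "I": i, "A": a}


def impact(metrics):
    """Impact = 10.41 * (1 - (1-C)(1-I)(1-A))."""
    c, i, a = (CIA[metrics[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability(metrics):
    """Exploitability = 20 * AV * AC * Au."""
    return 20 * AV[metrics["AV"]] * AC[metrics["AC"]] * AU[metrics["Au"]]


def round_half_up(x):
    # The v2 guide rounds to one decimal place; Python's round() is
    # round-half-even, so go through Decimal to get the documented behaviour.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)),
    where f(Impact) is 0 if Impact is 0 and 1.176 otherwise."""
    m = parse_vector(vector)
    imp = impact(m)
    if imp == 0:
        return 0.0
    return round_half_up(((0.6 * imp) + (0.4 * exploitability(m)) - 1.5) * 1.176)


def severity(score):
    """NVD's qualitative bands for v2 base scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed vectors: a remote unauthenticated full compromise, a typical
    # client-side bug needing user interaction, and a local read-only leak.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "AV:N/AC:M/Au:N/C:P/I:P/A:P",
              "AV:L/AC:L/Au:N/C:P/I:N/A:N"):
        s = base_score(v)
        print(f"{v}  base={s:4.1f}  {severity(s)}")
```

The point of separating `impact` and `exploitability` is that a vulnerability feed can carry both sub-scores as well as the base score; CyberScope-style reporting that ranks hosts by "worst open finding" needs the rounded base score, while prioritising remediation within a site is usually done on the exploitability component.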
Slide 37: FISMA: SCAP checklists
Standardize and enable automation of the linkage between computer security configurations and the NIST SP 800-53 / 800-53A controls framework.
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
http://checklists.nist.gov/
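That linkage is concrete in the content itself: an XCCDF rule carries a CCE `<ident>` and `<reference>` elements naming the 800-53 control(s) it supports, and a scanner's `<TestResult>` records a pass/fail per rule. The following Python, added here as an illustration rather than taken from the presentation or from any SCAP tool, rolls a TestResult up into a per-control status and the list of findings a POA&M would be opened from. The benchmark is a constructed sample (the CCE identifiers are placeholders, the rule ids and hostname are invented), and the roll-up policy (any failing rule fails the control; a control with an unchecked or errored rule is reported as lacking evidence rather than as passing) is this example's own choice, not an XCCDF rule.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample, not real SCAP content: an XCCDF 1.2 benchmark with three
# rules, each tagged with a placeholder CCE <ident> and <reference> elements
# naming the NIST SP 800-53 control(s) it supports, plus one TestResult.
SAMPLE_XCCDF = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <status>draft</status>
  <title>Demo baseline (constructed)</title>
  <version>1</version>
  <Rule id="xccdf_example_rule_pw_minlen" severity="medium">
    <title>Minimum password length is 14 characters</title>
    <ident system="http://cce.mitre.org">CCE-00001-0</ident>
    <reference href="http://csrc.nist.gov/publications/PubsSPs.html">IA-5</reference>
  </Rule>
  <Rule id="xccdf_example_rule_audit_logons" severity="high">
    <title>Audit successful and failed logons</title>
    <ident system="http://cce.mitre.org">CCE-00002-0</ident>
    <reference href="http://csrc.nist.gov/publications/PubsSPs.html">AU-2</reference>
    <reference href="http://csrc.nist.gov/publications/PubsSPs.html">AC-7</reference>
  </Rule>
  <Rule id="xccdf_example_rule_telnet_off" severity="high">
    <title>telnet service is disabled</title>
    <ident system="http://cce.mitre.org">CCE-00003-0</ident>
    <reference href="http://csrc.nist.gov/publications/PubsSPs.html">CM-7</reference>
  </Rule>
  <TestResult id="xccdf_example_testresult_demo"
              start-time="2013-05-01T10:00:00" end-time="2013-05-01T10:05:00">
    <target>host1.agency.example</target>
    <rule-result idref="xccdf_example_rule_pw_minlen"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_logons"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_telnet_off"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_control_map(benchmark):
    """Index every Rule (including ones nested in Groups) by id, keeping its
    severity and the 800-53 control ids named in its <reference> elements."""
    rules = {}
    for rule in benchmark.iter(f"{{{XCCDF_NS}}}Rule"):
        rules[rule.get("id")] = {
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "severity": rule.get("severity", "unknown"),
            "controls": [r.text.strip() for r in rule.findall("x:reference", NS) if r.text],
        }
    return rules


def control_status(results):
    """Roll per-rule results up to one control. Any fail fails the control;
    'pass' needs every applicable rule to pass; notchecked, error or unknown
    leave the control without evidence, which must not be reported as pass."""
    applicable = [r for r in results if r != "notapplicable"]
    if not applicable:
        return "notapplicable"
    if "fail" in applicable:
        return "fail"
    if all(r == "pass" for r in applicable):
        return "pass"
    return "incomplete"


def summarize(xccdf_text):
    """Return (per-control status, findings) for every TestResult in the
    document. Findings are every non-pass rule result with its controls."""
    root = ET.fromstring(xccdf_text)
    rules = rule_control_map(root)
    per_control = defaultdict(list)
    findings = []
    for tr in root.findall("x:TestResult", NS):
        target = tr.findtext("x:target", default="?", namespaces=NS)
        for rr in tr.findall("x:rule-result", NS):
            rid = rr.get("idref")
            result = rr.findtext("x:result", default="unknown", namespaces=NS)
            # A result for a rule the benchmark does not define is still a finding.
            rule = rules.get(rid, {"title": "", "severity": "unknown", "controls": []})
            for ctl in rule["controls"]:
                per_control[ctl].append(result)
            if result != "pass":
                findings.append({"target": target, "rule": rid, "result": result,
                                 "severity": rule["severity"], "controls": rule["controls"]})
    return {ctl: control_status(res) for ctl, res in per_control.items()}, findings


if __name__ == "__main__":
    status, findings = summarize(SAMPLE_XCCDF)
    for ctl in sorted(status):
        print(f"{ctl}: {status[ctl]}")
    for f in findings:
        print(f"{f['target']} {f['rule']} {f['result']} ({f['severity']}) -> {', '.join(f['controls'])}")
```

The notchecked case is the one worth watching in a continuous-monitoring feed: a scanner that could not evaluate a rule (missing OVAL definition, unsupported platform) produces no failure, and a roll-up that only counts fails would report CM-7 as clean when nothing was actually checked.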
Slide 38: FISMA: SCAP Validation Program
NIST focuses on working with government and industry to establish more secure systems and networks:
• security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation;
• security metrics, security evaluation criteria and evaluation methodologies, tests and test methods;
• security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research methodologies;
• security protocol validation activities, with voluntary industry standards bodies and other assessment regimes.
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

Slide 39: FISMA: SCAP independent third-party testing
• Assures the customer/user that the product meets the NIST specifications.
• The SCAP standards can be complex, and several configurations must be tested for each component and capability to ensure that the product meets the requirements.
• A third-party lab (accredited by the National Voluntary Laboratory Accreditation Program, NVLAP) provides assurance that the product has been thoroughly tested and found to meet all of the requirements.
• A vendor seeking validation of a product should contact an NVLAP-accredited SCAP validation laboratory for assistance in the validation process.
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

Slide 40: FedRAMP (future)
Valdez Ladd, CISSP, CISA, MBA, MS ISM

Slide 41: Generic Cloud Security Architecture (image slide; no text)

Slide 42: FedRAMP / FISMA: Questions?
Valdez Ladd, CISSP, CISA, MBA, MS ISM. Contact me: LinkedIn

Slide 43: Cloud Security Alliance GRC Stack (image slide; no text)

Slide 44: (image slide; no text)

Slide 45: Cloud Trust Protocol
• http://assets1.csc.com/cloud/downloads/wp_cloudtrustprotocolprecis_073010.pdf

Slide 46: Cloud Security Alliance Guidance v3.0: Security Guidance for Critical Areas of Focus in Cloud Computing
Section I. Cloud Architecture
• Domain 1: Cloud Computing Architectural Framework
Section II. Governing in the Cloud
• Domain 2: Governance and Enterprise Risk Management
• Domain 3: Legal Issues: Contracts and Electronic Discovery
• Domain 4: Compliance and Audit Management
• Domain 5: Information Management and Data Security
• Domain 6: Interoperability and Portability
Section III. Operating in the Cloud
• Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
• Domain 8: Data Center Operations
• Domain 9: Incident Response
• Domain 10: Application Security
• Domain 11: Encryption and Key Management
• Domain 12: Identity, Entitlement, and Access Management
• Domain 13: Virtualization
• Domain 14: Security as a Service

Slide 47: FedRAMP Baseline Security Controls tool (walkthrough is outside this presentation)

Slide 48: References
• FedRAMP: www.fedramp.gov/ and www.fedramp.net/
• Cloud Security Alliance: https://cloudsecurityalliance.org/
• NIST Special Publications (800 Series): http://csrc.nist.gov/publications/PubsSPs.html
• Valdez Ladd: LinkedIn