1 FedRAMP Government Discussion Matt Goodrich, FedRAMP Director January 14, 2015 [classification marking] PAGE
2 FedRAMP Overview Ensuring Secure Cloud Computing FedRAMP was established via OMB Memo in December FedRAMP is the first government-wide security authorization program for FISMA mandatory for all agencies and all cloud services FedRAMP s framework is being modeled in other government security programs (mobile, data) and by other countries (Canada, UK, EU, China) FedRAMP s focus is to ensure the rigorous security standards of FISMA are applied while introducing efficiencies to the process for cloud systems, key of which is re-use Conservative cost estimates for FedRAMP is $40M for the govt alone Pre-FedRAMP FedRAMP Model [classification marking] PAGE 1
3 FedRAMP Overview Current Statistics Authorizations JAB P-ATOs -15 Includes services from IBM, Microsoft, Akamai, HP, Lockheed Martin Agency ATOs -11 Includes Amazon, AINs, USDA, Micropact, Salesforce In Process CSPs JAB P-ATO 15 Includes services from Dell, SecureKey, Oracle, Amazon, Microsoft, IT-CNP, IBM Agency ATOs 23 Includes Microsoft, Google, Adobe, IBM, Oracle, Verizon [classification marking] PAGE 2
4 Agency ATO Quick Guide [classification marking] PAGE
5 FedRAMP Security Assessment Framework The agency ATO process should follow the FedRAMP Security Assessment Framework(SAF) The SAF is based on the NIST Risk Management Framework The FedRAMP Security Assessment Frameworkis a available at FedRAMP.gov on the Templates and Key Documents webpage [classification marking] PAGE 4
6 Timeline for the SAF Document Assess Authorize Monitor ConMon SSP SAP Testing SAR POAM Reports NIST RMF 1, 2, 3 NIST RMF 4 NIST RMF 5 NIST RMF 6 JAB P-ATOs Agency ATOs 9+ mos 5+ mos CSP Supplied 3+ mos [classification marking] 5 PAGE 5
7 Considerations During SAF TRUSTED INTERNATE CONNECTIONS (TIC) CSPs are required to support agency TIC implementations CSPs do not host TIC components in their environments FEDERAL INFORMATION PROCESSING STANDARD (FIPS) PUB CSPs are required to implement only FIPS Pub for all cryptographic implementations External interfaces with Federal customers PERSONAL IDENTITY VERIFICATION (PIV) Agencies are required to use PIV for multi-factor authentication CSPs are required to support PIV as a multi-factor solution [classification marking] PAGE 6
8 ATO Packages submitted to FedRAMP should have the following FedRAMP templates included. The PMO will check these documents for completeness FedRAMP Templates are available at FedRAMP.gov on the Templates and Key Documents webpage We suggest that you use the Test Cases that we released in Excel format for public comment: nt/rev-4-test-case-workbook Agency ATO Guide DocumentChecklist Templates Available FIPS 199 FedRAMP Templates Available: Control Implementation Summary (CIS) System Security Plan Information System Security Policy User Guide E-Authentication Template Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA) Rules of Behavior (ROB) IT Contingency Plan Security Assessment Plan (SAP) Test Case Workbook Security Assessment Report (SAR) Plan of Action and Milestone (POA&M) ATO Letter Cert Letter [classification marking] PAGE 7
9 Document Checklist Docs w/o Templates The Agency ATO Packages submitted to FedRAMP should have the following documents included. The PMO will check these documents for completeness The documents listed on this slide do not have an FedRAMP template No Template Available: Policies and procedures Business Impact Analysis Configuration Management Plan Incident Response Plan Interconnection Security Agreement (ISA/ MOU) Penetration Test Plan [classification marking] PAGE 8
10 Granting an ATO GRANTING AN AUTHORITY TO OPERATE (ATO) Once a review is complete, an authorization should be granted and provided to the FedRAMP PMO Authorization for Cloud Providers should not be tied to individual Applications or Platforms CSPs are intended for multiple tenants, use by different customers Authorizations should be viewed as building blocks For Microsoft packages, consuming agencies will need to leverage all of the packages that relate to the service being consumed e.g. GFS, Azure, O365 Customer Agencies will ALWAYS have some responsibility for controls e.g. an agency will always have to enforce 2 factor authentication [classification marking] PAGE 9
11 Sample ATO and Cert Letter Template Included with the authorization package should be a Certification Letter and ATO Memo detailing your agency s authorization. A sample Certification Letter is attached below: Sample Cert Letter You can find the Sample FedRAMP ATO Memo Template at FedRAMP.gov on the Templates and Key Documents webpage [classification marking] PAGE 10
Seeing Though the Clouds A PM Primer on Cloud Computing and Security NIH Project Management Community Meeting Mark L Silverman Are You Smarter Than a 5 Year Old? 1 Cloud First Policy Cloud First When evaluating
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
NIST Special Publication 800-66 Revision 1 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Matthew Scholl, Kevin Stine, Joan
Business Process Design As-Is and To-Be Checklists Introduction These business process design checklists were developed to help Federal IT staff, Records Managers, and Program Managers identify records
Continuous Cyber Situational Awareness Continuous monitoring of security controls and comprehensive cyber situational awareness represent the building blocks of proactive network security. A publication
CNSSP No. 22 January 2012 Policy on Information Assurance Risk Management for National Security Systems THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION
WHITE PAPER Securing Your Cloud-Based Data Integration A Best Practices Checklist A Report on Secure Integration Techniques Targeted at the Information Technology Executive Prepared by Mercury Consulting,
INFOCOMM DEVELOPMENT AUTHORITY OF SINGAPORE Multi-Tiered Cloud Security Standard for Singapore (MTCS SS) Audit Checklist Report For cross-certification from MTCS SS to Cloud Security Alliance (CSA) Security,
A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...
Special Publication 800-145 The NIST Definition of Cloud Computing Recommendations of the National Institute of Standards and Technology Peter Mell Timothy Grance NIST Special Publication 800-145 The NIST
January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...
Whitepaper: Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider WHITEPAPER Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider Requirements Checklist
FIRST Site Visit Requirements and Assessment Document originally produced by CERT Program at the Software Engineering Institute at Carnegie Mellon University And Cisco Systems PSIRT Revision When Who What
GOVERNANCE STRATEGIES New Requirements for Security and Compliance Auditing in the Cloud Cloud computing poses new challenges for IT security, compliance, and audit professionals who must protect corporate
Windows Firewall with Advanced Security Design Guide and Deployment Guide Microsoft Corporation Published: October 2008 Author: Dave Bishop Editor: Allyson Adley Reviewers: Bilal Aijazi, Boyd Benson, Shalaka
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Isuz Ltd. trading as Schoolcomms
Work.com Implementation Guide Salesforce, Summer 15 @salesforcedocs Last updated: June 20, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
Transforming the Way Government Builds Solutions > ACT-IAC Institute for Innovation 2013 American)Council)for)Technology Industry)Advisory)Council:)) The American Council for Technology (ACT) is a non-profit
Managing the Shadow Cloud Integrating cloud governance into your existing compliance program August 2014 Shadow IT is not a new concept and organizations are well aware of the risks associated with unauthorized
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Setting Up Person Accounts Salesforce, Summer 15 @salesforcedocs Last updated: June 30, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
Symantec Control Compliance Suite Overview Addressing IT Risk and Compliance Challenges Only 1 in 8 best performing organizations feel their Information Security teams can effectively influence business
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Federal Server Core Configuration (FSCC) A high-level overview of the value and benefits of deploying a single, standard, enterprise-wide managed server environment A Microsoft U.S. Public Sector White
GUIDANCE ON EXHIBITS 53 AND 300 INFORMATION TECHNOLOGY AND E-GOVERNMENT Table of Contents 1. Why must I report on information technology (IT) investments? 2. What background information must I know? 3.
Cloud Service Level Agreement Standardisation Guidelines Brussels 24/06/2014 1 Table of Contents Preamble... 4 1. Principles for the development of Service Level Agreement Standards for Cloud Computing...