DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015
New leadership breeds new policies and different approaches to a more rapid adoption of cloud services for the DoD. As you may know, the Defense Information Systems Agency (DISA) has released new Department of Defense (DoD) cloud security requirements as the DoD looks to shift to commercial cloud services. While the premise of leveraging and aligning with the Federal Risk and Authorization Management Program (FedRAMP) hasn't changed, DISA has supplemented the FedRAMP baseline with DoD-specific requirements. Released on January 12, 2015, the DoD Cloud Computing Security Requirements Guide (SRG), Version 1, Release 1, supersedes all current guidance under the DISA Cloud Security Model. The acting DoD CIO, Terry Halvorsen, has gone on record several times searching for ways to better enable the cloud procurement process by granting more purchasing ability and authority to individual agencies/components within the DoD. While this SRG release is primarily focused on impact levels 2 and 4, it acknowledges opportunities for future updates, and each quarterly release will focus on those improvements. The next quarterly release will include a focus on impact level 5 and considerations for hosting DoD workloads outside of U.S. facilities.

Let's be clear about which audiences the SRG guidance serves.
It applies to the following entities:
- Commercial and non-DoD federal government Cloud Service Providers (CSPs)
- DoD programs operating as a CSP
- DoD Components and Mission Owners using, or considering the use of, commercial/non-DoD and DoD cloud computing services
- DoD risk management assessment officials and Authorizing Officials (AOs)

Key Changes

While there have been some success stories for cloud adoption within the DoD, industry and many DoD stakeholders are looking for faster adoption to realize the value, elasticity, mobility and on-demand capabilities of cloud. The DoD has leveraged the FedRAMP Joint Authorization Board (JAB) and U.S. federal government agency authority to operate (ATO) packages residing in the FedRAMP Secure Repository. This release introduces the term FedRAMP Plus (FedRAMP+), which applies to both the FedRAMP JAB and the agency-sponsored authorization routes currently approved through FedRAMP.
As on the federal civilian side, every agency/component has the ability to leverage the baseline FedRAMP assessment and either accept it as-is or add security requirements on top of it, which is what the DoD has done. Specific critical mission and business needs drive the added requirements; the added controls will also need to be tested by an accredited third party assessment organization (3PAO) to ensure proper implementation.

Security Objectives/Impact Levels Consolidated

Cloud security impact levels help drive the security requirements for FedRAMP and DoD systems. In all cases, impact levels are defined by the combination of the sensitivity of the information stored and processed within the CSP offering and the potential impact of an event that results in the loss of confidentiality, integrity or availability of DoD data, systems or networks. Forget what you previously read about Levels 1-6. According to the latest SRG publication, these are the new DoD cloud impact levels and the corresponding amendments:

Level 1 - Unclassified information approved for public release. REMOVED: Level 1 has been merged into Level 2.

Level 2 - Non-controlled unclassified information. Level 2 includes all data cleared for public release, as well as some DoD private unclassified information that is not designated as CUI or critical mission data but still requires some minimal level of access control.

Level 3 - Controlled Unclassified Information. REMOVED: Level 3 has been merged into Level 4.

Level 4 - Controlled Unclassified Information. Level 4 accommodates CUI, the categorical designation for unclassified information that, under law or policy, requires protection from unauthorized disclosure as established by Executive Order 13556 (November 2010), as well as other mission critical data:
- Export Control
- Privacy Information
- Protected Health Information (PHI)
- Other (FOUO, OUO, LES, etc.)

Level 5 - Controlled Unclassified Information. Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs), due to the inclusion of NSS-specific requirements in the FedRAMP+ controls/control enhancements (C/CEs).

Level 6 - Classified information up to SECRET. At this time, only information classified as SECRET
The SRG also addressed the FedRAMP submission/authorization paths and reiterated that these are the only options for CSPs to follow:
- FedRAMP JAB Provisional Authorization to Operate (P-ATO): assessed by a 3PAO; the CSP holds, or is in the process of obtaining, a JAB P-ATO.
- FedRAMP Agency ATO: assessed by a 3PAO; the system is authorized, or is in the process of obtaining an ATO, i.e. it has an agency sponsor.
- DoD Self-Assessed Provisional Authorization (PA): assessed by the DISA cloud assessment team; the CSP is assessed against at least the FedRAMP Moderate baseline plus the FedRAMP+ requirements. This path is typically seen with dedicated and/or private cloud service offerings.

NIST SP 800-53 Rev. 3 to Rev. 4 Transition

It's worth noting that the DoD will be following the FedRAMP Program Management Office's (PMO) approach to the transition to the latest NIST guidance. The accreditation/authorization issue still exists: Platform as a Service (PaaS) and Software as a Service (SaaS) offerings sitting on top of an already FedRAMP-approved Infrastructure as a Service (IaaS) provider have mainly been approved under the NIST SP 800-53 Rev. 3 guidance. Discussions are underway to update the guidance provided by the FedRAMP PMO in Q1 of 2015, so expect this to come out soon.

DoD FedRAMP+ Security Controls/Enhancements

I won't bore you with the details of each and every control; save that for a rainy day. However, any added control can certainly impact your CSP offering, so read the controls very closely. CSPs will be required to re-evaluate their current understanding of the previously published impact levels and their respective security controls, and realign those levels against the newly published security requirements.
As of the date of this publication, the tailored baseline had only been published for impact levels 4-6. The FedRAMP+ control/enhancement totals, counted against NIST SP 800-53 Rev. 4, are summarized below:

Level 2: TBD
Level 4: 35, plus Privacy Overlay controls if applicable
Level 5: 44, plus Privacy Overlay controls if applicable
Level 6: 44, plus 98 from the Classified Overlay

The best way to navigate these security requirements is to review the control summary (pages 27-28) currently assigned to Levels 4-6, and then go to Appendix D (pages ) to view the actual security control values. It is not clear why Level 2 security controls are missing from the publication, but expect to see them fleshed out either with a sponsoring DoD entity or in a new SRG release for all CSPs to follow.
Continuous Monitoring

The Continuous Monitoring Strategy Guide published by the FedRAMP PMO largely remains intact for CSPs seeking to maintain their authorization. DoD agencies/components can and will impose more stringent requirements in accordance with the latest impact levels and continuous monitoring guidance. At a minimum, the monthly requirements are: credentialed network/OS, web, and database vulnerability scans, together with a frequently updated Plan of Action and Milestones (POA&M) and a remediation plan for identified findings.

Summary

It's very clear that organizations need to take a tiered approach to navigating the DoD cloud market. I recommend you start with the FedRAMP Moderate baseline and work to get approved under the FedRAMP JAB or FedRAMP Agency route. Once that is achieved, which is no small feat in itself, look to engage your DoD buyers early in the process to help you fill in the blanks. If the potential DoD buyers are still on the periphery, you can certainly bank on the Level 4-6 approach for preparing your solution and FedRAMP documentation to include these specific controls. I anticipate this process and recommended approach will evolve, and am eager to see some traction in the DoD cloud space in 2015 and beyond.
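The monthly minimum in the Continuous Monitoring section (credentialed scans of each type, plus a current POA&M) is the kind of obligation a CSP's continuous monitoring lead ends up scripting rather than tracking by hand. The following is an added example, not code from this article, DISA or the FedRAMP PMO: it takes a scan log and a POA&M (constructed sample records) and reports which scan types lack a credentialed scan inside the window and which open findings have no milestone or have already missed one. The 30-day window, the record field names and the finding IDs are assumptions made for the example.

```python
"""Continuous-monitoring cadence check for a FedRAMP/DoD cloud offering.

Added example; not part of the original article or any DISA/FedRAMP
guidance. It checks two of the minimum monthly obligations the article
lists: that a credentialed vulnerability scan of each required type
(network/OS, web, database) has run within the last 30 days, and that
every open POA&M finding has a scheduled milestone that has not passed.
The 30-day window, field names and finding IDs are assumptions.
"""
from datetime import date, timedelta

REQUIRED_SCAN_TYPES = ("network_os", "web", "database")
MAX_SCAN_AGE = timedelta(days=30)  # assumption: "monthly" read as a 30-day window


def overdue_scans(scans, today, required=REQUIRED_SCAN_TYPES, max_age=MAX_SCAN_AGE):
    """Return {scan_type: reason} for scan types that are missing or stale.

    ``scans`` is an iterable of dicts: {"type", "date", "credentialed"}.
    Only credentialed scans count toward the requirement: an unauthenticated
    scan cannot see missing patches or weak configuration on the host itself,
    so it is skipped rather than treated as satisfying the cadence.
    """
    latest = {}
    for scan in scans:
        if not scan["credentialed"]:
            continue  # uncredentialed scan: does not satisfy the requirement
        t = scan["type"]
        if t not in latest or scan["date"] > latest[t]:
            latest[t] = scan["date"]
    problems = {}
    for t in required:
        if t not in latest:
            problems[t] = "no credentialed scan on record"
        elif today - latest[t] > max_age:
            problems[t] = f"last credentialed scan {(today - latest[t]).days} days ago"
    return problems


def poam_exceptions(poam, today):
    """Return [(finding_id, reason)] for open POA&M items needing attention.

    ``poam`` is an iterable of dicts: {"id", "status", "milestone"} where
    ``milestone`` is a date or None. Closed items are ignored; open items
    must carry a milestone, and that milestone must not already be past.
    """
    exceptions = []
    for item in poam:
        if item["status"] != "open":
            continue
        if item["milestone"] is None:
            exceptions.append((item["id"], "no scheduled milestone"))
        elif item["milestone"] < today:
            missed = (today - item["milestone"]).days
            exceptions.append((item["id"], f"milestone missed by {missed} days"))
    return exceptions


# Constructed sample data: a hypothetical CSP's scan log and POA&M as of 2015-02-16.
TODAY = date(2015, 2, 16)
SAMPLE_SCANS = [
    {"type": "network_os", "date": date(2015, 2, 1), "credentialed": True},
    {"type": "web", "date": date(2015, 2, 10), "credentialed": False},  # recent but uncredentialed
    {"type": "web", "date": date(2015, 1, 5), "credentialed": True},     # credentialed but 42 days old
    # no database scan at all
]
SAMPLE_POAM = [
    {"id": "V-001", "status": "open", "milestone": date(2015, 3, 1)},
    {"id": "V-002", "status": "open", "milestone": None},
    {"id": "V-003", "status": "open", "milestone": date(2015, 1, 30)},
    {"id": "V-004", "status": "closed", "milestone": date(2015, 1, 10)},
]

if __name__ == "__main__":
    for scan_type, why in overdue_scans(SAMPLE_SCANS, TODAY).items():
        print(f"SCAN GAP   {scan_type}: {why}")
    for finding_id, why in poam_exceptions(SAMPLE_POAM, TODAY):
        print(f"POAM ISSUE {finding_id}: {why}")
```

On the sample data the script flags the web scan (the only recent one is uncredentialed, and the credentialed one is 42 days old), the absent database scan, V-002 for having no milestone and V-003 for a milestone 17 days past. Feeding it real scanner exports and the POA&M spreadsheet is a matter of mapping those columns onto the three fields each function expects.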
References

DoD Cloud Computing SRG - Version 1, Release 1:

James Leach is VP, Service Development & Commercial, of Veris Group, LLC, an industry-leading, award-winning cybersecurity company headquartered in Vienna, VA. verisgroup.com E: info@verisgroup.com T:
More informationCloud Computing. Report No. OIG-AMR-74-14-03. UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General.
UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General Cloud Computing Report No. OIG-AMR-74-14-03 October 21, 2014 CONTENTS EXECUTIVE SUMMARY... 1 BACKGROUND... 2 OBJECTIVE,
More informationFederal Cloud Security
Federal Cloud Security The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision,
More informationDepartment of Defense INSTRUCTION
Department of Defense INSTRUCTION NUMBER 8440.01 December 24, 2015 DoD CIO SUBJECT: DoD Information Technology (IT) Service Management (ITSM) References: See Enclosure 1 1. PURPOSE. Pursuant to the authority
More informationGuide to Understanding FedRAMP. Guide to Understanding FedRAMP
Guide to Understanding FedRAMP Version 1.0 June 5, 2012 Executive Summary This document provides helpful hints and guidance to make it easier to understand FedRAMP s requirements. The primary purpose of
More informationCloud Computing Strategy
Department of Defense Chief Information Officer Cloud Computing Strategy July 2012 This page intentionally left blank EXECUTIVE SUMMARY In the current political, economic, and technological landscape,
More informationAppendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)
Appendix 10 IT Security Implementation Guide For Information Management and Communication Support (IMCS) 10.1 Security Awareness Training As defined in NPR 2810.1A, all contractor personnel with access
More information1 Introduction... 1. 2 Roles and Responsibilities... 5. 3 Cloud Architectures... 7
Contents 1 Introduction..................................................... 1 1-1 Purpose.................................................................. 1 1-2 Scope...................................................................
More informationCLOUD COMPUTING SERVICES CATALOG
CLOUD COMPUTING SERVICES CATALOG... Including information about the FedRAMP SM authorized Unclassified Remote Hosted Desktop (URHD) Software as a Service solution CTC Cloud Computing Services Software
More information5 FAH-8 H-351 CLOUD COMPUTING
5 FAH-8 H-350 CLOUD COMPUTING (Office of Origin: IRM/BMP) 5 FAH-8 H-351 CLOUD COMPUTING GOVERNANCE BOARD a. The Cloud Computing Governance Board (CCGB) exists to provide advice to the Authorizing Official
More informationMarine Corps. Commercial Mobile Device Strategy
Marine Corps Commercial Mobile Device Strategy April 2013 THIS PAGE INTENTIONALLY LEFT BLANK FOREWORD The currently constrained budget environment requires us to balance fiscal responsibility and mission
More informationConcurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services
Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services organization providing innovative management and technology-based
More informationCloud Computing Strategy
Department of Defense Chief Information Officer Cloud Computing Strategy July 2012 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is
More informationAudit of the CFPB s Acquisition and Contract Management of Select Cloud Computing Services
O F F I C E O F IN S P E C TO R GENERAL Audit Report 2014-IT-C-016 Audit of the CFPB s Acquisition and Contract Management of Select Cloud Computing Services September 30, 2014 B O A R D O F G O V E R
More informationTESTIMONY OF MR. RICHARD SPIRES CHIEF INFORMATION OFFICER U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON HOMELAND SECURITY
TESTIMONY OF MR. RICHARD SPIRES CHIEF INFORMATION OFFICER U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON HOMELAND SECURITY SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
More information