The Benefits of FedRAMP. Shamun Mahmud, DLT Cloud Advisory Group
Shamun Mahmud, DLT Cloud Advisory Group, DLT Solutions LLC, 2012

Executive Summary

FedRAMP (Federal Risk and Authorization Management Program) serves as the primary program for federal acquisition of cloud computing services. FedRAMP uses a risk management approach to improve security postures in federal IT enterprises. Cloud service acquisition via FedRAMP is a form of outsourcing. The government already uses outsourcing as a strategic initiative to improve customer service and quality and to reduce costs. Agencies can use FedRAMP to outsource a portion of the security controls authorization process. FedRAMP allows one agency to leverage another agency's vetted security requirements and authorization packages. The leveraging of FedRAMP authorizations-to-operate (ATOs) also establishes a digital trust ecosystem. Further, this re-use adds a level of assessment transparency. Multi-agency assessment and authorization of common systems helps agencies address their programs' technical requirements in a timely and cost-effective manner. Cloud Service Providers (CSPs) that attain FedRAMP authorization also reduce an agency's time-to-production. As a logical extension of current federal IT security best practices, FedRAMP leverages the Cloud Security Alliance's (CSA's) Cloud Controls Matrix (CCM) to improve independent accountability of government-developed systems used by multiple agencies.

For parties that have an interest in cloud computing within government, this whitepaper describes several additional benefits that FedRAMP brings to federal agencies:

1. Increased security through focused risk management
2. Reduced duplication of effort
3. Ensured security oversight
4. Improved independent accountability
5. Integration with current government-wide security efforts
6. Rapid acquisition cycle
7. Heightened assessment transparency
8. Reduced resource hurdles

What is FedRAMP?
The Federal Risk and Authorization Management Program, or FedRAMP, has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products. FedRAMP allows for joint authorizations and continuous security monitoring of government and commercial cloud computing systems intended for multi-agency use. Joint authorization of cloud providers results in a common security risk model that can be leveraged across the federal government. The use of this common security risk model provides a consistent baseline for cloud-based services. This common baseline ensures that the benefits of cloud-based services are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model will also enable the government to "approve once, and use often" by ensuring that multiple agencies gain the benefit and insight of FedRAMP's authorization and access to service providers' authorized packages. [i]
Increased Security through Focused Risk Management

FedRAMP uses a risk management approach to harden security postures in federal IT enterprises. Risk management is a fundamental challenge and must be addressed appropriately for an agency to successfully complete its mission. FedRAMP is designed to streamline the effort agencies expend on all phases of risk management.

When an agency develops a risk management policy, a collection of tasks and procedures must be compiled. There are programs that can assist in the proper development of risk management procedures and templates to help guide managers as they formulate the policy for their particular requirements. The first important step of risk management is the identification of all known risks: you cannot mitigate a risk if you are unaware of it. This step must be performed accurately and thoroughly so that all known risks can be addressed by the policy. The second step in the process is determining the impact and probability of each identified risk. The impact of each risk is different for every agency exposed to it. With these two factors known, the prioritization of the known risks can take place. The final step is to define the reasons and objectives for the policy, based on the risk assessments. The policy should be implemented to mitigate and lessen the impact of all the identified risks as much as possible. Only when all steps are complete can the magnitude and importance of the risk management policy be fully understood (and realized). The importance of a risk management policy is clear, and that is why every agency has one. The better the risks are managed, the less of a compliance burden and impact they will cause the agency to bear.
[Figure: Developing a Policy. Steps: Identify Risks; Determine Risk Impact; Define Policy Reasons/Objectives; Policy Implementation]

Reduced Duplication of Effort

Grouping baseline security controls within FedRAMP allows agencies to better focus on agency-specific requirements and reduce certification and accreditation costs. FedRAMP was created to provide transparent standards and processes that benefit the government and its constituency. Several government agencies were already working on initiatives for collecting and sharing information and services. The standards and processes established within FedRAMP leverage this work and facilitate the dissemination of shareable information through documented best practices.

One of FedRAMP's goals is to shift some of the procurement workload from the Certification and Accreditation (C&A) function to the Assessment and Authorization (A&A) function. One of the highest costs for government IT shops that this model addresses is the cost of C&A. Current C&A recertifications are required every 3 years, and the process is unwieldy at best. Given the rigidity of the process, IT is sometimes seen as a roadblock to meeting mission objectives. FedRAMP provides a consistent and coherent Cloud Risk Authorization Management (CRAM) model that spans multiple levels of government. FedRAMP also promises a significant impact on A&A overheads by reducing redundancy and duplication of effort.

From an end-user viewpoint, FedRAMP ultimately facilitates secured, work-anywhere access to required information and services. FedRAMP will also provide a more consistent government experience by reducing the level of knowledge of government processes that constituents, particularly non-federal entities, must possess in order to interact with the government.

From an agency's (particularly its Programs Office's) point of view, the creation and implementation of an interoperability model will enable them to add value to their existing information and services by bundling similar acquisitions. There will be opportunities to reduce duplication of effort and to reuse intellectual property to deliver better returns on investment and better services to constituents. FedRAMP streamlines the successful execution of programs, allowing agencies to fulfill their missions' requirements.

Ensured Security Oversight of Outsourced Systems

Cloud service acquisition through FedRAMP is a form of outsourcing. Agencies can use FedRAMP to outsource a portion of the security controls authorization process.

What is Outsourcing?

In its most basic form, outsourcing is simply the hiring out of services to a third party. With regard to information technology, it can include anything from outsourcing all IT management to a third party like IBM or HP, all the way to outsourcing a very small and easily defined service, such as disaster recovery or data storage, and everything in between. The classic make/buy decision revolves around doing things in-house versus outsourcing.
Agencies already use outsourcing as a strategic initiative to improve customer service and quality and to reduce costs. The cloud is a new delivery method for outsourced information technology services owned and operated by a third party. In the context of FedRAMP, the third party (the outsourcer) is a Cloud Service Provider (CSP).
Advantages and Disadvantages of Outsourcing

Advantages

- Cost savings: there can be significant cost savings when a business function is outsourced.
- Shifts focus to core business: outsourcing to a CSP allows agencies to focus on their expertise and core business.
- Improved quality: improved quality can be achieved by using CSPs with more expertise and more specialized processes.
- Improved customer service: the contract binds the CSP to certain levels of service and quality.
- Operational efficiency: specialization provides more efficiency, which allows for quicker turnaround time and higher levels of quality.

Disadvantages

- Quality risk: even if there is an SLA, outsourcing can expose an agency to potential risks and compliance exposure.
- Quality of service: unless a contract specifically identifies a measurable process for quality-of-service reporting, there could be a poor service quality experience.
- Language barriers: agencies have unique cultures and vocabularies.
- Employee morale: there can be negative perceptions of outsourcing services.
- Organizational knowledge: a Cloud Service Provider (CSP) may not have the same understanding of and passion for an agency's mission as the agency's own resources.
- Compliance and security: services that are outsourced need to be managed to ensure there is diligence with compliance and system security. An example of a potential risk with outsourcing is a data breach, where access to confidential customer data is used for unauthorized purposes.

Compliance and Security Issues with Outsourcing Services

Unauthorized disclosure threatens vast amounts of sensitive and/or Personally Identifiable Information (PII). In addition, poor controls over access to data and inadequate disaster recovery plans diminish the reliability of the large quantities of electronically maintained information essential for delivering federal services, assessing the success of federal programs, and monitoring agency performance.
An underlying cause is that agencies have not implemented information security programs that establish appropriate policies and controls and routinely monitor their effectiveness. Each agency can improve its oversight effectiveness by taking advantage of the insights into information security that are becoming routinely available from the agency compliance audits required under FedRAMP. Although these audits pertain primarily to cloud systems, they are independent assessments of information security that will be available to most major agencies on a continuous basis. Agencies can use this audit information, in conjunction with the results of agency self-assessments, to evaluate the scope and adequacy of information security reviews by individual agencies. Lastly, audit data and self-assessments are key determinants for monitoring progress in mitigating identified problems. Further, aside from NIST's FedRAMP enforcement, the recently established Chief Information Officers (CIO) Council can also serve as a mechanism for strategically addressing cloud security on a government-wide basis. However, it is important that agencies continually monitor the threat landscape. They must develop and improve staff expertise for proactively and systematically overseeing the overall design and effectiveness of agency information security programs that are migrated to the cloud. [ii]
Improved Independent Accountability

As a logical extension of current federal IT security best practices, FedRAMP leverages the Cloud Security Alliance's (CSA's) Cloud Controls Matrix (CCM) to improve independent accountability of government-developed systems used by multiple agencies. FedRAMP is designed to foster inter-agency trust. One objective of FedRAMP is to establish a common security risk model that serves as a consistent risk baseline deployable across multiple agencies. This commonality enables an "approve once, use often" authorization process, based upon inter-agency trust relationships. Ultimately, FedRAMP will save the costs, time, and staff required by reducing redundant security assessments performed on an agency-by-agency basis.

FedRAMP Security Requirements

FedRAMP serves as the primary program for federal acquisition of cloud services. Since the scope of FedRAMP is government-wide, agencies need to be able to verify the program as a credible authority. Therefore, it is imperative that the program formally establishes inter-agency trust relationships built upon rigid security measures. To proactively address concerns, stringent security requirements are an integral part of the program's model. It is important to note that government IT enterprises have built a vast knowledge base of security-related measures. Due to their tried-and-true nature, personnel feel a certain level of comfort with these measures. In fact, many consider their current measures to be best practice(s). FedRAMP recognizes this valuable level of trust built over the last three decades of IT operations. Its security requirements leverage government IT best practices and robustly extend them for cloud services. For a detailed clarification of how FedRAMP leverages the Cloud Security Alliance's (CSA's) Cloud Controls Matrix (CCM) to foster accountability, refer to Appendix A.
Integration with Government-wide Security Efforts

Integrated Security Architectures

There are several benefits of integrated security:

1. Increased security posture
2. Operational efficiency of security functions
3. Minimized impact of attacks on workloads
4. Features of integrated security
[Figure: Increased Security Posture; Minimized Impact of Attacks on Business; Operational Efficiency of Security Functions; Features of Integrated Security]

Increased Security Posture

Security technologies that are integrated will interoperate, providing an enhanced security posture over their standalone counterparts. Intrusion detection technology could identify a potential threat and prompt a higher firewall posture, or the firewall technology could initiate a virus scan of a suspicious transmission. FedRAMP aims to harden security postures. This reduces the risk of a technology becoming the weakest link in the security chain, and increases the potential for capture and containment of blended threats.

Operational Efficiency of Security Functions

Integrated security reduces the need to purchase, install, update, and manage multiple security products, or to address interoperability issues between various products, at each cloud or network tier. Such a solution maximizes the productivity of the often overburdened IT department, while improving overall security manageability.

Minimized Impact of Attacks on Workloads

Since an integrated security solution can be implemented at each cloud layer (or network tier), it offers greater protection of proprietary assets. Integrated security better allows for uninterrupted program operations, promotes employee productivity, and minimizes the possibility of noncompliance.

Features of Integrated Security

The threat landscape in the cloud is rapidly evolving. As a result, security is only as effective as the most recent update of a virus definition, firewall rule, intrusion signature, or other content update. By applying a uniform approach to systems and devices that contain business-critical and sensitive information assets, agencies can ensure the integrated and timely updates of their security content and other critical aspects of a security system. Technology alone does not address security issues.
An integrated security solution works best when built upon strong policies and procedures and supplemented by appropriate personnel and physical security measures. Solid security policy and standards define what needs to be protected, who is granted access, and the reason access is required. Executive-level support in the organization for the security policy, as well as employee awareness, helps ensure successful policy adoption.
FedRAMP facilitates strategic security integration. An integrated security strategy improves the overall security posture of the network in a way not possible via implementation of individual products. Whether security is handled in-house or outsourced, ensuring that all of these capabilities are in place is vital to maintaining a secure critical infrastructure.

An Aside on the Future of the Integrated Security Landscape

Government can now benefit from integrated security in a variety of ways, including improved efficiency of security functions, minimized business impact of attacks, and an improved overall security posture. In fact, agencies that adopt an integrated security strategy today will be in the best position to take advantage of the next stage of integrated security, whereby all network tiers will be integrated and centrally managed. Through this government-wide integration of security, administrator resources will be optimized, as installation, reporting, and updates will be possible from a single console. This management capability will further improve protection, while reducing the administrative, support, and ownership costs typically associated with cloud (and enterprise) security.

Rapid Acquisition Cycle

CSPs that attain FedRAMP authorization reduce time-to-production. FedRAMP will reduce the duplicative efforts, inconsistencies, and cost inefficiencies associated with the current security authorization process. Agencies will be able to save significant time and money by leveraging FedRAMP authorizations, where appropriate. While significant savings can be achieved, agencies will typically still need to perform some security risk management and privacy activities related to agency-specific usage of information systems. FedRAMP will help agencies decide whether acquisitions are appropriate for FedRAMP authorizations.
Ultimately, the actual number of control objectives that individual agencies must address during their formal authorization process will be significantly reduced. For example, let's examine the General Services Administration's (GSA's) Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS). As a purchasing option, BPAs eliminate such contracting and open-market costs as the search for sources, the need to prepare solicitations, and the requirement to synopsize the acquisition. [iii] In other words, a BPA streamlines the acquisition process by eliminating redundant processes, which in turn leads to a reduction in time-to-production. The GSA's BPA for IaaS will be issued to CSPs that have attained FedRAMP authorization. Once FedRAMP-approved, their offerings are authorized as covering most of the security control objectives that are commonplace throughout government. That translates into a decrease in the number of agency-specific control objectives that need to be addressed during the individual agency's acquisition process. Further, since common control objectives have been addressed proactively, government IT personnel will be more comfortable with the agile implementation. Thus, the BPA will result in shorter acquisition cycles, as well as reduced time-to-production.
Heightened Transparency

FedRAMP allows one agency to leverage another agency's vetted security requirements and authorization packages. The leveraging of FedRAMP authorizations-to-operate (ATOs) indirectly establishes a digital trust ecosystem. This re-use model adds a level of assessment transparency.

So, why do we need transparency? Without transparency, buyers cannot adequately assess their risks. Without objectively understanding their risks, buyers cannot determine the most cost-effective path to calculating their risk exposure. The elements of transparency empower the cloud consumer with the right information to make the best choices about what processing and data to put in the cloud and which cloud is best suited to satisfy processing needs. This is the nature of digital trust. It reinforces again why such reclaimed transparency is so essential to creating new value within the enterprise. Transparency of certain important elements of information is at the root of digital trust, and thus the source of value capture and payoff. It does not mean having to show every detail of the implementation beneath. CSPs might only have to release enough details that people can accurately calculate risks. For example, one does not have to know the details of the parts in a disk drive to be able to accept a mean time between failures (MTBF) or annualized failure rate (AFR) figure from the manufacturer. In essence, transparency does not require that CSPs reveal their trade secrets. Transparency is also addressed in NIST's Risk Management Framework (SP800-37). For a detailed mapping of FedRAMP Security Requirements to NIST SP800-37, please refer to Appendix B.

Reduced Resource Hurdles

Multi-agency assessment and authorization of shared systems helps agencies address technical requirements in a more timely and cost-effective manner. Cloud computing is as much of a paradigm shift for government as it is for industry.
Acquisitions offices within individual agencies might not possess the requisite technical understanding to authorize cloud services in an informed manner. By leveraging multi-agency assessments and authorizations, FedRAMP ensures that agencies authorize cloud services more effectively. Agencies may still choose to sponsor a cloud service to be authorized under FedRAMP. Sponsoring a cloud service shifts the compliance burden from the sponsor agency to FedRAMP but still enables the agency to participate in the final authorization decision.

Summary

FedRAMP provides numerous benefits that allow the federal government to streamline its secure migration to cloud computing. This paper addressed eight areas where FedRAMP improves the government's current authorization practices. FedRAMP leverages and consolidates current security practices. It extends those lessons learned by using industry-standard tools like the CSA's CCM. FedRAMP also improves procurement best practices by reducing the duplication of effort expended during the A&A process. Ultimately, the benefits reduce overall costs while improving the quality of services provided to constituencies.
Appendix A: Clarification of how FedRAMP leverages the Cloud Security Alliance's (CSA's) Cloud Controls Matrix (CCM) to foster Accountability

The following FedRAMP excerpt focuses on exploring the selected security control baseline as part of the Cloud Security Alliance's (CSA) Cloud Controls Matrix v1.2 (CCM) in order to:

- Ensure coverage and applicability within cloud computing operating environments and within NIST SP , Rev. 3;
- Identify and address cloud-specific security considerations relevant to the objectives of each security control; and
- List relevant references to support implementation and assessment.

The CSA's CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. For our discussion, we will focus on the Audit and Accountability Policy and Procedures domain, also known as the Audit domain (AU). Below is an abstraction of Control AU-1, Audit and Accountability Policy and Procedures:

Audit and Accountability Policy and Procedures
Control Baseline: Low = AU-1, Moderate = AU-1
Control Number: AU-1
Control: The organization develops, disseminates, and reviews/updates at least annually:
a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

Thus, Control AU-1, sub-section (a) formalizes the POLICY for independent accountability by multiple agencies, whereas sub-section (b) formalizes the PROCEDURES to assist the implementation of the POLICY as well as the associated controls.

As a side benefit, FedRAMP works with the CSA to create an environment conducive to exchanging and sharing experiences. In turn, the CSA proactively solicits independent contributions in support of the government Community of Practice for independent accountability mechanisms. Discussion topics would include (but are not limited to) independent accountability mechanisms (IAMs) in the areas of risk management, compliance, and governance. The CSA compiles (and shares) cloud consumers' views on topical issues, emerging best practices, and developments.
Appendix B: Detailed mapping of FedRAMP Security Requirements to NIST's Risk Management Framework (SP )

A brief background: the FedRAMP security process is based on NIST's Risk Management Framework (RMF) as described in NIST Special Publication revision 1. The concept of transparency is addressed within the six-step flow of the RMF, in Step 6 (Monitor), Task 6-4:

TASK 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process. When updating key information in security plans, security assessment reports, and plans of action and milestones, organizations ensure that the original information needed for oversight, management, and auditing purposes is not modified or destroyed. Providing an effective method of tracking changes to information over time through strict configuration management and control procedures (including version control) is necessary to: (i) achieve transparency in the information security activities of the organization; (ii) obtain individual accountability for security-related actions; and (iii) better understand emerging trends in the organization's information security program.

Disparate audit and continuous monitoring systems within government IT must interoperate. Transparency is the key to interoperability. Subtask (i) formalizes the mandate to meet the transparency requirement.

Links and References

[i] Melvin Greer, "Why FedRAMP really matters" (Jan 2012).
[ii] INFORMATION SECURITY: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD , September 1996).
[iii] U.S. General Services Administration. December 29, Blanket Purchase Agreements (BPAs) (Mar 2012).
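Task 6-4 in Appendix B requires that updates to a security plan, assessment report or POA&M never modify or destroy the original record, that each change be attributable to an individual, and that history be tracked through version control. The following is an added illustration, written for this page and not taken from FedRAMP, NIST or DLT: a minimal append-only version history in which every revision records its author and links to the digest of the revision before it, so that a silent edit of an earlier version is detected on verification. The `TrackedDocument` and `Version` names, the sample authors and the sample security-plan fields are all constructed for the example; the linking-by-digest design is borrowed from content-addressed version control systems, not from the RMF text itself.

```python
import dataclasses
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Version:
    """One immutable revision of a tracked record (e.g. a system security plan)."""
    number: int
    author: str        # who made the change: individual accountability, subtask (ii)
    timestamp: str     # ISO-8601 string supplied by the caller (kept as plain text here)
    content: dict
    prev_digest: str   # digest of the previous version; "" for the first version
    digest: str = field(default="")

    @staticmethod
    def compute_digest(number, author, timestamp, content, prev_digest):
        # Canonical JSON so the same logical revision always hashes identically.
        payload = json.dumps(
            {"n": number, "a": author, "t": timestamp, "c": content, "p": prev_digest},
            sort_keys=True, separators=(",", ":"),
        ).encode("utf-8")
        return hashlib.sha256(payload).hexdigest()


class TrackedDocument:
    """Append-only version history: an update adds a version, never overwrites one."""

    def __init__(self, author, timestamp, content):
        self._versions = []
        self._append(author, timestamp, content)

    def _append(self, author, timestamp, content):
        prev = self._versions[-1].digest if self._versions else ""
        number = len(self._versions) + 1
        digest = Version.compute_digest(number, author, timestamp, content, prev)
        self._versions.append(Version(number, author, timestamp, dict(content), prev, digest))

    def update(self, author, timestamp, changes):
        """Apply a change set as a new version; the prior version stays intact (subtask i)."""
        new_content = dict(self.current().content)
        new_content.update(changes)
        self._append(author, timestamp, new_content)

    def current(self):
        return self._versions[-1]

    def history(self):
        return list(self._versions)

    def changes_by(self, author):
        """Version numbers attributable to one author (trend and accountability review)."""
        return [v.number for v in self._versions if v.author == author]

    def verify(self):
        """Recompute every digest and check each version links to its predecessor.
        Returns (True, None) when intact, else (False, first_bad_version_number)."""
        expected_prev = ""
        for v in self._versions:
            if v.prev_digest != expected_prev:
                return False, v.number
            recomputed = Version.compute_digest(v.number, v.author, v.timestamp,
                                                v.content, v.prev_digest)
            if recomputed != v.digest:
                return False, v.number
            expected_prev = v.digest
        return True, None


def build_sample_history():
    """Constructed sample: three revisions of a (fictional) security plan."""
    doc = TrackedDocument("isso@agency.example", "2012-03-01T09:00:00Z",
                          {"system": "Example IaaS offering", "AU-1": "policy v1"})
    doc.update("isso@agency.example", "2012-06-01T09:00:00Z", {"AU-1": "policy v2"})
    doc.update("auditor@agency.example", "2012-07-15T09:00:00Z",
               {"POAM": "finding 7 closed"})
    return doc


def tamper_first_version(doc):
    """Simulate an after-the-fact edit of the original record and re-verify.
    The digest is left unchanged, so verify() must flag version 1."""
    original = doc._versions[0]
    doc._versions[0] = dataclasses.replace(original, content={"system": "Example IaaS offering",
                                                               "AU-1": "policy v1 (reworded)"})
    return doc.verify()


if __name__ == "__main__":
    d = build_sample_history()
    print("intact:", d.verify())                  # (True, None)
    print("auditor versions:", d.changes_by("auditor@agency.example"))
    print("after tampering:", tamper_first_version(d))   # (False, 1)
```

The point of the chain is that an update is always a new version carrying the previous digest, so the earliest record remains available unchanged for oversight, and the author field on each version gives the per-person accountability the task calls for. In a real deployment the history would live in a signed, access-controlled repository rather than an in-memory list, and timestamps would come from a trusted clock.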
13861 Sunrise Valley Drive, Suite 400, Herndon, VA. Copyright DLT Solutions, LLC. All rights reserved.
DHS IT Successes. Rationalizing Our IT Infrastructure
TESTIMONY OF Richard A. Spires Chief Information Officer U.S. Department of Homeland Security Before the House Committee on Oversight and Government Reform February 27, 2013 Chairman Issa, Ranking Member
The Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative
The Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative September 2014 Council of the Inspectors General on Integrity and Efficiency Cloud Computing Initiative Executive
GAO INFORMATION TECHNOLOGY REFORM. Progress Made but Future Cloud Computing Efforts Should be Better Planned
GAO July 2012 United States Government Accountability Office Report to the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, Committee
Information Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
Can CA Information Governance help us protect and manage our information throughout its life cycle and reduce our risk exposure?
SOLUTION BRIEF: CA INFORMATION GOVERNANCE Can CA Information Governance help us protect and manage our information throughout its life cycle and reduce our risk exposure? CA Information Governance delivers
Report via OMB s Integrated Data Collection (IDC), https://community.max.gov/x/lhtgjw 10
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 June 2, 2016 M-16-12 MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES FROM: Anne E. Rung United States Chief
Auditor General s Office. Governance and Management of City Computer Software Needs Improvement
Auditor General s Office Governance and Management of City Computer Software Needs Improvement Transmittal Report Audit Report Management s Response Jeffrey Griffiths, C.A., C.F.E Auditor General, City
Security Control Standard
Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,
Cloud Computing; the GOOD, the BAD and the BEAUTIFUL
Cloud Computing; the GOOD, the BAD and the BEAUTIFUL The quest for increased cost savings and reduced capital expenditures with comprehensive cloud solutions Executive summary Asking the hard dollar questions.
Identity and Access Management Initiatives in the United States Government
Identity and Access Management Initiatives in the United States Government Executive Office of the President November 2008 Importance of Identity Management within the Federal Government "Trusted Identity"
AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Department of Energy's Management of Cloud Computing Activities DOE/IG-0918 September 2014 Department
Open Certification Framework. Vision Statement
Open Certification Framework Vision Statement Jim Reavis and Daniele Catteddu August 2012 BACKGROUND The Cloud Security Alliance has identified gaps within the IT ecosystem that are inhibiting market adoption
Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash
Information Security Guide For Government Executives Pauline Bowen Elizabeth Chew Joan Hash Introduction Table of Contents Introduction 1 Why do I need to invest in information security? 2 Where do I need
DEPARTMENT AGENCY STATEMENT OF OBJECTIVES FOR CLOUD MIGRATION SERVICES: INVENTORY, APPLICATION MAPPING, AND MIGRATION PLANNING MONTH YYYY TEMPLATE
DEPARTMENT AGENCY STATEMENT OF OBJECTIVES FOR CLOUD MIGRATION SERVICES: INVENTORY, APPLICATION MAPPING, AND MIGRATION PLANNING MONTH YYYY TEMPLATE 1 Introduction and Instructions This sample Statement
Microsoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
Securing the Microsoft Cloud
Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and consumers to fully embrace and benefit from
Security Control Standard
Department of the Interior Security Control Standard Risk Assessment January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information
GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011
APPENDIX 1 GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT January 7, 2011 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS
STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration
STATEMENT OF Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration BEFORE THE HOUSE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
TOOLS and BEST PRACTICES
TOOLS and BEST PRACTICES Daniele Catteddu Managing Director EMEA, Cloud Security Alliance ABOUT THE CLOUD SECURITY ALLIANCE To promote the use of best practices for providing security assurance within
Building the Business Case for Cloud: Real Ways Private Cloud Can Benefit Your Organization
: Real Ways Private Cloud Can Benefit Your Organization In This Paper Leveraging cloud technology can help drive down costs while enabling service-oriented IT. Private and hybrid cloud approaches improve
_experience the commitment TM. Seek service, not just servers
The complete cloud Creating and preserving cloud savings, security and service quality transition planning and service management ABOUT THIS PAPER Creating and preserving cloud infrastructure savings,
Managing Cloud Computing Risk
Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. [email protected] Learning Objectives Understand how to identify
CLOUD COMPUTING. Additional Opportunities and Savings Need to Be Pursued
United States Government Accountability Office Report to Congressional Requesters September 2014 CLOUD COMPUTING Additional Opportunities and Savings Need to Be Pursued GAO-14-753 September 2014 CLOUD
Enterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
Executive Checklist to Transitioning Processes
Digital Innovation Series Executive Checklist to Transitioning Processes Building a Flexible Model The Digital Innovation Series traces the trends that are driving the digital-innovation imperative that
Status of Cloud Computing Environments within OPM (Report No. 4A-CI-00-14-028)
MEMORANDUM FOR KATHERINE ARCHULETA Director FROM: SUBJECT: PATRICK E. McFARLAND Inspector General Status of Cloud Computing Environments within OPM (Report No. 4A-CI-00-14-028) The purpose of this memorandum
Security Authorization Process Guide
Security Authorization Process Guide Office of the Chief Information Security Officer (CISO) Version 11.1 March 16, 2015 TABLE OF CONTENTS Introduction... 1 1.1 Background... 1 1.2 Purpose... 2 1.3 Scope...
fs viewpoint www.pwc.com/fsi
fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a
MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES
M-XX-XX MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES FROM: Anne E. Rung, United States Chief Acquisition Officer Tony Scott, United States Chief Information Officer SUBJECT: Category Management
Optimizing the Data Center for Today s State & Local Government
WHITE PAPER: OPTIMIZING THE DATA CENTER FOR TODAY S STATE...... &.. LOCAL...... GOVERNMENT.......................... Optimizing the Data Center for Today s State & Local Government Who should read this
MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all
Management of Cloud Computing Contracts and Environment
Management of Cloud Computing Contracts and Environment Audit Report Report Number IT-AR-14-009 September 4, 2014 Cloud computing contracts did not comply with Postal Service standards. Background The
Business resilience: The best defense is a good offense
IBM Business Continuity and Resiliency Services January 2009 Business resilience: The best defense is a good offense Develop a best practices strategy using a tiered approach Page 2 Contents 2 Introduction
The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009
U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009 ISD-EV-MOA-0002-2009 Contents Acronyms and Other Reference
VENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
Data Center Solutions
Data Center Solutions New Data Center Challenges Require New Solutions Data Center Architecture. Inside and Out. Data centers are mission-critical facilities. A silo-based approach to designing, deploying
Cybersecurity Enhancement Account. FY 2017 President s Budget
Cybersecurity Enhancement Account FY 2017 President s Budget February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities
DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES
DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 Washington, DC 20420 Transmittal Sheet February 28, 2012 CLOUD COMPUTING SERVICES 1. REASON FOR ISSUE: This Directive establishes the Department of Veterans
Agency for State Technology
Agency for State Technology 2015-2018 Statewide Information Technology Security Plan The Way Forward Rick Scott, Governor Jason M. Allison, State CIO Table of Contents From the Desk of the State Chief
PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:
PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On
Information Systems Security Line of Business (ISS LoB)
Information Systems Security Line of Business (ISS LoB) Information Security and Privacy Advisory Board George Washington University Washington, DC March 22, 2007 Agenda Background Status Next Steps Background
Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division. U.S. Department of Agriculture
Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division Benjamin Young, Assistant General Counsel U.S. Department of Agriculture 1 Disclaimer The views expressed in this presentation
Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP) NIST June 5, 2013 Matt Goodrich, JD FedRAMP, Program Manager Federal Cloud Computing Initiative OCSIT GSA What is FedRAMP? FedRAMP is a government-wide
5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE
5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy
CYBER SECURITY GUIDANCE
CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires
State of Montana Strategic Plan for Information Technology 2014
State of Montana Strategic Plan for Information Technology 2014 This document is prepared under the authority of the Montana Information Technology Act of 2001. It is published biennially unless special
Office of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration
STATEMENT OF Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration BEFORE THE HOUSE SCIENCE, SPACE AND TECHNOLOGY COMMITTEE SUBCOMMITTEE
Security Issues in Cloud Computing
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1
APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and
Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao Guocui.gao@tufts.
Tufts University Department of Computer Science COMP 116 Introduction to Computer Security Fall 2014 Final Project Investigating Security Issues in Cloud Computing Guocui Gao [email protected] Mentor:
HP Cloud Services Enablement portfolio for communications service providers: Compute Services. Solution brief
SCALEnow. HP Cloud Services Enablement portfolio for communications service providers: Compute Services Solution brief HP Cloud Services Enablement (HP CSE) for infrastructure as a service (IaaS) enables
From Information Management to Information Governance: The New Paradigm
From Information Management to Information Governance: The New Paradigm By: Laurie Fischer Overview The explosive growth of information presents management challenges to every organization today. Retaining
Total Protection for Compliance: Unified IT Policy Auditing
Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.
SOLUTION BRIEF CA SERVICE MANAGEMENT - SERVICE CATALOG. Can We Manage and Deliver the Services Needed Where, When and How Our Users Need Them?
SOLUTION BRIEF CA SERVICE MANAGEMENT - SERVICE CATALOG Can We Manage and Deliver the Services Needed Where, When and How Our Users Need Them? SOLUTION BRIEF CA DATABASE MANAGEMENT FOR DB2 FOR z/os DRAFT
Strategies for assessing cloud security
IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary
Cloud Computing Contract Clauses
Cloud Computing Contract Clauses Management Advisory Report Report Number SM-MA-14-005-DR April 30, 2014 Highlights The 13 cloud computing contracts did not address information accessibility and data security
Smart Data Center Solutions
Smart Data Center Solutions New Data Center Challenges Require New Solutions Data Center Architecture. Inside and Out. Data centers are mission-critical facilities. A silo-based approach to designing,
Information Technology Strategic Plan 2013 9/23/2013
Information Technology Strategic Plan 2013 9/23/2013 Unit Mission Statement: Information Technology Shared Services is dedicated to providing unparalleled service and support to the UC Davis College of
GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters
GAO United States Government Accountability Office Report to Congressional Requesters May 2010 INFORMATION SECURITY Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing GAO-10-513
Get Confidence in Mission Security with IV&V Information Assurance
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs
IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government
