Introduction to FedRAMP
Abel Sussman, June 2015

Agenda
- FedRAMP Overview and Background
- FedRAMP Final Package
- Authorization Types and Timeline
- Common Challenges and Keys to Success
- For more information
Background: Brief History of FedRAMP
OCT 2010: The General Services Administration (GSA) awards the first Infrastructure-as-a-Service (IaaS) cloud providers under a Blanket Purchase Agreement (BPA). 12 cloud providers were selected.
FEB 2011: The White House issues its Federal Cloud Computing Strategy ("Cloud First" policy).
AUG 2011: The first GSA BPA holder receives its Authority to Operate (ATO).
SEP 2011: NIST releases SP 800-145, The NIST Definition of Cloud Computing. This was followed in DEC 2011 by NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, and in MAY 2012 by NIST SP 800-146, Cloud Computing Synopsis and Recommendations.
DEC 2011: The White House releases the OMB memo "Security Authorization of Information Systems in Cloud Computing Environments", which establishes FedRAMP.
JUN 2012: FedRAMP reaches initial operating capability (IOC) in accordance with the OMB FedRAMP memo timelines, and the 24-month clock starts for all clouds to meet FedRAMP requirements. The FedRAMP baseline and parameters are established.
JAN 2013: The first CSP receives a FedRAMP Provisional Authorization (P-ATO).
MAR 2013: The White House issues OMB M-13-9, mandating a written certification from each Executive department or agency CIO and CFO, together with a listing of all cloud services that the agency determines cannot meet the FedRAMP security authorization requirements, with appropriate rationale and proposed resolutions. Quarterly updates are required.
JUN 2013: DISA releases a pre-solicitation for IaaS leveraging the FedRAMP requirements.
JUN 2014: All currently implemented cloud services and authorizations must meet the FedRAMP requirements.
OMB FedRAMP Policy Memo, December 8, 2011
- Mandates FedRAMP compliance for all cloud services used by the Federal government: all new services acquired after June 2012, and all existing services by June 2014.
- Establishes the Joint Authorization Board (JAB), made up of the CIOs from DOD, DHS and GSA, which creates the FedRAMP requirements.
- Establishes the PMO, maintained at GSA, which establishes the FedRAMP processes for agency compliance and maintains the 3PAO program.
What is FedRAMP?
Federal Risk and Authorization Management Program
"FedRAMP establishes a standardized approach to security assessment, authorization and continuous monitoring. It will save cost, time, money and staff associated with doing this work." (Steven VanRoekel, Federal Chief Information Officer)
Goals: Ensure common CSP security and compliance standards by awarding an Authority to Operate (ATO) which is accepted by all Federal agencies. A "do once, use many" framework.
FedRAMP Risk Management Framework
FedRAMP simplifies the NIST Risk Management Framework by creating four process areas that encompass the six steps within NIST SP 800-37: Document, Assess, Authorize, and Monitor.
- Document: Categorize the information system; select controls; implement and document controls.
- Assess: Independent assessment.
- Authorize: ATO and/or P-ATO.
- Monitor: Continuously monitor the system.
FISMA vs. FedRAMP
- FISMA is required for all federal agencies, departments, and their contractors, regardless of whether they are a cloud service provider or not.
- FedRAMP was developed in collaboration with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS).
- FedRAMP is required for all agencies or cloud service providers that currently use, host, or want to host federal information in a cloud environment.
- FedRAMP does not introduce new controls of its own; its baselines are built from NIST SP 800-53 Rev 4 and add controls (and parameter values) on top of the NIST baselines. A FedRAMP assessment therefore covers more controls than a FISMA assessment at the same impact level.
- Among the goals of NIST SP 800-53 Rev. 4 was to address controls and enhancements for the attributes of a cloud environment.
FISMA vs. FedRAMP Controls (control counts; * = NIST baseline)

NIST SP 800-53 Revision 3
Control Sensitivity | FISMA* | FedRAMP
High                | 328    | N/A
Moderate            | 252    | 298
Low                 | 115    | 116

NIST SP 800-53 Revision 4
Control Sensitivity | FISMA* | FedRAMP
High                | 342    | N/A
Moderate            | 261    | 325
Low                 | 124    | 125
FedRAMP Key Stakeholders & Responsibilities
- Federal Agencies: Contract with the cloud service provider; leverage an existing ATO or use the FedRAMP process when authorizing; implement consumer controls.
- Cloud Service Provider: Implement and document security; use an independent assessor; monitor security; provide artifacts.
- 3PAOs (Third Party Assessment Organizations): Cloud auditor that maintains independence from the CSP; performs initial and periodic assessment of FedRAMP controls; does NOT assist in creation of control documentation.
- FedRAMP PMO & JAB: Establish processes and standards for security authorizations; maintain a secure repository of available security packages; provisionally authorize systems that have the greatest ability to be leveraged government-wide.
FedRAMP News: The Council of the Inspectors General on Integrity and Efficiency's Cloud Computing Initiative, September 2014
Finding 1: Federal agencies need to include more detailed cloud contracting specifications.
- Recommendation 1: OMB needs to develop guidance defining a minimum set of requirements that Federal agencies must incorporate into a cloud contract when they adopt cloud computing technologies.
Finding 2: Federal agencies must meet FedRAMP requirements.
- Recommendation 2: OMB needs to determine how best to enforce FedRAMP compliance.
- Recommendation 3: OMB needs to establish a process and reporting mechanism to ensure Federal agencies require CSPs to meet the FedRAMP authorization requirements in a timely manner.
Finding 3: Federal agencies must develop accurate cloud system inventories.
- Recommendation 4: OMB needs to incorporate routine reviews of agency information system inventories into the continuous monitoring process.
You can view the IG report here: http://www.ignet.gov/randp/cloud%20computing%20initiative%20report.pdf
Contents of the FedRAMP Final Package

JAB/Agency:
1. P-ATO - Provisional Authority to Operate
2. Risk Acceptance Recommendation

CSP, FedRAMP-specific documents:
1. CIS - Control Implementation Summary
2. CTW - Control Tailoring Workbook
3. User Guide
4. E-Authentication Guide
5. FIPS 199 Categorization
6. RoB - Rules of Behavior
7. PTA & PIA - Privacy Threshold Analysis and Privacy Impact Assessment

CSP, Plans:
1. SSP - System Security Plan
2. CP - Contingency Plan
3. CMP - Configuration Management Plan
4. IRP - Incident Response Plan
5. POA&M - Plan of Action and Milestones

CSP, Policies:
1. Information Security Policy addressing all controls.

CSP, Procedures:
1. Information Security Procedures addressing all controls.

3PAO, Security Tests:
1. SAP - Security Assessment Plan
2. SAR - Security Assessment Report
3. SATC - Security Assessment Test Cases
4. Penetration Test
5. Infrastructure Vulnerability Scans
6. Application Vulnerability Scans
7. Database Vulnerability Scans
8. Risk Exposure Table

Download the templates: http://www.fedramp.gov/
FedRAMP System Security Plan (SSP) Overview
- Detailed description of control implementation, based on NIST SP 800-53 Rev 4.
- Global view of how the system is structured.
- Identifies the personnel in the organization who are responsible for system security.
- Delineates control responsibility between the customer and the vendor.
- The SSP is the key document for moving the FedRAMP assessment process forward; a well-documented SSP can save a lot of time in moving through the process.
Core Documentation
- User Guide: Describes how leveraging agencies use the system.
- Rules of Behavior: Defines the rules that describe the system users' responsibilities and expected behavior with regard to information and information system usage and access.
- Privacy Threshold Analysis / Privacy Impact Assessment (PTA/PIA): The PTA questionnaire is used to help determine if a Privacy Impact Assessment is required. The PIA assesses what Personally Identifiable Information (PII) is captured and whether it is being properly safeguarded. This deliverable is not always necessary.
- Policy and Procedure: Describe the CSP's Information Security Policy that governs the system described in the SSP.
- Control Implementation Summary (CIS): Includes control implementation responsibility and the implementation status of controls.
Required Plans
- Configuration Management Plan: Describes how changes to the system are managed and tracked. The Configuration Management Plan should be consistent with NIST SP 800-128.
- Incident Response Plan: Documents how incidents are detected, reported, and escalated, and should include timeframes, points of contact, and how incidents are handled and remediated. The Incident Response Plan should be consistent with NIST Special Publication 800-61.
- IT Contingency Plan: Used to define and test interim measures to recover information system services after a disruption. The ability to prove that system data can be routinely backed up and restored within agency-specified parameters is necessary to limit the effects of any disaster and the subsequent recovery efforts.
FedRAMP Timeline
CSP-controlled timeline (FedRAMP package creation):
- SSP with supporting policy, process, and plans: 6-12 weeks
- Penetration testing: 2 weeks
- Finalize for delivery to the JAB: 2 weeks
Federal-controlled timeline (after FedRAMP submission):
- JAB P-ATOs: 9 months +
- Agency ATOs: 4 months +
Overall: CSP-supplied package 6 weeks +; JAB P-ATO 9 months +; Agency ATO 4 months +.
Authorization Process: JAB and Agencies

JAB P-ATO (9 months +):
1. System Security Plan: ISSO and CSP review the SSP; JAB review; CSP addresses JAB concerns.
2. Security Assessment Plan: 3PAO creates the SAP, ISSO reviews the SAP; JAB review; CSP addresses JAB concerns.
3. Testing, SAR & POA&M review: 3PAO tests and creates the SAR; ISSO and CSP review the SAR; JAB review; CSP addresses JAB concerns and creates the POA&M.
4. Authorize: Final JAB review and P-ATO sign-off.

Agency ATO (4 months +):
1. System Security Plan: CSP implements the control delta; agency review; CSP addresses agency concerns.
2. Security Assessment Plan: Agency reviews the SAP; CSP addresses agency notes.
3. Testing, SAR & POA&M review: 3PAO tests and creates the SAR; agency reviews the SAR; CSP addresses concerns; CSP creates the POA&M.
4. Authorize: Final agency ATO sign-off.

Quality of documentation will determine the length of time and the number of possible cycles throughout the entire process.
Original presentation by Matt Goodrich, FedRAMP PMO, December 2013.
JAB Provisional ATO vs. Agency ATO
- Timeframe: JAB 25+ weeks minimum; Agency 14+ weeks minimum.
- Level / depth of review: JAB has four sets of eyes (PMO, DoD, DHS, GSA); Agency review is by the sponsoring agency.
- Risk acceptance level: JAB has a low risk tolerance level ("security for security"); agencies have varying levels of risk acceptance, and business needs can justify more risk, as can individual agency policies.
- Continuous monitoring: For a JAB P-ATO the JAB/PMO maintains it and agencies need to review; for an agency ATO the agency must work with the CSP to complete it.
System Security and Controls: Common Issues and Lessons Learned from Early Adopters

#  | Control      | Description
1  | SSP          | SSP lacks sufficient detail. Statements are generic and do not have enough technical breadth or depth.
2  | SC-7         | Accreditation boundary is not defined.
3  | CM-8         | Asset list is not defined.
4  | RA-5         | Technical testing not being performed (vulnerability scanning, database scanning, etc.).
5  | CM-2         | Baseline configurations not established for all assets.
6  | IA-2         | Two-factor authentication not fully implemented.
7  | IA-7 / SC-13 | FIPS 140-2 validated cryptographic modules not in place.
8  | PS-3         | Background checks not performed on all staff.
9  | SI-2         | Flaws are not remediated in a timely fashion (30 days).
10 | AU-2         | Logging is not enabled or is not being sent to a centralized log server.
Keys to Success
- Document with explicit detail: use diagrams to illustrate the system boundary, dedicated and shared systems, access points and data flow.
- Include a complete and accurate system inventory (hardware and software).
- Identify control owners and technology owners. Owners should be familiar with assessment objectives and requirements, and should be responsible for responding to assessor requests for documentation and evidence and for managing interview responses.
- Perform technical testing early and often: vulnerability scanning, credentialed configuration scanning against the hardened baseline, and penetration testing with multiple attack scenarios.
- Establish and manage your continuous monitoring program. POA&M management is often a challenge if introduced as a new concept during the FedRAMP process. Clean vulnerability scans are rare, so it is important to remain disciplined in your remediation efforts.
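The two points above that trip up early adopters most often are SI-2 (flaws not remediated within the window) and POA&M discipline. The following is an added example, not code from the original deck or from Coalfire, of the small piece of tooling a CSP can run against each monthly scan to keep both honest: it ages every open finding against its remediation window, lists what is past due, and turns the overdue items into POA&M-style rows that carry the original due date so milestone slip is visible. The CSV column names, the sample export and the 90-day and 180-day windows for moderate and low findings are assumptions for illustration; only the 30-day window for high findings comes from the deck.

```python
"""Age open vulnerability-scan findings against a remediation window and
emit POA&M rows for anything past due.

Added example, not from the original deck. It assumes a CSV export with the
columns host, plugin_id, severity, first_seen (YYYY-MM-DD) and status.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Remediation windows in days keyed by scanner severity. The 30-day high
# window is the one named in the deck; the other two are assumed values.
SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Report date, fixed so the example is reproducible offline.
AS_OF_DATE = date(2015, 6, 15)

# Constructed sample export; not real scan data.
SAMPLE_SCAN = """host,plugin_id,severity,first_seen,status
web01,11111,high,2015-04-01,open
web01,22222,moderate,2015-05-20,open
db01,33333,high,2015-05-25,open
db01,44444,low,2014-12-01,open
app01,55555,high,2015-03-01,fixed
"""


def parse_scan(csv_text):
    """Parse the CSV export into dicts, normalising severity and dates."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["first_seen"] = datetime.strptime(row["first_seen"], "%Y-%m-%d").date()
        row["severity"] = row["severity"].strip().lower()
        row["status"] = row["status"].strip().lower()
        rows.append(row)
    return rows


def overdue_findings(rows, as_of):
    """Return open findings older than their window, most overdue first.

    An unknown severity string is aged against the high window, so a
    scanner quirk never silently drops a finding out of the report.
    """
    overdue = []
    for row in rows:
        if row["status"] != "open":
            continue
        days_open = (as_of - row["first_seen"]).days
        window = SLA_DAYS.get(row["severity"], SLA_DAYS["high"])
        if days_open > window:
            overdue.append({
                "host": row["host"],
                "plugin_id": row["plugin_id"],
                "severity": row["severity"],
                "days_open": days_open,
                "days_overdue": days_open - window,
            })
    overdue.sort(key=lambda f: f["days_overdue"], reverse=True)
    return overdue


def poam_rows(overdue, as_of):
    """One POA&M-style row per overdue host/plugin pair, with the original
    due date (first_seen plus window) so the slipped milestone is explicit."""
    rows = []
    for f in overdue:
        original_due = as_of - timedelta(days=f["days_overdue"])
        rows.append({
            "weakness": f"Plugin {f['plugin_id']} on {f['host']}",
            "severity": f["severity"],
            "original_due": original_due.isoformat(),
            "days_overdue": f["days_overdue"],
        })
    return rows


def summary_by_severity(overdue):
    """Count overdue findings per severity for the monthly ConMon report."""
    counts = {}
    for f in overdue:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = overdue_findings(parse_scan(SAMPLE_SCAN), AS_OF_DATE)
    for row in poam_rows(findings, AS_OF_DATE):
        print(row)
    print(summary_by_severity(findings))
```

Run against the constructed export as of 2015-06-15, two of the four open findings are past due: the high finding on web01 (open 75 days, 45 past its 30-day window) and the low finding on db01 (open 196 days, 16 past its 180-day window). The finding marked fixed is ignored, and the other two open findings are still inside their windows. Treating unknown severities as high is a deliberate fail-closed choice: the assessor will ask about every open finding, so it is better for the report to over-flag than to lose one to a parsing oddity.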
For more information
Visit us at FedRAMP Central: www.fedrampcentral.com
- Learn: Coalfire provides updated educational tools, templates, news and support to help organizations address cloud security requirements.
- Build: Coalfire provides support in developing documentation, processes and procedures to build a secure cloud.
- Authorize: Coalfire provides independent assessment support, helping CSPs achieve authorization quickly and maintain an ongoing authorization.

Questions? Visit us at booth #331.
Abel Sussman, Director, Technology Advisory & Assessment Services
7927 Jones Branch Drive, Suite 2250, McLean, VA 22102
Tel (O): 703-720-7717, Tel (M): 703-855-9097
Abel.sussman@coalfire.com

Justin Orcutt, Director of Sales
450 7th Ave, Suite 1401, New York, NY 10123
Tel (O): 646-459-7314, Tel (M): 203-233-1747
Justin.Orcutt@coalfire.com