Flying Through Federal Thunder Clouds Navigating FedRAMP, DoD Cloud Guidance, & Cloud Cybersecurity Issues




Flying Through Federal Thunder Clouds: Navigating FedRAMP, DoD Cloud Guidance, & Cloud Cybersecurity Issues
M. Peter Adler (SRA International, Inc.), David Z. Bodenheimer (Crowell & Moring LLP), Annejanette Heckman Pickens (General Dynamics Advanced Information Systems)
WMACCA Government Contractors Forum, April 23, 2014, 12:30 to 2 pm
2014 Crowell & Moring LLP

Speakers
Annejanette Heckman Pickens is Assistant General Counsel for General Dynamics Advanced Information Systems, where she supports the Cyber and Intelligence Solutions Division and serves as lead counsel for General Dynamics Fidelis Cybersecurity Solutions, which provides network defense and digital forensics products and services to commercial enterprise and government customers. Before joining General Dynamics, Ms. Pickens served as Senior Counsel for the U.S. Public Sector region of Hewlett-Packard Company, the world's largest technology company. Ms. Pickens is a Council Member of the American Bar Association Public Contract Law Section and the founding Chair of the Section's Cybersecurity, Privacy and Data Protection Committee.

M. Peter Adler is a Vice President at SRA International, Inc., where he serves as the company's Chief Privacy Officer and Senior Counsel, Cybersecurity and Health, and leads the Government Affairs Office. In these capacities, he advises the company on compliance with legal and contractual requirements under privacy and cybersecurity laws, regulations and standards, and has responsibility for corporate policies, procedures and compliance for data privacy and cybersecurity. He is also the lead attorney for SRA's Health Group and guides the company on legislative and regulatory trends and developments. Peter previously served as a partner in law firms in Washington, DC, where he advised clients on U.S. and international cybersecurity and privacy law and regulations. Immediately prior to joining SRA, Peter was the Chief Privacy Officer for UnitedHealth Group.

David Z. Bodenheimer is a Partner at Crowell & Moring LLP in Washington, DC, where he litigates Government Contracts disputes, including defective pricing, protests, and fraud matters. See, e.g., Supreme Foodservice GmbH v. United States, 109 Fed. Cl. 369 (2013) (won stay on $8 billion contract award); Wynne v. UTC, 463 F.3d 1261 (Fed. Cir. 2006) (defeated $299 million defective pricing claim). He has advised, trained, and defended Fortune 500 clients on public sector cybersecurity, data breach, and privacy issues (e.g., FISMA, NIST, FedRAMP, DoD) and has written and lectured extensively on cloud computing and cybersecurity (www.crowell.com). For the American Bar Association (ABA), he serves as Division Co-Chair (Security, Privacy & Information Law), Committee Co-Chair (Cybersecurity), and a member of the ABA President's Cybersecurity Legal Task Force.

Overview
- Cloud Computing Overview
- Defining the Cloud: definitions & characteristics; service & deployment models
- Driving the Cloud: IT spending & cost savings; Federal Cloud First policy
- Other Cloud Issues: export controls (ITAR); global privacy; eDiscovery; electronic records & archives
- Securing the Cloud: NIST standards; FedRAMP; DoD cloud guidance
- Acquiring the Cloud: security issues; acquisition challenges

Defining the Cloud: Federal Definition
"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (NIST SP 800-145)

Defining the Cloud: Cloud Essentials (NIST/GAO)
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

Defining the Cloud: Service Models (NIST/GAO)
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)

Defining the Cloud: Deployment Models (NIST/GAO)
- Private
- Community
- Public
- Hybrid
Risk vs. cost: private vs. public cloud

Controlling the Cloud Environment
Shared-control matrix (slide graphic): rows are the stack layers Data, App, VM, Server, Storage, Network; columns are the hosting models Dedicated, IT Hosting Provider, Public IaaS, Public PaaS, Public SaaS. Legend: organization has control; organization and cloud provider share control; cloud provider has control. The per-cell legend assignments were not captured in the transcription.

Driving the Cloud: Key Cloud Drivers
- IT spending trends
- Federal Cloud First policy
IT Spending & Cost Savings
- Federal IT spending grew from $45B to $79B (FY2001 to FY2012)
- $20 billion of that spending identified as a potential target for migration to the cloud (Federal Cloud Computing Strategy estimate)
Budget Pressures
- Federal pressure on IT spending
- 25-90% cost savings

Driving the Cloud: Commerciality Drivers
- FASA of 1994: agency duty to acquire commercial items to the maximum extent practicable (10 U.S.C. 2377(b))
- FAR: "Maximizing the use of commercial products and services in federal acquisitions." (FAR 1.102(b)(1)(i))
- FAR Part 12: limited list of required clauses; T&Cs governed by standard commercial practices
Commercial Trends
"Similarly, a McKinsey survey of 250 chief information officers (CIOs) of large companies across different industries found that they expect over two-thirds of corporate applications to be virtualized by 2014. Virtualization cuts the cost of computing by up to 50 percent with savings gains from lower infrastructure operational costs. Not only are legacy applications being virtualized, new IT investments are predominantly in cloud computing. IDC estimates that 80 percent of new commercial applications deployed this year will be on cloud computing platforms." (2012 House Judiciary Comm. Hearings (Castro))

Securing the Cloud: Overview of Cybersecurity Threats
1. Cloud security threats
2. Federal cloud security standards
3. FedRAMP program
4. DoD cloud security guidance

Securing the Cloud (Threats): Security Concerns
22 of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing (GAO-10-513).
Epsilon Breach
"Epsilon, an email service provider for companies, reported a breach that affected approximately 75 client companies. Email addresses and customer names were affected. Epsilon has not disclosed the names of the companies affected or the total number of names stolen. However, millions of customers received notices from a growing list of companies, making this the largest security breach ever. Conservative estimates place the number of customer email addresses breached at 50 to 60 million. The number of customer emails exposed may have reached 250 million.... The Epsilon breach is also significant because it highlights the risk of cloud-based computing systems and the need for greater cloud security measures." (Privacy Rights Clearinghouse, Data Breaches, Apr. 16, 2012)

Securing the Cloud (Threats): Red Cloud Rising
"Chinese industry analysis projects that China's cloud computing industry will continue to grow, with the overall value chain reaching between 750 billion and 1 trillion renminbi (RMB) ($122 to $163 billion USD) by 2015."
Key Security Risks
- Surveillance: "China's primary foreign intelligence collection organization... has taken an oversight role in projects for Chinese cloud computing."
- Security: "International joint ventures may jeopardize the foreign firms' information security arrangements."
- Offensive operations: "Chinese cloud computing infrastructure could be used for offensive cyber operations..."

Securing the Cloud: OMB Security Factors
- Carefully define security & privacy requirements
- Determine the extent to which negotiated service agreements are required to satisfy security
- Assess the extent to which the server- and client-side computing environment meets security needs
- Continue to maintain security management practices, controls, and accountability
OMB Security Policy
"The Federal Government will create a transparent security environment between cloud providers and cloud consumers. The environment will move us to a level where the Federal Government's understanding and ability to assess its security posture will be superior to what is provided within agencies today."

Securing the Cloud: NIST Key Security Issues
- Governance
- Compliance
- Data location
- Trust
- Architecture
- Identity & access management
- Data protection
- Availability
- Incident response
Source: NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing (Dec. 2011)

Securing the Cloud: FedRAMP Cloud Security
FedRAMP Program
- Government-wide cloud program
- Standardized authorization process
- Purpose: approve once and use often
- Avoid inconsistent agency standards
FedRAMP Responsibilities
- GSA: lead responsibility for the FedRAMP program and its definition
- Agencies: agency-level implementation
Continuous Monitoring
- Configuration management
- Change analysis
- Periodic monitoring
Security Controls
- NIST SP 800-53
- FIPS 199

Securing the Cloud: FedRAMP Templates (http://cloud.cio.gov/fedramp/templates)
Initial documentation
- System Security Plan (SSP) Template
- Contingency Plan Template
- FIPS 199 Template
- Privacy Threshold Analysis & Privacy Impact Assessment
- Control Implementation Summary Template
- Control Tailoring Workbook (CTW) Template
- e-Authentication Template
- Rules of Behavior (RoB) Template
SAP/SAR
- Security Assessment Plan (SAP) Template
- Security Assessment Test Cases
- Security Assessment Report (SAR) Template
Continuous monitoring
- Security Assessment Plan (Annual Assessment)
- Annual Security Assessment Report (SAR)
- Self-Attestation Template
FedRAMP Key Documents
- Branding Guidance
- Cloud Best Practices White Paper
- Concept of Operations (CONOPS)
- Continuous Monitoring Strategy Guide
- Control Quick Guide
- Control-Specific Contract Clauses
- Guide to Understanding FedRAMP
- Incident Communications Procedure
- JAB Charter
- Package Request Form
- Policy Memo (OMB)
- Security Controls
- Significant Change Form
- Standard Contract Clauses

Securing the Cloud: FedRAMP Security Process
- Security control selection: NIST SP 800-53 Rev. 3 (Rev. 4 soon)
- Security control implementation: System Security Plan (SSP)
- Security assessment: Security Assessment Plan (SAP); Security Assessment Report (SAR)
- Third-party assessments (3PAO): independent verification/validation; list of approved 3PAOs
- Contract clauses: standard clauses; special clauses (data location, audit, encryption, incident reporting, etc.)

Securing the Cloud: FedRAMP Security Controls (Part 1) (control table on the slide; not captured in the transcription)

Securing the Cloud: FedRAMP Security Controls (Part 2) (control table on the slide; not captured in the transcription)

Securing the Cloud: FedRAMP 2.0
Security Controls
- Low & Moderate impact only; not High impact (only 20% = High)
Changes
- Add additional security controls
- Update to NIST SP 800-53 Rev. 4
Federal Agencies & FedRAMP
- DoD adding controls
- Other agencies not adding controls
FedRAMP Changes
"The General Services Administration is updating governmentwide standards for securing cloud solutions and expects to release those changes within the next three months. The 298 security controls under FedRAMP are based on National Institute of Standards and Technology guidelines, which govern how agencies should secure their information technology systems. NIST updated those guidelines last year. GSA will release plans in the coming weeks for cloud providers under FedRAMP to transition to the new standards, said Matt Goodrich, program manager for FedRAMP." (GSA to Update Federal Cloud Standards, Federal Times, Apr. 2, 2014)
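The FIPS 199 categorization that decides which FedRAMP baseline a system needs can be worked through mechanically. The Go program below is an added example written for this page, not code from the presenters or from FedRAMP: it applies the FIPS 199 high-water-mark rule (per security objective, the highest impact among the system's information types; overall, the highest across confidentiality, integrity and availability) and then maps the result to a baseline, refusing a High system because, as the slide notes, FedRAMP at the time offered Low and Moderate baselines only. The information types, their impact levels and all function names are constructed for illustration; an agency would take provisional levels from NIST SP 800-60 and adjust them.

```go
package main

import (
	"errors"
	"fmt"
)

// Impact is a FIPS 199 potential impact level. NotApplicable is permitted only for the
// confidentiality objective of information intended for public release.
type Impact int

const (
	NotApplicable Impact = iota
	Low
	Moderate
	High
)

var impactNames = []string{"N/A", "Low", "Moderate", "High"}

func (i Impact) String() string { return impactNames[i] }

// InfoType is one information type the system stores or processes, with the provisional
// impact levels assigned per security objective (values used in main are constructed).
type InfoType struct {
	Name                                     string
	Confidentiality, Integrity, Availability Impact
}

// Categorization is the system's FIPS 199 security category,
// SC = {(confidentiality, x), (integrity, y), (availability, z)}, plus the high-water mark.
type Categorization struct {
	Confidentiality, Integrity, Availability, Overall Impact
}

func maxImpact(a, b Impact) Impact {
	if a > b {
		return a
	}
	return b
}

// Categorize aggregates information types into the system category: per objective, the
// highest level among all types; overall, the highest across the three objectives.
func Categorize(types []InfoType) (Categorization, error) {
	if len(types) == 0 {
		return Categorization{}, errors.New("no information types supplied")
	}
	var c Categorization
	for _, t := range types {
		if t.Integrity == NotApplicable || t.Availability == NotApplicable {
			return Categorization{}, fmt.Errorf("%s: FIPS 199 permits N/A only for confidentiality", t.Name)
		}
		c.Confidentiality = maxImpact(c.Confidentiality, t.Confidentiality)
		c.Integrity = maxImpact(c.Integrity, t.Integrity)
		c.Availability = maxImpact(c.Availability, t.Availability)
	}
	c.Overall = maxImpact(c.Confidentiality, maxImpact(c.Integrity, c.Availability))
	return c, nil
}

// FedRAMPBaseline maps the high-water mark to the NIST SP 800-53 baseline a FedRAMP package
// must implement. A High system returns an error rather than a silently downgraded baseline,
// because, as the slide notes, FedRAMP offered only Low and Moderate baselines at the time.
func FedRAMPBaseline(c Categorization) (string, error) {
	switch c.Overall {
	case Low, Moderate:
		return c.Overall.String(), nil
	case High:
		return "", errors.New("FIPS 199 High: no FedRAMP baseline available (Low and Moderate only)")
	}
	return "", errors.New("overall impact cannot be N/A")
}

func main() {
	// Constructed example: a public-facing citizen portal that also holds account records.
	system := []InfoType{
		{"Public web content", NotApplicable, Moderate, Moderate},
		{"Account records with PII", Moderate, Moderate, Low},
	}
	c, err := Categorize(system)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("SC = {(C,%s), (I,%s), (A,%s)}, high-water mark %s\n",
		c.Confidentiality, c.Integrity, c.Availability, c.Overall)
	baseline, err := FedRAMPBaseline(c)
	fmt.Println("FedRAMP baseline:", baseline, err)

	// One High-impact information type pushes the whole system to High.
	c, _ = Categorize(append(system, InfoType{"Law enforcement case files", High, High, Moderate}))
	_, err = FedRAMPBaseline(c)
	fmt.Println("with High-impact data added:", err)
}
```

Categorize also enforces the one asymmetry in FIPS 199: an information type may carry N/A for confidentiality (public information), but never for integrity or availability, and a single High-impact information type is enough to take the whole system out of FedRAMP's reach under the baselines described on this slide.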

Securing the Cloud: FedRAMP ATOs (FedRAMP website, Cloud Service Provider Authority to Operate, as of 3/31/14)
Agency ATOs
- AINS, Inc. (SaaS): eCase SaaS
- Amazon Web Services (IaaS): AWS East/West Public Cloud
- Amazon Web Services (IaaS): AWS Gov. Community Cloud
- U.S. Dept. of Agriculture (IaaS): USDA National Information Technology Center
Provisional ATOs
- Akamai (IaaS)
- AT&T (IaaS)
- Autonomic Resources LLC (IaaS)
- CGI Federal (IaaS)
- Concurrent Technologies (SaaS)
- Hewlett Packard (IaaS)
- IBM (IaaS)
- Lockheed Martin (IaaS)
- Microsoft (IaaS & PaaS)
- Oracle (PaaS)

Securing the Cloud: DoD Cloud Controls (summary table of DoD controls on the slide; not captured in the transcription)

Securing the Public Cloud: DoD Cloud Controls
DoD Policy Memo
- Centralized control: DISA as Cloud Service Broker
- Scope: commercial cloud services; Low impact only; DISN/GIG Flag Panel (Moderate)
- Security controls: over and above FedRAMP
Matrix
- List of controls

Securing the Public Cloud: DoD Cloud Matrix
- Physical access: DoD IG access to CSP data center
- Personnel access: U.S. citizens only
- Nondisclosure agreements: NDAs for all CSP personnel
- Data breach: notification to DoD within 60 minutes
- Indemnification: CSPs indemnify DoD
- Insurance: CSPs must have cyber insurance
Acquisition Issues
- Commercial items: standard commercial practices
- Competition: unduly restrictive specifications
- FedRAMP: government-wide program
- Executive Order: harmonization of standards
- Public notice & comment: APA (Administrative Procedure Act) standards

Acquiring the Cloud: Key Acquisition Issues
- Selection: service/deployment model
- Provider/end-user agreement
- Service-level agreement
- Roles & responsibilities
- Standards (e.g., NIST)
- Security
- Privacy
- e-Discovery
- FOIA
- e-Records (e.g., Federal Records Act)
Acquisition Challenges (GAO-12-756)
"Obtaining guidance: Existing federal guidance for using cloud services may be insufficient or incomplete. Agencies cited a number of areas where additional guidance is needed such as purchasing commodity IT and assessing Federal Information Security Management Act security levels....
Acquiring knowledge and expertise: Agencies may not have the necessary tools or resources, such as expertise among staff, to implement cloud solutions. DHS officials explained that delivering cloud services without direct knowledge of the technologies has been difficult. Similarly, an HHS official stated that teaching their staff an entirely new set of processes and tools such as monitoring performance in the cloud environment has been a challenge.
Ensuring data portability and interoperability: To preserve their ability to change vendors in the future, agencies may attempt to avoid platforms or technologies that lock customers into a particular product. For example, a Treasury official explained that it is challenging to separate from a vendor, in part due to a lack of visibility into the vendor's infrastructure and data."

Acquiring the Cloud: Best Practice Topics (acquisition best practices listed on the slide; not captured in the transcription)

Acquiring the Cloud: Security Questions and Privacy Questions (question lists on the slide; not captured in the transcription)

Acquiring the Cloud: Other Acquisition Issues
Security restrictions for particular countries
- Trade Agreements Act countries okay (e.g., Yemen, Somalia, Afghanistan)
- Non-Trade Agreements Act countries barred (e.g., Brazil, India)
Security restrictions by cloud type
- Government community cloud: greater security upheld
Sample RFP Problems
- Insufficient federal cloud guidance (GAO-12-756, 2012)
- Organizational conflicts of interest (cloud services vs. oversight)
- Solicitation ambiguities (e.g., DOI): Technosource Info. Sys., B-405296, 2011 CPD 220

Governing the Cloud: Data Governance
- Approach to managing risks in the cloud
- Moving from an operational to a governance view

Governing the Cloud: Trend Toward Shared Responsibility
- Cloud services necessitate a move from taking direct control to setting organizational objectives and requirements
- Trust but verify: metrics, measures, key performance indicators and some degree of monitoring; verify what is going on on a regular basis
- Meet this as a joint responsibility: it requires some shared responsibilities between the CSP and the customer; work with the CSP to help them understand your mission and goals; tell the CSP they cannot indemnify themselves from every liability
- FFIEC, FedRAMP and the EU Opinion all acknowledge or suggest shared responsibilities for compliance in the cloud

Shared Approach: Trust but Verify
Plan
- Learn as much as possible about the entire IT environment for the data being placed into the cloud
- Identify and document compliance requirements
- Create a roadmap of controls with clear roles and responsibilities for the organization and the cloud provider (and include it in the contract)
Implement
- Implement controls to meet enterprise compliance requirements
- Identify and document controls owned by the cloud provider
- Include additional requirements in Service Level Agreements
Verify
- Verify that all control objectives are met
- Verify that all key controls are designed and operating effectively

Data Governance Model Applied to the Cloud (Source: Data Governance Institute)
Program lifecycle: develop a value statement; prepare a roadmap; plan and fund; design the program; deploy the program; govern the data; monitor, measure, report.
Shared responsibility focus areas: compliance; metrics/success factors; verification.
Rules of Engagement and Control
1. Mission (Org)
2. Goals, governance, metrics and success measures, and verification (Org/CSP)
3. Data rules and definitions (Org/CSP)
4. Decision rights (Org/CSP)
5. Accountabilities (Org/CSP)
6. Controls (Org/CSP)
People and Organizational Bodies
7. Data stakeholders (Org)
8. Data Governance Office (DGO) (Org)
9. Data stewards (Org/CSP)
Processes
10. Proactive, reactive and continuous data governance processes: business/IT processes that touch data (Org)

Negotiating Cloud Provider Contract Terms under a Data Governance Model
- Service contract
- Due diligence
- Service Level Agreements
- Moving toward shared responsibility

Due Diligence: Transparency
Old way
- CSPs were wary about providing information on how information is protected inside the cloud: What controls are being used? What standards are being followed, and how are they being met? What documentation will you share?
- CSPs claimed that they couldn't give much transparency because it might affect other customers: adversaries could use the information against other customers
Emerging way
- Cloud providers are providing documentation of controls and compliance based on third-party validation (e.g., Amazon Web Services, Risk and Compliance White Paper, November 2013; Carpathia Hosting)
- Other cloud providers will work with their customers to satisfy additional needs, for additional cost

Contract Terms and Difficult Areas
Key Contract Terms
- Scope of information protected
- Definition of security
- Restrictions on use and disclosure
- Audit rights
- Security breach/incident response
- Access to information
- Return and disposal
- Business continuity/disaster recovery
- Indemnification
- Insurance
- Limitations of liability
- Compliance
Difficult Areas
- Data location
- Identity and the use of subcontractors
- The absence of meaningful penalties
- Data retention or data disposal
- Portability

Contract Negotiations
- Start with the premise of shared responsibility
- The CSP's standard contract terms may need to change to support a model of shared responsibility
- Include operational metrics and security metrics in dashboard reports, and in more detail upon request
- Don't rely on the CSP's terms of service to define what you are purchasing, because the CSP can change them unilaterally; include the terms in the contract and reference their inclusion in later SLAs
- Maintain these terms for the life of the agreement unless modifications are agreed in writing by both parties
- Keep these terms at the operational or governing level so that governance is made part of the contract
- Incorporate by reference written representations of compliance

Service Level Agreements
- Service Level Agreements (SLAs) are agreements under the overall cloud computing contract between a CSP and its customer
- SLAs define, in measurable terms, the acceptable service levels the CSP will provide to its customers
- SLA performance clauses should be consistent with the performance clauses within the contract
As a best practice, SLAs should:
- clearly define how performance is guaranteed (such as response time, resolution/mitigation time, availability, etc.)
- require CSPs to monitor and periodically report their service levels
- provide a dashboard where the customer can continuously verify that service levels are being met
- provide timely notification of a failure to meet the SLAs
- provide documented evidence that problems have been resolved or mitigated
- include rights and remedies for nonperformance

Encryption: Extend It to the Cloud
- In transit and at rest: just encrypt
- If the CSP is providing storage only, customer-controlled encryption makes sense, but planning is necessary
- Key management: have a key escrow and archive keys (data encrypted under a retired key version stays unrecoverable without that version)
- Crypto at rest: evaluate cryptographic modules against a standard such as FIPS 140-2
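The "just encrypt, then manage and archive the keys" advice above is easiest to see as a key hierarchy. The Go program below is an added example for this page, not code from the presenters or from any CSP: each object is encrypted under a fresh data-encryption key (DEK) with AES-256-GCM, the DEK is wrapped under a key-encryption key (KEK) that stays with the customer, and only the ciphertext plus the wrapped DEK (the envelope) go to the provider. The KeyArchive type stands in for the escrow/archive the slide calls for: rotating the KEK adds a version, older versions are retained so earlier envelopes still open, and Decrypt of an envelope whose KEK version is absent from the archive fails with an explicit "unrecoverable" error, which is the lost-key failure mode the archive exists to prevent. The type and function names, the version labels and the record text are all constructed for this example; a production deployment would keep the KEKs in a FIPS 140-2 validated module rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the cloud provider stores: data ciphertext plus the DEK wrapped under a
// customer-held KEK. The provider never holds the KEK or an unwrapped DEK.
type Envelope struct {
	KEKID      string // archived KEK version that wrapped the DEK
	WrappedDEK []byte // AES-256-GCM seal of the DEK, nonce prepended
	Ciphertext []byte // AES-256-GCM seal of the data, nonce prepended
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // entropy failure is fatal; never fall back to a weak key or nonce
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts under a fresh random nonce and returns nonce||ciphertext||tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to key, nonce, ciphertext or AAD fails authentication.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// KeyArchive is the customer's KEK escrow: every version ever used is kept, because an
// envelope wrapped under version N opens only with version N. Call Rotate before first use.
type KeyArchive struct {
	current string
	keks    map[string][]byte
}

// Rotate generates a fresh 256-bit KEK and makes it current; older versions stay archived.
func (a *KeyArchive) Rotate() {
	if a.keks == nil {
		a.keks = map[string][]byte{}
	}
	a.current = fmt.Sprintf("kek-v%d", len(a.keks)+1) // constructed version label
	a.keks[a.current] = randomBytes(32)
}

// Encrypt seals plaintext under a fresh DEK and wraps the DEK under the current KEK. The KEK ID
// is bound into the wrap as associated data, so relabelling a stored envelope fails at unwrap.
func (a *KeyArchive) Encrypt(plaintext []byte) (Envelope, error) {
	dek := randomBytes(32)
	ct, err := gcmSeal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(a.keks[a.current], dek, []byte(a.current))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: a.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the archived KEK version named in the envelope; a version
// missing from the archive is the "lost key, lost data" failure that escrow exists to prevent.
func (a *KeyArchive) Decrypt(env Envelope) ([]byte, error) {
	kek, ok := a.keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not in archive: ciphertext is unrecoverable", env.KEKID)
	}
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, nil)
}
```

Typical use: declare a KeyArchive, call Rotate to create the first KEK version, Encrypt each object and ship the Envelope to the provider, and keep the archive (and backups of it) off the provider's infrastructure. Because the KEK ID is authenticated along with the wrapped DEK, an envelope relabelled to a different version, a truncated blob, or any bit-flip in transit is rejected rather than decrypted to garbage, and an envelope whose version was never archived is reported as unrecoverable instead of silently failing later.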

Practical Lessons Learned: Practical Tips for the Federal Cloud
1. Prepare for the cloud. It's coming.
2. Think commercial first.
3. Define agency needs.
4. Scrub the requirements.
5. Build in security.
6. Use available guidance (OMB, NIST, FedRAMP).
7. Prepare for lessons learned.

Questions?
David Z. Bodenheimer, Crowell & Moring LLP, (202) 624-2713, dbodenheimer@crowell.com
M. Peter Adler, SRA International, Inc., (703) 502-1270, peter_adler@sra.com