FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO



Similar documents
Federal Risk and Authorization Management Program (FedRAMP)

Overview. FedRAMP CONOPS

How To Write The Jab P-Ato Vulnerability Scan Requirements Guide

FedRAMP Penetration Test Guidance. Version 1.0.1

Security Authorization Process Guide

Continuous Monitoring Strategy & Guide

Esri Managed Cloud Services and FedRAMP

FedRAMP Government Discussion Matt Goodrich, FedRAMP Director

FedRAMP Standard Contract Language

Guide to Understanding FedRAMP. Guide to Understanding FedRAMP

FedRAMP Master Acronym List. Version 1.0

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Cloud Security for Federal Agencies

Taking Information Security Risk Management Beyond Smoke & Mirrors

Review of the SEC s Systems Certification and Accreditation Process

Hosted by Lunarline: School of Cyber Security

United States Patent and Trademark Office

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

Security Control Standard

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

Information Security for Managers

How to Use the Federal Risk and Authorization Management Program (FedRAMP) for Cloud Computing

CMS INFORMATION SECURITY ASSESSMENT PROCEDURE

Cyber Security Assessment & Management (CSAM) CSAM C&A web

Final Audit Report -- CAUTION --

Seeing Though the Clouds

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

Security Control Standard

Information System Contingency Plan Template. <Vendor> <Information System Name> Version x.x

SECURITY ASSESSMENT AND AUTHORIZATION

CTR System Report FISMA

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

Presented by Evan Sylvester, CISSP

International Trade Administration

ArcGIS Security Authorization Advancements

NOTICE: This publication is available at:

Computing. Federal Cloud. Service Providers. The Definitive Guide for Cloud. Matthew Metheny ELSEVIER. Syngress is NEWYORK OXFORD PARIS SAN DIEGO

CMS Information Security Risk Assessment (RA) Methodology

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

FINAL Version 1.0 June 25, 2014

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

2015 Security Training Schedule

NOTICE: This publication is available at:

From Chaos to Clarity: Embedding Security into the SDLC

Payment Card Industry (PCI) Penetration Testing Standard

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE

NOTICE: This publication is available at:

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Plan of Action and Milestones (POA&M) Training Session

Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

NEW PENETRATION TESTING REQUIREMENTS, EXPLAINED

Security Controls Assessment for Federal Information Systems

2012 FISMA Executive Summary Report

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

STATE OF NEW JERSEY IT CIRCULAR

FREQUENTLY ASKED QUESTIONS

After reviewing all the questions, the most common and relevant questions were chosen and the answers are below:

Information System Security Officer (ISSO) Guide

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

LUNARLINE: School of Cyber Security. Dedicated to providing excellence in Cyber Security Training Certifications. ISO 9001: 2008 Certified

Office of Inspector General

Checklist for Vulnerability Assessment

EPA Classification No.: CIO P-04.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

2014 Audit of the Board s Information Security Program

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

The Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative

December 8, Security Authorization of Information Systems in Cloud Computing Environments

Lots of Updates! Where do we start?

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

Close-Up on Cloud Security Audit

Cybersecurity The role of Internal Audit

CONTINUOUS MONITORING

Requirements For Computer Security

Assessment and Authorization

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Spillemyndigheden s Certification Programme Instructions on Penetration Testing

PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

DoD ENTERPRISE CLOUD SERVICE BROKER CLOUD SECURITY MODEL

John Essner, CISO Office of Information Technology State of New Jersey

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

HSIN R3 User Accounts: Manual Identity Proofing Process

How To Improve Nasa'S Security

FITSP-M. Lab Activity Guide

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Transcription:

FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO www.fedramp.gov www.fedramp.gov 1

Today s Training Welcome to Part Four of the FedRAMP Training Series: 1. Introduction to the Federal Risk and Authorization Program (FedRAMP) 100A 2. FedRAMP System Security Plan (SSP) Required Documents 200A 3. FedRAMP Review and Approve (R&A) Process 201A 4. Security Assessment Plan (SAP) Overview 200B 5. Security Assessment Report (SAR) Overview 200C 6. How to Write to a Control 7. Continuous Monitoring Overview The goal of the FedRAMP Training Series is to provide a deeper understanding of the FedRAMP program and how to successfully complete a FedRAMP Authorization Package assessment. www.fedramp.gov 2

Training Objectives At the conclusion of this training session you should understand: The relationship between the SAP and the FedRAMP Security Assessment Framework (SAF) The role of a 3PAO in the assessment process How to write specific sections of the SAP Specific assessment methods What the FedRAMP PMO is looking for when reviewing a SAP www.fedramp.gov 3

FedRAMP Security Assessment Framework(SAF) and NIST RMF (Risk Management Framework) www.fedramp.gov 4

Role of a 3PAO Accreditation Process Governed by A2LA 3PAO meets FedRAMP requirements for technical FISMA competence FedRAMP Security Assessment Process CSP works with accredited 3PAO 3PAO determines the effectiveness of the security control implementation. www.fedramp.gov 5

Role of a 3PAO Perform initial and periodic assessments of a CSP s security controls Audit control implementation Vulnerability scanning and penetration testing Validate and attest to a CSP s compliance with FedRAMP and FISMA requirements Create a SAP including a plan for penetration testing Create a Security Assessment Report (SAR) including all artifacts and evidence collected Provide a consistently high level of rigor in their assessments Maintain compliance with FedRAMP 3PAO requirements for independence and technical competence Does not assist in the creation of control documentation www.fedramp.gov 6

SAP Template The SAP does the following: Identifies activities planned for an assessment Identifies rules and boundaries for assessors Identifies the systems and networks being assessed, type and level of testing permitted, logistical details, and data handling requirements Identifies all the assets within the scope of the assessment, including components such as hardware, software, and physical facilities Provides a roadmap and methodology for execution of the tests Indicates that the 3PAO will use the FedRAMP associated security test cases that are provided www.fedramp.gov 7

Scope and Assumptions Section Focus Further identify the cloud system Detail key system attributes Set up the testing parameters 3PAO Action Solidify the testing scope, control selection, and system boundary Be clear and consistent in naming conventions for system identifiers www.fedramp.gov 8

Scope and Assumptions Scope Identification Physical locations of all the different components IP addresses, and network ranges, of the system Web based applications and the logins Databases Functions and roles Assumptions Dependencies on resources Appropriate login account information / credentials Access to hardware, software, systems, and networks Process for testing security controls that have been identified as Not Applicable Situational testing of significant upgrades or changes to the infrastructure and components of the system www.fedramp.gov 9

Methodology Section Focus Provide a documented methodology to describe the process for testing the security controls 3PAO Action Use FedRAMP supplied test procedures to evaluate the security controls Record test results in the Rev 4 Test Case Workbook Test selected baseline controls per required test procedures and document any control deficiencies and findings. www.fedramp.gov 10

Methodology Examine Reviewing, inspecting, observing, studying, or analyzing one or more assessment objective Gain an understanding, clarification, or evidence Interview Holding discussions Gain an understanding, clarification, or evidence Test Exercising objects under specified conditions To compare actual with expected behavior www.fedramp.gov 11

Test Plan Section Focus Execution of testing 3PAO Actions Obtain at least three points of contact Describe what tools will be used for testing security controls Describe what technical tests will be performed through manual methods without the use of automated tools Insert the security assessment testing schedule Indicate what sampling will be implemented for both technical controls and management controls www.fedramp.gov 12

Rules of Engagement Section Focus Describes proper notifications and disclosures between the owner of a tested systems and an independent assessor Includes information about targets of automated scans and IP address origination information of automated scans (and other testing tools) 3PAO Action Edit and modify the disclosures of this section as necessary Identify specific activities included and not included in the testing of each unique system www.fedramp.gov 13

Appendix General references, definitions, terms, and acronyms Test case scenarios Penetration testing guidelines Testing of all the attack vectors Approach, constraints, and methodologies for each planned attack Test schedule Technical POC Reference documentation Penetration testing rules of engagement Penetration testing methodology Sampling methodology www.fedramp.gov 14

Key Documentation Checks Initial and Detailed Reviews Completeness Showstoppers Common Problems Critical Controls www.fedramp.gov 15

Key Documentation Checks Table 2-1: Does the information in this document match Table 1-1 in the SSP? Table 2-2: Does information include all locations listed in the SSP? Table 2-3: Does this table include IP addresses for the complete inventory? Table 2-4: Does this table include all web applications (URLs) for the complete inventory? Table 2-5: Does this table include all database applications for the complete inventory? Table 2-6: Are functions for each of the roles defined in enough detail to determine the testing that will be done? Section 3: Have any assumptions been changed, deleted, or added. Table 5-1: Does the role description provide information about what the tester will actually be doing, for example, penetration testing, vulnerability scanning? Table 5-2: Does the role description provide information about what the CSP POC will be doing for these tests? Table 5-3: Does the list of tools include a detailed description of what the tools will be used to test within the system? Table 5-4: Does this table include manual tests that may be required for items that cannot be tested using automated tools? Table 5-5: Does the schedule match the ISSO project schedule? www.fedramp.gov 16

For more information, please contact us or visit us at any of the following websites: http://fedramp.gov http://gsa.gov/fedramp @FederalCloud www.fedramp.gov 17 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information