FedRAMP Government Discussion Matt Goodrich, FedRAMP Director



Similar documents
Federal Risk and Authorization Management Program (FedRAMP)

Overview. FedRAMP CONOPS

Esri Managed Cloud Services and FedRAMP

FedRAMP Master Acronym List. Version 1.0

FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO

Security Authorization Process Guide

How To Write The Jab P-Ato Vulnerability Scan Requirements Guide

The role of certification and standards for trusted Cloud solutions

FedRAMP Standard Contract Language

Guide to Understanding FedRAMP. Guide to Understanding FedRAMP

Seeing Though the Clouds

December 8, Security Authorization of Information Systems in Cloud Computing Environments

ArcGIS Security Authorization Advancements

Flying Through Federal Thunder Clouds Navigating FedRAMP, DoD Cloud Guidance, & Cloud Cybersecurity Issues

Continuous Monitoring Strategy & Guide

2012 FISMA Executive Summary Report

Security Authorization Process Guide

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI

Department of Homeland Security

Cloud Security for Federal Agencies

United States Department of Agriculture. Office of Inspector General

Information System Security Officer (ISSO) Guide

Cyber Security Assessment & Management (CSAM) CSAM C&A web

Information Security and Privacy Advisory Board Why Governments Invest in Salesforce.com

Cloud Computing Best Practices. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service

How to Use the Federal Risk and Authorization Management Program (FedRAMP) for Cloud Computing

Information System Security Officer (ISSO) Guide

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing

Identity and Access Management Initiatives in the United States Government

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

Federal Identity, Credential, and Access Management Trust Framework Solutions. Relying Party Guidance For Accepting Externally-Issued Credentials

Final Audit Report. Report No. 4A-CI-OO

Information Security for Managers

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

DoD Cloud Computing Security Requirements Guide (SRG) Overview

SECURITY ASSESSMENT AND AUTHORIZATION

NIST Cyber Security Activities

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

FedRAMP Package Access Request Form For Review of FedRAMP Security Package

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

Critical Review/Technology Assessment (CR/TA) November Cloud Computing for the Government Sector

AODR Role-Based Training. Name Title Division Name U.S. Department of Energy Office of the Associate CIO for Cyber Security

Final Audit Report -- CAUTION --

Assessment and Authorization

Project Type Guide. Project Planning and Management (PPM) V2.0. Custom Development Version 1.1 January PPM Project Type Custom Development

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Status of Cloud Computing Environments within OPM (Report No. 4A-CI )

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Requirements For Computer Security

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Cloud SingularLogic:

DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Appendix D-1 to Aproove Saas Contract : Security and solution hosting provider specs.

The Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative

Security Control Standard

Review of the SEC s Systems Certification and Accreditation Process

NOTICE: This publication is available at:

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

International Trade Administration

Cloud Security. A Sales Guy Talks About DoD s Cautious Journey to the Public Cloud. Sean Curry Sales Executive, Aquilent

INFORMATION PROCEDURE

Security Controls Assessment for Federal Information Systems

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

Information Security. Rick Aldrich, JD, CISSP Booz Allen Hamilton

MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

HSPD-12 Homeland Security Presidential Directive #12 Overview

Incident Management. Verdis Spearman

5 FAH-8 H-351 CLOUD COMPUTING

Lots of Updates! Where do we start?

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

HyTrust Addendum to the VMware Product Applicability Guide. For. Federal Risk and Authorization Management Program (FedRAMP) version 1.

DEPARTMENT OF DEFENSE (DoD) CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG) Version 1, Release January 2015

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

Evaluation of DHS' Information Security Program for Fiscal Year 2015

FITSP-Auditor Candidate Exam Guide

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

The Education Fellowship Finance Centralisation IT Security Strategy

NARA s Information Security Program. OIG Audit Report No October 27, 2014

How To Get A Cloud Security System To Work For You

Security Certification & Accreditation of Federal Information Systems A Tutorial

COORDINATION DRAFT. FISCAM to NIST Special Publication Revision 4. Title / Description (Critical Element)

VA Office of Inspector General

Transcription:

FedRAMP Government Discussion Matt Goodrich, FedRAMP Director January 14, 2015 [classification marking] PAGE

FedRAMP Overview Ensuring Secure Cloud Computing FedRAMP was established via OMB Memo in December 2012. FedRAMP is the first government-wide security authorization program for FISMA mandatory for all agencies and all cloud services FedRAMP s framework is being modeled in other government security programs (mobile, data) and by other countries (Canada, UK, EU, China) FedRAMP s focus is to ensure the rigorous security standards of FISMA are applied while introducing efficiencies to the process for cloud systems, key of which is re-use Conservative cost estimates for FedRAMP is $40M for the govt alone Pre-FedRAMP FedRAMP Model [classification marking] PAGE 1

FedRAMP Overview Current Statistics Authorizations JAB P-ATOs -15 Includes services from IBM, Microsoft, Akamai, HP, Lockheed Martin Agency ATOs -11 Includes Amazon, AINs, USDA, Micropact, Salesforce In Process CSPs JAB P-ATO 15 Includes services from Dell, SecureKey, Oracle, Amazon, Microsoft, IT-CNP, IBM Agency ATOs 23 Includes Microsoft, Google, Adobe, IBM, Oracle, Verizon [classification marking] PAGE 2

Agency ATO Quick Guide [classification marking] PAGE

FedRAMP Security Assessment Framework The agency ATO process should follow the FedRAMP Security Assessment Framework(SAF) The SAF is based on the NIST Risk Management Framework The FedRAMP Security Assessment Frameworkis a available at FedRAMP.gov on the Templates and Key Documents webpage [classification marking] PAGE 4

Timeline for the SAF Document Assess Authorize Monitor ConMon SSP SAP Testing SAR POAM Reports NIST RMF 1, 2, 3 NIST RMF 4 NIST RMF 5 NIST RMF 6 JAB P-ATOs Agency ATOs 9+ mos 5+ mos CSP Supplied 3+ mos [classification marking] 5 PAGE 5

Considerations During SAF TRUSTED INTERNATE CONNECTIONS (TIC) CSPs are required to support agency TIC implementations CSPs do not host TIC components in their environments FEDERAL INFORMATION PROCESSING STANDARD (FIPS) PUB 140-2 CSPs are required to implement only FIPS Pub 140-2 for all cryptographic implementations External interfaces with Federal customers PERSONAL IDENTITY VERIFICATION (PIV) Agencies are required to use PIV for multi-factor authentication CSPs are required to support PIV as a multi-factor solution [classification marking] PAGE 6

ATO Packages submitted to FedRAMP should have the following FedRAMP templates included. The PMO will check these documents for completeness FedRAMP Templates are available at FedRAMP.gov on the Templates and Key Documents webpage We suggest that you use the Test Cases that we released in Excel format for public comment: http://cloud.cio.gov/docume nt/rev-4-test-case-workbook Agency ATO Guide DocumentChecklist Templates Available FIPS 199 FedRAMP Templates Available: Control Implementation Summary (CIS) System Security Plan Information System Security Policy User Guide E-Authentication Template Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA) Rules of Behavior (ROB) IT Contingency Plan Security Assessment Plan (SAP) Test Case Workbook Security Assessment Report (SAR) Plan of Action and Milestone (POA&M) ATO Letter Cert Letter [classification marking] PAGE 7

Document Checklist Docs w/o Templates The Agency ATO Packages submitted to FedRAMP should have the following documents included. The PMO will check these documents for completeness The documents listed on this slide do not have an FedRAMP template No Template Available: Policies and procedures Business Impact Analysis Configuration Management Plan Incident Response Plan Interconnection Security Agreement (ISA/ MOU) Penetration Test Plan [classification marking] PAGE 8

Granting an ATO GRANTING AN AUTHORITY TO OPERATE (ATO) Once a review is complete, an authorization should be granted and provided to the FedRAMP PMO Authorization for Cloud Providers should not be tied to individual Applications or Platforms CSPs are intended for multiple tenants, use by different customers Authorizations should be viewed as building blocks For Microsoft packages, consuming agencies will need to leverage all of the packages that relate to the service being consumed e.g. GFS, Azure, O365 Customer Agencies will ALWAYS have some responsibility for controls e.g. an agency will always have to enforce 2 factor authentication [classification marking] PAGE 9

Sample ATO and Cert Letter Template Included with the authorization package should be a Certification Letter and ATO Memo detailing your agency s authorization. A sample Certification Letter is attached below: Sample Cert Letter You can find the Sample FedRAMP ATO Memo Template at FedRAMP.gov on the Templates and Key Documents webpage [classification marking] PAGE 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information