Achieving FISMA Compliance with Acquia Cloud
Transcript of Achieving FISMA Compliance with Acquia Cloud
Presenter: Michael Lemire, Director of Information Security, [email protected]
Agenda
• Drupal in the Federal government
• Current Federal compliance landscape
• Overview of FISMA Compliance process
• Achieving Compliance in Acquia Managed Cloud
• The Shared Responsibility Model
• Designing Drupal for Compliance
• Acquia Managed Cloud System Security Plan
• Risk Assessment
• Follow up
Drupal in the Federal Government
Governments are expanding use of Drupal
• Drupal is open source
• Cost effective vs proprietary licensed software
• Proven secure – used by hundreds of thousands of sites
• Drupal facilitates shared development between agencies
• Intranet and Internet sites
• www.whitehouse.gov
• www.house.gov
• www.ready.gov (FEMA)
• www.investor.gov (SEC)
• www.teach.gov
• www.ed.gov
• www.energy.gov
• www.neh.gov
Current US Government Compliance Landscape
FISMA, DIACAP and FedRAMP are standardized approaches to security assessment, authorization, and continuous monitoring for information systems utilized by the Federal government.
FISMA – Federal Information Security Management Act of 2002. Applicable to non-DoD agencies.
DIACAP – Department of Defense Information Assurance Certification and Accreditation Process. Applicable to DoD related agencies.
With both FISMA and DIACAP, each information system must be documented, reviewed by an independent third party assessor and authorized by authorizing officials. This can be time consuming and expensive.
FedRAMP – The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FISMA, DIACAP and FedRAMP Process
Federal Compliance – High Level Process
1. Categorize the System – FIPS 199
- Confidentiality, Integrity, Availability
2. Select the controls – NIST 800-53
3. Implement the controls and document them
- System Security Plan
- Privacy Impact Assessment
4. Assess – Contract with Third Party Assessor
- 3PAO reviews SSP and creates ST&E & POA&M
5. Authorize – This package of documents is submitted to the Authorizing Official, who reviews, comments, asks for revisions
- grants IATC and/or ATO
6. Monitor – Continuous update to SSP, continuous mitigation of items identified in ST&E and POA&M
FedRAMP - Federal Risk and Authorization Management Program
• Establishes an “authorize once, use many times” framework for cloud computing products and services. FedRAMP is meant to supersede FISMA and DIACAP for cloud products.
• FedRAMP was established on Dec 8, 2011 via a memorandum produced by the Federal Chief Information Officer and is due to achieve Initial Operating Capacity in 2012.
• Based on the same NIST publications as FISMA with added controls pertinent to the cloud
• Acquia Managed Cloud Controls and Documentation are “future proof” as they include all the FedRAMP controls
Coming Soon - FedRAMP
Step 1: Categorize the system – FIPS 199
Establish the “high water mark” – Low, Moderate or High
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
NIST 800-53 Revision 3
• Annex 1 – low “high water mark”
• Annex 2 – moderate “high water mark”
• Annex 3 – high “high water mark”
Note: 800-53 rev 4 *coming soon*
Step 2: Select the controls
Step 3: Implement and document the controls
The System Security Plan (SSP):
- a narrative description of the system
- defines the “accreditation boundary” – what is it that is being authorized
- describes the system and the environment where it resides
... and the controls, divided into control families:
• Risk Assessment (RA)
• Planning (PL)
• System and Service Acquisition (SA)
• Access Control (AC)
• Certification and Authorization (CA)
• Audit and Accountability (AU)
• Personnel Security (PS)
• System and Communication Protection (SC)
• Physical and Environmental Security (PE)
• Continuity Planning (CP)
• Configuration Management (CM)
• Maintenance (MA)
• System and Information Integrity (SI)
• Media Protection (MP)
• Incident Response (IR)
• Awareness and Training (AT)
• Identification and Authentication (IA)
Step 4: Assess the Controls (Audit)
The assessment is a validation by an independent auditor that “you do what you say you do”. Guided by NIST 800-53A.
The third party assessor (3PAO) is tasked with reviewing the SSP and validating that those controls are in place. *May or may not be required, check with your AO*
The 3PAO creates the Security Test & Evaluation Plan (ST&E) and the System Assessment Report (SAR), which documents the evidencing activities and results.
- documents what is non-compliant
Plan of Action and Milestones (POA&M) – Lists controls which are not in place and the plan to implement those controls
Step 5: Authorize the System
Finally the FISMA C&A Package is submitted to the Authorizing Official. The package contains:
• The SSP
• Relevant Policies and Procedures
• The FIPS 199 categorization
• The SAR and ST&E
• The POA&M
Once satisfied with the controls, the Authorizing Official issues an Authority to Operate (ATO).
Step 6: Monitor and Update
• Update the SSP as things change
• Resolve issues and follow plan per POA&M
• Continuous monitoring of risks
• Re-authorize system every 3 years
Achieving FISMA Compliance in Acquia Cloud
Acquia Managed Cloud is a Shared Responsibility Model: PaaS (AMC) built on IaaS (Amazon AWS).
Three primary layers in the shared responsibility model:
• Application Layer (Drupal)
• OS Stack Layer (Linux, Windows, Database, etc)
• Infrastructure Layer (Datacenter, network)
*Each entity must document the controls for which it is responsible.*
Acquia Cloud Customers inherit the controls from Acquia Managed Cloud and Amazon AWS.
Designing Drupal for FISMA Compliance
Drupal Layer
Relevant Controls for a FISMA Moderate System which require customization of Drupal
Access Control Controls
AC-7
• Automatically lock user accounts after 3 consecutive failed login attempts within a 24 hour period
• Provide ability for help desk to unlock accounts
• Automatically lock user accounts after 5 consecutive failed login attempts
AC-8 Provide ability to add a warning banner at login page if applicable
AC-9 Login notice – show date and time of last login and number of unsuccessful login attempts since last login
AC-10 Limit the number of concurrent sessions
AC-11 Session inactivity – automatically log user out after 20 minutes of inactivity
Information Assurance Controls
IA-4 Disable account after 90 days of inactivity (FISMA low) or 45 days (FISMA moderate/high)
IA-5
• Password complexity requirements: min 8 characters, require upper/lower case, numbers and special characters
• Prevent re-use of previous 6 passwords
System Integrity Controls
SI-3 Scan files before storing in system
How to achieve these controls?
Option 1: Drupal 7 + contributed modules
Password Policy – http://drupal.org/project/password_policy
• Specify password complexity requirements
Session expire – http://drupal.org/project/session_expire
• Expire sessions after X amount of time
Antivirus – http://drupal.org/project/antivirus
ClamAV – http://drupal.org/project/clamav
• Scan files for malware as they are uploaded
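As an added illustration, not code from this presentation, from Acquia or from the Drupal modules above, the following Python model shows how the Drupal-layer controls listed above (AC-7, AC-9, AC-11 and IA-5) behave when enforced together, using the FISMA Moderate values from the list: lockout after 3 failures within 24 hours, a last-login notice, a 20-minute idle timeout, and 8-character complexity with no reuse of the previous 6 passwords. The Account class, function names and timestamps are assumptions, and plain SHA-256 stands in for Drupal's salted password hashing only to keep the history check short.

```python
import hashlib
import re
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD, LOCKOUT_WINDOW = 3, timedelta(hours=24)       # AC-7
INACTIVITY_TIMEOUT, PASSWORD_HISTORY = timedelta(minutes=20), 6  # AC-11, IA-5

class Account:
    def __init__(self, name):
        self.name, self.locked, self.failures = name, False, []  # AC-7 state
        self.failed_since_login, self.login_notice = 0, None     # AC-9 state
        self.last_login = self.last_activity = None
        self.pw_history = []  # digests of the current and previous passwords

def password_meets_policy(pw):
    # IA-5: at least 8 characters with upper, lower, digit and special characters.
    return all([len(pw) >= 8, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])

def set_password(acct, pw):
    if not password_meets_policy(pw):
        return "rejected: complexity"
    digest = hashlib.sha256(pw.encode()).hexdigest()  # demo only; Drupal salts and stretches
    if digest in acct.pw_history[-PASSWORD_HISTORY:]:
        return "rejected: reuse"  # IA-5: the previous 6 passwords may not be reused
    acct.pw_history.append(digest)
    return "ok"

def login(acct, now, success):
    if acct.locked:
        return "locked"  # stays locked until the help desk unlocks it (AC-7)
    if not success:
        # AC-7: count failures inside the 24 h window and lock at the threshold.
        acct.failures = [t for t in acct.failures if now - t <= LOCKOUT_WINDOW] + [now]
        acct.failed_since_login += 1
        if len(acct.failures) >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return "locked" if acct.locked else "failed"
    # AC-9: record the last login and failed attempts since it, then reset the counters.
    acct.login_notice = (acct.last_login, acct.failed_since_login)
    acct.failures, acct.failed_since_login = [], 0
    acct.last_login = acct.last_activity = now
    return "ok"

def session_active(acct, now):
    # AC-11: a session idle for more than 20 minutes is expired; activity refreshes it.
    if acct.last_activity is None or now - acct.last_activity > INACTIVITY_TIMEOUT:
        return False
    acct.last_activity = now
    return True
```

Feeding constructed timestamps through login() and session_active() shows the lockout window sliding, the AC-9 notice carrying the failure count, and the idle timeout expiring a session that is not refreshed.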
Designing Drupal for FISMA Compliance
How to achieve these controls?
Option 2: Use the OpenPublic Drupal Distribution
• OpenPublic is an open-source content management system (CMS) built with Drupal and tailored to the needs of government.
• Acquia has worked with Phase2 Technologies to ensure the Phase2 distribution has the controls necessitated by FISMA (moderate)
http://openpublicapp.com/
Putting it together – Control Mapping
Acquia’s control mapping shows what controls agency customers inherit and what they are responsible for.
• Customer configured – Acquia or Drupal provides the means to accomplish the control; customer configuration is required.
• Customer provided – Agency policies and procedures.
Example SSP control description:
Control: (from 800-53)
Control Type: Agency/Common/Hybrid
Control Status: Implemented/Planned/Not Applicable
Application Layer:
- Responsibility: Customer (Agency)
- Implementation Detail: Describe how the control is the responsibility of the agency.
LAMP Stack Layer:
- Responsibility: Acquia
- Implementation Detail: Describe how the control is implemented.
Infrastructure:
- Responsibility: Amazon
- Implementation Detail: Refer to hosting provider’s SSP.
Acquia documents its control responsibilities in its SSP. Amazon documents its control responsibilities in its SSP.
Acquia Managed Cloud SSP
Risk Assessment
FISMA Compliance also requires security vulnerability scans to be run and reports included with the C&A package as part of the “Risk Assessment”.
Agencies may use their own tools, or Acquia can run these scans on their behalf. Acquia utilizes Qualys, a leading vulnerability assessment platform. Scans are conducted from the Qualys SaaS platform via the internet.
Acquia has a dedicated Federal Sales team
Contact Sean Burns, [email protected]
Acquia can provide agencies with existing FISMA System Security Plans (Acquia and Amazon).
Both require a signed NDA with the respective organizations.
Follow up with Acquia