DoD Cloud Authorization Process...as part of the FedRAMP process with an additional assessment of...
UNCLASSIFIED 1
UNCLASSIFIED
TRUST IN DISA: MISSION FIRST, PEOPLE ALWAYS!
DoD Cloud Authorization Process
DISA Cloud Assessment Division
DISA RME/RE2
April 2021
Cloud Computing Security Requirements
Table of Contents
1 Introduction
2 Background
3 Information Security Objectives / Impact Levels
4 Risk Assessment of Cloud Service Offerings
5 Security Requirements
6 Cyber Defense and Incident Response
Authorization Terminology
• FedRAMP Joint Authorization Board (JAB) Provisional Authorization (P-ATO)
  • Issued by the JAB to a Cloud Service Provider (CSP) for its Cloud Service Offering (CSO)
  • CSP’s package is reviewed by JAB Reviewers from three agencies (DoD, DHS, GSA)
• Agency Authorization to Operate (ATO)
  • Issued by a Federal Agency Authorizing Official (AO) to a CSP for its CSO based on compliance with FedRAMP requirements and listed on the FedRAMP Marketplace
• DoD Provisional Authorization (PA)
  • Issued by the DISA Authorizing Official (AO) to a CSP for its CSO based on FedRAMP and additional DoD security requirements (Impact Levels 4/5/6) and primarily issued for enterprise use
  • Typically leverages a CSP’s JAB P-ATO or Federal Agency ATO
  • Reciprocity memo issued at Impact Level 2 for CSOs on the FedRAMP Marketplace
  • CSP’s package is reviewed by DoD Reviewers from DISA and the DoD Component sponsoring the CSP
• DoD Component ATO
  • Issued by a DoD Component AO to a Mission Owner for its system/data that makes use of the CSP’s CSO
  • Must leverage a CSP’s DoD PA

Provisional Authorization – Focuses on CSO Risk
  Granted by: The FedRAMP JAB and the DISA AO
  To: A CSP for its CSO
ATO – Focuses on Mission Risk
  Granted by: A DoD Component’s AO
  To: A DoD Mission Owner for their system
DISA Cloud Assessment Division
• The DISA Cloud Assessment Division provides support to DoD Component Sponsors/Mission Owners through the pre-screening, assessment, validation, authorization, and continuous monitoring of a Cloud Service Offering (CSO).
• They ensure the Cloud Service Provider (CSP) and CSO meet DoD cloud security controls and connection requirements.
• They serve as reviewers on the FedRAMP Joint Authorization Board (JAB).
The Three Paths to a DoD PA
1. CSP CSO with a FedRAMP JAB P-ATO
  • This is the DoD preferred path to a DoD PA because the DoD CIO and the DISA Security Control Assessor Representative (SCA-R) (i.e., JAB DoD Reviewers) are involved in FedRAMP JAB assessment and authorization activities as part of the FedRAMP JAB team comprised of DoD, GSA and DHS reviewers.
  • For Impact Levels 4 (IL4) and above, DoD leverages the documentation and artifacts produced as part of the FedRAMP process with an additional assessment of the DoD-specific security controls and requirements not addressed by FedRAMP.
  • For Impact Level 2 (IL2), DoD does not do any additional assessment and has issued a reciprocity memo for FedRAMP Moderate (MBL) or High Baseline (HBL) authorizations that meet IL2 requirements.
  • For IL4 and above, the additional assessment (i.e., FedRAMP+) must be performed by a FedRAMP-approved Third Party Assessment Organization (3PAO). The CSP/3PAO submit documentation (SSP/SAP/SAR/POAM, etc.) to the DISA SCA-R for review and validation by the Joint Validation Team (JVT) toward awarding a DoD PA.
  • The validation process will leverage the authorized FedRAMP baseline. The DISA SCA-R will request all baseline documentation and applicable continuous monitoring artifacts.
The Three Paths to a DoD PA
2. CSP CSO with a FedRAMP Agency ATO listed in FedRAMP Marketplace
  • CSPs with a non-DoD Federal Agency ATO based upon security controls assessed by a FedRAMP-approved 3PAO can be assessed for a DoD PA if the Federal Agency ATO has been reviewed and accepted by the FedRAMP PMO and placed on the FedRAMP Marketplace as an authorized FedRAMP Agency ATO.
  • The minimum baseline for a DoD PA is FedRAMP Moderate. FedRAMP assessments done at the HBL facilitate transition to the DoD Cloud Computing Security Requirements Guide (SRG) Version 1 Release 3.
  • For IL4 and above, DoD will leverage the Federal Agency ATO authorized baseline, to include all relevant continuous monitoring documentation, with additional assessment of the DoD-specific controls and requirements.
  • A FedRAMP-approved 3PAO must perform the additional assessment.
  • The CSP and 3PAO submit assessment documentation (SSP/SAP/SAR/POAM, etc.) to the DISA SCA-R for review and validation toward awarding a DoD PA.
  • The DISA SCA-R will request all baseline documentation and applicable continuous monitoring artifacts.
The Three Paths to a DoD PA
3. DoD Component Assessed PA
  • Without a FedRAMP JAB P-ATO or Agency ATO, a DoD Component assessment of a CSP’s CSO may only be performed under two circumstances:
    • If a DoD organization has a validated mission requirement that only the specific CSP’s CSO can fulfill, requiring it to be authorized
    • If a DoD organization acting as a CSP develops and instantiates a CSO
  • The CSP’s CSO is fully assessed by a FedRAMP-approved 3PAO and the DISA Cloud SCA. The CSP’s CSO must be assessed and validated against both the FedRAMP Moderate/High Baseline and DoD’s FedRAMP+ requirements.
  • The DoD organization with a need for that CSP’s CSO to be authorized will be required to support resourcing for the full assessment and validation in coordination with the DISA Cloud SCA organization.
  • This assessment and validation starts from the beginning, with no prior FedRAMP package to leverage, so it may take 5 to 8 months to complete depending on the scope of effort.
  • The CSP and 3PAO submit assessment documentation (RAR/SSP/SAP/SAR/POAM, etc.) to the DISA Cloud SCA for review and validation toward awarding a DoD PA.
Note: If a CSP receives a DoD-assessed PA and other Federal Agencies wish to leverage the offering, the CSP’s assessment package may be shared with FedRAMP and made available through the FedRAMP secure repository as well as the DoD Cloud Services Catalog.
Provisional Authorization Memo
• Initial DoD Provisional Authorization (PA)
  • The DISA AO is the Authorizing Official (AO) for a DoD PA.
  • Typically, a DoD PA is issued with an expiration date to be leveraged by DoD Mission Owners until it expires or is revoked.
  • The PA is issued with general and/or specific conditions for the CSP and usage considerations for the DoD Mission Owner.
• Ongoing Provisional Authorization
  • CSPs must comply with all Continuous Monitoring (ConMon) Requirements to maintain the DoD PA.
• Reauthorization
  • Upon expiration, a CSP’s CSO may be reauthorized if there is continued need by the DoD community and the CSP has maintained a satisfactory security posture. The DISA AO will issue an updated PA memo.
Information Impact Levels & Some Distinguishing Requirements
FedRAMP/FedRAMP+ Security Control Requirements
Baseline                         Controls/Control Enhancements (C/CE)   Composition
FedRAMP Moderate Baseline (MBL)  325                                    325 C/CE
FedRAMP High Baseline (HBL)      421                                    FedRAMP MBL + 97 additional C/CE
DoD Impact Level 4 Baseline      363                                    FedRAMP MBL + 38 FedRAMP+ C/CE, plus 19 DoD General Readiness & DoD Unique Requirements
DoD Impact Level 5 Baseline      372                                    IL4 + 9 FedRAMP+ C/CE, plus 19 DoD General Readiness & DoD Unique Requirements
DoD Provisional Authorization Process Timeline
Estimated duration (per CSP) is 11 – 17 weeks (not including time for 3PAO Assessment)

INITIAL CONTACT PHASE
• DoD Sponsor submits ICF to DCAS: DoD Sponsor completes “Initial Contact Form” in DCAS. DISA holds an initial phone call with DoD Sponsor and CSP to review the requirements of the sponsor and best path to PA.
• DISA holds process & requirements strategy meeting. Assigns priority and notional schedule.
• Prioritization assigned. Sponsor’s technical reviewers’ names and documentation checklist submitted to DISA.

ONBOARDING KICKOFF
• DISA schedules Initial Planning Conference call. JVT: DISA SCA-R, Sponsor Analysts, CSP & 3PAO.
• Introductions & Team Briefs: Sponsor – Overview; CSP – Architecture; 3PAO – Assessment Schedule & Plan; SCCA – CAP; NIC – IP & DNS; DISA – JVT Brief.
• Access to CSP document repository initiated. Initial Review of RAR, SSP, SSP Addendums, & documentation checklist for Readiness. Review and approve SAP.
• RAR, SAP, SSP, SSP Addendum, Architecture and JVT approval to proceed with testing.
• DISA SCA-R, JVT and CSP review and approve SAP.
• JVT Approval to Proceed with Assessment.

3PAO ASSESSMENT
• 3PAO conducts assessment. CSP provides SSP & POA&M; 3PAO provides SAR. Time varies depending on FedRAMP baseline.
• 3PAO and CSP ensure delivery of documentation. Work parsing begins and Technical Exchange Meeting Schedule established.

DoD JVT REVIEW & REMEDIATION (8-10 weeks)
• DoD JVT performs validation on security package (SSP/SAP/SAR/POAM).
• Validation begins with access to Security Package (SSP/SAR/POAM). CSP/3PAO remediate issues, re-test, update documents, respond to JVT comments, and deliver revised package. POA&M updated.
• JVT iterative review of CSO package. Comments to CSP & 3PAO, remediation (if required).

AUTHORIZATION & DSAWG PREP (1-3 weeks)
• Authorization Rec, items/issues, vulnerability tables & DSAWG Brief developed. Review and Authorization.
• Draft Authorization Recommendation and DSAWG Brief. Submit to DSAWG.
• Authorization Recommendation and DSAWG Brief finalized and submitted to seniors for review. Forward to DSAWG 2 weeks in advance of DSAWG meeting, which is the 2nd Tuesday of the month.

DSAWG REVIEW (1-2 weeks)
• DSAWG Review and Comments.
• Authorization Recommendation submitted to DSAWG for comments, then to DISA AO for authorization decision.

AO DECISION (1-2 weeks)
• Final AO Review / PA Sign Off.

MONITOR & MANAGE
• Network Defense and Monitoring.

MISSION OWNER
• Authorize use of CSO; Submit for Connection. Mission Owners must authorize use of a CSO utilizing the DoD PA MO guidance. After authorization is issued, submit for connection.
Mission Owner AO Responsibility
• Inherit/Leverage – Maximize use of existing body of evidence
  • Scope of testing adequate? If so, review the 3PAO’s Security Assessment Plan (SAP)
  • Review test results: 3PAO’s Security Assessment Report (SAR)
  • Residual risk: Review POA&Ms, continuous monitoring data, DISA’s Authorization Recommendation and Provisional Authorization memos
  • Identify and proceed with any additional testing required (with CSP and 3PAO)
• If risk is acceptable, issue an IATT or ATO
  • Accept risk and liabilities identified in the DoD PA for the Mission Owner’s unique system and mission
  • Impose any conditions deemed necessary for the secure operation of the CSO in the context of the Mission Owner system requirements, interconnections, and data processed
  • Issue ATO to a Mission Owner for a system that makes use of the CSP’s CSO
Mission Owner AO Risk Decision
Figure: Security responsibility by service model (IaaS, PaaS, SaaS), split between the CSP and the DoD Mission Owner. The CSP’s share is authorized by the FedRAMP JAB (JAB P-ATO) and the DISA AO (DoD PA); the DoD Mission Owner’s share is authorized by the Mission Owner AO (ATO+).
JVT Analysts
• Under the joint technical review process, the CSP’s DoD Sponsor must provide additional resources to participate in the Joint Technical Validation Process. The DISA Cloud Assessment team will provide a Joint Validation Team (JVT) Lead who will function as overall manager of the DoD JVT process with the DoD Sponsor analysts accomplishing most of the validation review work.
• The CSP’s sponsoring agency should commit to the offering, provide a minimum of two qualified technical reviewers (IAM Level II/III) highly familiar with the RMF, and be prepared to attend/champion the DSAWG session for the cloud service offering. The scope of effort is normally 12-14 weeks but may vary depending on conditions unique to each CSP or CSO.
• The CSP and their 3PAO will be expected to collaborate and provide input to information exchange meetings and work with the JVT to establish the schedule and timeline to completion.
JVT Skill Requirements
• The sponsoring agency’s analysts must meet DoD 8570 requirements for IAM Level II/III
• Specific skills needed:
  • In-depth familiarity with NIST Risk Management Framework (RMF)
  • Knowledge of DoD RMF
  • Knowledge of DoD Cloud Computing Security Requirements Guide
  • Familiarization with FIPS-199, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-37
  • Familiarization with FedRAMP documentation review processes
  • Ability to review and analyze CSP artifacts for completeness, consistency, compliance, and due diligence
  • Knowledge of cryptographic protocols and standards such as FIPS 140, SSH, SSL/TLS, etc.
  • Knowledge of multifactor authentication methodology and types
  • Knowledge of network architecture
  • Ability to review and understand dataflow diagrams
  • Writing skills for clarity and conciseness in comments
  • Familiarity with and knowledge of DoD/85XX documents
JVT Review Methodology
• The JVT will perform a technical review/validation of the following CSP/3PAO completed and signed documentation, and any other relevant documents:
  • Readiness Assessment Report (RAR)
  • SSP & IL4/5/6 SSP Addendum for FedRAMP+ controls
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Plan of Action & Milestones (POA&M)
  • Architecture/Network Topology
  • SAR Brief – Review of risk remediation and mitigation plans from the Plan of Action & Milestones
  • FedRAMP baseline continuous monitoring artifacts, if applicable
  • Supporting documentation
JVT Review Methodology – JVT Lead
• Develops a review schedule, typically 12-14 weeks
• Prepares a consolidated team review comment spreadsheet for each of the primary cloud security documents under review
• Tasks individual team members, tracks items and collects responses per document
• Schedules weekly meetings with JVT and biweekly meetings for all stakeholders to share progress
• Sends comments to CSP/3PAO for adjudication and resolution
• Liaises with CSP/3PAO for all matters related to validation of requirements for DoD PA
• Prepares authorization documents
JVT Responsibilities – JVT Members
• Review all documents included in the CSP’s security authorization package
• Review documents for completeness and structural thoroughness
• Assess/validate compliance of implemented controls
• Ensure compelling evidence maps to applicable security controls
• Review system architecture for in-depth understanding of authorization boundary
• Review architecture for data flows, trusted connections, remote access activities
• Provide comments to JVT lead on provided comment sheet
• Review response comments from CSP and 3PAO for adjudication
• Meet weekly or as needed with JVT Lead and 3PAO/CSP to adjudicate comments
• Provide input to stakeholders briefing slides
• May attend the DSAWG security briefing for the CSO
DoD Provisional Authorization Process – Initiation
Initiation
Sponsor contacts DISA for Onboarding
• DoD Component sponsors CSP for DoD Impact Level 4/5/6
  • CSP leverages FedRAMP JAB P-ATO or Agency ATO for DoD PA
  • Without FedRAMP authorization, DISA & DoD Sponsor coordinate process with CSP/3PAO
• DISA schedules Initial Planning Meeting
  • DISA schedules initial planning meeting to discuss CSP’s CSO readiness in accordance with DoD’s SRG security requirements
  • DISA RME holds Initial Planning meeting
  • DoD Sponsor commits resources
• DISA assigns priority and JVT Lead
  • JVT, CSP, and 3PAO teams coordinate, develop and plan work schedule milestones
• CSP completes DoD FedRAMP+ assessment
  • DoD RAR, DoD SSP Addendum and any applicable security overlays
DoD Provisional Authorization Process – Kickoff
Kickoff
• DISA schedules onboarding kickoff meeting to discuss CSO’s system architecture and authorization boundary
• SCCA team presents information on connecting to the DISA CAP
• DoD NIC team presents information on options for top level domain, DNS, and IP address space
CSP/3PAO submit documentation
• CSP/3PAO submit FedRAMP baseline documentation, SSP Addendum, RAR, and SAP
• DISA SCA-R/JVT conduct quality review of readiness
• Review documentation, including architecture / authorization and network boundary
Review System Architecture / Authorization Boundary
• Identify major findings or showstoppers
• Determine possible timelines for validation effort to begin
DISA SCA-R/JVT approve SAP, with Cloud SCA approval
• Approval of the SAP and SSP Addendum
DISA SCA-R/JVT reviews RAR, SSP Addendum, SAP, and documentation checklist for readiness. If not ready, SCA-R will push back for resubmission and restart.
DoD Provisional Authorization Process – Validation
• Prerequisites:
  • 3PAO Assessment
Review and Remediation
JVT performs quality review and analysis on security package (SSP/SAP/SAR/POAM)
DISA SCA-R/JVT verifies quality and completeness of CSP/3PAO artifacts
• JVT validates DoD requirements through review of documentation and discussions
• Schedule JVT weekly meetings
• Schedule stakeholder biweekly updates
• Schedule meetings with CSP/3PAO as needed
DISA SCA-R provides comment sheet to CSP/3PAO for adjudication of findings
• Analyze full package for flaws
• Return package for rework if flawed, then restart validation clock upon resubmission
• CSP/3PAO provide written response to all comments as applicable
CSP remediates findings, and 3PAO attests to remediation performed
• Findings should be remediated prior to completion of validation
• 3PAO attestation may be required for remediation performed after assessment
• Findings that remain open must be mitigated and have a remediation plan subject to approval
DoD Provisional Authorization Process – Recommendation
• Prerequisites:
  • DISA SCA-R/JVT validation completed
  • All comments adjudicated
Authorization Recommendation & DSAWG Presentation
DISA SCA-R develops Authorization Recommendation and Presentation for the DSAWG
• Updated artifacts/evidence may be requested from CSP/3PAO
• CSP submits required monthly continuous monitoring deliverables throughout authorization process
Draft AuthRec and DSAWG Brief for Submission
Cloud SCA Review & Approval
• Updated artifacts/evidence submitted by CSP/3PAO as requested
Final Auth Rec and DSAWG Brief Submitted
DoD Provisional Authorization Process – DSAWG & AO
• Prerequisites:
  • Cloud SCA Approval for submission to DSAWG
DSAWG Review & AO Decision
DSAWG Review
• Updated artifacts/evidence may be requested from CSP/3PAO
DSAWG Feedback to AO
AO Decision
• PA Memo signed and posted on DCAS site
Continuous Monitoring
• FedRAMP & DoD Continuous Monitoring requirements apply until the DoD Provisional Authorization is revoked or expires.
• DISA SCA-R schedules monthly meetings between CSP POCs and SCA-R
• Visit FedRAMP.gov for training, documents, and templates.
• Visit DoD Cyber Exchange for DoD requirements and documents related to cloud use.
• CSPs will have an account in a cloud instance of eMASS.
• Mission Owners can inherit security controls in eMASS that are the responsibility of the CSP or shared between the CSP and the customer.
DoD Cloud Authorization Services (DCAS) Site
• Cloud Authorization Process:
  • Provides Cloud Service Providers (CSPs) with DoD templates and supporting documentation
• Sponsor a CSP/CSO:
  • DoD component sponsors will initiate the onboarding process for a CSP/CSO
• Current DoD Cloud Service Offerings:
  • Provides a catalog of current authorized Cloud services and access to their Provisional Authorization (PA) letter
  • Allows requests to sponsor an upgrade to an existing PA
• Current Service Offering Candidates:
  • Provides the status of ongoing cloud candidates in the DoD queue
• Cloud Support Resources:
  • Provides helpful DoD guidance and supporting documentation
Cloud Resources
• DoD Cloud Authorization Process
  • https://disa.deps.mil/org/RMED/cas
  • CAC-enabled site. Requires PKI access
  • Sponsorship Request Form, Authorization Process, Services Catalog
• DoD Cyber Exchange
  • https://cyber.mil/
  • Public and CAC-enabled Content
  • Cloud Computing SRG, Templates, Other documents related to cloud
• DISA Website
  • https://storefront.disa.mil/kinetic/disa/service-catalog#/category/cloud-computing
  • DISA Storefront
• Contact Us
  • [email protected]
DEFENSE INFORMATION SYSTEMS AGENCY
The IT Combat Support Agency
/USDISA  @USDISA  www.disa.mil