Federal Risk and Authorization Management Program (FedRAMP) – From the FedRAMP PMO, CSP, and 3PAO Perspective
Matt Goodrich – FedRAMP PMO
James Bowman – Autonomic Resources (CSP)
Michael Carter – Veris Group (3PAO)
April 18, 2013
What is FedRAMP?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.
Why FedRAMP?
Problem:
• A duplicative, inconsistent, time-consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.
Solution: FedRAMP
• Uniform risk management approach
• Standard set of approved, minimum security controls (FISMA Low and Moderate Impact)
• Consistent assessment process
• Provisional ATO
Key Benefits
• Re-use of existing security assessments across agencies
• Savings in cost, time and resources – do once, use many times
• Risk-based, not compliance-based
• Transparency between government and cloud service providers
• Transparency, trust, reliability, consistency, and quality of the Federal security authorization process
FedRAMP Timeline
• March 2009: Cloud Computing Program Launched; Executive Steering Committee Established
• April 2009: Cloud Computing Program Management Office Established
• October 2009: Security Working Group Established
• February 2010: FedRAMP Concept Announced
• June 2010: FedRAMP Drafts Initial Baseline
• July – Sept. 2010: FedRAMP Concept Vetted with Industry & Government
• November 2010: FedRAMP Concept, Controls, & Templates Released
• December 2010: Federal Cloud Computing Strategy Published
• January 2011: Over 1,200 public comments received
• Feb – Mar 2011: Government Tiger Teams Review Comments
• Apr – June 2011: Executive Team Solidifies Tiger Team Recommendations
• July – Sept. 2011: 3PAO Concept Planned
• December 2011: FedRAMP Policy signed
• February 2012: FedRAMP CONOPS Published
• May 2012: 3PAOs Accredited
• June 2012: FedRAMP Launches Initial Operational Capability
• December 2012: JAB Grants 1st Provisional Authorization
• January 2013: JAB Grants 2nd Provisional Authorization
FedRAMP Policy Memo
OMB Policy Memo, December 8, 2011
• Mandates FedRAMP compliance for all cloud services used by the Federal government
  – All new services acquired after June 2012
  – All existing services by June 2014
• Establishes Joint Authorization Board
  – CIOs from DOD, DHS, GSA
  – Creates the FedRAMP requirements
• Establishes PMO
  – Maintained at GSA
  – Establishes FedRAMP processes for agency compliance
  – Maintains 3PAO program
FedRAMP Policy Framework
1. Congress passes the Federal Information Security Management Act (FISMA) as part of the eGov Act of 2002.
2. OMB A-130 and NIST SP 800-37, 800-137, 800-53: OMB A-130 provides policy; the NIST Special Publications provide the risk management framework.
3. FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing a common cloud computing baseline supporting risk-based decisions.
4. Agency ATO: Agencies leverage the FedRAMP process; heads of agencies understand and accept risk and grant ATOs.
Complying with FedRAMP Policy
Agency use of cloud services must meet FedRAMP requirements:
1. Baseline security controls
2. FedRAMP templates
3. Submission of security packages to FedRAMP
• Not all assessments require a provisional ATO granted by the JAB
• Agencies can continue to grant their own ATOs without JAB sign-off
• CSPs can submit FedRAMP compliant packages to agencies requesting an ATO
Agencies must leverage existing FedRAMP ATOs found in the FedRAMP repository.
June 2014: All Cloud Projects Must Meet FedRAMP Requirements
FedRAMP and NIST RMF 800-37
Figure: NIST Risk Management Framework steps (1. Categorize the Information System; 2. Select the Controls; 3. Implement Security Controls; 4. Assess the Security Controls; 5. Authorize Information System; 6. Monitor Security Controls), with the responsible party for each step (Agency, CSP, CSP and 3PAO, JAB / Agency) and the FedRAMP standard applied (Low or Moderate Impact; FedRAMP Low or Moderate Baseline; described in the SSP; FedRAMP Accredited 3PAO; Provisional Authorization or Agency ATO; Continuous Monitoring).
FedRAMP Standardizes RMF for Cloud
NIST SP 800-37 Step – FedRAMP Standard
1. Categorize System – Low and Moderate Impact Levels
2. Select Controls – Control Baselines for Low and Moderate Impact Levels
3. Implement Security Controls – Document control implementations using the FedRAMP templates
4. Assess the Security Controls – FedRAMP accredited 3PAOs use standard process, templates
5. Authorize the System – Joint Authorization Board or Agency AO authorize the system
6. Continuous Monitoring – CSPs conduct monitoring in accordance with Continuous Monitoring Strategy and Guide
FedRAMP Key Stakeholders
Cloud Service Provider
• Implement and Document Security
• Use Independent Assessor
• Monitor Security
• Provide Artifacts
Federal Agencies
• Contract with Cloud Service Provider
• Leverage ATO or use FedRAMP Process when authorizing
• Implement Consumer Controls
FedRAMP PMO & JAB
• Establish Processes and Standards for Security Authorizations
• Maintain Secure Repository of Available Security Packages
• Provisionally Authorize Systems That Have Greatest Ability to be Leveraged Government-wide
3PAOs (Third Party Assessment Organizations)
• Cloud auditor, maintains independence from CSP
• Performs initial and periodic assessment of FedRAMP controls
• Does NOT assist in creation of control documentation
PMO and JAB Responsibilities
• Program Management Office (PMO)
  – Liaise with Federal agencies to understand and meet FedRAMP requirements
  – Work with CSPs for JAB provisional authorizations
  – Establish and maintain 3PAO accreditation program
  – Create and maintain all documentation needed for FedRAMP compliance
  – Maintain FedRAMP repository
  – All information maintained publicly at FedRAMP.gov
  – Answer all questions that come to [email protected]
• Joint Authorization Board (JAB)
  – CIOs from DHS, DOD, GSA
  – Establish FedRAMP requirements: baseline controls and processes
  – Provisionally authorize CSPs that have greatest ability to be leveraged government-wide
Agency Responsibilities
• All new cloud projects must use FedRAMP baseline controls and templates for initiating, reviewing, granting, and revoking security authorizations
• All existing cloud projects (implemented or in the acquisition process) must meet FedRAMP requirements by June 2014
• All cloud projects
  – Establish and implement continuous monitoring plans through incident response and mitigation capabilities
  – Require cloud services providers to meet FedRAMP requirements via contractual provisions
  – Use FedRAMP repository as ATOs are granted by JAB
• Agencies must report to OMB annually cloud services that cannot meet FedRAMP requirements (First Report due May 15, 2013)
Cloud Service Providers
• Cloud Service Provider (CSP)
– Commercial or government entity that has a cloud offering/service (IaaS, PaaS or SaaS)
• CSP Responsibilities
– Implement FedRAMP security controls
– Hire independent third party assessor to perform initial system assessment and on-going monitoring of controls
– Create, submit, and maintain authorization packages
– Provide Continuous Monitoring reports and updates to FedRAMP and leveraging agencies
• Status
– Two (2) Provisionally Authorized Providers on fedramp.gov
3rd Party Assessment Organization (3PAO)
• 3PAO – Cloud Auditor: performs initial and periodic security assessment of cloud systems
• Responsibilities
  – Conduct Assessment of CSP Security Control Implementation
  – Generate Security Assessment Reports and associated evidence
  – Cannot prepare documents for a CSP that they will assess
• FedRAMP Accredited 3PAOs
  – Accredited according to (1) ISO 17020 for quality management and independence and (2) FISMA knowledge
  – Currently privatizing accreditation process: bit.ly/3PAOAB
  – Applications should be accepted again beginning in Fall 2013
• Status – Currently 17 accredited 3PAOs
Do Once, Use Many Times
• FedRAMP standardizes the security authorization process for industry and government through requirements, process and format
• FedRAMP requirements can be met three ways, and any security package that meets the FedRAMP requirements will be listed in the repository for leveraging.
Three paths lead from the CSP into the Secure Repository: JAB Provisional Authorization, Agency Authorization, and CSP Supplied Package. Regardless of the path, standards promote leveraging by agencies.
Type of Cloud Deployment Models
• Public – The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them
• Community – The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns
• Private – The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers
• Hybrid – The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public)
Reference NIST SP 800-145
Types of Cloud Service Models
• IaaS – The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
• PaaS – The capability provided to the consumer is to deploy consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
• SaaS – The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure.
Reference NIST SP 800-145
Cloud Service Models
Reference: FedRAMP CONOPS, page 35, Figure 7-2. Security Control Responsibilities. The CONOPS text surrounding that figure reads as follows.
After reviewing the security assessment package and the accompanying Provisional Authorization, Agencies can then grant an ATO under their own authority.
7.1. FedRAMP Secure Repository
The FedRAMP PMO maintains a secure repository of security assessment packages that Federal agencies can leverage. The repository will hold assessment packages in four different categories and will include information about how to review current versions of the security assessment package as described in Table 7-1.
Table 7-1. Security Assessment Package Categories
Category Name | Category ID | Assessed by | Authorizing Authority
CSP Supplied | C | Accredited 3PAO | N/A
Agency ATO* | A | Any 3PAO* | Agency
Agency ATO with FedRAMP 3PAO | W | Accredited 3PAO | Agency
FedRAMP Provisional Authorization | P | Accredited 3PAO | JAB (+ Agency)
*Not eligible for JAB review and Provisional Authorization
The different categories of assessment packages offer flexibility for Federal agencies and CSPs to allow for unique leveraging of security assessments. When reviewing security assessment packages, agencies will come to understand the level of review the security assessment package has received, as well as the risk exposure associated with the cloud service.
7.1.1. CSP Supplied
The CSP will self-supply a security assessment package using the FedRAMP process. The CSP will follow the FedRAMP security assessment process utilizing internal ISSOs and an accredited
FedRAMP Provisional Authorization Timeframe Overview (6 months +)
• SSP Finalization, 10-15 weeks: Assign ISSO and kick off; ISSO / CSP review SSP; JAB review; address JAB notes; SSP ready. Quality of SSP and responsiveness and ability of CSP to resolve ISSO comments can create iterations in this process.
• SAP Finalization, 3-4 weeks: ISSO / 3PAO review SAP; JAB review; address JAB notes. Quality of SAP and responsiveness and ability of CSP to resolve ISSO comments can create iterations in this process.
• Testing, 6 weeks.
• SAR / POA&M Review, 6 weeks: ISSO / 3PAO / CSP review SAR; JAB review; address JAB notes; final review; P-ATO signoff. Quality of SAR as well as number and types of risks can create iterations in this process.
SSP Review and Approval Timeframe (10 – 15+ weeks)
• Kickoff
• Delivery of SSP and supporting docs in FedRAMP template (CSP)
• ISSO Review & Comments: 3-4 weeks
• CSP Respond to Comments: 4-6 weeks
• Finalize SSP: 1-2 weeks
• Architectural Briefing to JAB
• Deliver SSP to JAB
• JAB Review: 2 weeks
• Remediate SSP comments: 1-3 weeks
• ISSO Review: 1 week
• SSP Approved
Iterations in this stage depend on quality of documentation and responsiveness and thoroughness of CSP to ISSO comments.
SAP Review and Approval Timeframe (3 – 3 ½ weeks)
• Delivery of SAP (3PAO)
• ISSO Review & Comments: 2 days
• CSP Respond to Comments: 2 days
• Finalize SAP: 1-2 days
• Deliver SAP to JAB TRs
• JAB TR Review: 1 week
• Remediate SAP comments: 1-2 days
• Review: 1 day
• SAP Approved
Iterations in this stage depend on quality of documentation and responsiveness and thoroughness of CSP to ISSO comments.
SAR and POA&M Review and Approval Timeframe (12 weeks)
• Assessment: 6 weeks
• SAR Preview to JAB TRs: 1 day
• Delivery of SAR & POA&M
• Review & Comments: 2 weeks
• Respond to Comments: 1 week
• Working Session, Review Sampling of Results: 1 day
• Delivery of SAR & POA&M to JAB TRs
• JAB TR Review: 1 week
• Working Session w/ JAB TRs: 1 day
• Remediate Comments: 1 week
• Review: 1 day
• Final Review: 2 days
• SAR Approved
Iterations in this stage depend on quality of SAR, responsiveness of 3PAO to ISSO comments and number and type of risks and if anything has to be remediated.
CSP Continuous Monitoring Responsibilities
• Monthly
– Operating System Scans
• Quarterly
– Operating System, Database, Web Application Scans
– Plan of Actions and Milestones (POA&M) Update
• Annually
– Review and Update Information Security Policy and Procedures
– Provide Basic Security Awareness Training
– Review and Re-certify User Accounts/Physical Access
– Review and Update Baseline Configuration
– Review and Update CM, CP, IRP, SSP, System Inventory
– Complete IR and CP Training and Exercises
– Test System Backups
CSP Continuous Monitoring Responsibilities
• Every Three Years
– Provide Role Based Security Training
– Review and Update Position Categorizations
– System Reauthorization
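The cadences on these two slides (monthly, quarterly, annually, every three years) are the kind of schedule a CSP has to track against evidence. The script below is an added example, not FedRAMP PMO or CSP code: it encodes the listed activities with their interval in months and, given the last completion date of each, reports which are overdue as of a reference date. The activity names are shortened from the slide text, and every date in it is constructed sample data.

```python
"""Continuous monitoring cadence tracker.

Added example (not FedRAMP program code). Encodes the CSP continuous monitoring
activities listed on the slides with their cadence in months and reports which
activities are overdue relative to a reference date. All dates below are
constructed sample data; activity names are shortened from the slide text.
"""
import calendar
from datetime import date

# Cadence in months for each recurring activity (monthly, quarterly, annual,
# every three years), taken from the slide list.
CADENCE_MONTHS = {
    "Operating System Scans": 1,
    "OS, Database, Web Application Scans": 3,
    "POA&M Update": 3,
    "Review and Update Security Policy and Procedures": 12,
    "Basic Security Awareness Training": 12,
    "Re-certify User Accounts / Physical Access": 12,
    "Review and Update Baseline Configuration": 12,
    "Review and Update CM, CP, IRP, SSP, System Inventory": 12,
    "IR and CP Training and Exercises": 12,
    "Test System Backups": 12,
    "Role Based Security Training": 36,
    "Review and Update Position Categorizations": 36,
    "System Reauthorization": 36,
}

# Constructed sample completion record (ISO dates). "Test System Backups" is
# deliberately absent to show how an activity with no evidence is reported.
SAMPLE_LAST_COMPLETED = {
    "Operating System Scans": "2013-03-01",
    "OS, Database, Web Application Scans": "2013-02-15",
    "POA&M Update": "2012-12-31",
    "Review and Update Security Policy and Procedures": "2012-06-01",
    "Basic Security Awareness Training": "2012-06-01",
    "Re-certify User Accounts / Physical Access": "2012-06-01",
    "Review and Update Baseline Configuration": "2012-06-01",
    "Review and Update CM, CP, IRP, SSP, System Inventory": "2012-06-01",
    "IR and CP Training and Exercises": "2012-06-01",
    "Role Based Security Training": "2012-12-26",
    "Review and Update Position Categorizations": "2012-12-26",
    "System Reauthorization": "2012-12-26",
}


def add_months(iso_day, months):
    """Shift an ISO date forward by a number of months.

    The day of month is clamped to the length of the target month, so a scan
    completed on Jan 31 falls due on Feb 28 (or 29), not in March.
    """
    d = date.fromisoformat(iso_day)
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


def next_due(activity, last_completed):
    """Due date (ISO) of the next occurrence of an activity, given its last completion."""
    return add_months(last_completed, CADENCE_MONTHS[activity])


def overdue_activities(last_completed, as_of):
    """Return {activity: due_date} for every activity whose due date has passed.

    An activity with no completion record is reported with a due date of None,
    since nothing shows it was ever performed.
    """
    as_of_day = date.fromisoformat(as_of)
    overdue = {}
    for activity in CADENCE_MONTHS:
        last = last_completed.get(activity)
        if last is None:
            overdue[activity] = None
            continue
        due = next_due(activity, last)
        if date.fromisoformat(due) < as_of_day:
            overdue[activity] = due
    return overdue


if __name__ == "__main__":
    # Reference date chosen to match the presentation date on the title slide.
    for activity, due in overdue_activities(SAMPLE_LAST_COMPLETED, "2013-04-18").items():
        print(f"OVERDUE: {activity} (due {due or 'never recorded'})")
```

With the sample record, the monthly OS scan and the quarterly POA&M update are flagged as overdue and the backup test is flagged as never recorded; the remaining activities are within their window. Treating a missing record as overdue rather than silently skipping it is the design choice that matters for continuous monitoring evidence.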
Benefits of FedRAMP for CSPs
• Streamline and accelerate the security accreditation process
• “Do once, use many times” model
• Standard baseline of security control requirements
FedRAMP Authorized CSPs
• As of April 16th, the FedRAMP Joint Authorization Board has issued two Provisional ATOs.
– Autonomic Resources | ARC-P | IaaS | December 26th, 2012
– CGI Federal | CGI IaaS Cloud | IaaS | January 31, 2013
Reference FedRAMP.gov
ATO Package Review
Form excerpt: FedRAMP Package Access Request Form, For Review of FedRAMP Security Package.
Instructions: 1. Complete this form, then print and sign. 2. Distribute to your Government Supervisor for review and signature. 3. Email your signed Request Form to [email protected].
User Information: date of request, agency or department, bureau, office, first and last name, e-mail address, phone; select Federal Employee or Federal Contractor (if a contractor, name the organization and also review, sign and attach Attachment A: Federal Contractor Non Disclosure Agreement for FedRAMP).
Requested Package: name of package requested; Package ID (located on the CSP listing on FedRAMP.gov); whether you have a current contract with this CSP (contract number, name of CSP contact, phone, email). If you are not a current customer, access is granted for 30 days in order to properly ensure a high level of access control and maintain proper security over the security authorization packages.
Access Authorization: All reviewers are required to use multi-factor authentication via PIV (Personal Identity Verification) card to obtain access to the FedRAMP secure repository on the OMB MAX system. In order to gain access to the FedRAMP secure repository, the FedRAMP PMO requires approval from an Authorized FedRAMP Approver. This is your agency CISO or someone they have designated. If you are unsure of who your FedRAMP approver is, please email the FedRAMP PMO at [email protected]. Authorized FedRAMP Approver: first and last name, title, agency / department, bureau, office, phone, email.
1. Complete the FedRAMP request form to gain access to the FedRAMP repository.
2. Send completed form to [email protected] with the title "signed form requesting access to MAX"
3. Form must be signed by an agency CISO
4. If you are not a Federal employee you must also sign the FedRAMP NDA
5. List the ARC-P FedRAMP package ID F1206141381
What is a 3PAO?
• Third-Party Assessment Organization
• Independently accredited assessment organization
• Demonstrated technical competency to test security implementations and collect representative evidence
• Based on concept of conformity assessment, as defined in ISO/IEC 17020
• Classification Type
– Type A: Provide Assessment Services Only
– Type C: Provide Consulting and Assessment Services, just not to the same customer and with a clear organizational separation within the company
• As of April 16th, 17 companies have been accredited as a 3PAO
Role of a 3PAO
• Perform the independent FedRAMP assessment to determine the state of compliance with FedRAMP requirements
• Only an accredited 3PAO may perform the initial and on-going periodic assessments
  – Non-3PAOs can provide consulting support in preparation of a FedRAMP assessment, they just cannot perform the actual FedRAMP assessment
– A Type C 3PAO may perform the FedRAMP assessment or provide consulting support, just not both for the same customer
• Contracted on behalf of the CSP, not the Government
Steps to an Assessment
• Develop a Security Assessment Plan
  – Scope of the Assessment
  – Assessment Boundary
  – Schedule
• Conduct Control Assessment
  – Roughly 300 Controls/Enhancements; 1900 Test Cases
  – Component Level Testing; # Components Increases # of Test Cases
  – Customized ‘Test’ Test Cases
  – Complete Associated FedRAMP Test Case Workbooks
• Conduct Source Code Review
  – Perform Scan Using Common Tool (CSP Responsibility)
  – Review Scan Tool Output
  – Identify Source Code Weaknesses
Steps to an Assessment
• Conduct Vulnerability Scans
  – Fully Credentialed
  – All OS/Network, Database, Web Components
• Conduct Penetration Test
  – Business Logic
  – Combination of Automated and Manual Checks
• Develop Security Assessment Report
  – Summarizes all Findings
  – Outlines Level of Risk Associated with the Solution
  – Provide Recommendations for Remediation
3PAO Continuous Monitoring Responsibilities
• Annual Requirements
  – Conduct Fully Credentialed OS/Network, Database, Web Component Vulnerability Scans
  – Perform Unannounced Penetration Test
  – Assess a Subset of Security Controls
• Ad-Hoc Testing
  – New Components, Releases
  – Agency-specific Required Controls Outside of FedRAMP Baseline
Lessons Learned
• FedRAMP PMO – Is there a FedRAMP bottleneck?
  – Timeframe for authorizations and vendors’ ability to meet FedRAMP requirements
  – Agency authorization is a viable path – JAB authorization not required
• Autonomic Resources – What is difficult for CSPs going through the FedRAMP process?
  – FedRAMP ISSO – Your advocate and representative to the JAB
  – Open and transparent
• Veris Group – Common Assessment Issues
  – Authenticated Scans
  – Configuration/Patch Management – Use of automated mechanisms to remediate scan findings
Question and Answers
• Questions?
• Contact Information
  – FedRAMP PMO (Matt Goodrich): [email protected]
  – Autonomic Resources (James Bowman): [email protected]
  – Veris Group (Michael Carter): [email protected]