FedRAMP – How the Feds Plan to Manage Cloud - Hacker Halted

How the Feds Plan to Manage Cloud Risks
Steven F. Fox, CISSP
U.S. Department of the Treasury

AGENDA
• What is Cloud Computing?
• Federal Risk and Authorization Management Program (FedRAMP)
• Vision for the Private Sector
This session does not represent the views of the U.S. Dept. of Treasury

“Organizations that look at the
Cloud solely through the lens of
technology will be left behind.”
Mike Pearl, U.S. Cloud Computing Leader at PricewaterhouseCoopers

Lack of control and transparency
Mismatched goals and priorities
Provider assessment costs

29% of consumers
performed a security
review of their provider

SERVICE LEVEL AGREEMENT (SLA)
• Defines terms and conditions of
service
• Defines responsibilities of consumer
and provider
• Includes privacy and acceptable use
policies, and the terms of use

SCOPE AND CONTROL AMONG SERVICE
MODELS
NIST SP 800-144

FedRAMP
• Ensure cloud-based services have
adequate information security
• Eliminate duplication of provider
assessment effort
• Enable cost-effective procurement of
information systems / services

FedRAMP
• FedRAMP is mandatory for Federal
Agency cloud deployments at low and
moderate risk impact levels
• Single organization, private cloud
deployments implemented fully within
Federal facilities are the only
exception

IMPLEMENTATION STAGES
• Prelaunch – completed
• Initial operating capability (June 2012)
• Limited service scope and Cloud Service Providers
• Establish benchmarks
• Full Operations (FY2013 Q2)
• Full service scope
• Measure benchmarks
• Sustaining Operations (FY2014)
• Scale to steady state operations

Governance

Office of Management and Budget Policy
Cloud-first initiative
Define key FedRAMP components
Define acquisition requirements

Joint Authorization Board
Issues Provisional Authorization to Operate (PATO)

Program Management Office
Operations Management
Maintain PATO Repository
Contract Templates

Cross-agency communication
Vet controls and requirements from the JAB
Publish all FedRAMP documents

Develop Conformity Assessment Program
Advise JAB on compliance requirements

Data feed criteria
Threat notification coordination
Incident response

KEY ORGANIZATIONS
• Third Party Assessment Organizations (3PAO)
• Verify and validate security controls deployed by Cloud Service Providers
• Ten in operation currently

KEY ORGANIZATIONS
• CSP
• Implement security controls to
meet FedRAMP requirements
• Federal Agencies
• Use FedRAMP processes
• Conduct risk assessments
• Security authorizations
• Grant an ATO to a CSP

CSP PREPARATION FOR FEDRAMP
• Able to process eDiscovery and litigation holds
• Able to define and describe system boundaries
• Able to identify customer responsibilities and what they must do to implement controls
• Provide identification and 2-factor authentication for network and local access
• Able to perform code analysis for in-house applications
• Provides boundary protections with logical and physical isolation of assets
• Ability to remediate high risk issues within 30 day, medium risks within 90 days
• Able to provide an inventory and configuration build standard for all devices
• Has safeguards to prevent unauthorized information transfer via shared resources
• Cryptographic safeguards for data during transmission

SECURITY ASSESSMENT
• Based on FISMA guidance for Low and
Moderate level impact
• Assess CSP’s compliance with
FedRAMP baseline controls
• Grant provisional authorization

SECURITY AUTHORIZATION PROCESS
CSP
completes
initial
assessment
3PAO
completes
assessment
JAB reviews
assessment
& issues
PATO
CSP
completes
initial
assessment
CSP and
3PAO draft
required
deliverables
Federal
agency
issues ATO
CSP
• Security System Plan
• Security Assessment Plan
• Plan of Action and Milestones
• Supplier’s Declaration of Conformity
3PAO
• Security Assessment Report

3PAO ACCREDITATION
• Accredit Third Party Assessors for independence/competencies
• Publish and maintain list of accredited 3PAOs for CSPs to choose
• BrightLine
• Coalfire Systems
• Homeland Security Consultants
• SRA International, Inc

AGENCY RESOURCES
• Security controls matrix based on
NIST 800-53
• Risk / Security management document
templates
• Contingency planning
• Security assessment plan
• Standard contract / SLA clause
templates
• General
• Control specific

PRIVATE-SECTOR CHALLENGES
• Market-driven assessments
• No common assessment standard
• No central governance organization

PRIVATE-SECTOR EFFORTS
• Cloud Security Alliance Open Security
Framework
• CSA Security, Trust & Assurance
Registry (STAR)
• Provide standards by which providers
can be assessed
• Not mandatory

FedRAMP is being watched by providers and consumers

CRITICAL CONSIDERATIONS
• Ultimately, the consumer is accountable for the outsourced service
• Business cases should focus on the benefits of cloud computing, not cost savings
• It is essential that the consumer oversee how the provider maintains its environment and
ensures data security

RESOURCES
• Cloud Computing Overview
• NIST SP800-144, SP800-145, SP500-292, SP500-293
• Security considerations
• Cloudsecurityalliance.org
• FedRAMP
• www.gsa.gov/portal/category/102371
• www.cio.gov/fedramp
• Federal Cloud Solutions
• www.apps.gov

Questions?
Contact email: sfox@securelexicon.com
Follow me on Twitter: @securelexicon