FedRAMP – How the Feds Plan to Manage Cloud - Hacker Halted
How the Feds Plan to Manage Cloud Risks
Steven F. Fox, CISSP
U.S. Department of the Treasury
AGENDA
• What is Cloud Computing?
• Federal Risk and Authorization Management Program (FedRAMP)
• Vision for the Private Sector
This session does not represent the views of the U.S. Dept. of Treasury
“Organizations that look at the Cloud solely through the lens of technology will be left behind.”
Mike Pearl, U.S. Cloud Computing Leader at PricewaterhouseCoopers
CLOUD CONSUMER CONCERNS
• Lack of control and transparency
• Mismatched goals and priorities
• Provider assessment costs
29% of consumers performed a security review of their provider
SERVICE LEVEL AGREEMENT (SLA)
• Defines terms and conditions of service
• Defines responsibilities of consumer and provider
• Includes privacy and acceptable use policies, and the terms of use
SCOPE AND CONTROL AMONG SERVICE MODELS
Source: NIST SP 800-144
FEDRAMP GOALS
• Ensure cloud-based services have adequate information security
• Eliminate duplication of provider assessment effort
• Enable cost-effective procurement of information systems / services
FEDRAMP APPLICABILITY
• FedRAMP is mandatory for Federal Agency cloud deployments at low and moderate risk impact levels
• Single-organization, private cloud deployments implemented fully within Federal facilities are the only exception
IMPLEMENTATION STAGES
• Prelaunch – completed
• Initial operating capability (June 2012)
  • Limited service scope and Cloud Service Providers
  • Establish benchmarks
• Full Operations (FY2013 Q2)
  • Full service scope
  • Measure benchmarks
• Sustaining Operations (FY2014)
  • Scale to steady state operations
GOVERNANCE
• Office of Management and Budget Policy
  • Cloud-first initiative
  • Define key FedRAMP components
  • Define acquisition requirements
• Joint Authorization Board (JAB)
  • Issues Provisional Authorization to Operate (PATO)
• Program Management Office
  • Operations Management
  • Maintain PATO Repository
  • Contract Templates
• Cross-agency communication
  • Vet controls and requirements from the JAB
  • Publish all FedRAMP documents
• Conformity assessment
  • Develop Conformity Assessment Program
  • Advise JAB on compliance requirements
• Security operations
  • Data feed criteria
  • Threat notification coordination
  • Incident response
KEY ORGANIZATIONS
• Third Party Assessment Organizations (3PAO)
  • Verify and validate security controls deployed by Cloud Service Providers
  • Ten in operation currently
KEY ORGANIZATIONS (continued)
• Cloud Service Providers (CSP)
  • Implement security controls to meet FedRAMP requirements
• Federal Agencies
  • Use FedRAMP processes
  • Conduct risk assessments
  • Security authorizations
  • Grant an ATO to a CSP
CSP PREPARATION FOR FEDRAMP
• Able to process eDiscovery and litigation holds
• Able to define and describe system boundaries
• Able to identify customer responsibilities and what they must do to implement controls
• Provides identification and 2-factor authentication for network and local access
• Able to perform code analysis for in-house applications
• Provides boundary protections with logical and physical isolation of assets
• Able to remediate high risk issues within 30 days, medium risk issues within 90 days
• Able to provide an inventory and configuration build standard for all devices
• Has safeguards to prevent unauthorized information transfer via shared resources
• Provides cryptographic safeguards for data during transmission
SECURITY ASSESSMENT
• Based on FISMA guidance for Low and Moderate level impact
• Assess CSP’s compliance with FedRAMP baseline controls
• Grant provisional authorization
SECURITY AUTHORIZATION PROCESS
JAB path (provisional authorization):
• CSP completes initial assessment
• 3PAO completes assessment
• JAB reviews assessment & issues PATO
Agency path (authorization to operate):
• CSP completes initial assessment
• CSP and 3PAO draft required deliverables
• Federal agency issues ATO
Required deliverables
• CSP
  • Security System Plan
  • Security Assessment Plan
  • Plan of Action and Milestones
  • Supplier’s Declaration of Conformity
• 3PAO
  • Security Assessment Report
3PAO ACCREDITATION
• Accredit Third Party Assessors for independence/competencies
• Publish and maintain list of accredited 3PAOs for CSPs to choose from
  • BrightLine
  • Coalfire Systems
  • Homeland Security Consultants
  • SRA International, Inc.
AGENCY RESOURCES
• Security controls matrix based on NIST 800-53
• Risk / Security management document templates
  • Contingency planning
  • Security assessment plan
• Standard contract / SLA clause templates
  • General
  • Control specific
PRIVATE-SECTOR CHALLENGES
• Market-driven assessments
• No common assessment standard
• No central governance organization
PRIVATE-SECTOR EFFORTS
• Cloud Security Alliance Open Security Framework
  • CSA Security, Trust & Assurance Registry (STAR)
  • Provides standards by which providers can be assessed
  • Not mandatory
FedRAMP is being watched by providers and consumers
CRITICAL CONSIDERATIONS
• Ultimately, the consumer is accountable for the outsourced service
• Business cases should focus on the benefits of cloud computing, not cost savings
• It is essential that the consumer oversee how the provider maintains its environment and ensures data security
RESOURCES
• Cloud Computing Overview
  • NIST SP800-144, SP800-145, SP500-292, SP500-293
• Security considerations
  • cloudsecurityalliance.org
• FedRAMP
  • www.gsa.gov/portal/category/102371
  • www.cio.gov/fedramp
• Federal Cloud Solutions
  • www.apps.gov
Questions?
Contact email: sfox@securelexicon.com
Follow me on Twitter: @securelexicon