Federal Risk And Authorization Management Program (FedRAMP) - NIST

Transcription

Federal Risk and Authorization Management Program (FedRAMP) (slide 1)
NIST, June 5, 2013
Matt Goodrich, JD, FedRAMP Program Manager
Federal Cloud Computing Initiative, OCSIT, GSA

What is FedRAMP? (slide 2)
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework that will save the cost, time, and staff required to conduct redundant agency security assessments.

Why FedRAMP? (slide 3)
Problem: A duplicative, inconsistent, time-consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.
Solution: FedRAMP
- Uniform risk management approach
- Standard set of approved, minimum security controls (FISMA Low and Moderate Impact)
- Consistent assessment process
- Provisional ATO

FedRAMP Policy Memo (slide 4)
OMB Policy Memo, December 8, 2011
- Mandates FedRAMP compliance for all cloud services used by the Federal government
  – All new services acquired after June 2012
  – All existing services by June 2014
- Establishes Joint Authorization Board (JAB)
  – CIOs from DOD, DHS, GSA
  – Creates the FedRAMP requirements
- Establishes PMO
  – Maintained at GSA
  – Establishes FedRAMP processes for agency compliance
  – Maintains 3PAO program

FedRAMP Policy Framework (slide 5)
Layered diagram, from statute to agency decision:
- eGov Act of 2002 includes the Federal Information Security Management Act (FISMA): Congress passes FISMA as part of the 2002 eGov Act
- OMB A-130; NIST SP 800-37, 800-137, 800-53: OMB A-130 provides policy, NIST Special Publications provide the risk management framework
- FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing a common cloud computing baseline supporting risk-based decisions
- Agency ATO: Agencies leverage the FedRAMP process; heads of agencies understand and accept risk and grant ATOs

FedRAMP and NIST RMF 800-37 (slide 6)
NIST Risk Management Framework cycle, with the FedRAMP responsible party for each step:
1. Categorize the Information System (Agency): Low Impact, Moderate Impact
2. Select the Controls (Agency): FedRAMP Low or Moderate Baseline
3. Implement Security Controls (CSP): Describe in SSP
4. Assess the Security Controls (CSP and 3PAO): FedRAMP Accredited 3PAO
5. Authorize Information System (JAB / Agency): Provisional Authorization, Agency ATO
6. Monitor Security Controls (CSP): Continuous Monitoring

FedRAMP Standardizes RMF for Cloud (slide 7)
NIST SP 800-37 Step | FedRAMP Standard
1. Categorize System | Low and Moderate Impact Levels
2. Select Controls | Control Baselines for Low and Moderate Impact Levels
3. Implement Security Controls | Document control implementations using the FedRAMP templates; implementation guidance in "Guide to Understanding FedRAMP"
4. Assess the Security Controls | FedRAMP accredits 3PAOs; 3PAOs use standard process, templates
5. Authorize the System | Joint Authorization Board or Agency AO authorize the system, which can be leveraged due to increased trust
6. Continuous Monitoring | CSPs conduct monitoring in accordance with the Continuous Monitoring Strategy and Guide

FedRAMP Key Stakeholders & Responsibilities (slide 8)
Federal Agencies
- Contract with Cloud Service Provider
- Leverage ATO or use FedRAMP Process when authorizing
Cloud Service Providers
- Implement and Document Security
- Use Independent Assessor
- Monitor Security
- Provide Artifacts
Third Party Assessment Organizations (3PAOs)
- Cloud auditor, maintains independence from CSP
- Performs initial and periodic assessment of FedRAMP controls
- Does NOT assist in creation of control documentation
FedRAMP PMO & JAB
- Establish Processes and Standards for Security Authorizations
- Maintain Secure Repository of Available Security Packages
- Provisionally Authorize Systems That Have Greatest Ability to be Leveraged Government-wide

Mythbusting FedRAMP (slide 9)
Lots of confusion still about FedRAMP; need to address top areas of concern:
- Who defines cloud?
- Control responsibility between vendors and stacking of authorizations
- Perception of delays in authorizations
- Ability of vendor to meet Federal requirements
- Difference between Agency ATOs and JAB Provisional ATOs
- 3PAO Privatization efforts – impact on the program

What is the Definition of Cloud? (slide 10)
Cloud First Policy
- Agencies must default to cloud-based products and services when spending any new money on IT
  – New services, recompetes, additional services
- Agencies must justify to OMB when a cloud provider is NOT selected
When a cloud service provider is selected, FedRAMP governs the security authorization process.
Cloud Definition
- FedRAMP is not arbiter of what is and what is not cloud.
- We will authorize anything that is "cloud"-esque
- If any agency submits a FedRAMP package for a system they deem cloud, FedRAMP will review that system as cloud – we will not interfere with or negate an agency determination of cloud.

Vendor Abilities to Meet Federal Requirements (slide 11)
Many cloud vendors are new to FISMA and it takes time to meet Federal Requirements:
- Clearly Defined Boundaries
- FIPS 140-2 Encryption
- Authenticated Scans
- Remediation of Vulnerabilities
- Multi-Factor Authentication

Delays in Authorizations (slide 12)
FedRAMP is a rigorous process, with increased scrutiny on meeting security requirements
- Currently 2 JAB provisional ATOs: CGI Federal, Autonomic Resources
- Currently 2 Agency ATOs: Amazon's US East/West, and Amazon's GovCloud
- FISMA process takes time
- Difference between efficient and expedient
- Transparency
- New process for many vendors
- Updated CONOPs and standardization of timelines

Agency ATOs and JAB Provisional ATOs (section divider)

FedRAMP Provisional Authorization Timeframe Overview (slide 13)
Overall timeframe: 6 months, shown as a timeline of four phases with durations:
- SSP Ready / Review / Assign ISSO / Kick Off: 3-4 weeks
- SSP Finalization: 6 weeks
  – ISSO / CSP review SSP, JAB Review, Address JAB Notes
  – Quality of SSP and responsiveness and ability of CSP to resolve ISSO comments can create iterations in this process
- Testing: 6 weeks
  – SAP Finalization: ISSO / 3PAO review SAP, JAB Review, Address JAB Notes
  – Quality of SAP and responsiveness and ability of CSP to resolve ISSO comments can create iterations in this process
  – Testing
- SAR / POA&M Review: 10-15 weeks
  – ISSO / 3PAO / CSP review SAR, JAB Review, Address JAB Notes, Final Review, P-ATO Signoff
  – Quality of SAR as well as number and types of risks can create iterations in this process
Key (actor for each activity): CSP Action; FedRAMP / CSP Action; FedRAMP / 3PAO Action; FedRAMP Action; FedRAMP JAB Action; FedRAMP / 3PAO / CSP Action

JAB Provisional ATO vs Agency ATO (slide 14)
Timeframe
– JAB: 25 weeks minimum
– Agency: 14 weeks minimum
Level / Depth of Review
– JAB: Four sets of eyes (PMO, DoD, DHS, GSA)
– Agency: One set of eyes (agency)
Risk Acceptance Level
– JAB: Low risk tolerance level, security for security
– Agency: Varying levels of risk acceptance; business needs can justify more risk, as can individual agency policies
Continuous Monitoring
– JAB: JAB will maintain, agencies need to review
– Agency: Agency must work with CSP to complete

Why should Agencies do Agency ATOs? (slide 15)
Mandatory to meet FedRAMP Requirements
– OMB Policy Memo - Reporting to OMB through PortfolioStat
– Not a new process – the current NIST / FISMA authorization process, standardized
Timeframe
– If business needs exist to use a service now, agency doesn't have to wait on JAB
– Can complete an authorization faster than the JAB
Not ALL cloud providers will receive a JAB ATO
– JAB will only authorize those systems they see as being leveraged the most government-wide
– JAB will not authorize systems that do not meet certain capabilities and Federal requirements
Acceptance risk level is flexible
– HHS can vary acceptable risk levels based on many factors JAB doesn't consider (e.g. flexible baseline, types of data, business need, cost, ROI, etc.)
More Influence over CSP
– Contract with CSP allows agency to enforce capabilities
– FedRAMP does not have contracts with CSPs

Control Responsibility and Stacking Authorizations (slide 16)
Provider/Consumer responsibilities and how they interact
- There is no distinct line of where I/P/S (IaaS/PaaS/SaaS) offerings begin and end. The differences between vendors are part of what defines offerings, as well as what gives vendors advantages over competitors.
- However, I/P/S offerings create unique boundaries that "sit on top" of each other, and the consumer/agency responsibility is above all of these.
- Authorizations can be stacked on top of each other to create a singular authorization for a type of service.

3PAO Privatization (slide 17)
3PAO Privatization is designed to keep the rigor of the 3PAO program and free government resources
- Same process that was done for Health IT, NAVLAP, UL, etc.
- FedRAMP will maintain ownership of the accreditation list and is the final source of accreditation decisions
- Privatization is for accreditation reviews of applicants ONLY
- Privatization will also allow for increased surveillance post-accreditation

Privatization Timeframe (slide 18)
Tentative Timeline for 3PAO Privatization:
- March 25th: AB (Accreditation Body) Application Open
- April 15th: AB Application Closed
- May 15th: Cutoff for Government Review
- Summer (projected): Selection of AB
- October 1 (projected): AB Stood Up
- Currently reviewing AB applications
- We are evaluating all possibilities and approaches for transition of currently accredited 3PAOs to privatized accreditation review
- CSPs and Federal agencies will not be impacted due to privatization efforts – SARs will be accepted from anyone who is on the accredited list

For more information, please contact us or visit the following website (slide 19):
www.FedRAMP.gov
Email: info@fedramp.gov
@FederalCloud