Guide To Understanding FedRAMP - GSA


Guide to Understanding FedRAMP
Version 1.2
March 4, 2013

Executive Summary

This document provides helpful hints and guidance to make it easier to understand FedRAMP's requirements. The primary purpose of this document is to act as an aid for Cloud Service Providers and Third-Party Assessment Organizations (3PAOs) to get through the security assessment process quickly. The FedRAMP website can be found at www.fedramp.gov and information found in this document is consistent with the program described on the website. The FedRAMP program supports the U.S. government's mandate that all U.S. federal information systems comply with the Federal Information Security Management Act of 2002 (FISMA).

Page 2

Document Revision History

Date | Page | Description | Author
(not recorded) | (not recorded) | Version 1.0 | FedRAMP Office
10/15/2012 | pp. 38-39 | Added § 3.10.3, 3.10.4, and 3.10.5 (PE-2, PE-3, PE-4) | FedRAMP Office
10/26/2012 | p. 36 | Table number revised | FedRAMP Office
10/26/2012 | p. 46 | Table number revised | FedRAMP Office
10/26/2012 | p. 49 | Table number revised | FedRAMP Office
11/14/2012 | p. 20 | Added § 3.9; all other sections past § 3.9 renumbered | FedRAMP Office
11/14/2012 | p. 13 | § 1.5 revised | FedRAMP Office
11/14/2012 | p. 33 | § 3.10.4.2 revised | FedRAMP Office
02/04/13 | p. 40 | Added § 3.11.6, 3.11.7, 3.11.8 | FedRAMP Office
03/04/13 | p. 14 | § 2.2.4 revised to change 3PAO scans to annual | FedRAMP Office
03/04/13 | p. 18 | § 3.7, removed requirement for CTW | FedRAMP Office
03/04/13 | p. 13 | Updated Figure 2-1 | FedRAMP Office
03/04/13 | p. 38 | Added new § 3.11.3 | FedRAMP Office

Table of Contents

About this document ... 9
Who should use this document? ... 9
How this document is organized ... 9
Conventions used in this document ... 9
How to contact us ... 10
1. FedRAMP Introduction ... 11
1.1 Applicable Laws and Regulations ... 11
1.2 Applicable Standards and Guidance ... 11
1.3 FedRAMP governance ... 12
1.4 Overview of The FedRAMP Process ... 12
2. Guidelines For Third-Party Assessment Organizations ... 13
2.2.1 Security Assessment Plan (SAP) Template ... 14
2.2.2 Security Test Procedure Workbooks ... 14
2.2.3 Security Assessment Report (SAR) Template ... 14
2.2.4 Running Scans ... 14
3. Guidelines For Cloud Service Providers ... 15
3.1 Before You Begin ... 15
3.2 Initiating the Process ... 16
3.3 After Acceptance Into The FedRAMP Program ... 16
3.4 FIPS 199 Template ... 17
3.5 e-Authentication Template ... 17
3.6 Privacy Threshold Analysis & Privacy Impact Assessment ... 18
3.7 CTW Template ... 18
3.8 CIS Template ... 18
3.9 User Guide ... 20
3.10 Components, Boundaries, and Architecture ... 20
3.10.1 Describing Information System Components (§ 9.2 SSP) ... 20
3.10.2 Use Cases ... 21
3.10.4.1 Case 1: Simple IaaS ... 22
3.10.4.2 Case 2: Simple PaaS ... 22
3.10.4.3 Case 3: Simple SaaS ... 23
3.10.4.4 Case 4: One Provider, Just SaaS ... 23

3.10.4.5 Case 5: Two Cloud Providers, IaaS and PaaS ... 24
3.10.4.6 Case 6: Three Cloud Providers, IaaS, PaaS, and SaaS ... 25
3.10.4.7 Case 7: Two Cloud IaaS Providers ... 26
3.10.4.8 Case 8: Two Cloud IaaS Providers and a PaaS Provider ... 26
3.10.4.9 Case 9: Three Cloud Providers, One IaaS and Two PaaS ... 27
3.10.3 Discussing Virtualization ... 28
3.10.4 Discussing Boundaries (§ 9.2 in SSP) ... 29
3.10.4.1 Discussing Live Migrations ... 31
3.10.4.2 Discussing Storage Components ... 32
3.10.5 Addressing the Data Flow Diagram (§ 10.1.4 in SSP) ... 33
3.11 Describing the Security Controls in the SSP (§ 13 in SSP) ... 34
3.11.1 Security Control Summary Information ... 36
3.11.2 Security Control AC-7 ... 38
3.11.3 Security Control IA-5(3) ... 38
3.11.4 Security Control PE-2(a)(b)(c) ... 39
3.11.5 Security Control PE-3(a)(b)(c)(d)(e)(f)(g) ... 39
3.11.6 Security Control PE-4 ... 39
3.11.7 Security Control PE-5 ... 40
3.11.8 Security Control PE-6(a)(b)(c) ... 40
3.11.9 Security Control PE-6(1) ... 40
3.11.10 Security Control PE-13 (1)(2)(3) ... 41
3.11.11 Security Control PL (4) ... 41
3.11.12 Security Control SA-11(1) ... 42
3.11.13 Security Control SC-7 (1) ... 42
3.11.14 Security Control SC-13 ... 44
3.12 IT Contingency Plan (CP-2) ... 45
3.13 Business Impact Analysis (BIA) ... 45
3.14 Configuration Management Plan (CM-9) ... 45
3.15 Incident Response Plan (IR-8) ... 48
3.11.15 Security Control IR-2 ... 50
3.11.16 Security Control IR-3 ... 50
3.11.17 Security Control IR-4 ... 50
3.11.18 Security Control IR-4(1) ... 51
3.11.19 Security Control IR-5 ... 51

3.11.20 Security Control IR-6 ... 52
3.11.21 Security Control IR-6(1) ... 53
3.11.22 Security Control IR-7 ... 53
3.11.23 Security Control IR-7(1) ... 53
3.11.24 Security Control IR-7(2) ... 54
3.16 POA&M Template ... 54
4. Instructions for CSPs on Maintaining the Authorization ... 54
4.1 Ongoing Assessment and Continuous Monitoring ... 54
5. General Documentation Information for CSP ... 55
5.1 Formatting and Section Numbers ... 55
5.2 Sensitivity Markings ... 55
5.3 Items That Are Not Applicable ... 55

List of Tables

Table 3-1. Preparation Checklist ... 15
Table 3-2. Information Types for IaaS Providers ... 17
Table 3-3. Example of Security Control Summary Information ... 36
Table 3-5. Configuration Management Controls ... 45
Table 3-6. Configuration Management Nomenclature ... 46
Table 3-7. Incident Response Controls ... 48
Table 3-8. Agency Points of Contact to Report Incidents ... 52

List of Figures

Figure 2-1. FedRAMP Process ... 13
Figure 3-1. Screenshot from CTW ... Error! Bookmark not defined.
Figure 3-2. Select the Implementation Status in the CIS ... 19
Figure 3-3. Select the Control Origination Responsibility ... 19
Figure 3-4. Example of Components Described by Name ... 21
Figure 3-5. Example of Components Described by Function ... 21
Figure 3-6. One IaaS Provider ... 22
Figure 3-7. One Provider for IaaS and PaaS ... 23
Figure 3-8. One Provider, IaaS, PaaS, and SaaS ... 23
Figure 3-9. One Provider, Just SaaS ... 24
Figure 3-10. Two Providers, One IaaS and One PaaS ... 25
Figure 3-11. Three Providers, One IaaS, One PaaS, and One SaaS ... 25
Figure 3-12. Two IaaS Providers ... 26
Figure 3-13. Two IaaS and One PaaS Provider ... 27
Figure 3-14. Three Providers, One IaaS and Two PaaS ... 28
Figure 3-15. Security Controls Fitting Together ... 30
Figure 3-16. Security Control Gap ... 30
Figure 3-17. Example of Storage Array Illustration ... 33
Figure 3-18. Data Flow Diagram Example ... 34
Figure 3-19. Access Control for System Components ... 35
Figure 3-20. Two Access Control Mechanisms ... 35
Figure 3-21. TIC Compliant Architecture ... 43

ABOUT THIS DOCUMENT

This document has been developed to provide guidance on how to participate in and understand the FedRAMP program.

WHO SHOULD USE THIS DOCUMENT?

This document is intended to be used by cloud service providers (CSPs), 3PAOs, government contractors working on FedRAMP projects, government employees working on FedRAMP projects, and any outside organizations that want to make use of the FedRAMP assessment process.

HOW THIS DOCUMENT IS ORGANIZED

This document is divided into six sections and includes a number of attachments. Most sections include subsections.

Section 1 provides an introduction and overview of FedRAMP.
Section 2 provides instructions for third-party assessment organizations.
Section 3 provides instructions for cloud service providers on requirements and
Section 4 provides information to cloud service providers on how to maintain their authorization.
Section 5 provides general guidance on document formatting.

CONVENTIONS USED IN THIS DOCUMENT

This document uses the following typographical conventions:

Italic
Italics are used for email addresses, security control assignment parameters, and formal document names.

Italic blue in a box
Italic blue text in a blue box indicates instructions to the individual filling out the template.
Instruction: This is an instruction to the individual filling out the template.

Bold
Bold text indicates a parameter or an additional requirement.

Constant width
Constant width text is used for text that is representative of characters that would show up on a computer screen.

Notes
Notes are found between parallel lines and include additional information that may be helpful to the users of this template.
Note: This is a note.

Sans Serif
Sans Serif text is used for tables, table captions, figure captions, and the table of contents.

Sans Serif Gray
Sans Serif gray text is used for examples.

Tips
Tips include information designed to help simplify the process.
Tip: This is a tip.

HOW TO CONTACT US

If you have questions about FedRAMP or something in this document, please write to: info@fedramp.gov

For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov.

1. FEDRAMP INTRODUCTION

The FedRAMP program supports the U.S. government's objective to enable U.S. federal agencies to use managed service providers that enable cloud computing capabilities. The program is designed to comply with the Federal Information Security Management Act of 2002 (FISMA). This document includes guidance on how cloud service providers can meet FISMA requirements to obtain a FedRAMP Provisional Authorization.

1.1 APPLICABLE LAWS AND REGULATIONS

The following laws and regulations are applicable to the FedRAMP program:

- Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
- E-Authentication Guidance for Federal Agencies [OMB M-04-04]
- Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
- Freedom of Information Act As Amended in 2002 [PL 104-232, 5 USC 552]
- Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-05]
- Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection [HSPD-7]
- Internal Control Systems [OMB Circular A-123]
- Management of Federal Information Resources [OMB Circular A-130]
- Management's Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
- Privacy Act of 1974 as amended [5 USC 552a]
- Protection of Sensitive Agency Information [OMB M-06-16]
- Records Management by Federal Agencies [44 USC 31]
- Responsibilities for the Maintenance of Records

- A NIST Definition of Cloud Computing [NIST SP 800-145]
- Computer Security Incident Handling Guide [NIST SP 800-61, Revision 1]
- Contingency Planning Guide for Federal Information Systems [NIST SP 800-34, Revision 1]
- Engineering Principles for