Why FedRAMP?
• Ability to sell cloud products to US Government Agencies and suppliers to the US Government
FedRAMP Terminology
● Authorization to Operate (ATO) – This is the goal of a FedRAMP certification: the
formal approval granted by each agency that uses our services
● Joint Authorization Board (JAB) – This is a group with representatives from several
agencies that can issue a provisional ATO (P-ATO). Each agency can then accept the P-ATO
by issuing its own ATO, or demand additional requirements on top of the P-ATO before doing so
● System Security Plan (SSP) – This is a formal, version-controlled document that explains
in detail how the in-scope systems meet the FedRAMP Security Requirements. Typically in
excess of 500 pages.
● Third Party Assessment Organization (3PAO) – This is the FedRAMP Auditor. Clean
audits must be completed before the initial ATO or P-ATO and each year thereafter to
maintain it.
FedRAMP Terminology (2)
What does ISCM Require? (High Level)
● Providing actionable communication of security status across all tiers of the organization;
and
What does ISCM Require? (Specifics)
● ISCM is most effective when automated mechanisms are employed where possible
for data collection and reporting.
FedRAMP High Level Actions
● Hire a FedRAMP Program Manager – An experienced compliance professional to guide Company
through the initial certification process and oversee the ongoing program
● Draft System Security Plan – This document will be driven by the PgM but will require considerable
cross-company collaboration
● Implement Security Controls – After designing the security controls that will be applicable to our
authorization boundary, they will be implemented in a segregated environment
● Staffing, Training & Communication Plan – While not specifically required by FedRAMP, this plan
will ensure that we have organizational alignment and the necessary skilled resources to support the
program.
● Implement Continuous Monitoring – After we implement the security controls, we will need to
maintain them and develop the supporting processes
● Identify Sponsor (Optional) – We may identify a sponsor that could allow us to bypass the JAB
● Engage 3PAO – After we are in a compliant state, a 3PAO will attest to that fact. The PgM will
determine the best time to bring in the 3PAO.
FedRAMP Authorization Process
Company Transformations
● Level of SDLC process rigor will need to increase (architecture reviews, design
reviews, code reviews, threat modeling)
● Increased Documentation
Questions
● No, just within our Authorization Boundary. Our scope will likely be limited to a few
designated (new) AWS Accounts and the supporting business processes
● Yes. While it is true that our SSP will need to be updated and approved before we
implement any changes within our Authorization Boundary, we will still be able to
innovate rapidly outside that boundary. This may mean that the services and
products inside the Auth Boundary diverge from our normal portfolio.
● It is still very early and all of that will be fleshed out in the SSP
How does the Federal Government Manage Risk?
Step 1: Categorize the information system based on a FIPS
Publication 199 impact assessment;
Step 2: Select the applicable security control baseline based on the
results of the security categorization and apply tailoring guidance;
Step 3: Implement the security controls and document the design,
development, and implementation details for the controls;
Step 4: Assess the security controls to determine the extent to which
the controls are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting the security
requirements for the system;
Step 5: Authorize information system operation based on a
determination of risk to organizational operations and assets,
individuals, other organizations, and the Nation resulting from the
operation and use of the information system and the decision that this
risk is acceptable; and
Step 6: Monitor the security controls in the information system and
environment of operation on an ongoing basis to determine control
effectiveness, changes to the system/environment, and compliance to
legislation, Executive Orders, directives, policies, regulations, and
standards.
The Assessment & Authorization (A&A) Process
What is an Authority to Operate (ATO) and Provisional
Authority to Operate (P-ATO)?
● There are two types of FedRAMP authorizations for cloud services:
- A Provisional Authority to Operate (P-ATO) through the Joint Authorization Board (JAB)
- An Agency Authority to Operate (ATO)
● A FedRAMP P-ATO is an initial approval of the CSP authorization package by the
JAB that an Agency can leverage to grant an ATO for the acquisition and use of the
cloud service within their Agency.
● As part of the Agency authorization process, a CSP works directly with the Agency
sponsor who reviews the cloud service’s security package. After completing a
security assessment, the head of an Agency (or their designee) can grant an ATO.
What is the Joint Authorization Board (JAB)?
● The JAB consists of the Chief Information Officers (CIOs) from DOD, DHS, and
GSA, supported by designated technical representatives (TRs) from their respective
member organizations.
● A P-ATO means that the JAB has reviewed the cloud service’s authorization
package and provided a provisional approval for Federal Agencies to leverage when
granting an ATO for a cloud system.
● For a cloud service to enter the JAB process, it must first be prioritized through
FedRAMP Connect.
- Priority is given to those cloud service offerings (CSOs) that are likely to be used by multiple
agencies
Does a P-ATO mean that several agencies can use the CSP?
Each agency that uses a CSP with a P-ATO must issue an ATO after
determining that the CSP has met that agency’s security requirements.
● When additional Statutory or Regulatory requirements apply to a particular business process, those
requirements MUST still be met—even when they are not addressed by minimum FedRAMP
requirements.
● For CMS business processes, those requirements typically include additional requirements associated
with HIPAA, HITECH, the Privacy Act, the Federal Records Act, and/or the Internal Revenue Code (IRC).
What is Continuous Monitoring?
Continuous Monitoring Reporting
● Once the FedRAMP Authorization is complete, a CSP must provide monthly continuous
monitoring deliverables to the agencies that are using their service.
● These deliverables typically include, but are not limited to, an updated POA&M, scan
results/reports, and system change information/requests, as agreed upon between the Agency
and the CSP.
● Each Agency using the service reviews the monthly continuous monitoring deliverables.
● Once a CSP has multiple Agencies using their FedRAMP Authorized service, the PMO
recommends that a vendor host monthly continuous monitoring collaboration calls.
● The CSP must employ a 3PAO to complete an annual security assessment to ensure that
the risk posture of the system is maintained at an acceptable level throughout the lifecycle of
the system. Annual security assessments update a system’s penetration testing results and
perform a comprehensive assessment of critical controls.
Authorization Boundary
● depict all major software/virtual components (or groups of) within the boundary; and
Authorization Boundary Exclusions
● all shared corporate services, with explicit rationale of any that are not within the
boundary, such as a corporate Security Operations Center (SOC) or corporate
security awareness training;
● all other external services with explicit rationale of any that are not within the
boundary (for example, services provided by a leveraged system as described in
Table 3-3); and
Data Flow Diagrams
There must be 3PAO-validated data flow diagram(s), and a written description of the
data flows. The diagram(s) must:
● clearly delineate how data comes into and out of the system boundary;
● clearly identify data flows for privileged, non-privileged and customer access; and
● depict how all ports, protocols, and services of all inbound and outbound traffic are
represented and managed.
NIST SP 800-53 Security Control Families
Security controls may involve aspects of policy, oversight, supervision, manual processes, actions by
individuals, or automated mechanisms implemented by information systems or devices.
The NIST SP 800-53 Trustworthiness Model
Following core security principles can result in more trustworthy systems. These include:
• simplicity,
• modularity,
• layering,
• domain isolation,
• least privilege,
• least functionality,
• resource isolation, and
• encapsulation.
Examples of Assessment Questions (1)
● Does the system uniquely identify and authorize organizational users (or processes acting
on behalf of organizational users) in a manner that cannot be repudiated and which
sufficiently reduces the risk of impersonation? [IA-2, IA-4, IA-4(4)]
● Does the system require multi-factor authentication (MFA) for administrative accounts and
functions? [IA-2, IA-2(1), IA-2(3)]
● Does the system restrict non-privileged users from performing privileged functions? [AC-6(10)]
● Does the system ensure secure separation of customer processing environments? [SC-2,
SC-3]
Examples of Assessment Questions (2)
● Does the system restrict access of administrative personnel in a way that limits the capability
of individuals to compromise the security of the information system? [AC-2(7)]
● Does the remote access capability include CSP-defined and implemented usage restrictions,
configuration guidance, and authorization procedures? [AC-17]
● Does the system have the capability to detect, contain, and eradicate malicious software?
[SI-3, SI-3 (1), SI-3 (2), SI-3 (7), MA-3 (2)]
● Does the system store audit data in a tamper-resistant manner which meets chain of custody
and any e-discovery requirements? [AU-7, AU-9]
● Does the CSP have the capability to detect unauthorized or malicious use of the system,
including insider threat and external intrusions? [SI-4, SI-4 (4), SI-7, SI-7 (7)]
● Does the CSP have an Incident Response Plan and a fully developed Incident Response
test plan? [IR-3, IR-8]
Examples of Assessment Questions (3)
● Does the CSP have a plan and capability to perform security code analysis and assess code
for security flaws, as well as identify, track and remediate security flaws? [SA-11, SA-11 (1),
SA-11 (8)]
● Does the CSP implement automated mechanisms for incident handling and reporting? [IR-4 (1), IR-6 (1)]
● Does the CSP retain online audit records for at least 90 days to provide support for
after-the-fact investigations of security incidents, and offline for at least one year to meet
regulatory and organizational information retention requirements? [AU-7, AU-7 (1), AU-11]
● Does the CSP have the capability to notify customers and regulators of confirmed incidents
in a timeframe consistent with all legal, regulatory, or contractual obligations? [FedRAMP
Incident Communications Procedures]
Examples of Assessment Questions (4)
● Does the CSP have the capability to recover the system to a known and functional state following an
outage, breach, DoS attack, or disaster? [CP-2, CP-2 (2), CP-2 (3), CP-9, CP-10]
● Does the CSP have a Contingency Plan and a fully developed Contingency Plan test plan in
accordance with NIST Special Publication 800-34? [CP-2, CP-8]
● Does the CSP maintain a current, complete, and accurate baseline configuration of the information
system? [CM-2]
● Does the CSP maintain a current, complete, and accurate inventory of the information system
software, hardware, and network components? [CM-8]
● Does the CSP follow a formal change control process that includes a security impact assessment?
[CM-3, CM-4]
Examples of Assessment Questions (5)
● Does the CSP employ automated mechanisms to detect inventory and configuration changes? [CM-2(2), CM-6(1), CM-8(3)]
● Does the CSP prevent unauthorized changes to the system? [CM-5, CM-5(1), CM-5(5)]
● Does the CSP establish configuration settings for products employed that reflect the most restrictive
mode consistent with operational requirements? [CM-6]
● Does the CSP ensure that checklists for configuration settings are Security Content Automation
Protocol (SCAP)-validated or SCAP-compatible (if validated checklists are not available)? [CM-6]
● Does the CSP perform authenticated operating system/ infrastructure, web, and database
vulnerability scans at least monthly, as applicable? [RA-5, RA-5(5)]
● Does the CSP demonstrate the capability to remediate High vulnerabilities within 30 days and
Moderate vulnerabilities within 90 days? [RA-5, FedRAMP Continuous Monitoring Guide]
Examples of Assessment Questions (6)
● When a High vulnerability is identified as part of ConMon activities, does the CSP consistently check
audit logs for evidence of exploitation? [RA-5(8)]
● Does the CSP’s change management capability include a fully functioning Change Control Board
(CCB)?
● Does the CSP have and use development and/or test environments to verify changes before
implementing them in the production environment?
● Does the system have any dependencies on other vendors such as a leveraged service offering,
hypervisor and operating system patches, physical security and/or software and hardware support?
● Within the system, are all products still actively supported by their respective vendors?
● Does the CSP have a formal agreement with a vendor, such as for maintenance of a leveraged service
offering?
Examples of Assessment Questions (7)
● Does the CSP have a lifecycle management plan that ensures products are updated before they reach
the end of their vendor support period?
● Does the CSP have the ability to scan all hosts in the inventory?
● Does the CSP have the ability to provide scan files in a structured data format, such as CSV, XML, or
.nessus files?
● Is the CSP properly maintaining their Plan of Actions and Milestones (POA&M), including timely,
accurate, and complete information entries for new scan findings, vendor check-ins, and closure of
POA&M items?
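The remediation timeframes (High within 30 days, Moderate within 90 days), the RA-5(8) audit-log check for High findings, and the expectation that scan results arrive in a structured format and are carried accurately on the POA&M all lend themselves to a small tracking script. The following Python is an added example, not code from the original slides or from FedRAMP; the CSV column layout, the host names, plugin IDs, dates and the reference date are constructed for illustration, and the handling of Low findings (no deadline) is an assumption, since the slides state no Low timeframe.

```python
"""
Added example (not part of the original FedRAMP slides): read a scan export in CSV
form, assign each open finding a remediation due date from the timeframes the slides
state (High: 30 days, Moderate: 90 days), and flag items that are overdue or that
need an audit-log review because they are High severity (RA-5(8)).
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows from the slides. Low is not stated there, so this example
# tracks Low findings without a deadline (an assumption, not a FedRAMP figure).
REMEDIATION_DAYS = {"High": 30, "Moderate": 90}

# Constructed sample scan export. The columns are an assumption for this example;
# real scanner exports (CSV, XML, .nessus) use their own schemas.
SAMPLE_SCAN_CSV = """host,plugin_id,severity,first_seen,status
web-01.example.internal,12345,High,2024-01-02,open
web-01.example.internal,22222,Moderate,2024-01-15,open
db-01.example.internal,33333,High,2024-02-20,open
db-01.example.internal,44444,Low,2023-12-01,open
app-02.example.internal,55555,Moderate,2023-11-01,closed
"""


@dataclass
class PoamItem:
    host: str
    plugin_id: str
    severity: str
    first_seen: date
    due: Optional[date]       # None when no timeframe applies
    overdue: bool
    days_overdue: int
    needs_log_review: bool    # RA-5(8): check audit logs for exploitation of High findings


def parse_scan_csv(text: str) -> list:
    """Parse a CSV scan export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_poam(rows, as_of_iso: str) -> list:
    """Turn open scan rows into POA&M entries evaluated as of the given ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    items = []
    for row in rows:
        if row["status"].strip().lower() != "open":
            continue  # closed findings are not carried forward on the POA&M
        sev = row["severity"].strip()
        first_seen = date.fromisoformat(row["first_seen"].strip())
        window = REMEDIATION_DAYS.get(sev)
        due = first_seen + timedelta(days=window) if window is not None else None
        overdue = due is not None and as_of > due
        days_overdue = (as_of - due).days if overdue else 0
        items.append(PoamItem(
            host=row["host"].strip(),
            plugin_id=row["plugin_id"].strip(),
            severity=sev,
            first_seen=first_seen,
            due=due,
            overdue=overdue,
            days_overdue=days_overdue,
            needs_log_review=(sev == "High"),
        ))
    return items


def summarize(items) -> dict:
    """Counts a ConMon reviewer would want at the top of the monthly deliverable."""
    return {
        "open": len(items),
        "overdue": sum(1 for i in items if i.overdue),
        "log_review": sum(1 for i in items if i.needs_log_review),
    }


if __name__ == "__main__":
    poam = build_poam(parse_scan_csv(SAMPLE_SCAN_CSV), "2024-03-01")
    for item in poam:
        due_text = item.due.isoformat() if item.due else "n/a"
        flags = []
        if item.overdue:
            flags.append(f"OVERDUE by {item.days_overdue} days")
        if item.needs_log_review:
            flags.append("audit-log review required")
        print(f"{item.host} plugin {item.plugin_id} {item.severity:<8} due {due_text} {'; '.join(flags)}")
    print(summarize(poam))
```

Run stand-alone, the script lists each open finding with its due date and flags; the same functions can be pointed at a real export once the column mapping is adjusted. Keeping the deadline computation in one table makes it easy to confirm against the Continuous Monitoring Guide during the annual 3PAO assessment.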