540 likes | 1.38k Views
Federal Risk and Authorization Management Program (FedRAMP). Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination Office lisa.carnahan@nist.gov 301-975-3362. What is FedRAMP?.
E N D
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination Office lisa.carnahan@nist.gov 301-975-3362
What is FedRAMP? FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. • This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.
Why FedRAMP? • Problem: • A duplicative, inconsistent, time consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies. • Solution: FedRAMP • Uniform risk management approach • Standard set of approved, minimum security controls (FISMA Low and Moderate Impact) • Consistent assessment process • Provisional ATO
FedRAMP builds upon existing policy, frameworks Agency ATO Agencies leverage FedRAMP process, heads of agencies understand, accept risk and grant ATOs FedRAMP Security Requirements FedRAMP builds upon NIST SPs establishing common cloud computing baseline supporting risk based decisions OMB A-130 NIST SP 800-37, 800-137, 800-53 OMB A-130 provide policy, NIST Special Publications provide risk management framework eGov Act of 2002 includes Federal Information Security Management Act (FISMA) Congress passes FISMA as part of 2002 eGov Act
FedRAMP and the Security Assessment and Authorization Process • Maintains Security Baseline including Controls & Continuous Monitoring Requirements • Maintains Assessment Criteria • Maintains Active Inventory of Approved Systems FedRAMP Independent Assessment Ongoing A&A (Continuous Monitoring) Provisional Authorization Trustworthy & Re-useable Near Real-Time Assurance Consistency and Quality • Joint Authorization Board reviews assessment packages and grants provisional authorizations • Agencies issue ATOs using a risk-based framework • CSP must retain an independent assessor from FedRAMP accredited list of 3PAOs • DHS – CyberScope Data Feeds • DHS – US CERT Incident Response and Threat Notifications • FedRAMP PMO – POA&Ms
FedRAMP 3PAO Accreditation – FedRAMP requires CSPs to use Third Party Assessment Organizations (3PAOs) to independently validate and verify that they meet FedRAMP security requirements Conformity assessment process to accredit 3PAOs based on NIST program Independence and quality management in accordance with ISO standards; and Technical competence through FISMA knowledge testing. • Benefits of leveraging a formal 3PAO approval process: • Consistency in performing security assessments • Ensures 3PAO independence from Cloud Service Providers • Establishes an approved list of 3PAOs for CSPs and Agencies to use Initial list published on fedramp.gov on May 14 2012, assessors are approved ongoing basis.
FedRAMP Major Players JAB (DOD, DHS, GSA) PMO- GSA Technical Advisor – NIST Continuous Monitoring - DHS Federal Agencies Provides Cloud IT Services with a provisional authorization granted by FedRAMP JAB Cloud Service Provider Performs initial and periodic assessment of security and privacy controls deployed in Cloud information systems 3rd Party Assessment Organization
FedRAMP Phases and Timeline Phased evolution towards sustainable operations allows for the management of risks, capture of lessons learned, and incremental rollout of capabilities We Are Here! FY12 Gather Feedback and Incorporate Lessons Learned
Key Benefits • Re-use of existing security assessments across agencies • Savings in cost, time and resources – do once, use many times • Risk based not compliance based • Transparency between government and cloud service providers • Transparency trust, reliability, consistency, and quality of the Federal security authorization process