1 / 10

Federal Risk and Authorization Management Program (FedRAMP)

Federal Risk and Authorization Management Program (FedRAMP). FIT Cloud Event. July 18, 2012. What is FedRAMP?. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

sahkyo
Download Presentation

Federal Risk and Authorization Management Program (FedRAMP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Federal Risk and Authorization Management Program (FedRAMP) FIT Cloud Event July 18, 2012

  2. What is FedRAMP? FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. • This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.

  3. Why FedRAMP? • Problem: • A duplicative, inconsistent, time consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies. • Solution: FedRAMP • Uniform risk management approach • Standard set of approved, minimum security controls (FISMA Low and Moderate Impact) • Consistent assessment process • Provisional ATO

  4. Executive Sponsors

  5. FedRAMP Scope of Services: A High-Level Summary • Cloud Security Requirements • Templates and Control Baselines • Assessment and Authorization • Joint Authorization Board reviewed and approved CSPs • Accredited 3rd Party Assessment Organizations (3PAO) • Demonstrated independence and technical competency • Ongoing Assessment and Authorization • Oversight of continuous monitoring, change control, incident reporting • Data Repository of Authorizations • Provisional Authorizations and agency authorization available

  6. Compliance with FedRAMP Agencies • Use the FedRAMP set of controls • Use the FedRAMP templates • Send ATO documentation to FedRAMP PMO for inclusion in the secure repository Cloud Service Providers • Submit application for FedRAMP authorization • Hire independent third party assessor to perform initial system assessment and on-going monitoring of controls • Create submit and maintain authorization packages • Provide Continuous Monitoring reports and updates to FedRAMP and leveraging agencies Third Party Assessors • Conduct Assessment of CSP Security Control Implementation • Generate Security Assessment Reports and associated evidence

  7. FedRAMP CONOPS: Process Areas Security Assessment 1.0 Leverage ATO 2.0 Ongoing Assessment & Authorization 3.0

  8. FedRAMP Phases and Timeline Phased evolution towards sustainable operations allows for the management of risks, capture of lessons learned, and incremental rollout of capabilities We Are Here! FY12 Gather Feedback and Incorporate Lessons Learned

  9. FedRAMP Concept of Operations – Overview Cloud Service Provider (CSP) Govt. Agency FedRAMP Agencies may sponsor a CSP Logs and Queues Request 1.1 Initiate Request Initiation Request Form Sponsor CSP for FedRAMP 1.2 Document Security Controls Agency may request to add controls or specific implementation criteria Tailor Controls Notifies Start of Process Sys Security Plan (SSP) Approves or Provides Feedback on SSP 1.0 Security Assessment 1.3 Perform Security Testing Security Assessment Results (SAR) Approves or Provides Feedback on SAR 3PAO Audit / Testing 1.4 Finalize Security Assessment Grants Govt.-wide Provisional ATO and Store Data in Repository Security Package Reviews Security Package Assesses impact and negotiates contract with CSP 2.1 Review of ATOand Security Package FedRAMP Data Repository 2.0 Leverage ATO 2.2 Grant Agency-Level ATO Grants Agency Specific ATO 3.1 Perform POAM / Annual Self Attestation Updates/ Self Attestation Maintains ATO / Update Repository Ensure POAM / Updates meet Agency ATO requirements 3.0 On Going Authorization (Continuous Monitoring) Coordinates Incident Response Handling Notify Events / Incidents Respond to Incident Resolution Notifications Analyze Data Feeds / Perform Risk Mgmt Provide Continuous Monitoring Data Feeds Collects and Analyzes Data Feeds Data Feeds

  10. For more information, please contact us or visit us at any of the following websites: http://FedRAMP.gov http://gsa.gov/FedRAMP @ FederalCloud

More Related