Federal Risk and Authorization Management Program (FedRAMP)
FIT Cloud Event
July 18, 2012

What is FedRAMP?
• FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• This approach uses a "do once, use many times" framework that will save the cost, time, and staff required to conduct redundant agency security assessments.
Why FedRAMP?
• Problem: a duplicative, inconsistent, time-consuming, costly, and inefficient cloud security risk management approach, with little incentive for agencies to leverage each other's existing Authorizations to Operate (ATOs).
• Solution: FedRAMP
  • Uniform risk management approach
  • Standard set of approved, minimum security controls (FISMA Low and Moderate Impact)
  • Consistent assessment process
  • Provisional ATO

FedRAMP Scope of Services: A High-Level Summary
• Cloud Security Requirements
  • Templates and control baselines
• Assessment and Authorization
  • Joint Authorization Board (JAB) reviewed and approved CSPs
• Accredited Third Party Assessment Organizations (3PAOs)
  • Demonstrated independence and technical competency
• Ongoing Assessment and Authorization
  • Oversight of continuous monitoring, change control, and incident reporting
• Data Repository of Authorizations
  • Provisional Authorizations and agency authorizations available

Compliance with FedRAMP
Agencies
• Use the FedRAMP set of controls
• Use the FedRAMP templates
• Send ATO documentation to the FedRAMP PMO for inclusion in the secure repository
Cloud Service Providers
• Submit an application for FedRAMP authorization
• Hire an independent third party assessor to perform the initial system assessment and ongoing monitoring of controls
• Create, submit, and maintain authorization packages
• Provide Continuous Monitoring reports and updates to FedRAMP and leveraging agencies
Third Party Assessors
• Conduct assessment of the CSP's security control implementation
• Generate Security Assessment Reports (SARs) and associated evidence
FedRAMP CONOPS: Process Areas
• 1.0 Security Assessment
• 2.0 Leverage ATO
• 3.0 Ongoing Assessment & Authorization

FedRAMP Phases and Timeline
• Phased evolution towards sustainable operations allows for the management of risks, capture of lessons learned, and incremental rollout of capabilities.
• We Are Here: FY12, gather feedback and incorporate lessons learned.

FedRAMP Concept of Operations – Overview
(Swimlane diagram with three actors: Cloud Service Provider (CSP), Government Agency, and FedRAMP. Agencies may sponsor a CSP.)

1.0 Security Assessment
• 1.1 Initiate Request
  • CSP: submits the Initiation Request Form
  • Agency: may sponsor the CSP for FedRAMP
  • FedRAMP: logs and queues the request; notifies start of process
• 1.2 Document Security Controls
  • CSP: tailors controls and produces the System Security Plan (SSP)
  • Agency: may request additional controls or specific implementation criteria
  • FedRAMP: approves or provides feedback on the SSP
• 1.3 Perform Security Testing
  • 3PAO: conducts audit / testing
  • CSP: delivers the Security Assessment Report (SAR)
  • FedRAMP: approves or provides feedback on the SAR
• 1.4 Finalize Security Assessment
  • CSP: assembles the Security Package
  • FedRAMP: reviews the Security Package; grants a government-wide Provisional ATO and stores the data in the FedRAMP Data Repository

2.0 Leverage ATO
• 2.1 Review of ATO and Security Package
  • Agency: retrieves the package from the FedRAMP Data Repository, assesses impact, and negotiates a contract with the CSP
• 2.2 Grant Agency-Level ATO
  • Agency: grants an agency-specific ATO

3.0 Ongoing Authorization (Continuous Monitoring)
• 3.1 Perform POA&M / Annual Self Attestation
  • CSP: provides POA&M updates and annual self attestation
  • FedRAMP: maintains the Provisional ATO and updates the repository
  • Agency: ensures POA&M updates meet agency ATO requirements
• Incident Response
  • CSP: notifies events / incidents
  • FedRAMP: coordinates incident response handling
  • Agency: responds to incident resolution notifications
• Continuous Monitoring Data Feeds
  • CSP: provides continuous monitoring data feeds
  • FedRAMP: collects and analyzes data feeds
  • Agency: analyzes data feeds and performs risk management
For more information, please contact us or visit us at any of the following:
• http://FedRAMP.gov
• http://gsa.gov/FedRAMP
• @FederalCloud