Federal Risk and Authorization
Management Program
(FedRAMP)

FedRAMP Security Authorization Package

September 2012
Agenda


•   Objectives
•   FedRAMP Process
•   Document Overview
•   Package Review Process
•   Control Examples




                             2
Federal CIO Memorandum: FedRAMP Goals


• Cost-effective, risk-based approach to cloud
  adoption
• Standardize security requirements
• Consistent, independent, third-party assessment
• Leverage security experts from DHS, DOD, and GSA
  to conduct a joint authorization
• Standardize contract language
• Repository of authorization packages



Source: VanRoekel, Steven. Federal CIO memorandum titled “Security Authorization
of Information Systems in Cloud Computing Environments” (Dec 8, 2011).

                                                                                   3
Objectives


• Understand federal security assessment
  documentation
• Clarify what makes a bad, good, or great
  description of a security control implementation
• Provide lessons learned in applying a risk-based
  approach to security control selection
• Ensure Cloud Service Providers (CSPs) have the
  knowledge to successfully implement FedRAMP




                                                     4
FedRAMP Process (CSP Perspective)

                                          • Initiation
                                             – Request FedRAMP Authorization
                                             – Define and agree on scope
                                          • Security Assessment
                                             – Document security controls
                                             – 3PAO assesses security controls
                                          • Continuous Monitoring
                                             – Weakness Remediation
                                             – On-going control monitoring
                                             – Incident management
                                             – Data Feed Reporting



Source: Guide to Understanding FedRAMP,
Figure 2.1: FedRAMP Process

                                                                               5
Initiation: Starting the Process




http://www.fedramp.gov


                                    6
Initiation: Defining the Scope




FIPS 199 Categorization
• Define information types
• Establish security categorization baseline
      • Confidentiality
      • Integrity
      • Availability
• Risk-based adjustments

Control Tailoring Workbook
• Define the security control baseline
• Document unique control settings
• Discuss exceptions and compensating controls

Control Implementation Summary
• Control implementation status
      • In place
      • Planned
      • Somewhere in between
• Clarify control implementation roles and responsibilities
      • Cloud service provider
      • Customer
      • Hybrid
      • Inherited

Alternative Implementations: Enable innovation and flexibility in addressing
security controls.

                                                                                                              7
FIPS 199

• How do you intend for the cloud
  solution to be utilized?

[Figure: FIPS 199 categorization flow. NIST SP 800-60 Volume 1 supplies the
information type(s); NIST SP 800-60 Volume 2 supplies the confidentiality,
integrity and availability recommendations for each type; the CSP selection
follows, with a risk-based justification for any deviation from the
recommendations.]




                                                                                                                8
Control Tailoring Workbook (CTW)

[Figures: NIST SP 800-53 Revision 3; FedRAMP Control Reference (Tri-Fold)]

• Based on FIPS 199 Security Categorization
  (Low or Moderate)
• CSP intention in meeting or exceeding
  FedRAMP parameter settings
• CSP intention to deviate from control
  baseline
   • Unique and/or innovative control
      tailoring
   • Exceptions and associated
      compensating control decisions

 Encouraging innovation by meeting the intent of
     a control if not the specific language.




                                                                                          9
Control Implementation Summary (CIS)

• Who is doing what?
   • CSP
   • Customer
   • Hybrid
• CSP responsibilities should be clearly described in the System Security
  Plan (SSP) and supporting plans and procedures
• Customer responsibilities should be clearly described in the User Guide
  (SSP, Appendix 2)

Control Origination: Definition. Example.

Service Provider Corporate: A control that originates from the CSP corporate
network. Example: DNS from the corporate network provides address resolution
services for the information system and the service offering.

Service Provider System Specific: A control specific to a particular system
at the CSP that is not part of the service provider corporate controls.
Example: A unique host-based intrusion detection system (HIDS) is available
on the service offering platform but is not available on the corporate
network.

Service Provider Hybrid: A control that makes use of both corporate controls
and additional controls specific to a particular system at the CSP. Example:
Scans of the corporate network infrastructure are a corporate control; scans
of the databases and web-based applications are system specific.

Configured by Customer: A control where the customer needs to apply a
configuration in order to meet the control requirement. Example: User
profiles, policy/audit configurations, enabling/disabling key switches (e.g.,
enable/disable HTTP or HTTPS), and entering an IP range specific to the
customer's organization are configurable by the customer.

Provided by Customer: A control where the customer needs to provide additional
hardware or software in order to meet the control requirement. Example: The
customer provides a SAML SSO solution to implement two-factor authentication.

Shared: A control that is managed and implemented partially by the CSP and
partially by the customer. Example: Security awareness training must be
conducted by both the CSP and the customer.

Inherited from pre-existing Provisional Authorization: A control that is
inherited from another CSP system that has already received a Security
Authorization. Example: A PaaS or SaaS provider inherits PE (Physical and
Environmental Protection) controls from an IaaS provider.


                                                                                                                                      10
Control Implementation Summary (CIS)

• Current implementation
  status
• Elaborated on in the
  SSP

Implementation Status: Definition. Example.

Implemented: Control is implemented and operating as intended. Example: The
control description clearly states who, what, when and how the control is
implemented.

Partially Implemented: Some elements of the control are implemented and
operating as intended. Example: Not all elements of the control are met;
however, compensating controls are in place and a plan of action and
milestones (POA&M) is in place to address the gap.

Planned: Control is scheduled for implementation. Example: A new operating
system that may provide the required functionality will be available in
6 months.

Alternative Implementation: Control may not be implemented as stated by NIST
and FedRAMP; however, the CSP believes the intent of the control is met.
Example: The CSP describes a solution which it believes meets or exceeds the
control requirement.

Not Applicable: The control is not implemented because of the cloud design.
Example: Wireless controls may not be applicable for a system that does not
use wireless technology.




                                                                                                                         11
Kick-off Meeting




                                       • Establish points of
                                         contact/roles
                                       • Clarify
                                         Communication
                                       • Readiness Discussion
                                       • Process and Template
                                         Overview
                                       • Target Timeline




       Define the Boundary/Scope of the Solution


                                                                12
Kick-off Meeting: Boundary Definition


[Figure: boundary diagram showing the System Boundary, the Protection
Boundaries within it, the Internet, and components Outside the System
Boundary. Legend: System / Not System.]

The boundary visual is important for putting your security controls in context


                                                                                                 13
Document Marking

Guide to Understanding FedRAMP, Section 5.2

Ensure that all documents have sensitivity markings on at least the cover
page and the footer of each document. You may change the existing
sensitivity marking on any template to match your official company
sensitivity nomenclature if it is different than what is on the template.
Optionally, you may also put your sensitivity markings on the headers or
footers of any documents and on any other places in the documents where
you feel sensitivity markings should be placed.




                                                                            14
Initiation: Deliverable Summary

Deliverable: Description

FedRAMP Initiation Request (online link): The FedRAMP request form is used by
Federal agencies and CSPs to request initiation of the FedRAMP security
assessment process.

FIPS 199 Categorization (template available): The FIPS 199 security
categorization is used to determine the impact level to be supported by the
cloud information system/service. The provider categorizes its system based on
the data types currently stored, not on the data of a leveraging agency.

Control Tailoring Workbook (template available): This document is used by the
CSP to document its control implementation and define its implementation
settings for FedRAMP-defined parameters and any compensating controls.

Control Implementation Summary (template available): This document summarizes
control ownership and indicates which controls are owned and managed by the
CSP and which controls are owned and managed by the leveraging agency.



Source: FedRAMP Concept of Operations (CONOPS), Table 6-1.

                                                                                                               15
Security Assessment: Overview




FedRAMP System Security Plan
• Document what you are doing
• Optional: Document what you intend to do
• Completed by the CSP

Security Assessment Plan
• Test plan and procedures
• Tailored to cloud solution
• Developed by 3PAO in collaboration with the CSP

Security Assessment Report
• Test Results
• Statement of outstanding vulnerabilities and risk

Third-party Assessment Organization (3PAO) Deliverables: Not covered in this
training




                                                                                                 16
System Security Plan (SSP)


                         • Provides the big picture view
                         • Links the security
                           implementation into a
                           cohesive solution
                         • Clearly and consistently
                           documents security control
                           implementation
                         • Resource for the “boots on the
                           ground”
                         • Provides continuity for staff in
                           management of security
                           controls




                                                              17
Why 352 Page SSP Template?


• Eliminate variability in responses
     • Easier to document
     • Easier to read
     • Faster to evaluate
• Encourage federal-wide adoption
     • Leverage NIST standards
     • Existing federal education
     • Maximize re-use
• Eliminate common mistakes
     • Structure responses
     • Allow for detailed responses



                        Document what you are already doing.
                    Identify gaps in what you may have overlooked.


                                                                     18
SSP Overview


                                    Grouped into three (3) main areas


Scope
• System Description
• Points of Contact
• Boundary Definition
• Interconnections

Controls
• 18 Control Families
• Risk-based control selection
• Control tailoring

Appendices
• Policies
• Supporting plans and procedures
• Rules of Behavior



Note: Based on NIST Special Publication (SP) 800-18 Rev. 1, Guide for Developing
Security Plans for Federal Information Systems

                                                                                                       19
SSP Scope

[Figure: the System Security Plan (SSP) at the center, with the following
inputs around it.]

Initiation Deliverables
• FIPS 199
• Control Implementation Summary (CIS)
• Control Tailoring Workbook (CTW)

New Deliverables
• e-Authentication Worksheet (e-Auth)
• Draft Privacy Threshold Analysis (PTA)
• Draft Privacy Impact Assessment (PIA)
• Rules of Behavior (RoB)

Policies
• Supporting Policies

Supporting Plans and Procedures
• Continuous Monitoring Plan and Strategy
• Configuration Management Plan
• Contingency Plan
• Incident Response Plan
• User Guide

Leveraging existing vendor policies and procedures whenever possible.

                                                                                      20
E-Authentication Worksheet
                                                                       NIST SP 800-63



• Determine if e-Authentication
  requirements apply
• Determine applicable level of e-
  Authentication
Level 1: Little or no confidence in the asserted identity’s validity
Level 2: Some confidence in the asserted identity’s validity
Level 3: High confidence in the asserted identity’s validity
Level 4: Very high confidence in asserted identity’s validity


                                                                        OMB M-04-04




                                                                                        21
E-Authentication Worksheet

OMB M-04-04, Table 1: Maximum Potential Impacts for Each Assurance Level

Potential Impact Categories for                 Assurance Level Impact Profile
Authentication Errors                               1       2       3       4
Inconvenience, distress or damage to
  standing or reputation                           Low     Low     Mod     High
Financial loss or agency liability                 Low     Mod     Mod     High
Harm to agency programs or public interests        N/A     Low     Mod     High
Unauthorized release of sensitive information      N/A     Low     Mod     High
Personal Safety                                    N/A     N/A     Low     Mod, High
Civil or criminal violations                       N/A     Low     Mod     High



         Where does it affect
         the SSP?
         • Section 2.3
         • Section 17
              • IA-2
              • IA-5
              • IA-8                                       NIST SP 800-63
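The worksheet logic behind Table 1 is easy to get wrong by hand: each impact category is assessed separately, the table gives the highest impact each assurance level may carry per category, and the system must meet the highest level any single category demands. The following is an added example, not part of the FedRAMP deck or its templates, that encodes the table above and computes the required level for a set of assessed impacts; the "Mod, High" cell for Personal Safety at Level 4 is read as its upper bound, and categories not assessed are treated as N/A. (Caveat for current readers: the four OMB M-04-04 assurance levels used here were replaced by the IAL/AAL/FAL model of NIST SP 800-63-3, and M-04-04 was rescinded by OMB M-19-17.)

```python
# Added example (not from the FedRAMP deck): derive the required e-authentication
# assurance level from OMB M-04-04 Table 1 for a set of assessed impacts.
from typing import Dict

# Ordering of impact values; "N/A" means no impact at all is tolerated at that level.
IMPACT_RANK = {"N/A": 0, "Low": 1, "Mod": 2, "High": 3}

# OMB M-04-04 Table 1, columns = assurance levels 1..4: the maximum potential
# impact each level may carry in each category. "Mod, High" (Personal Safety,
# Level 4) is encoded as its upper bound, High.
MAX_IMPACT_BY_LEVEL: Dict[str, list] = {
    "Inconvenience, distress or damage to standing or reputation": ["Low", "Low", "Mod", "High"],
    "Financial loss or agency liability":                          ["Low", "Mod", "Mod", "High"],
    "Harm to agency programs or public interests":                 ["N/A", "Low", "Mod", "High"],
    "Unauthorized release of sensitive information":               ["N/A", "Low", "Mod", "High"],
    "Personal Safety":                                             ["N/A", "N/A", "Low", "High"],
    "Civil or criminal violations":                                ["N/A", "Low", "Mod", "High"],
}


def minimum_level_for(category: str, impact: str) -> int:
    """Lowest assurance level (1-4) whose ceiling for `category` covers `impact`."""
    need = IMPACT_RANK[impact]
    for level, ceiling in enumerate(MAX_IMPACT_BY_LEVEL[category], start=1):
        if IMPACT_RANK[ceiling] >= need:
            return level
    raise ValueError(f"{category}: impact {impact!r} exceeds every assurance level")


def worksheet(assessed: Dict[str, str]) -> Dict[str, object]:
    """Per-category minimum levels plus the overall requirement.

    `assessed` maps a category name to the impact the system owner assessed
    (N/A, Low, Mod or High). Categories left out are treated as N/A.
    """
    per_category = {
        cat: minimum_level_for(cat, assessed.get(cat, "N/A")) for cat in MAX_IMPACT_BY_LEVEL
    }
    # The system must satisfy the most demanding category.
    return {"per_category": per_category, "required_level": max(per_category.values())}


def required_assurance_level(assessed: Dict[str, str]) -> int:
    """Convenience wrapper returning only the overall level (1-4)."""
    return int(worksheet(assessed)["required_level"])


if __name__ == "__main__":
    # Constructed assessment for a hypothetical SaaS offering.
    example = {
        "Financial loss or agency liability": "Mod",
        "Unauthorized release of sensitive information": "Mod",
        "Personal Safety": "Low",
    }
    print(worksheet(example))  # required_level is 3, driven by Personal Safety
```

The per-category breakdown is what the reviewer wants to see in Section 2.3: it shows which category drove the level, which in turn justifies the IA-2, IA-5 and IA-8 parameter choices in Section 17.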



                                                                                                     22
SSP Points of Contact


• Information System Owner (ISO)
• Information System Security Officer (ISSO)
• Authorizing Official (AO)
• Others (depending on CSP approach)
     • Architect
     • Engineer
     • Manager
     • Technical




                                               23
SSP Descriptors

• Type of Cloud Implementation
• Leveraging any other Security Authorization Packages
  (inheriting controls)
• System Function/Purpose
     • Ensure alignment with the information types previously
       defined
• Types of Users
     • Be consistent with the roles defined in Section 9.3 and
       used throughout the SSP and supporting documents
• Boundary Discussion
     • Be consistent and complete in describing to ensure
       alignment throughout the SSP
     • If you can’t describe it, why should anyone believe you can
       protect it?
     • Should align to any diagrams presented previously
                                                                     24
Describing the Boundary


[Figure: System Boundary diagram. Inside the boundary: Network Architecture,
Network Inventory, Hardware Inventory, Software Inventory, and Ports,
Protocols and Services. Outside the System Boundary: the Internet and System
Interconnections.]


• Understand where users fit within the boundary – e.g., end users,
  administrators, security operations, and remote maintenance.


                                                                                             25
Review Standards

• Each document is verified for compliance with FedRAMP
  policy and consistency with other package documents

• Review expects responses to be:
    • Unambiguous
    • Specific
    • Complete
    • Comprehensible

• The SSP Template is designed to help achieve expected results




                                                                  26
Grading Standard (Notional)

• Pass (P):
   – All applicable document criteria are satisfied
• Fail (F):
   – Only some (or zero) applicable document criteria are satisfied
• Pass with Comments (PC):
   – Document criteria are satisfied in principle, but additional detail would
       yield a more complete response
   – Reviewer will specify the additional information to be included
• Not Applicable (N/A)
   – Requirement does not apply based on system characteristics and
       accreditation boundary (e.g., some requirements of AC-18 are N/A for
       non-wireless systems)




                                                                                 27
Structure of a Good Response

Reviewer assesses submission content in the context of four (4) criteria :
    1. What is the documented solution?
    2. Who is the responsible party for solution management?
    3. When is the solution reviewed or monitored for effectiveness?
    4. How does the solution meet applicable security requirements?


Reference applicable documentation

• Policy, SOPs, Rules of Behavior, common control catalogs, waivers,
  exceptions, etc.
• Any referenced documentation should be appended to the SSP, with the
  rationale for its inclusion clearly stated in the control implementation
  paragraph; ensure that the control language aligns with any referenced
  internal policies, procedures, and/or standards.



                                                                                    28
References


Internal References to another part of the same document are
   acceptable provided that each reference:
    • Includes section number
    • Is relevant to the referring section of the document

External References to other documents are acceptable provided that
   each reference:
    • Includes the full title, current version number, and release date
      of the referenced document
    • Briefly explains the rationale for the reference

    Note: If the reference does not pertain to the referring section, the
    corresponding checklist item will be graded “Fail”




                                                                            29
CONTROL EXAMPLES



 Please do not copy these examples into your system
 security plans verbatim. Copying these examples as
written is an early indicator that the proper due diligence
 wasn’t applied in analyzing and documenting security
                          controls.


                                                              30
AC-1: Access Control Policy and Procedures


The organization develops, disseminates, and reviews/updates [Assignment:
org-defined frequency]:

a. A formal, documented access control policy that addresses purpose,
   scope, roles, responsibilities, management commitment, coordination
   among organizational entities, and compliance; and

b. Formal, documented procedures to facilitate the implementation of the
   access control policy and associated controls.




                                                                            31
AC-1: Poor Response

Implementation:

System XX has an access control policy that is consistent with applicable federal laws,
directives, policies, regulations, standards, and guidance. It is updated annually.

The System Administrators and <CSP> management team personnel post notes and send
e-mail notifications to System XX users. System XX User and Administrator Guides are
periodically updated as new versions are released.




                                                                                          32
AC-1 : Good Response

Implementation:

(a) System XX’s Access Control Policy is listed in <CSP> Document ABC and includes
definitions of the purpose, scope, roles, responsibilities, and compliance requirements
for all <CSP> employees. Section 5.2 of Document ABC presents the <CSP> access
control policy. Section 5.2 of <CSP> handbook addresses roles and responsibilities.
Section 5.2 of Document ABC addresses the management commitment, coordination
among customer entities, and compliance related to access control.

The access control policy is consistent with the organization’s mission and functions
and with applicable laws, directives, policies, regulations, standards, and guidance.
The access control policy is reviewed and updated, when necessary, by the XX ISSO at
least annually.




                                                                                          33
AC-1: Good Response (continued)

(b) The access control procedures for System X are documented in organization
Document ABC, organization Document XYZ, and User Guide B; and are consistent with
applicable laws, Executive Orders, directives, policies, regulations, standards, and
guidance.

The access control procedures address all areas identified in the access control policy and
address achieving policy-compliance implementations of all associated controls. The
access control procedures are reviewed and updated, when necessary, by the XX ISSO at
least annually.

Access control policy and procedure documents are maintained on the <CSP> internal
SharePoint site, and are available for review upon request.




                                                                                              34
AC-7: Unsuccessful Login Attempts

The information system:

a. Enforces a limit of [Assignment: organization-defined number] consecutive
invalid login attempts by a user during a [Assignment: organization-defined time
period]; and

b. Automatically [Selection: locks the account/node for an [Assignment:
organization-defined time period]; locks the account/node until released by an
administrator; delays next login prompt according to [Assignment: organization-
defined delay algorithm]] when the maximum number of unsuccessful attempts
is exceeded. The control applies regardless of whether the login occurs via a
local or network connection.




                                                                                   35
AC-7: Poor Response

Implementation:
(a)(b) This control is partially inherited from the Data Center. Please see 'Appendix
A: Data Center Declaration of Controls' for implementation detail.

(a)(b) The XXX System Owner and ISSO ensures XXX system allows no more than
three (3) consecutive invalid access attempts by a user within a 24 hour time
period; and that the system automatically locks the account/node for 20 minutes
when the maximum number of unsuccessful attempts is exceeded.

The XXX ISSO is responsible for ensuring that the XXX system servers will
be configured in accordance with the Hardening Guidelines and lockout policy.




                                                                                    36
AC-7: Good Response

Data Center Implementation:
(a)(b) The <CSP> Data Center Application Team works with the <CSP> YYY System
Owner and YYY ISSO to determine acceptable configuration settings for the
implementation of this control on system servers/operating systems. The YYY
System Owner and YYY ISSO must provide the Data Center Application Team with
the following configuration setting requirements so they can be incorporated into
the final configuration for system servers: number of consecutive unsuccessful
login attempts before lockout, unsuccessful login count windows duration, and
unsuccessful login attempt lockout action type (with associated parameters).
Systems must provide required configuration settings in the form of a Group Policy
Object (GPO).




                                                                                     37
AC-7: Good Response (continued)

System Implementation:
(a)(b) The YYY default group policy limits unsuccessful login attempts to 3
unsuccessful login attempts in 120 minutes. When this limit is reached the
user is locked out for 20 minutes. The YYY System Owner is responsible for
providing these configuration requirements to the datacenter. The YYY
Administrators (YYY Software Services Team) are responsible for verifying
implementation. The GPO is implemented by the <CSP> Data Center
Application Team through Active Directory, and the GPO is applied to all
VMs within the domain. Group policy is maintained under configuration
control and any changes to this control are reviewed by the YYY ISSO. The
YYY ISSO reviews this control at least annually to ensure that it is
operating as intended by performing GPO review and testing.
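The annual "GPO review and testing" the good response promises is only meaningful if the exported policy is compared with the numbers written in the SSP. The following is an added example (not from the deck, FedRAMP, or any CSP) that does that comparison: the secedit excerpt is constructed, and the key names LockoutBadCount, ResetLockoutCount and LockoutDuration are the ones Windows writes to the [System Access] section of a `secedit /export` file.

```python
"""Compare an exported Windows account lockout policy with the AC-7 values
written in the SSP narrative (3 attempts in 120 minutes, 20-minute lockout).

Added example for this deck, not FedRAMP or CSP code. SAMPLE_SECEDIT_EXPORT is a
constructed excerpt in the format of `secedit /export /cfg <file>`; the keys
LockoutBadCount, ResetLockoutCount and LockoutDuration hold a count and two
durations in minutes.
"""
import configparser

# The values the AC-7 "good response" documents: attempts, window (min), lockout (min).
DOCUMENTED_LOCKOUT_POLICY = {
    "LockoutBadCount": 3,
    "ResetLockoutCount": 120,
    "LockoutDuration": 20,
}

# Constructed secedit excerpt. Real exports are UTF-16 files with many more
# sections; this one deliberately drifts from the documented count and window.
SAMPLE_SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 20
NewGuestName = "Guest"
[Version]
signature="$CHICAGO$"
Revision=1
"""


def _coerce(value):
    """secedit writes integers bare and strings in double quotes."""
    try:
        return int(value)
    except ValueError:
        return value.strip('"')


def parse_system_access(inf_text):
    """Return the [System Access] section of a secedit export as a dict."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the original key case (LockoutBadCount)
    parser.read_string(inf_text)
    return {key: _coerce(value) for key, value in parser["System Access"].items()}


def lockout_findings(inf_text, documented=DOCUMENTED_LOCKOUT_POLICY):
    """List (setting, documented, actual) for each setting that does not match
    the SSP narrative; an empty list means the narrative describes what is
    actually enforced. A key absent from the export is reported with
    actual=None (hosts with lockout disabled, LockoutBadCount = 0, typically
    export without the other two keys).
    """
    actual = parse_system_access(inf_text)
    return [
        (setting, expected, actual.get(setting))
        for setting, expected in documented.items()
        if actual.get(setting) != expected
    ]


if __name__ == "__main__":
    for setting, documented, observed in lockout_findings(SAMPLE_SECEDIT_EXPORT):
        print(f"AC-7 mismatch: {setting} documented={documented} actual={observed}")
```

Run against a real export from each VM in the domain, a non-empty result is exactly the evidence a 3PAO would ask for when the narrative and the GPO disagree.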




                                                                              38
CM-7: Least Functionality



The organization configures the information system to provide only essential
capabilities and specifically prohibits or restricts the use of the following
functions, ports, protocols, and/or services: [Assignment: org-defined list of
prohibited or restricted functions, ports, protocols, and/or services]

(1) The organization reviews the information system [Assignment: org-defined
    frequency] to identify and eliminate unnecessary functions, ports,
    protocols, and/or services.




                                                                                 39
CM-7: Poor Response

The ISSO ensures annually that only those ports, protocols, and services
necessary for system mission are enabled.




                                                                           40
CM-7: Good Response

CM-7: Only the features and port traffic required by System W are configured and
enabled. Unnecessary features, services, protocols, or capabilities are disabled or
removed. The list of prohibited protocols and services can be found in the secure
baseline configurations followed by System W, most notably the <CSP> Windows Server
2003/Vista/XP Secure Baseline Configuration Guide.

The ISSO is responsible for ensuring that the configuration settings for System W are in
compliance with <CSP> hardening guidance; the ISSO verifies configuration settings
weekly. Please refer to table 10-4 of this SSP for permitted ports and protocols. The list of
permitted ports and protocols is reviewed annually by the ISSO.

CM-7(1): Organization M IA Division conducts monthly Nessus scans of Organization M
systems for compliance with Agency hardening guidelines. These scans identify all
unnecessary functions, ports, protocols, and services. The IT Security Audit Team
conducts monthly audits where the prohibited ports and services are identified to ensure
no future use. Monthly Audit Reports are archived and are available upon request.
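One way to perform the weekly verification against the permitted ports and protocols table that the good response describes, as an added example that is not from the deck or any CSP: the allowlist (shaped like a row of an SSP ports/protocols/services table) and the `ss -tuln` listing are both constructed.

```python
"""Check a host's listening sockets against the SSP's permitted ports/protocols
table (CM-7). Added example, not FedRAMP or CSP code; PERMITTED_PORTS and
SAMPLE_SS_OUTPUT are constructed. The output layout mirrors Linux `ss -tuln`.
"""
import re

# Constructed allowlist: (port, transport, service, justification), as an SSP
# "Ports, Protocols and Services" table would record it.
PERMITTED_PORTS = [
    (22, "tcp", "SSH", "remote administration"),
    (443, "tcp", "HTTPS", "portal access"),
    (53, "udp", "DNS", "name resolution"),
    (8443, "tcp", "HTTPS-alt", "legacy portal interface"),
]

# Constructed `ss -tuln` output: Netid is tcp/udp, State is LISTEN (TCP) or
# UNCONN (UDP), and the local address column is addr:port.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

# transport, state, recv-q, send-q, then local address and port.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+")


def parse_listeners(ss_output):
    """Return a set of (port, transport, local_address) tuples from `ss -tuln`."""
    listeners = set()
    for line in ss_output.splitlines():
        match = LINE_RE.match(line)
        if not match or match.group(3) == "*":
            continue  # header line, or a socket without a fixed local port
        transport, address, port = match.group(1), match.group(2), int(match.group(3))
        listeners.add((port, transport, address))
    return listeners


def is_loopback(address):
    """True for sockets bound only to the local host."""
    return address == "[::1]" or address.startswith("127.")


def cm7_findings(ss_output, permitted=PERMITTED_PORTS, ignore_loopback=True):
    """Return sorted (port, transport, address) tuples that are listening but
    absent from the permitted table. Loopback-only listeners are skipped by
    default because nothing outside the host can reach them; pass
    ignore_loopback=False to include them in the baseline review.
    """
    allowed = {(port, transport) for port, transport, _svc, _why in permitted}
    findings = []
    for port, transport, address in parse_listeners(ss_output):
        if ignore_loopback and is_loopback(address):
            continue
        if (port, transport) not in allowed:
            findings.append((port, transport, address))
    return sorted(findings)


def unused_permissions(ss_output, permitted=PERMITTED_PORTS):
    """Permitted entries with no listener: candidates to drop from the table at
    the annual review, so the allowlist shrinks rather than only growing."""
    listening = {(port, transport) for port, transport, _addr in parse_listeners(ss_output)}
    return [entry for entry in permitted if (entry[0], entry[1]) not in listening]


if __name__ == "__main__":
    for port, transport, address in cm7_findings(SAMPLE_SS_OUTPUT):
        print(f"CM-7 finding: {transport}/{port} listening on {address} is not permitted")
    for port, transport, service, _why in unused_permissions(SAMPLE_SS_OUTPUT):
        print(f"CM-7 review: permitted {service} ({transport}/{port}) has no listener")
```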



                                                                                                41
MA-3: Maintenance Tools


The organization approves, controls, monitors the use of, and maintains on an
ongoing basis, information system maintenance tools

Enhancement 1: The organization inspects all maintenance tools carried into a facility
   by maintenance personnel for obvious improper modifications

Enhancement 2: The organization checks all media containing diagnostic and test
programs for malicious code before the media are used in the information system

Enhancement 3: The organization prevents the unauthorized removal of
maintenance equipment by one of the following: (i) verifying that there is no
organizational information contained on the equipment; (ii) sanitizing or destroying
the equipment; (iii) retaining the equipment within the facility; or (iv) obtaining an
exemption from a designated organization official explicitly authorizing removal of
the equipment from the facility.




                                                                                         42
MA-3: Poor Response

The System Administrator and the ISSO check all media containing diagnostic
and test programs for malicious code before the media are used within the
system. The SysAdmin checks all maintenance equipment with the capability of
retaining information so that no organizational information is written on the
equipment or the equipment is appropriately sanitized before release. If the
equipment cannot be sanitized, the equipment remains within the facility.
All tools approved for use on System Y are approved software according to the
Technical Reference Manual. Only individuals authorized to use these tools are
granted the necessary permissions. In the event an outside vendor is required
to perform maintenance activities, he or she is escorted at all times and all
equipment inspected.




                                                                                 43
MA-3: Good Response

The System Administrator has ultimate responsibility for all maintenance tools used within System
XX. Tools are selected from a predetermined tool set as documented in the Technical Reference
Manual. This list is updated and released annually by the XX system administrator. All system
maintenance activities follow standardized procedures, and all activities are pre-approved by the
system administrator. Tools must be signed out for a specified period of time prior to use and
signed back in upon completion. More detailed procedures may be found in Appendix D of this
document, “System XX Maintenance Procedures.”

(1) The facility housing System XX is guarded 24/7 by armed security guards. All visitors, including
maintenance personnel, are subjected to x-ray screening prior to being granted access. Once
through the initial entrance, maintenance personnel are sent to a separate room where all
materials are inspected by Person Y.

(2) System XX maintenance procedures include provisions for testing all media containing
diagnostic and test programs in a virtual environment prior to system use. This testing is performed
by the System Administrator.

(3) All maintenance equipment is contained within the facility at all times, and individuals are
subjected to bag search before leaving the premises. Property passes are required to remove
equipment from the building and security checks serial numbers on property passes each time
someone leaves the building.

                                                                                                       44
SA-12: Supply Chain Protection


The organization protects against supply chain threats by employing
[FedRAMP Parameter: List of measures to be approved by JAB but
determined by CSP] as part of a comprehensive, defense-in-breadth
information security strategy.




                                                                      45
SA-12: Poor Response

System XX uses due diligence to ensure supply chain protection by
employing the following measures by making sure all users are aware
of the rules. The System Owner verifies this control implementation at
least annually.




                                                                         46
SA-12: Good Response

System XX uses due diligence to ensure supply chain protection by employing the
following measures:
• Ensuring that all vendors have a positive performance record
• Ensuring that all vendors are in a secure financial position
• Reviewing suppliers and vendors to verify they are organizationally stable and have
     contingency plans in place
• Maintaining spares of critical information system components at two back-up sites
• Ensuring that all acquisitions are made through a federally approved contract
     process

<CSP> checks to ensure that all suppliers are financially secure by performing a credit
check through Dun & Bradstreet. <CSP> puts the following contract clause in all supplier
contracts to ensure that suppliers and vendors have a stable operating environment:
“Supplier must have an IT Contingency Plan in place that is available to <CSP> upon
request.” The System Owner, no less than annually, performs a review of all vendor
performance records, vendor financials, and vendor stability in accordance with the
organization’s vendor review policy. The System Owner also reviews the acquisition
process to ensure compliance with federal requirements. Additionally, the System Owner
performs inventory of critical information system components at back-up sites to ensure
all redundancy requirements are met.


                                                                                           47
SC-9: Transmission Confidentiality

The information system protects the confidentiality of transmitted information.

Enhancement 1: The organization employs cryptographic mechanisms to prevent
unauthorized disclosure of information during transmission unless otherwise
protected by [FedRAMP Parameter: a hardened or alarmed carrier Protective
Distribution System (PDS)]




                                                                                  48
SC-9: Poor Response


The organization employs cryptographic mechanisms to prevent
unauthorized disclosure of information during transmission by
employing FIPS 140-2 compliant cryptographic modules.




                                                                49
SC-9: Good Response


System A’s transmission/session confidentiality is provided during remote
administration of the system via SSH with [third-party vendor] two-factor
authentication. System transmission/session confidentiality for portal access to
the system is accomplished via SSL with [third-party vendor] two-factor
authentication. All internal communication is on the private network and is not
accessible from outside the boundary. Please refer to control IA-2 for a detailed
description of access to all System A devices and protections in place to protect
system integrity and confidentiality.




                                                                                    50
SC-9: Good Response (continued)

SC-9 (1) All communications with System A occur over two-factor authenticated
encrypted SSL or SSH channel. System A uses [third-party vendor] two-factor
authentication to authenticate to the FIPS 140-2 certified SSH and SSL cryptographic
modules deployed within the system. All system servers run a [custom] operating
system and use the [third-party vendor’s product] for OpenSSH and OpenSSL (OpenSSL
0.9.8e-fips-rhel5 and OpenSSH 5.2p1). The OpenSSL module is a software only, security
level 1 cryptographic module, running on a multi-chip standalone platform. The module
supplies cryptographic support for the SSH protocol or the [vendor] Linux user space.
The [vendor product] version for the validated module is 5.2p1. All cryptographic
operations and the module integrity check are performed by the [third-party vendor]
Linux OpenSSL Cryptographic Module for the OpenSSH module. [Third-party vendor]
authentication uses a time-synchronous solution that automatically changes the user’s
password every 60 seconds. All portals are built on these [third-party vendor] and
<CSP> systems; thus, they utilize the same FIPS 140-2 certified cryptographic modules.




                                                                                         51
SC-13: Use of Cryptography


The information system implements required cryptographic protections using
cryptographic modules that comply with applicable federal laws, Executive
Orders, directives, policies, regulations, standards, and guidance.

Enhancement 1: The organization employs, at a minimum, FIPS-validated
cryptography to protect unclassified information.




                                                                             52
SC-13: Poor Response


System 15 currently uses [vendor] Java Cryptography Extension, which is
not FIPS-compliant. This is currently being rectified.




                                                                          53
SC-13: Good Response

The <CSP> system is protected by various cryptographic modules that are embedded into
network devices that are part of the <CSP> network infrastructure. Since the <CSP> system
resides on the <CSP> infrastructure, the <CSP> system indirectly makes use of these
cryptographic modules. The <CSP> network devices that use cryptography are:
•     F5 load balancers
•     Cisco PIX firewalls
•     Cisco VPN concentrator

The F5 load balancers use the Nitrox II security processor made by Cavium Networks. The
Nitrox II security processor is embedded in the F5 box and comes bundled as part of the
F5 product. The FIPS 140-2 validation certificates are in the name of Cavium Networks and
are shown below:




                                                                                               54
SC-13: Good Response (continued)

Cisco PIX firewalls are installed on the WAI network perimeter and protect the <CSP> system
by providing separation between the Web, application, and database layers. A FIPS 140-2
validation certificate for the PIX firewalls is shown below:




(1) All encryption within the <CSP> system is implemented using AES-256, which is FIPS 140-2
compliant. All certificates are issued by the Agency Certificate Authority and reviewed by the
ISSO on an annual basis.




                                                                                                 55
IR-4: Incident Handling

The organization:
a. Implements an incident handling capability for security incidents that includes
   preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities;
   and
c. Incorporates lessons learned from ongoing incident handling activities into
   incident response procedures, training, and testing/exercises, and implements
   the resulting changes accordingly.

Enhancement 1: The organization employs automated mechanisms to support the
   incident handling process.

Requirement: The service provider ensures that individuals conducting incident
   handling meet personnel security requirements commensurate with the
   criticality/sensitivity of the information being processed, stored, and
   transmitted by the information system.



                                                                                     56
IR-4: Poor Response

The organization:
a. System Y incident response handling is based on the System Y Incident Response
   Plan developed for reporting incidents. System security engineers facilitate access to
   the system’s infrastructure logs and devices and agency security incident
   investigators in the event of an incident. The system’s Incident Response Plan is
   adjusted annually based on operational experience and includes incident detection,
   team invocation, analysis, containment, forensic capture, eradication, and recovery
   phases.
b. The Incident Response Plan was created in tandem with the system Contingency
   Plan. Both documents can be found appended to this SSP.
c. System documentation is currently not updated, due to personnel restrictions.

(1) The ABC tool monitors System Y and detects any anomalous activities. The Help
    Desk monitors the system 24/7 to immediately respond to any suspected incidents.
    The ABC tool is administered by the System Administrator.




                                                                                            57
IR-4: Good Response

More detailed procedures may be found in the Incident Response Plan attached to this
document. All members of the Incident Response Team maintain clearances
commensurate with the sensitivity and criticality level of information they are
permitted to handle. Records of these cleared individuals are maintained by the
Security Office.

a. System Y incident response handling is based on the System Y Incident Response
Plan developed for reporting incidents. System security engineers facilitate access to
the system’s infrastructure logs and devices and agency security incident investigators in
the event of an incident. The system’s Incident Response Plan is adjusted annually
based on operational experience and includes incident detection, team invocation,
analysis, containment, forensic capture, eradication, and recovery phases. The system
ISSO is responsible for incident response plan maintenance.




                                                                                             58
IR-4: Good Response (continued)

b. Incident handling activities are coordinated with contingency planning activities. Both
plans are developed, tested, and updated in tandem every year. The ISSO, in conjunction
with <CSP> incident response and contingency planning teams, coordinates specific
activities for the information system.


c. Incident response activities, policies, and procedures are revised annually by the Incident
Response Team to incorporate lessons learned, testing and training results, and system
alterations. As new procedures are developed or existing plan procedures edited, the
incident response team lead updates the incident response plan, distributes to team
members, and upcoming training is tailored to include exercises designed to test the
updated or new material. Incident response support documentation is stored on the <CSP>
internal SharePoint site and is available for review upon request.




                                                                                                 59
IR-4: Good Response (continued)


(1) The ABC tool monitors System Y and detects any anomalous activities. The Help
    Desk monitors the system 24/7 to immediately respond to any suspected
    incidents. The ABC tool is administered by the System Administrator.




                                                                                    60
CA-7: Continuous Monitoring

The organization establishes a continuous monitoring strategy and implements a
continuous monitoring program that includes:
a. A configuration management process for the information system and its constituent
components;
b. A determination of the security impact of changes to the information system and
environment of operation;
c. Ongoing security control assessments in accordance with the organizational
continuous monitoring strategy; and
d. Reporting the security state of the information system to appropriate organizational
officials [FedRAMP Parameter: monthly].




                                                                                          61
CA-7: Poor Response

Security controls protecting the ABC system are reviewed and monitored on an
ongoing basis. These activities include configuration management and control of
information system components, security impact analyses of changes to the system,
ongoing assessment of security controls, and status reporting on a weekly basis.
Selection criteria have been established for control monitoring and subsequently, a
subset of the security controls employed within ABC have been selected for the
purpose of continuous monitoring.




                                                                                      62
CA-7: Good Response

Under the guidance of the CISO, <CSP> has developed a Continuous Monitoring
    Program that applies to System W. A copy of <CSP>’s Continuous Monitoring
    Strategy may be requested from the <CSP> CISO.
a. More information about the configuration management process for System W may
    be found in the CM-3 control response, found in section 7.5.2 of this document.
b. Any change requests dealing with System W must be approved by the Change
    Control Board, with a recommendation by the system ISSO, prior to
    implementation.
c. A specific subset of controls, determined by the ISSO at the end of the previous fiscal
    year, is assessed each year by the technical team. By the end of the three-year ATO
    cycle, each control has been assessed at least once.
d. The status of relevant POA&Ms is reported by the ISSO to the System Owner on a
    monthly basis, and the ISSO provides the System Owner with a verbal daily system
    summary report as well as a written weekly report. If necessary, the System Owner
    chooses to escalate any report to his or her manager.




                                                                                             63
CM-6: Configuration Settings

The organization:
a. Establishes and documents mandatory configuration settings for information technology
     products employed within the information system using [FedRAMP Parameter: USGCB or CIS
     Level 1 or personal configuration settings if USGCB unavailable] that reflect the most
     restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for
individual components within the information system based on explicit operational requirements;
and
d. Monitors and controls changes to the configuration settings in accordance with organizational
policies and procedures.

Enhancement 1: The organization employs automated mechanisms to centrally manage, apply,
   and verify configuration settings.

Enhancement 3: The organization incorporates detection of unauthorized, security-relevant
configuration changes into the organization’s incident response capability to ensure that such
detected events are tracked, monitored, corrected, and available for historical purposes.




                                                                                                   64
CM-6: Poor Response


Security settings of information technology products used with the XX
system are set to the most restrictive mode consistent with information
system operational requirements. From NIST Special Publication 800-70,
guidance was received on necessary configuration settings for information
technology products.




                                                                            65
CM-6: Good Response

A. All servers, databases, and workstations are configured according to the Center for Internet
   Security (Level 1) guidelines. <CSP> maintains an internal repository of standard configuration
   settings for all products deployed. These baselines include required minimum settings as well as
   recommended settings.
B. Configuration settings are implemented and verified/updated weekly by the System
   Administrator.
C. No system component is exempt from mandatory minimum settings established in <CSP>
   baselines. Specific exemptions to recommended settings may be submitted through the
   configuration exceptions process documented in <CSP>’s configuration management SOP.
   Exceptions are tracked and approved using <CSP>’s proprietary configuration tracking tool.
D. Team X monitors and controls changes to configuration settings by using ZZZ monitoring system.
   Any and all changes must go through the official change request process.

More information may be found in the Configuration Management Standard Operating Procedures
(SOP) appended to this document.

(1) In addition to controlling changes, ZZZ monitoring system is enabled to detect unauthorized
system changes.
(3) Upon detection of an unauthorized change or setting, a notice is automatically sent to the
Organization Y SOC to report and track the incident.


                                                                                                      66
POA&Ms

• All information security weaknesses which you intend to resolve must be
  documented in Plan of Action and Milestones (POA&Ms) and referenced in
  the appropriate sections. The POA&M indicates:
   • CSP is aware of the associated risk
   • CSP has a plan for mitigating
   • CSP is managing the weakness to closure
• Security controls identified as “planned”
   • As part of minimum security baseline require a POA&M
   • Enhancements above the baseline do not require a POA&M
• Security weaknesses which you do not intend to resolve reflect accepted
  risk.
   • The CSP is only making a recommendation of accepted risk; the Joint
        Authorization Board (JAB) will determine if the level of risk is acceptable
        for issuing a Provisional Authorization.


                                                                                      67
Compensating Controls

• When a security control cannot be achieved as written, a compensating
  control may be sufficient for achieving the intent of the requirement.

• A compensating control may include additional management, technical or
  operational controls. For example,

    • Additional manual inspections may assist when a technical solution
      would be prohibitively expensive or not practical.
    • Additional technical monitoring may be an option if existing standard
      operating procedures are not being implemented properly.

• Apply professional judgment. You must understand the security control in
  the context of your solution. Remember to address the intent of the control
  if you cannot meet the specifics of the control.


                                                                                68
System Changes

• CA-6(c): define “Significant Change”

• List the types of changes which will require
notification versus updated documentation and/or
reauthorization. Change examples:
   • Points of Contact
   • Risk posture
   • Boundary

• Managed change is fine. Unmanaged change is not.


                                                     69
SSP Documents

Deliverable: Description

System Security Plan (template available): This document describes how the controls are implemented within the cloud information system and its environment of operation. The SSP is also used to describe the system boundaries.

Information Security Policies: This document describes the CSP’s Information Security Policy that governs the system described in the SSP.

User Guide: This document describes how leveraging agencies use the system.

Rules of Behavior (sample available): This document is used to define the rules that describe the system user's responsibilities and expected behavior with regard to information and information system usage and access.

IT Contingency Plan (template available): This document is used to define and test interim measures to recover information system services after a disruption. The ability to prove that system data can be routinely backed up and restored within agency specified parameters is necessary to limit the effects of any disaster and the subsequent recovery efforts.

Configuration Management Plan (template available): This plan describes how changes to the system are managed and tracked. The Configuration Management Plan should be consistent with NIST SP 800-128.

                       Source: FedRAMP Concept of Operations (CONOPS), Table 6-2.

                                                                                                           70
SSP Documents (continued)

Deliverable: Description

Incident Response Plan: This plan documents how incidents are detected, reported, and escalated and should include timeframes, points of contact, and how incidents are handled and remediated. The Incident Response Plan should be consistent with NIST Special Publication 800-61.

E-Authentication Workbook (template available): This template will be used to indicate if E-Authentication will be used in the cloud system and defines the required authentication level (1-4) in terms of the consequences of the authentication errors and misuse of credentials. Authentication technology is selected based on the required assurance level.

Privacy Threshold Analysis (template available): This questionnaire is used to help determine if a Privacy Impact Assessment is required.

Privacy Impact Assessment (template available): This document assesses what Personally Identifiable Information (PII) is captured and if it is being properly safeguarded. This deliverable is not always necessary.




                         Source: FedRAMP Concept of Operations (CONOPS), Table 6-2.

                                                                                                          71
Tips


Avoid easy mistakes:
   • Incorrect document references
   • Non-applicable controls described as though implemented
   • Restating the control as the control implementation language
   • Lazily copied-and-pasted text
   • Misaligned expiration dates
   • Muddled POA&M numbering
   • Answers to the four questions that do not make clear to the reader
      which question each answer addresses

Follow the structure of the control statement to ensure a complete response
    • A NIST base control typically enumerates several specific requirements, as
      well as one or more enhancements
    • Individually address each requirement and enhancement in the
      implementation response

                                                                                   72
Common Mistakes

• Maintenance (MA-2, MA-4):
   – Onsite
   – Offsite
   – Non-Local

• Flaw Remediation (SI-2):
   – Application/Database Level
   – Operating System Level
   – Network Infrastructure Level




                                    73
Common Mistakes

• Information Flow (AC-4, SC-7):
   – Internal Boundary vs. Perimeter
   – Mechanisms (VLAN, DMZ, RBAC)

• Encryption (SC-8, SC-9, SC-13, SC-28):
   – FIPS 140-2 / 197 Compliance
   – At-Rest vs. In-Motion
   – Transmission Confidentiality vs. Transmission Integrity

• Remote Access (AC-17):
   – Remote vs. Local
   – Virtual Private Network (VPN) Tunneling



                                                               74
For more information, please contact us or
visit us at any of the following websites:
http://FedRAMP.gov
http://gsa.gov/FedRAMP
               @FederalCloud

ACM RecSys 2011 - Rank and Relevance in Novelty and Diversity Metrics for Rec...Pablo Castells
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips Mario Worwell
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
추천, 개인화 그리고 물류 예측 - 어떻게 시작하고 무엇을 준비해야 하는가? - 김민성 솔루션즈 아키텍트, AWS / 경희정 부장, CJ대...
추천, 개인화 그리고 물류 예측 - 어떻게 시작하고 무엇을 준비해야 하는가? - 김민성 솔루션즈 아키텍트, AWS / 경희정 부장, CJ대...추천, 개인화 그리고 물류 예측 - 어떻게 시작하고 무엇을 준비해야 하는가? - 김민성 솔루션즈 아키텍트, AWS / 경희정 부장, CJ대...
추천, 개인화 그리고 물류 예측 - 어떻게 시작하고 무엇을 준비해야 하는가? - 김민성 솔루션즈 아키텍트, AWS / 경희정 부장, CJ대...Amazon Web Services Korea
 
Cyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryCyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryProlifics
 

Was ist angesagt? (19)

INCIDENT RESPONSE CONCEPTS
INCIDENT RESPONSE CONCEPTSINCIDENT RESPONSE CONCEPTS
INCIDENT RESPONSE CONCEPTS
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe ÖnalNetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
 
User and Entity Behavior Analytics using the Sqrrl Behavior Graph
User and Entity Behavior Analytics using the Sqrrl Behavior GraphUser and Entity Behavior Analytics using the Sqrrl Behavior Graph
User and Entity Behavior Analytics using the Sqrrl Behavior Graph
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower Costs
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESM2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESM
 
Clustering Malware Activity: How We Do Attribution
Clustering Malware Activity: How We Do AttributionClustering Malware Activity: How We Do Attribution
Clustering Malware Activity: How We Do Attribution
 
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
 
NTXISSACSC4 - Identity as a Threat Plane Leveraging UEBA and IdA
NTXISSACSC4 - Identity as a Threat Plane Leveraging UEBA and IdANTXISSACSC4 - Identity as a Threat Plane Leveraging UEBA and IdA
NTXISSACSC4 - Identity as a Threat Plane Leveraging UEBA and IdA
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
 
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsLessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
 
Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)
 
ACM RecSys 2011 - Rank and Relevance in Novelty and Diversity Metrics for Rec...
ACM RecSys 2011 - Rank and Relevance in Novelty and Diversity Metrics for Rec...ACM RecSys 2011 - Rank and Relevance in Novelty and Diversity Metrics for Rec...
ACM RecSys 2011 - Rank and Relevance in Novelty and Diversity Metrics for Rec...
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
추천, 개인화 그리고 물류 예측 - 어떻게 시작하고 무엇을 준비해야 하는가? - 김민성 솔루션즈 아키텍트, AWS / 경희정 부장, CJ대...
추천, 개인화 그리고 물류 예측 - 어떻게 시작하고 무엇을 준비해야 하는가? - 김민성 솔루션즈 아키텍트, AWS / 경희정 부장, CJ대...추천, 개인화 그리고 물류 예측 - 어떻게 시작하고 무엇을 준비해야 하는가? - 김민성 솔루션즈 아키텍트, AWS / 경희정 부장, CJ대...
추천, 개인화 그리고 물류 예측 - 어떻게 시작하고 무엇을 준비해야 하는가? - 김민성 솔루션즈 아키텍트, AWS / 경희정 부장, CJ대...
 
Cyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryCyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities Industry
 

Andere mochten auch

Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesTuan Phan
 
Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspTuan Phan
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...James W. De Rienzo
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateGovCloud Network
 
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalMarch 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalTuan Phan
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0Valdez Ladd MBA, CISSP, CISA,
 
Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Tuan Phan
 
Wave 1 Implementation Summary
Wave 1 Implementation SummaryWave 1 Implementation Summary
Wave 1 Implementation SummaryHafizul Alam
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourPriyanka Aash
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTuan Phan
 
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - PanelFocus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - PanelAkamai Technologies
 
Conops v1.1 07162012_508
Conops v1.1 07162012_508Conops v1.1 07162012_508
Conops v1.1 07162012_508Tuan Phan
 
Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712Tuan Phan
 
323090341 camila-diaz-902-sistemas
323090341 camila-diaz-902-sistemas323090341 camila-diaz-902-sistemas
323090341 camila-diaz-902-sistemasCamila Diaz
 
20130529 apresentacao padrao-v46 (1)
20130529 apresentacao padrao-v46 (1)20130529 apresentacao padrao-v46 (1)
20130529 apresentacao padrao-v46 (1)Jose_Sergio_Gabrielli
 
Bookman.GIRLeadInstitute.2016.v3.distro
Bookman.GIRLeadInstitute.2016.v3.distroBookman.GIRLeadInstitute.2016.v3.distro
Bookman.GIRLeadInstitute.2016.v3.distroRichard Bookman
 

Andere mochten auch (20)

Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slides
 
Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for csp
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) Template
 
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalMarch 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
 
Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213
 
Wave 1 Implementation Summary
Wave 1 Implementation SummaryWave 1 Implementation Summary
Wave 1 Implementation Summary
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an Hour
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
 
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - PanelFocus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
 
A Closer Look on C&C Panels
A Closer Look on C&C PanelsA Closer Look on C&C Panels
A Closer Look on C&C Panels
 
Conops v1.1 07162012_508
Conops v1.1 07162012_508Conops v1.1 07162012_508
Conops v1.1 07162012_508
 
Azure gov march 15th
Azure gov march 15thAzure gov march 15th
Azure gov march 15th
 
Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712
 
323090341 camila-diaz-902-sistemas
323090341 camila-diaz-902-sistemas323090341 camila-diaz-902-sistemas
323090341 camila-diaz-902-sistemas
 
20130529 apresentacao padrao-v46 (1)
20130529 apresentacao padrao-v46 (1)20130529 apresentacao padrao-v46 (1)
20130529 apresentacao padrao-v46 (1)
 
Palacio de ferrera
Palacio de ferreraPalacio de ferrera
Palacio de ferrera
 
Bookman.GIRLeadInstitute.2016.v3.distro
Bookman.GIRLeadInstitute.2016.v3.distroBookman.GIRLeadInstitute.2016.v3.distro
Bookman.GIRLeadInstitute.2016.v3.distro
 

Ähnlich wie FedRAMP CSP SSP Training

Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsAlgoSec
 
Why the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureWhy the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureInnoTech
 
Why the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureWhy the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureInnoTech
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesCloudPassage
 
Migrating To Cloud &amp; Security @ FOBE 2011
Migrating To Cloud &amp; Security @ FOBE 2011Migrating To Cloud &amp; Security @ FOBE 2011
Migrating To Cloud &amp; Security @ FOBE 2011commandersaini
 
Why do Hand-picked Cherries... (2009)
Why do Hand-picked Cherries... (2009)Why do Hand-picked Cherries... (2009)
Why do Hand-picked Cherries... (2009)Marc Jadoul
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMPRay Potter
 
Nagios Conference 2012 - Andreas Ericsson - Merlin
Nagios Conference 2012 - Andreas Ericsson - MerlinNagios Conference 2012 - Andreas Ericsson - Merlin
Nagios Conference 2012 - Andreas Ericsson - MerlinNagios
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesHyTrust
 
Cybersecurity exchange briefing oct 2012 v2
Cybersecurity exchange briefing oct 2012 v2Cybersecurity exchange briefing oct 2012 v2
Cybersecurity exchange briefing oct 2012 v2Naba Barkakati
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 
Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITX...
Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITX...Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITX...
Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITX...Splunk
 
Rob kloots auditoutsourcedit
Rob kloots auditoutsourceditRob kloots auditoutsourcedit
Rob kloots auditoutsourceditRobert Kloots
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud   a case study by phi...Yes, you can be pci compliant using a public iaas cloud   a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...Khazret Sapenov
 
Taking Lab Management to the Next Level - QualiSystems & Testwise in a joint PPT
Taking Lab Management to the Next Level - QualiSystems & Testwise in a joint PPTTaking Lab Management to the Next Level - QualiSystems & Testwise in a joint PPT
Taking Lab Management to the Next Level - QualiSystems & Testwise in a joint PPTqualisystems
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...Skoda Minotti
 
IBM Tivoli Endpoint Manager - PCTY 2011
IBM Tivoli Endpoint Manager - PCTY 2011IBM Tivoli Endpoint Manager - PCTY 2011
IBM Tivoli Endpoint Manager - PCTY 2011IBM Sverige
 

Ähnlich wie FedRAMP CSP SSP Training (20)

Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation Firewalls
 
Why the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureWhy the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and Secure
 
Why the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureWhy the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and Secure
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud Guidelines
 
Migrating To Cloud &amp; Security @ FOBE 2011
Migrating To Cloud &amp; Security @ FOBE 2011Migrating To Cloud &amp; Security @ FOBE 2011
Migrating To Cloud &amp; Security @ FOBE 2011
 
Why do Hand-picked Cherries... (2009)
Why do Hand-picked Cherries... (2009)Why do Hand-picked Cherries... (2009)
Why do Hand-picked Cherries... (2009)
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMP
 
Nagios Conference 2012 - Andreas Ericsson - Merlin
Nagios Conference 2012 - Andreas Ericsson - MerlinNagios Conference 2012 - Andreas Ericsson - Merlin
Nagios Conference 2012 - Andreas Ericsson - Merlin
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
 
Cybersecurity exchange briefing oct 2012 v2
Cybersecurity exchange briefing oct 2012 v2Cybersecurity exchange briefing oct 2012 v2
Cybersecurity exchange briefing oct 2012 v2
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013
 
Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITX...
Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITX...Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITX...
Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITX...
 
Rob kloots auditoutsourcedit
Rob kloots auditoutsourceditRob kloots auditoutsourcedit
Rob kloots auditoutsourcedit
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud   a case study by phi...Yes, you can be pci compliant using a public iaas cloud   a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
 
System Center Configurations Manager 2012
System Center Configurations Manager 2012System Center Configurations Manager 2012
System Center Configurations Manager 2012
 
Taking Lab Management to the Next Level - QualiSystems & Testwise in a joint PPT
Taking Lab Management to the Next Level - QualiSystems & Testwise in a joint PPTTaking Lab Management to the Next Level - QualiSystems & Testwise in a joint PPT
Taking Lab Management to the Next Level - QualiSystems & Testwise in a joint PPT
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
 
IBM Tivoli Endpoint Manager - PCTY 2011
IBM Tivoli Endpoint Manager - PCTY 2011IBM Tivoli Endpoint Manager - PCTY 2011
IBM Tivoli Endpoint Manager - PCTY 2011
 

FedRAMP CSP SSP Training

  • 1. Federal Risk and Authorization Management Program (FedRAMP) FedRAMP Security Authorization Package September 2012
  • 2. Agenda • Objectives • FedRAMP Process • Document Overview • Package Review Process • Control Examples 2
  • 3. Federal CIO Memorandum: FedRAMP Goals • Cost-effective, risk-based approach to cloud adoption • Standardize security requirements • Consistent, independent, third-party assessment • Leverage security experts from DHS, DOD, and GSA to conduct a joint authorization • Standardize contract language • Repository of authorization packages Source: VanRoekel, Steven. Federal CIO memorandum titled “Security Authorization of Information Systems in Cloud Computing Environments” (Dec 8, 2011). 3
  • 4. Objectives • Understand federal security assessment documentation • Clarify what makes a bad, good, or great description of a security control implementation • Provide lessons learned in applying a risk-based approach to security control selection • Ensure Cloud Service Providers (CSPs) have the knowledge to successfully implement FedRAMP 4
  • 5. FedRAMP Process (CSP Perspective) • Initiation – Request FedRAMP Authorization – Define and agree on scope • Security Assessment – Document security controls – 3PAO assess security controls • Continuous Monitoring – Weakness Remediation – On-going control monitoring – Incident management – Data Feed Reporting Source: Guide to Understanding FedRAMP, Figure 2.1: FedRAMP Process 5
  • 6. Initiation: Starting the Process http://www.fedramp.gov 6
  • 7. Initiation: Defining the Scope FIPS 199 Categorization Control Tailoring Workbook Control Implementation Summary • Define information types • Define the security control • Control implementation status • Established security baseline • In place categorization baseline • Document unique control • Planned • Confidentiality settings • Somewhere in between • Integrity • Discuss exceptions and • Clarify control implementation • Availability compensating controls roles and responsibilities • Risk-based adjustments • Cloud service provider • Customer • Hybrid • Inherited Alternative Implementations: Enable innovation and flexibility in addressing security controls. 7
  • 8. FIPS 199 NIST SP 800-60 Volume 1 • How do you intend for the cloud solution to be utilized? Risk-based Justification for NIST SP 800-60 Volume 2 deviating from recommendations CSP Selection Availability Recommendation Integrity Recommendation Confidentiality Recommendation Information Type(s) 8
  • 9. Control Tailoring Workbook (CTW) NIST SP 800-53 Revision 3 • Based on FIPS 199 Security Categorization (Low or Moderate) • CSP intention in meeting or exceeding FedRAMP parameter settings • CSP intention to deviate from control baseline • Unique and/or innovative control tailoring FedRAMP Control Reference (Tri-Fold) • Exceptions and associated compensating control decisions Encouraging innovation by meeting the intent of a control if not the specific language. 9
  • 10. Control Implementation Summary (CIS) Control Origination Definition Example • Who is doing what? Service Provider Corporate A control that originates from the CSP corporate network. DNS from the corporate network provides address resolution • CSP services for the information system and the service offering. • Customer Service Provider A control specific to a particular A unique host based intrusion • Hybrid System Specific system at the CSP and the control is not part of the service provider detection system (HIDs) is available on the service offering corporate controls. platform but is not available on the corporate network. • CSP responsibilities Service Provider Hybrid A control that makes use of both Scans of the corporate network should be clearly corporate controls and additional infrastructure; scans of databases controls specific to a particular and web based application are described in the System system at the CSP. system specific. Security Plan (SSP) and Configured by A control where the customer needs User profiles, policy/audit Customer to apply a configuration in order to configurations, enabling/disabling supporting plans and meet the control requirement. key switches (e.g., enable/disable http or https, etc.), entering an IP procedures range specific to their organization are configurable by the customer. Provided by Customer A control where the customer needs The customer provides a SAML • Customer to provide additional hardware or SSO solution to implement two- software in order to meet the control factor authentication. responsibilities should requirement. be clearly described in Shared A control that is managed and Security awareness training must implemented partially by the CSP and be conducted by both the CSP and the User Guide (SSP, partially by the customer. the customer. 
Appendix 2) Inherited from pre- A control that is inherited from A PaaS or SaaS provider inherits PE existing Provisional another CSP system that has already controls from an IaaS provider. Authorization received a Security Authorization. 10
  • 11. Control Implementation Summary (CIS) • Current implementation status Implementation Status Definition Example • Elaborated on in the Implemented Control is implemented and The control clearly states who, SSP operating as intended. what, when and how a control is implemented. Partially Some elements of the control are Not all elements of a control Implemented implemented and operating as are met however compensating intended. controls are in place and a plan of action and milestone is in place to address the gap. Planned Control is scheduled for A new operating system will be implementation. available in 6 months which may provide additional functionality. Alternative Control may not be implemented The CSP describes a solution implementation as stated by NIST and FedRAMP, which they believes meets or however, the CSP believes the exceeds the control intent of the control is meant. requirement. Not applicable The control is not implemented Wireless controls may not be based on the cloud design. applicable for a system that does not use wireless technology. 11
  • 12. Kick-off Meeting • Establish points of contact/roles • Clarify Communication • Readiness Discussion • Process and Template Overview • Target Timeline Define the Boundary/Scope of the Solution 12
  • 13. Kick-off Meeting: Boundary Definition System Boundary Internet Protection Boundary Outside System Boundary Protection Boundary Legend The boundary visual is important for putting System your security controls in context Not System 13
  • 14. Document Marking Guide to Understanding FedRAMP, Section 5.2 Ensure that all documents have sensitivity markings on at least the cover page and the footer of each document. You may change the existing sensitivity marking on any template to match your official company sensitivity nomenclature if it is different than what is on the template. Optionally, you may also put your sensitivity markings on the headers or footers of any documents and on any other places in the documents where you feel sensitivity markings should be placed. 14
  • 15. Initiation: Deliverable Summary Deliverable Description FedRAMP Initiation Request The FedRAMP request form is used by Federal agencies and CSPs to (online link) request initiation of the FedRAMP security assessment process. FIPS 199 Categorization The FIPS 199 Security categorization is used to determine the (template available) impact level to be supported by the cloud information system/service. The provider categorizes their system based on the data types currently stored and not leveraging agency data. Control Tailoring Workbook This document is used by CSP to document their control (template available) implementation and define their implementation settings for FedRAMP defined parameters and any compensating controls. Control Implementation This document summarizes the control ownership and indicates Summary which controls are owned and managed by the CSP and which (template available) controls are owned and managed by the leveraging agency. Source: FedRAMP Concept of Operations (CONOPS), Table 6-1. 15
  • 16. Security Assessment: Overview FedRAMP System Security Plan Security Assessment Plan Security Assessment Report • Document what you are doing • Test plan and procedures • Test Results • Optional: Document what you • Tailored to cloud solution • Statement of outstanding intend to do • Developed by 3PAO in vulnerabilities and risk • Completed by the CSP collaboration CSP Third-party Assessment Organization (3PAO) Deliverables Not Covered in this training 16
  • 17. System Security Plan (SSP) • Provides the big picture view • Links the security implementation into a cohesive solution • Clearly and consistently documents security control implementation • Resource for the “boots on the ground” • Provides continuity for staff in management of security controls 17
  • 18. Why 352 Page SSP Template? • Eliminate variability in responses • Easier to document • Easier to read • Faster to evaluate • Encourage federal-wide adoption • Leverage NIST standards • Existing federal education • Maximize re-use • Eliminate common mistakes • Structure responses • Allow for detailed responses Document what you are already doing. Identify gaps in what you may have overlooked. 18
• 19. SSP Overview
  Grouped into three (3) main areas:
  Scope
    • System Description
    • Points of Contact
    • Boundary Definition
    • Interconnections
  Controls
    • 18 Control Families
    • Risk-based control selection
    • Control tailoring
  Appendices
    • Policies
    • Supporting plans and procedures
    • Rules of Behavior
  Note: Based on NIST Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems
• 20. SSP Scope
  The System Security Plan (SSP) draws on four groups of documents:
  Initiation Deliverables
    • FIPS 199
    • Control Implementation Summary (CIS)
    • Control Tailoring Workbook (CTW)
  Policies
    • Supporting Policies
    • Leverage existing vendor policies and procedures whenever possible.
  New Deliverables
    • e-Authentication Worksheet (e-Auth)
    • Draft Privacy Threshold Analysis (PTA)
    • Draft Privacy Impact Assessment (PIA)
    • Rules of Behavior (RoB)
    • User Guide
  Supporting Plans and Procedures
    • Continuous Monitoring Plan and Strategy
    • Configuration Management Plan
    • Contingency Plan
    • Incident Response Plan
• 21. E-Authentication Worksheet
  • Determine if e-Authentication requirements apply
  • Determine applicable level of e-Authentication
    – Level 1: Little or no confidence in the asserted identity’s validity
    – Level 2: Some confidence in the asserted identity’s validity
    – Level 3: High confidence in the asserted identity’s validity
    – Level 4: Very high confidence in the asserted identity’s validity
  Sources: NIST SP 800-63; OMB M-04-04
• 22. E-Authentication Worksheet
  OMB M-04-04, Table 1: Maximum Potential Impacts for Each Assurance Level

  Potential Impact Categories for Authentication Errors        Assurance Level Impact Profile
                                                                 1     2     3     4
  Inconvenience, distress or damage to standing or reputation   Low   Low   Mod   High
  Financial loss or agency liability                            Low   Mod   Mod   High
  Harm to agency programs or public interests                   N/A   Low   Mod   High
  Unauthorized release of sensitive information                 N/A   Low   Mod   High
  Personal Safety                                               N/A   N/A   Low   Mod, High
  Civil or criminal violations                                  N/A   Low   Mod   High

  Where does it affect the SSP?
    • Section 2.3
    • Section 17
    • IA-2
    • IA-5
    • IA-8
  Source: NIST SP 800-63
• 23. SSP Points of Contact
  • Information System Owner (ISO)
  • Information System Security Officer (ISSO)
  • Authorizing Official (AO)
  • Others (depending on CSP approach)
    – Architect
    – Engineer
    – Manager
    – Technical
• 24. SSP Descriptors
  • Type of Cloud Implementation
    – Leveraging any other Security Authorization Packages (inheriting controls)
  • System Function/Purpose
    – Ensure alignment with the information types previously defined
  • Types of Users
    – Be consistent with the roles defined in Section 9.3 and used throughout the SSP and supporting documents
  • Boundary Discussion
    – Be consistent and complete in describing the boundary to ensure alignment throughout the SSP
    – If you can’t describe it, why should anyone believe you can protect it?
    – Should align to any diagrams presented previously
• 25. Describing the Boundary
  Elements of the boundary diagram:
    • System Boundary
    • Internet (outside system boundary)
    • Network Inventory
    • Ports, Protocols and Services
    • Network Architecture
    • Hardware Inventory
    • Software Inventory
    • System Interconnections
  • Understand where users fit within the boundary – e.g., end users, administrators, security operations, and remote maintenance.
• 26. Review Standards
  • Each document is verified for compliance with FedRAMP policy and consistency with other package documents
  • Review expects responses to be:
    – Unambiguous
    – Specific
    – Complete
    – Comprehensible
  • The SSP Template is designed to help achieve expected results
• 27. Grading Standard (Notional)
  • Pass (P):
    – All applicable document criteria are satisfied
  • Fail (F):
    – Only some (or zero) applicable document criteria are satisfied
  • Pass with Comments (PC):
    – Document criteria are satisfied in principle, but additional detail would yield a more complete response
    – Reviewer will specify the additional information to be included
  • Not Applicable (N/A):
    – Requirement does not apply based on system characteristics and accreditation boundary (e.g., some requirements of AC-18 are N/A for non-wireless systems)
• 28. Structure of a Good Response
  Reviewer assesses submission content in the context of four (4) criteria:
    1. What is the documented solution?
    2. Who is the responsible party for solution management?
    3. When is the solution reviewed or monitored for effectiveness?
    4. How does the solution meet applicable security requirements?
  Reference applicable documentation
    • Policy, SOPs, Rules of Behavior, common control catalogs, waivers, exceptions, etc.
    • Any referenced documentation should be appended to the SSP, with the rationale for its inclusion clearly stated in the control implementation paragraph. Ensure that the control language aligns with any referenced internal policies, procedures, and/or standards.
• 29. References
  Internal: References to another part of the same document are acceptable provided that each reference:
    • Includes section number
    • Is relevant to the referring section of the document
  External: References to other documents are acceptable provided that each reference:
    • Includes the full title, current version number, and release date of the referenced document
    • Briefly explains the rationale for the reference
  Note: If the reference does not pertain to the referring section, the corresponding checklist item will be graded “Fail”
• 30. CONTROL EXAMPLES
  Please do not copy these examples into your system security plans verbatim. Copying these examples as written is an early indicator that the proper due diligence wasn’t applied in analyzing and documenting security controls.
• 31. AC-1: Access Control Policy and Procedures
  The organization develops, disseminates, and reviews/updates [Assignment: org-defined frequency]:
    a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    b. Formal, documented procedures to facilitate the implementation of the access control policy and associated controls.
• 32. AC-1: Poor Response
  Implementation: System XX has an access control policy that is consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. It is updated annually. The System Administrators and <CSP> management team personnel post notes and send e-mail notifications to System XX users. System XX User and Administrator Guides are periodically updated as new versions are released.
• 33. AC-1: Good Response
  Implementation:
  (a) System XX’s Access Control Policy is listed in <CSP> Document ABC and includes definitions of the purpose, scope, roles, responsibilities, and compliance requirements for all <CSP> employees. Section 5.2 of Document ABC presents the <CSP> access control policy. Section 5.2 of the <CSP> handbook addresses roles and responsibilities. Section 5.2 of Document ABC addresses the management commitment, coordination among customer entities, and compliance related to access control. The access control policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance. The access control policy is reviewed and updated, when necessary, by the XX ISSO at least annually.
• 34. AC-1: Good Response (continued)
  (b) The access control procedures for System X are documented in organization Document ABC, organization Document XYZ, and User Guide B; and are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The access control procedures address all areas identified in the access control policy and address achieving policy-compliant implementations of all associated controls. The access control procedures are reviewed and updated, when necessary, by the XX ISSO at least annually. Access control policy and procedure documents are maintained on the <CSP> internal SharePoint site, and are available for review upon request.
• 35. AC-7: Unsuccessful Login Attempts
  The information system:
    a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and
    b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
  The control applies regardless of whether the login occurs via a local or network connection.
• 36. AC-7: Poor Response
  Implementation:
  (a)(b) This control is partially inherited from the Data Center. Please see 'Appendix A: Data Center Declaration of Controls' for implementation detail.
  (a)(b) The XXX System Owner and ISSO ensure the XXX system allows no more than three (3) consecutive invalid access attempts by a user within a 24 hour time period; and that the system automatically locks the account/node for 20 minutes when the maximum number of unsuccessful attempts is exceeded. The XXX ISSO is responsible for ensuring that the XXX system servers will be configured in accordance with the Hardening Guidelines and lockout policy.
• 37. AC-7: Good Response
  Data Center Implementation:
  (a)(b) The <CSP> Data Center Application Team works with the <CSP> YYY System Owner and YYY ISSO to determine acceptable configuration settings for the implementation of this control on system servers/operating systems. The YYY System Owner and YYY ISSO must provide the Data Center Application Team with the following configuration setting requirements so they can be incorporated into the final configuration for system servers: number of consecutive unsuccessful login attempts before lockout, unsuccessful login count window duration, and unsuccessful login attempt lockout action type (with associated parameters). Systems must provide required configuration settings in the form of a Group Policy Object (GPO).
• 38. AC-7: Good Response (continued)
  System Implementation:
  (a)(b) The YYY default group policy limits unsuccessful login attempts to 3 unsuccessful login attempts in 120 minutes. When this limit is reached the user is locked out for 20 minutes. The YYY System Owner is responsible for providing these configuration requirements to the datacenter. The YYY Administrators (YYY Software Services Team) are responsible for verifying implementation. The GPO is implemented by the <CSP> Data Center Application Team through Active Directory, and the GPO is applied to all VMs within the domain. Group policy is maintained under configuration control and any changes to this control are reviewed by the YYY ISSO. The YYY ISSO reviews this control at least annually to ensure that it is operating as intended by performing GPO review and testing.
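The three AC-7 parameters the good response hands to the data center (attempt limit, counting window, lockout action) are easier to test against than to read about. The model below is an added example, not the YYY system's GPO or any vendor's code; it uses the slide's values (3 attempts in 120 minutes, 20-minute lockout), constructed user names and timestamps, and records the channel only in the audit trail because the control applies to local and network logins alike.

```python
"""Added example: a working model of the AC-7 parameters described in the YYY response.

Constructed illustration, not the page's own code or any vendor's lockout implementation.
Defaults mirror the slide: 3 failures within 120 minutes lock the account for 20 minutes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """The three settings AC-7 requires the system owner to supply to the data center."""
    max_attempts: int = 3                        # consecutive invalid attempts allowed
    window: timedelta = timedelta(minutes=120)   # period over which they are counted
    lockout: timedelta = timedelta(minutes=20)   # lockout action: lock for this long


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # failures inside the window
    locked_until: Optional[datetime] = None


class LoginGuard:
    """Applies the policy to every authentication attempt, whatever channel it arrives on."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.audit: List[str] = []   # the record an annual GPO review would look at

    def is_locked(self, user: str, now: datetime) -> bool:
        state = self.accounts.get(user)
        return (state is not None and state.locked_until is not None
                and now < state.locked_until)

    def attempt(self, user: str, credential_ok: bool, now: datetime,
                channel: str = "network") -> str:
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        state = self.accounts.setdefault(user, AccountState())
        # AC-7 applies regardless of local or network access: the channel is logged, never consulted.
        if self.is_locked(user, now):
            self._log(now, user, channel, f"rejected, locked until {state.locked_until:%H:%M}")
            return "locked"
        if credential_ok:
            state.failures.clear()
            state.locked_until = None
            self._log(now, user, channel, "success, failure counter reset")
            return "ok"
        # Age out failures older than the counting window, then count this one.
        cutoff = now - self.policy.window
        state.failures = [t for t in state.failures if t > cutoff] + [now]
        if len(state.failures) >= self.policy.max_attempts:
            state.locked_until = now + self.policy.lockout
            state.failures.clear()
            self._log(now, user, channel,
                      f"failure #{self.policy.max_attempts}, locked until {state.locked_until:%H:%M}")
            return "locked"
        self._log(now, user, channel,
                  f"failure {len(state.failures)} of {self.policy.max_attempts}")
        return "failed"

    def _log(self, now: datetime, user: str, channel: str, msg: str) -> None:
        self.audit.append(f"{now:%Y-%m-%d %H:%M} {user:<8} {channel:<8} {msg}")


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy())
    t0 = datetime(2012, 9, 1, 9, 0)   # constructed timestamps
    for minutes, ok, channel in [(0, False, "network"), (10, False, "local"),
                                 (50, False, "network"), (60, True, "network"),
                                 (71, True, "network")]:
        guard.attempt("alice", ok, t0 + timedelta(minutes=minutes), channel)
    print("\n".join(guard.audit))
```

Note that a correct password presented during the lockout period is still rejected, which is what distinguishes a lockout from a mere delay.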
• 39. CM-7: Least Functionality
  The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: org-defined list of prohibited or restricted functions, ports, protocols, and/or services]
  (1) The organization reviews the information system [Assignment: org-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.
• 40. CM-7: Poor Response
  The ISSO ensures annually that only those ports, protocols, and services necessary for the system mission are enabled.
• 41. CM-7: Good Response
  CM-7: Only the features and port traffic required by System W are configured and enabled. Unnecessary features, services, protocols, or capabilities are disabled or removed. The list of prohibited protocols and services can be found in the secure baseline configurations followed by System W, most notably the <CSP> Windows Server 2003/Vista/XP Secure Baseline Configuration Guide. The ISSO is responsible for ensuring that the configuration settings for System W are in compliance with <CSP> hardening guidance; the ISSO verifies configuration settings weekly. Please refer to table 10-4 of this SSP for permitted ports and protocols. The list of permitted ports and protocols is reviewed annually by the ISSO.
  CM-7(1): Organization M IA Division conducts monthly Nessus scans of Organization M systems for compliance with Agency hardening guidelines. These scans identify all unnecessary functions, ports, protocols, and services. The IT Security Audit Team conducts monthly audits where the prohibited ports and services are identified to ensure no future use. Monthly Audit Reports are archived and are available upon request.
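The good response ties CM-7 to a concrete artifact (the permitted ports and protocols in table 10-4) and a weekly ISSO check against it. The script below is an added example of what that check looks like in code, not System W's own tooling: the permitted table and the netstat-style listing are both constructed stand-ins, and the review reports anything listening that the table does not permit, distinguishing loopback-only services from externally reachable ones, and also flags permitted entries that are no longer listening so the table itself can be kept current.

```python
"""Added example: a CM-7 style review of listening services against the SSP's permitted list.

The permitted table and the netstat-style sample are constructed stand-ins, not the page's data.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed stand-in for SSP Table 10-4 (permitted ports and protocols).
PERMITTED: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "SSH remote administration",
    ("tcp", 443): "HTTPS portal access",
    ("udp", 123): "NTP time synchronisation",
}

# Constructed sample in the shape of `netstat -an` output on a Linux host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


class Finding(NamedTuple):
    listener: Listener
    severity: str
    reason: str


# proto, recv-q, send-q, local addr:port, foreign addr, optional state
_LINE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(text: str) -> List[Listener]:
    """Return the sockets that accept inbound traffic.

    TCP sockets count only in LISTEN state; UDP sockets are connectionless and
    always count. Established connections are traffic, not an exposed service.
    """
    found: List[Listener] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        found.append(Listener(proto, addr, int(port)))
    return found


def review(listeners: List[Listener],
           permitted: Dict[Tuple[str, int], str]) -> List[Finding]:
    """Everything listening that the permitted list does not cover."""
    findings: List[Finding] = []
    for l in listeners:
        if (l.proto, l.port) in permitted:
            continue
        if l.address.startswith("127.") or l.address == "::1":
            findings.append(Finding(l, "low",
                            "loopback-only service not in the permitted list; "
                            "confirm it is essential or disable it"))
        else:
            findings.append(Finding(l, "high",
                            "externally reachable service not in the permitted list"))
    return findings


def missing_permitted(listeners: List[Listener],
                      permitted: Dict[Tuple[str, int], str]) -> List[Tuple[str, int]]:
    """Permitted entries with nothing listening: a hint that the table is stale."""
    present = {(l.proto, l.port) for l in listeners}
    return sorted(k for k in permitted if k not in present)


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_NETSTAT)
    for f in review(listeners, PERMITTED):
        print(f"[{f.severity.upper()}] {f.listener.proto}/{f.listener.port} "
              f"on {f.listener.address}: {f.reason}")
    for proto, port in missing_permitted(listeners, PERMITTED):
        print(f"[INFO] permitted {proto}/{port} ({PERMITTED[(proto, port)]}) is not listening")
```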
• 42. MA-3: Maintenance Tools
  The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.
  Enhancement 1: The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
  Enhancement 2: The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.
  Enhancement 3: The organization prevents the unauthorized removal of maintenance equipment by one of the following: (i) verifying that there is no organizational information contained on the equipment; (ii) sanitizing or destroying the equipment; (iii) retaining the equipment within the facility; or (iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.
• 43. MA-3: Poor Response
  The System Administrator and the ISSO check all media containing diagnostic and test programs for malicious code before the media are used within the system. The SysAdmin checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release. If the equipment cannot be sanitized, the equipment remains within the facility. All tools approved for use on System Y are approved software according to the Technical Reference Manual. Only individuals authorized to use these tools are granted the necessary permissions. In the event an outside vendor is required to perform maintenance activities, he or she is escorted at all times and all equipment inspected.
• 44. MA-3: Good Response
  The System Administrator has ultimate responsibility for all maintenance tools used within System XX. Tools are selected from a predetermined tool set as documented in the Technical Reference Manual. This list is updated and released annually by the XX system administrator. All system maintenance activities follow standardized procedures, and all activities are pre-approved by the system administrator. Tools must be signed out for a specified period of time prior to use and signed back in upon completion. More detailed procedures may be found in Appendix D of this document, “System XX Maintenance Procedures.”
  (1) The facility housing System XX is guarded 24/7 by armed security guards. All visitors, including maintenance personnel, are subjected to x-ray screening prior to being granted access. Once through the initial entrance, maintenance personnel are sent to a separate room where all materials are inspected by Person Y.
  (2) System XX maintenance procedures include provisions for testing all media containing diagnostic and test programs in a virtual environment prior to system use. This testing is performed by the System Administrator.
  (3) All maintenance equipment is contained within the facility at all times, and individuals are subjected to bag search before leaving the premises. Property passes are required to remove equipment from the building and security checks serial numbers on property passes each time someone leaves the building.
• 45. SA-12: Supply Chain Protection
  The organization protects against supply chain threats by employing [FedRAMP Parameter: List of measures to be approved by JAB but determined by CSP] as part of a comprehensive, defense-in-breadth information security strategy.
• 46. SA-12: Poor Response
  System XX uses due diligence to ensure supply chain protection by employing the following measures by making sure all users are aware of the rules. The System Owner verifies this control implementation at least annually.
• 47. SA-12: Good Response
  System XX uses due diligence to ensure supply chain protection by employing the following measures:
    • Ensuring that all vendors have a positive performance record
    • Ensuring that all vendors are in a secure financial position
    • Reviewing suppliers and vendors to verify they are organizationally stable and have contingency plans in place
    • Maintaining spares of critical information system components at two back-up sites
    • Ensuring that all acquisitions are made through a federally approved contract process
  <CSP> checks to ensure that all suppliers are financially secure by performing a credit check through Dun & Bradstreet. <CSP> puts the following contract clause in all supplier contracts to ensure that suppliers and vendors have a stable operating environment: “Supplier must have an IT Contingency Plan in place that is available to <CSP> upon request.” The System Owner, no less than annually, performs a review of all vendor performance records, vendor financials, and vendor stability in accordance with the organization’s vendor review policy. The System Owner also reviews the acquisition process to ensure compliance with federal requirements. Additionally, the System Owner performs an inventory of critical information system components at back-up sites to ensure all redundancy requirements are met.
• 48. SC-9: Transmission Confidentiality
  The information system protects the confidentiality of transmitted information.
  Enhancement 1: The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by [FedRAMP Parameter: a hardened or alarmed carrier Protective Distribution System (PDS)].
• 49. SC-9: Poor Response
  The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission by employing FIPS 140-2 compliant cryptographic modules.
• 50. SC-9: Good Response
  System A’s transmission/session confidentiality is provided during remote administration of the system via SSH with [third-party vendor] two-factor authentication. System transmission/session confidentiality for portal access to the system is accomplished via SSL with [third-party vendor] two-factor authentication. All internal communication is on the private network and is not accessible from outside the boundary. Please refer to control IA-2 for a detailed description of access to all System A devices and protections in place to protect system integrity and confidentiality.
• 51. SC-9: Good Response (continued)
  SC-9 (1): All communications with System A occur over a two-factor authenticated, encrypted SSL or SSH channel. System A uses [third-party vendor] two-factor authentication to authenticate to the FIPS 140-2 certified SSH and SSL cryptographic modules deployed within the system. All system servers run a [custom] operating system and use the [third-party vendor’s product] for OpenSSH and OpenSSL (OpenSSL 0.9.8e-fips-rhel5 and OpenSSH 5.2p1). The OpenSSL module is a software-only, security level 1 cryptographic module, running on a multi-chip standalone platform. The module supplies cryptographic support for the SSH protocol or the [vendor] Linux user space. The [vendor product] version for the validated module is 5.2p1. All cryptographic operations and the module integrity check are performed by the [third-party vendor] Linux OpenSSL Cryptographic Module for the OpenSSH module. [Third-party vendor] authentication uses a time-synchronous solution that automatically changes the user’s password every 60 seconds. All portals are built on these [third-party vendor] and <CSP> systems; thus, they utilize the same FIPS 140-2 certified cryptographic modules.
• 52. SC-13: Use of Cryptography
  The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
  Enhancement 1: The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.
• 53. SC-13: Poor Response
  System 15 currently uses [vendor] Java Cryptography Extension, which is not FIPS-compliant. This is currently being rectified.
• 54. SC-13: Good Response
  The <CSP> system is protected by various cryptographic modules that are embedded into network devices that are part of the <CSP> network infrastructure. Since the <CSP> system resides on the <CSP> infrastructure, the <CSP> system indirectly makes use of these cryptographic modules. The <CSP> network devices that use cryptography are:
    • F5 load balancers
    • Cisco PIX firewalls
    • Cisco VPN concentrator
  The F5 load balancers use the Nitrox II security processor made by Cavium Networks. The Nitrox II security processor is embedded in the F5 box and comes bundled as part of the F5 product. The FIPS 140-2 validation certificates, which are in the name of Cavium Networks, are shown below:
• 55. SC-13: Good Response (continued)
  Cisco PIX firewalls are installed on the WAI network perimeter and protect the <CSP> system by providing separation between the Web, application, and database layers. A FIPS 140-2 validation certificate for the PIX firewalls is shown below:
  (1) All encryption within the <CSP> system is implemented using AES-256, which is FIPS 140-2 compliant. All certificates are issued by the Agency Certificate Authority and reviewed by the ISSO on an annual basis.
• 56. IR-4: Incident Handling
  The organization:
    a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
    b. Coordinates incident handling activities with contingency planning activities; and
    c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
  Enhancement 1: The organization employs automated mechanisms to support the incident handling process.
  Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
• 57. IR-4: Poor Response
  The organization:
    a. System Y incident response handling is based on the System Y Incident Response Plan developed for reporting incidents. System security engineers facilitate access to the system’s infrastructure logs and devices and agency security incident investigators in the event of an incident. The system’s Incident Response Plan is adjusted annually based on operational experience and includes incident detection, team invocation, analysis, containment, forensic capture, eradication, and recovery phases.
    b. The Incident Response Plan was created in tandem with the system Contingency Plan. Both documents can be found appended to this SSP.
    c. System documentation is currently not updated, due to personnel restrictions.
  (1) The ABC tool monitors System Y and detects any anomalous activities. The Help Desk monitors the system 24/7 to immediately respond to any suspected incidents. The ABC tool is administered by the System Administrator.
• 58. IR-4: Good Response
  More detailed procedures may be found in the Incident Response Plan attached to this document. All members of the Incident Response Team maintain clearances commensurate with the sensitivity and criticality level of information they are permitted to handle. Records of these cleared individuals are maintained by the Security Office.
    a. System Y incident response handling is based on the System Y Incident Response Plan developed for reporting incidents. System security engineers facilitate access to the system’s infrastructure logs and devices and agency security incident investigators in the event of an incident. The system’s Incident Response Plan is adjusted annually based on operational experience and includes incident detection, team invocation, analysis, containment, forensic capture, eradication, and recovery phases. The system ISSO is responsible for incident response plan maintenance.
• 59. IR-4: Good Response (continued)
    b. Incident handling activities are coordinated with contingency planning activities. Both plans are developed, tested, and updated in tandem every year. The ISSO, in conjunction with <CSP> incident response and contingency planning teams, coordinates specific activities for the information system.
    c. Incident response activities, policies, and procedures are revised annually by the Incident Response Team to incorporate lessons learned, testing and training results, and system alterations. As new procedures are developed or existing plan procedures edited, the incident response team lead updates the incident response plan and distributes it to team members, and upcoming training is tailored to include exercises designed to test the updated or new material. Incident response support documentation is stored on the <CSP> internal SharePoint site and is available for review upon request.
• 60. IR-4: Good Response (continued)
  (1) The ABC tool monitors System Y and detects any anomalous activities. The Help Desk monitors the system 24/7 to immediately respond to any suspected incidents. The ABC tool is administered by the System Administrator.
• 61. CA-7: Continuous Monitoring
  The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
    a. A configuration management process for the information system and its constituent components;
    b. A determination of the security impact of changes to the information system and environment of operation;
    c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
    d. Reporting the security state of the information system to appropriate organizational officials [FedRAMP Parameter: monthly].
• 62. CA-7: Poor Response
  Security controls protecting the ABC system are reviewed and monitored on an ongoing basis. These activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting on a weekly basis. Selection criteria have been established for control monitoring and subsequently, a subset of the security controls employed within ABC have been selected for the purpose of continuous monitoring.
• 63. CA-7: Good Response
  Under the guidance of the CISO, <CSP> has developed a Continuous Monitoring Program that applies to System W. A copy of <CSP>’s Continuous Monitoring Strategy may be requested from the <CSP> CISO.
    a. More information about the configuration management process for System W may be found in the CM-3 control response, found in section 7.5.2 of this document.
    b. Any change requests dealing with System W must be approved by the Change Control Board, with a recommendation by the system ISSO, prior to implementation.
    c. A specific subset of controls, determined by the ISSO at the end of the previous fiscal year, is assessed each year by the technical team. By the end of the three-year ATO cycle, each control has been assessed at least once.
    d. The status of relevant POA&Ms is reported by the ISSO to the System Owner on a monthly basis, and the ISSO provides the System Owner with a verbal daily system summary report as well as a written weekly report. If necessary, the System Owner chooses to escalate any report to his or her manager.
• 64. CM-6: Configuration Settings
  The organization:
    a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [FedRAMP Parameter: USGCB or CIS Level 1 or personal configuration settings if USGCB unavailable] that reflect the most restrictive mode consistent with operational requirements;
    b. Implements the configuration settings;
    c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
    d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
  Enhancement 1: The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
  Enhancement 3: The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
• 65. CM-6: Poor Response
  Security settings of information technology products used with the XX system are set to the most restrictive mode consistent with information system operational requirements. From NIST Special Publication 800-70, guidance was received on necessary configuration settings for information technology products.
• 66. CM-6: Good Response
    A. All servers, databases, and workstations are configured according to the Center for Internet Security (Level 1) guidelines. <CSP> maintains an internal repository of standard configuration settings for all products deployed. These baselines include required minimum settings as well as recommended settings.
    B. Configuration settings are implemented and verified/updated weekly by the System Administrator.
    C. No system component is exempt from mandatory minimum settings established in <CSP> baselines. Specific exemptions to recommended settings may be submitted through the configuration exceptions process documented in <CSP>’s configuration management SOP. Exceptions are tracked and approved using <CSP>’s proprietary configuration tracking tool.
    D. Team X monitors and controls changes to configuration settings by using the ZZZ monitoring system. Any and all changes must go through the official change request process. More information may be found in the Configuration Management Standard Operating Procedures (SOP) appended to this document.
  (1) In addition to controlling changes, the ZZZ monitoring system is enabled to detect unauthorized system changes.
  (3) Upon detection of an unauthorized change or setting, a notice is automatically sent to the Organization Y SOC to report and track the incident.
• 67. POA&Ms
  • All information security weaknesses which you intend to resolve must be documented in a Plan of Action and Milestones (POA&M) and referenced in the appropriate sections. The POA&M indicates:
    – CSP is aware of the associated risk
    – CSP has a plan for mitigating
    – CSP is managing the weakness to closure
  • Security controls identified as “planned”
    – As part of the minimum security baseline require a POA&M
    – Enhancements above the baseline do not require a POA&M
  • Security weaknesses which you do not intend to resolve reflect accepted risk.
    – The CSP is only making a recommendation of accepted risk; the Joint Authorization Board (JAB) will determine if the level of risk is acceptable for issuing a Provisional Authorization.
• 68. Compensating Controls
  • When a security control cannot be achieved as written, a compensating control may be sufficient for achieving the intent of the requirement.
  • A compensating control may include additional management, technical or operational controls. For example:
    – Additional manual inspections may assist when a technical solution would be prohibitively expensive or not practical.
    – Additional technical monitoring may be an option if existing standard operating procedures are not being implemented properly.
  • Apply professional judgment. You must understand the security control in the context of your solution. Remember to address the intent of the control if you cannot meet the specifics of the control.
69. System Changes
• CA-6(c): define “Significant Change”
• List the types of changes which will require notification versus updated documentation and/or reauthorization. Change examples:
   – Points of Contact
   – Risk posture
   – Boundary
• Managed change is fine. Unmanaged change is not.
70. SSP Documents
Deliverable: Description
• System Security Plan (template available): This document describes how the controls are implemented within the cloud information system and its environment of operation. The SSP is also used to describe the system boundaries.
• Information Security Policies: This document describes the CSP’s Information Security Policy that governs the system described in the SSP.
• User Guide: This document describes how leveraging agencies use the system.
• Rules of Behavior (sample available): This document is used to define the rules that describe the system user's responsibilities and expected behavior with regard to information and information system usage and access.
• IT Contingency Plan (template available): This document is used to define and test interim measures to recover information system services after a disruption. The ability to prove that system data can be routinely backed up and restored within agency-specified parameters is necessary to limit the effects of any disaster and the subsequent recovery efforts.
• Configuration Management Plan (template available): This plan describes how changes to the system are managed and tracked. The Configuration Management Plan should be consistent with NIST SP 800-128.
Source: FedRAMP Concept of Operations (CONOPS), Table 6-2.
71. SSP Documents (continued)
Deliverable: Description
• Incident Response Plan: This plan documents how incidents are detected, reported, and escalated and should include timeframes, points of contact, and how incidents are handled and remediated. The Incident Response Plan should be consistent with NIST Special Publication 800-61.
• E-Authentication Workbook (template available): This template is used to indicate whether E-Authentication will be used in the cloud system and defines the required authentication level (1-4) in terms of the consequences of authentication errors and misuse of credentials. Authentication technology is selected based on the required assurance level.
• Privacy Threshold Analysis (template available): This questionnaire is used to help determine if a Privacy Impact Assessment is required.
• Privacy Impact Assessment (template available): This document assesses what Personally Identifiable Information (PII) is captured and if it is being properly safeguarded. This deliverable is not always necessary.
Source: FedRAMP Concept of Operations (CONOPS), Table 6-2.
72. Tips
Avoid easy mistakes:
• Incorrect document references
• Non-applicable controls described as though implemented
• Restating the control as the control implementation language
• Lazily copied-and-pasted text
• Misaligned expiration dates
• Muddled POA&M numbering
Ensure all 4 questions are answered, and make it clear to the reader which question each part of the response is answering. Follow the structure of the control statement to ensure a complete response:
• A NIST base control typically enumerates several specific requirements, as well as one or more enhancements
• Individually address each requirement and enhancement in the implementation response
73. Common Mistakes
• Maintenance (MA-2, MA-4):
   – Onsite
   – Offsite
   – Non-Local
• Flaw Remediation (SI-2):
   – Application/Database Level
   – Operating System Level
   – Network Infrastructure Level
74. Common Mistakes (continued)
• Information Flow (AC-4, SC-7):
   – Internal Boundary vs. Perimeter
   – Mechanisms (VLAN, DMZ, RBAC)
• Encryption (SC-8, SC-9, SC-13, SC-28):
   – FIPS 140-2 / 197 Compliance
   – At-Rest vs. In-Motion
   – Transmission Confidentiality vs. Transmission Integrity
• Remote Access (AC-17):
   – Remote vs. Local
   – Virtual Private Network (VPN) Tunneling
75. For more information, please contact us or visit us at any of the following websites:
http://FedRAMP.gov
http://gsa.gov/FedRAMP
@FederalCloud