Federal Agencies & Cloud Service Providers meeting FISMA requirements via FedRAMP
This presentation covers the Federal Risk and Authorization Management Program (FedRAMP) together with FISMA, SCAP and the Federal Data Center Consolidation Initiative, to clarify how US government agencies purchasing cloud services meet Federal Information Security Management Act (FISMA) requirements.
January 2013 - The FedRAMP Joint Authorization Board has granted its first provisional authorization to Autonomic Resources, which used Veris Group as its FedRAMP accredited 3PAO.
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
1. ISACA Research Triangle Chapter
February, 2012
(final update May2013)
Valdez Ladd
MBA, MS ISM, CISA, CISSP
U.S. Government Cloud Services:
Federal Risk and Authorization
Management Program
(FedRAMP)
3. ISACA Research Triangle Chapter
Overview:
• Fed CIO 25 point plan to reform Federal IT
• FDCCI
• Security - Conflicting Agency processes for vendors, cloud service providers
• FedRAMP Overview - http://www.fedramp.gov
• Process and Benefits
• Phased Implementation
• Third Party Assessment Organizations (3PAO) Overview
• Requirements
• Application
• FedRAMP Security Controls
• NIST Special Publication 800-53, Rev. 3
• Selection of Controls
• FISMA Approval/Review Process
• 3PAO
• Continuous Monitoring
• ISAP, SCAP, CyberScope
• Tools:
• * Cloud Security Alliance GRC Stack & FedRAMP Baseline Security Controls
4. ISACA Research Triangle Chapter
FedRAMP
TIMELINE
• Dec. 8, 2011 Fed CIO Steve VanRoekel launches FedRAMP program
• Dec. 16, 2011 Industry Day on 3PAO Application Process
• Dec. 23, 2011 Deadline for questions for first round of 3PAO applications
• Jan. 6, 2012 FedRAMP publishes responses to December 23 questions
• Jan. 9, 2012 First day for acceptance of FedRAMP applications for first round
• Jan. 20, 2012 Last day for acceptance of FedRAMP applications for first round
• March, 2012 (estimated) First group of 3PAOs announced on www.fedramp.gov
• May 21, 2013 - Amazon.com's AWS GovCloud (US) Achieves a FedRAMP Compliant Agency ATO (Authorized to Operate)℠, the 3rd company awarded an ATO
6. ISACA Research Triangle Chapter
• 25 POINT IMPLEMENTATION PLAN TO REFORM FEDERAL IT MANAGEMENT
• Vivek Kundra, U.S. Chief Information Officer, DECEMBER 9, 2010
• ACHIEVING OPERATIONAL EFFICIENCY
• - Apply Light Technology and Shared Solutions
• * plans to consolidate at least 800 data centers by 2015 (Cloud First Strategy)
• EFFECTIVELY MANAGING LARGE-SCALE IT PROGRAMS
• Streamline Governance and Improve Accountability
• Strengthen Program Management
• Align the Acquisition Process and Budget Process with the Technology Life Cycle
• Increase Engagement with Industry
• http://www.cio.gov/documents/25-point-implementation-plan-to-reform-federal%20it.pdf
7. ISACA Research Triangle Chapter
Federal IT Shared Services Strategy
• Shared Services Strategy
• Implement a Shared First Plan – Each agency will develop a
shared services plan that includes, at minimum, two commodity IT
areas for migration to a shared environment by December 31, 2012,
with an initial focus on consolidation at the intra-agency level.
• Assess & Benchmark Existing Lines of Business – Each
existing LoB will assess current services and develop benchmark
metrics to measure quality and uptake of services provided;
• Develop Roadmaps for Modernization & Improvement of
Existing Services – Each Managing Partner will develop a
roadmap for improvement of existing services. Agencies and OMB
will work together to monitor progress toward these goals
throughout the year.
9. ISACA Research Triangle Chapter
Federal Data Center Consolidation Initiative (FDCCI)
• GOALS:
• Reduce Costs / Reduce Energy Use
• Limit Long-term Capital Investments (CAPEX)
• Improve Efficiency & Service Levels via Automation
• Guarantee Performance: Redundancy, Load Balancing, COOP
(continuity of operations )
• Enhance Business Agility & Effectively Manage Change
• Maintain Security: CIA (Availability, Integrity, Confidentiality)
• Implement ITSM Best Practices – ITIL, CMMI-Svc
• Implement SDLC Best Practices – CMMI-Dev, CMMI-Acquisition
10. ISACA Research Triangle Chapter
• The Federal Data Center Consolidation Initiative (FDCCI) February 26, 2010
• ISSUES:
- High data center redundancy
- High costs, inefficiency, unsustainable and enormous energy consumption
• December 21, 2011
• The federal government is on pace to close at least 1,200 of its 3,100 data centers by the end of 2015, per Federal CIO Steven VanRoekel
11. ISACA Research Triangle Chapter
FDCC Initiative
• Ref: http://www.ca.com/~/media/Files/whitepapers/fdcci-wp.pdf
12. ISACA Research Triangle Chapter
FDCC Initiative
IT Security Management to improve FISMA compliance.
Uses functional architecture that helps augment data center security and improve compliance:
• Identity Lifecycle Management
Provides an integrated identity administration solution that serves as the foundation for automated user provisioning, self-service requests, and identity governance—the centralized control of users, roles, and policies.
• Information Protection and Access Control
Enforces policies relating to access to systems, web applications, and information. It also provides management of privileged users to limit improper administrator actions.
• Together = Content Aware Identity and Access Management
• Ref: http://www.ca.com/~/media/Files/whitepapers/fdcci-wp.pdf
14. ISACA Research Triangle Chapter
FDCC Initiative
Reality: Confusion!
Too many:
• Agencies (State Dept., FDA, SEC, FTC, Agriculture, etc.)
• Different processes & interpretations
• Separate FISMA implementations
• FedRAMP to the Rescue!
15. ISACA Research Triangle Chapter
FedRAMP
Purpose ("Do Once, Use Many Times" )
• Establishes Federal policy for the protection of Federal
information in cloud services
• Describes the key components and its operational capabilities
• Defines Executive department and agency responsibilities in
developing, implementing, operating, and maintaining the
program
• Defines the requirements for Executive departments and
agencies using the program in the acquisition of cloud services
• www.fedramp.net
16. ISACA Research Triangle Chapter
FedRAMP
• The FedRAMP security controls are based on NIST SP 800-53 Rev. 3 / 800-53A controls for low and moderate impact US systems that address cloud computing.
• The program will deliver a cost-effective, risk-based approach for the
adoption and use of cloud services.
• Operating under a “do once, use many times” framework, federal
officials believe that FedRAMP will save cost, time and staff required to
conduct security assessments for federal departments to make the jump to
the cloud.
• The program is also designed to foster better relationships between
agencies and cloud security providers (Shared Services Strategy)
• Standardized security requirements for the authorization and ongoing
cyber security operation of cloud services for selected information
system impact levels.
17. ISACA Research Triangle Chapter
FedRAMP
• A conformity assessment program capable of producing consistent independent, third-party assessments of security controls implemented by cloud security providers;
• Authorization packages of cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from the Department of Homeland Security (DHS), Department of Defense (DoD) and General Services Administration (GSA);
• Standardized contract language to help executive departments and agencies integrate FedRAMP requirements and best practices into acquisition; and
• A repository of authorization packages for cloud services that can be leveraged government wide.
18. ISACA Research Triangle Chapter
FedRAMP
• How will cloud services be prioritized for FedRAMP review?
Joint Authorization Board (JAB) priority:
• “FedRAMP will prioritize the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide.
• In order to accomplish this, FedRAMP will prioritize Secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services”
• (1) Cloud systems with existing Federal agency authority-to-operates (ATOs) get first priority
• (2) Cloud systems without an existing Federal agency ATO get second priority
20. ISACA Research Triangle Chapter
Federal Information Security
Management Act (FISMA) 2002
• Created by OMB authorization and National Institute of Standards and
Technology (NIST) implementation guidance.
• NIST Special Publication 800-53 Revision 3: 2009 Security Controls for
Federal Information Systems and Organizations.
• NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk
Management Framework to Federal Information Systems: A Security Life
Cycle Approach
• Compliance framework defined by FISMA and supporting standards
• 1. Inventory of information systems
• 2. Categorize information and information systems according to risk
level
• 3. Security controls
• 4. Risk assessment
• 5. System security plan
• 6. Certification and accreditation
• 7. Continuous monitoring (new)
21. ISACA Research Triangle Chapter
FISMA
• FedRAMP – Authorization deliverables for Cloud computing service providers (CSP).
• ( *297 controls, 604 pages document)
• A. Develop Plan of Action & Milestones (POAM)
• B. Assemble Security Authorization Package (SAP)
• C. Determine Risk
• D. Determine the Acceptability of Risk
• E. Obtain Security Authorization Decision (yes/no)
22. ISACA Research Triangle Chapter
FedRAMP
• Third Party Assessment Organizations (3PAOs)
Required:
• As a part of the FedRAMP process, cloud service providers
(CSPs) must use a FedRAMP approved third party assessor to
independently validate and verify that they meet the FedRAMP
requirements.
• Per NIST, FedRAMP implemented a conformity assessment
process to qualify 3PAOs. This conformity assessment process
qualifies 3PAOs according to two requirements:
• Independence and quality management in accordance with ISO standards
• Technical competence through FISMA knowledge testing
23. ISACA Research Triangle Chapter
FedRAMP
• Third Party Assessment Organizations (3PAOs)
• Controls:
• Perform initial and periodic assessment of CSP systems per
FedRAMP requirements, provide evidence of compliance, and play
an on-going role in ensuring cloud service providers (CSPs) meet
requirements.
• FedRAMP provisional authorizations must include an assessment
by an accredited 3PAO to ensure a consistent assessment process.
• Independent assessors of whether a cloud service provider has met
the 297 agreed upon FedRAMP security controls (604 pages) so
they can get an authority to operate (ATO).
• Companies cannot be 3PAOs and cloud service providers (CSP) at
the same time for same contracts (MOU, etc.,)
25. ISACA Research Triangle Chapter
FedRAMP
Summary:
• FedRAMP – Authorization deliverables for Cloud computing
service providers (CSP).
• (*297 controls, 604 pages document – Requires 3PAO)
• A. Develop Plan of Action & Milestones: (POAM)
• B. Assemble Security authorization Package (SAP)
• C. Determine Risk
• D. Determine the Acceptability of Risk
• E. Obtain Security Authorization Decision
• Goals: Reduce Costs, time, and increase shared services &
cyber security, etc., throughout Federal Agencies
26. ISACA Research Triangle Chapter
FISMA
Continuous Monitoring
FISMA requires agencies to report quarterly and annually based on performance measures (and security metrics) defined by the Office of Management and Budget (OMB).
• FISMA guidance from OMB involves a four tiered approach:
1. Data feeds directly from security management tools
2. Government-wide benchmarking on security posture
3. Agency-specific interviews
4. Office of Inspector General (OIG) reviews
• Data Feeds pulled from Security Management Tools
- CyberScope & CyberStats
27. ISACA Research Triangle Chapter
FISMA
Pre - Continuous Monitoring
• Agencies were spending an estimated 10 percent of their information technology budgets to comply with FISMA.
• $8 billion annual investment.
• U.S. State Department Chief Information Security Officer John Streufert achieved significant results in moving from the paperwork of compliance to real-time operational security:
28. ISACA Research Triangle Chapter
FISMA
Pre - Continuous Monitoring
High-risk security vulnerabilities were reduced by 90 % from July 2008 to July 2009.
Cost of certifying and accrediting IT systems required under FISMA was cut by 62 % by continuously updating security data.
* 2010 Wikileaks & US Army Private Bradley Manning – Insider Threat
29. ISACA Research Triangle Chapter
FISMA
1st Continuous Monitoring program: US State Department
Policies put responsibility for security status in the hands of local officials who have direct control of systems, applying scanning tools that use the Consensus Audit Guidelines of critical security controls.
• Perform scans every two to 15 days rather than every three years
• Score each site and make local administrators responsible for security status
• Each of the department’s 260 embassies and 40 domestic offices is regularly scored on its security posture and assigned a grade every 36 hours on a scale of A+ to F-.
• William Jackson, Mar 03, 2010, http://gcn.com/Articles/2010/03/03/RSA-Futue-of-FISMA.aspx?Page=1
30. ISACA Research Triangle Chapter
FISMA
Continuous Monitoring
• NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
- Manages risk consistently throughout the organization.
- Ensures continued effectiveness of all security controls.
- Verifies compliance with legislation, directives, regulations, policies and standards/guidelines.
- Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets.
- Ensures knowledge and control of changes to organizational systems and environments of operation.
- Maintains awareness of threats and vulnerabilities.
• William Jackson, Mar 03, 2010, http://gcn.com/Articles/2010/03/03/RSA-Futue-of-FISMA.aspx?Page=1
32. ISACA Research Triangle Chapter
FISMA
Continuous Monitoring
The CyberScope system
- A web-based application used to collect data from each
federal agency through live data feeds and data entry by
agency personnel.
• - The expectation is that most Departments will be able
to leverage their internal security information
management systems to supply the data required.
• ** Unfunded Mandate **
33. ISACA Research Triangle Chapter
FISMA
The CyberScope System: data feeds
• NIST initiated the Information Security Automation Program (ISAP).
• This capability is achieved through the Information Security Automation Program (ISAP). It is a U.S. government multi-agency initiative to enable automation and standardization of technical security operations.
• Standards based automation of security checking and remediation as well as automation of technical compliance activities (e.g. FISMA).
• The NIST Security Content Automation Protocol (SCAP) supports and complements the approach for achieving consistent, cost-effective security control assessments.
• http://nvd.nist.gov/scap/docs/ISAP.doc
34. ISACA Research Triangle Chapter
FISMA
Security Content Automation Protocol (SCAP)
A methodology for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance).
The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
http://nvd.nist.gov/scap/docs/ISAP.doc
35. ISACA Research Triangle Chapter
FISMA
Security Content Automation Protocol (SCAP)
• SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.2.
• SCAP - standardizing the format and nomenclature in which software flaw and security configuration information is communicated, to machines and humans.
• SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content and the SCAP requirements not defined in the individual component specifications.
• http://nvd.nist.gov/scap/docs/ISAP.doc
36. ISACA Research Triangle Chapter
FISMA
SCAP Components
• Common Vulnerabilities and Exposures (CVE)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Common Vulnerability Scoring System (CVSS)
• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)
• Open Checklist Interactive Language (OCIL) Version 2.0
• Asset Identification
• Asset Reporting Format (ARF)
• Common Configuration Scoring System (CCSS)
• Trust Model for Security Automation Data (TMSAD)
• Mitre "Making Security Measurable" web site
• http://makingsecuritymeasurable.mitre.org/index.html
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
37. ISACA Research Triangle Chapter
FISMA
SCAP Checklists
Standardize and enable automation of
the linkage between computer security configurations
and the NIST SP 800-53 A controls framework.
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
checklists.nist.gov/
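As an added example (not from the slides, and not a NIST or SCAP tool): a small Python reader for an XCCDF 1.2 result that rolls scanner rule results up to the NIST SP 800-53 controls each rule references, which is the configuration-to-control linkage the SCAP checklists standardize. The benchmark, rule ids, host name and results are constructed; the XCCDF 1.2 namespace and the control ids are real.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace used by SCAP 1.2
NS = {"x": XCCDF_NS}

# Constructed, minimal XCCDF 1.2 benchmark with one TestResult. Rule ids, titles,
# the host name and the results are made up for this example; the SP 800-53
# control ids inside <reference> are real control identifiers.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_ssh_no_root" severity="high">
    <title>Disallow root login over SSH</title>
    <reference href="http://csrc.nist.gov/publications/PubsSPs.html">AC-6</reference>
  </Rule>
  <Rule id="xccdf_example_rule_auditd_enabled" severity="medium">
    <title>Audit daemon enabled</title>
    <reference href="http://csrc.nist.gov/publications/PubsSPs.html">AU-2</reference>
    <reference href="http://csrc.nist.gov/publications/PubsSPs.html">AU-12</reference>
  </Rule>
  <Rule id="xccdf_example_rule_password_minlen" severity="medium">
    <title>Minimum password length</title>
    <reference href="http://csrc.nist.gov/publications/PubsSPs.html">IA-5</reference>
  </Rule>
  <TestResult id="xccdf_example_testresult_host1" end-time="2013-05-01T12:00:00">
    <target>host1.example.test</target>
    <rule-result idref="xccdf_example_rule_ssh_no_root"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_auditd_enabled"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_minlen"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

def rule_to_controls(root):
    """Map each Rule id to the SP 800-53 control ids listed in its <reference> elements."""
    return {rule.get("id"): [ref.text.strip() for ref in rule.findall("x:reference", NS)]
            for rule in root.iter(f"{{{XCCDF_NS}}}Rule")}

def rollup(results):
    """Roll-up for one control: any fail/error fails it, else any pass/fixed passes it."""
    if any(r in ("fail", "error") for r in results):
        return "fail"
    if any(r in ("pass", "fixed") for r in results):
        return "pass"
    return results[0] if results else "notchecked"

def control_status(xccdf_xml):
    """Return {control id: rolled-up result} for the rule-results in the document."""
    root = ET.fromstring(xccdf_xml)
    controls = rule_to_controls(root)
    per_control = defaultdict(list)
    for rr in root.findall("x:TestResult/x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        for control in controls.get(rr.get("idref"), []):
            per_control[control].append(result)
    return {control: rollup(res) for control, res in sorted(per_control.items())}

def compliance_ratio(status):
    """Share of controls with a determinative (pass/fail) result that passed."""
    decided = [s for s in status.values() if s in ("pass", "fail")]
    return sum(s == "pass" for s in decided) / len(decided) if decided else 0.0
```

Note that one failing rule (the audit daemon check) marks both AU-2 and AU-12 as failed, while the not-applicable password rule leaves IA-5 out of the ratio.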
38. ISACA Research Triangle Chapter
FISMA
SCAP Validation Program
NIST focuses on working with government and industry to establish more secure systems and networks:
- security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation;
- security metrics, security evaluation criteria and evaluation methodologies, tests and test methods;
- security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research methodologies;
- security protocol validation activities with voluntary industry standards bodies and other assessment regimes.
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
39. ISACA Research Triangle Chapter
FISMA
SCAP
Independent Third Party Testing
- Assures the customer/user that the product meets the NIST specifications.
- The SCAP standards can be complex and several configurations must be tested for each component and capability to ensure that the product meets the requirements.
- A third-party lab (accredited by the National Voluntary Laboratory Accreditation Program (NVLAP)) provides assurance that the product has been thoroughly tested and has been found to meet all of the requirements.
- A vendor seeking validation of a product should contact an NVLAP accredited SCAP validation laboratory for assistance in the validation process.
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
47. Cloud Security Alliance Guidance v3.0
• Security Guidance for Critical Areas of Focus in Cloud Computing
• Section I. Cloud Architecture
Domain 1: Cloud Computing Architectural Framework
• Section II. Governing in the Cloud
Domain 2: Governance and Enterprise Risk Management
Domain 3: Legal Issues: Contracts and Electronic Discovery
Domain 4: Compliance and Audit Management
Domain 5: Information Management and Data Security
Domain 6: Interoperability and Portability
• Section III. Operating in the Cloud
Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
Domain 8: Data Center Operations
Domain 9: Incident Response
Domain 10: Application Security
Domain 11: Encryption and Key Management
Domain 12: Identity, Entitlement, and Access Management
Domain 13: Virtualization
Domain 14: Security as a Service