Federal Risk and Authorization Management Program (FedRAMP) – From the FedRAMP PMO, CSP, and 3PAO Perspective

Matt Goodrich – FedRAMP PMO
James Bowman – Autonomic Resources (CSP)
Michael Carter – Veris Group (3PAO)

April 18, 2013


What is FedRAMP?


FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.

Why FedRAMP?


Problem:

• A duplicative, inconsistent, time consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.

Solution: FedRAMP

• Uniform risk management approach

• Standard set of approved, minimum security controls (FISMA Low and Moderate Impact)

• Consistent assessment process

• Provisional ATO

Key Benefits

• Re-use of existing security assessments across agencies

• Savings in cost, time and resources – do once, use many times

• Risk-based, not compliance-based

• Transparency between government and cloud service providers

• Transparency, trust, reliability, consistency, and quality of the Federal security authorization process


FedRAMP Timeline


Timeline (Q1 2009 through Q1 2013):

March 2009: Cloud Computing Program Launched; Executive Steering Committee Established

April 2009: Cloud Computing Program Management Office Established

October 2009: Security Working Group Established

February 2010: FedRAMP Concept Announced

June 2010: FedRAMP Drafts Initial Baseline

July – Sept. 2010: FedRAMP Concept Vetted with Industry & Government

November 2010: FedRAMP Concept, Controls, & Templates Released

December 2010: Federal Cloud Computing Strategy Published

January 2011: Over 1,200 public comments received

Feb – Mar 2011: Government Tiger Teams Review Comments

Apr – June 2011: Executive Team Solidifies Tiger Team Recommendations

July – Sept. 2011: 3PAO Concept Planned

December 2011: FedRAMP Policy signed

February 2012: FedRAMP CONOPS Published

May 2012: 3PAOs Accredited

June 2012: FedRAMP Launches Initial Operational Capability

December 2012: JAB Grants 1st Provisional Authorization

January 2013: JAB Grants 2nd Provisional Authorization

FedRAMP Policy Memo


OMB Policy Memo December 8, 2011

• Mandates FedRAMP compliance for all cloud services used by the Federal government
  – All new services acquired after June 2012
  – All existing services by June 2014

• Establishes Joint Authorization Board
  – CIOs from DOD, DHS, GSA
  – Creates the FedRAMP requirements

• Establishes PMO
  – Maintained at GSA
  – Establishes FedRAMP processes for agency compliance
  – Maintains 3PAO program

FedRAMP Policy Framework


Congress passes FISMA as part of 2002 eGov Act: the eGov Act of 2002 includes the Federal Information Security Management Act (FISMA).

OMB A-130 and NIST SP 800-37, 800-137, 800-53: OMB A-130 provides policy; the NIST Special Publications provide the risk management framework.

FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing a common cloud computing baseline supporting risk based decisions.

Agency ATO: Agencies leverage the FedRAMP process; heads of agencies understand and accept risk and grant ATOs.

Complying with FedRAMP Policy


Agency use of cloud services must meet FedRAMP requirements:

1. Baseline security controls

2. FedRAMP templates

3. Submission of security packages to FedRAMP

• Not all assessments require a provisional ATO granted by the JAB

• Agencies can continue to grant their own ATOs without JAB sign-off

• CSPs can submit FedRAMP compliant packages to agencies requesting an ATO

Agencies must leverage existing FedRAMP ATOs found in the FedRAMP repository.

June 2014: All Cloud Projects Must Meet FedRAMP Requirements

FedRAMP and NIST RMF 800-37


Figure: the six NIST Risk Management Framework steps (1. Categorize the Information System; 2. Select the Controls; 3. Implement Security Controls; 4. Assess the Security Controls; 5. Authorize Information System; 6. Monitor Security Controls), annotated with the responsible FedRAMP party for each step (Agency, CSP, CSP and 3PAO, JAB / Agency) and the FedRAMP-specific element (Low Impact / Moderate Impact; FedRAMP Low or Moderate Baseline; Describe in SSP; FedRAMP Accredited 3PAO; Provisional Auth. / Agency ATO; Continuous Monitoring).

FedRAMP Standardizes RMF for Cloud

NIST SP 800-37 Step | FedRAMP Standard
1. Categorize System | Low and Moderate Impact Levels
2. Select Controls | Control Baselines for Low and Moderate Impact Levels
3. Implement Security Controls | Document control implementations using the FedRAMP templates
4. Assess the Security Controls | FedRAMP accredited 3PAOs use standard process, templates
5. Authorize the System | Joint Authorization Board or Agency AO authorize the system
6. Continuous Monitoring | CSPs conduct monitoring in accordance with Continuous Monitoring Strategy and Guide


FedRAMP Key Stakeholders


Cloud Service Provider
• Implement and Document Security
• Use Independent Assessor
• Monitor Security
• Provide Artifacts

Federal Agencies
• Contract with Cloud Service Provider
• Leverage ATO or use FedRAMP Process when authorizing
• Implement Consumer Controls

FedRAMP PMO & JAB
• Establish Processes and Standards for Security Authorizations
• Maintain Secure Repository of Available Security Packages
• Provisionally Authorize Systems That Have Greatest Ability to be Leveraged Government-wide

3PAOs (Third Party Assessment Organizations)
• Cloud auditor, maintains independence from CSP
• Performs initial and periodic assessment of FedRAMP controls
• Does NOT assist in creation of control documentation

PMO and JAB Responsibilities


• Program Management Office (PMO)
  ‒ Liaise with Federal agencies to understand and meet FedRAMP requirements
  ‒ Work with CSPs for JAB provisional authorizations
  ‒ Establish and maintain 3PAO accreditation program
  ‒ Create and maintain all documentation needed for FedRAMP compliance
  ‒ Maintain FedRAMP repository
  ‒ All information maintained publicly at FedRAMP.gov
  ‒ Answer all questions that come to [email protected]

• Joint Authorization Board (JAB)
  ‒ CIOs from DHS, DOD, GSA
  ‒ Establish FedRAMP requirements: baseline controls and processes
  ‒ Provisionally authorize CSPs that have greatest ability to be leveraged government-wide

Agency Responsibilities

• All new cloud projects must use FedRAMP baseline controls and templates for initiating, reviewing, granting, and revoking security authorizations

• All existing cloud projects (implemented or in the acquisition process) must meet FedRAMP requirements by June 2014

• All cloud projects
  – Establish and implement continuous monitoring plans through incident response and mitigation capabilities
  – Require cloud services providers to meet FedRAMP requirements via contractual provisions
  – Use FedRAMP repository as ATOs are granted by JAB

• Agencies must report to OMB annually cloud services that cannot meet FedRAMP requirements (First Report due May 15, 2013)


Cloud Service Providers

• Cloud Service Provider (CSP)

– Commercial or government entity that has a cloud offering/service (IaaS, PaaS or SaaS)

• CSP Responsibilities

– Implement FedRAMP security controls

– Hire independent third party assessor to perform initial system assessment and on-going monitoring of controls

– Create, submit, and maintain authorization packages

– Provide Continuous Monitoring reports and updates to FedRAMP and leveraging agencies

• Status

– Two (2) Provisionally Authorized Providers on fedramp.gov


3rd Party Assessment Organization (3PAO)

• 3PAO – Cloud Auditor: performs initial and periodic security assessment of cloud systems

• Responsibilities
  – Conduct Assessment of CSP Security Control Implementation
  – Generate Security Assessment Reports and associated evidence
  – Cannot prepare documents for a CSP that they will assess

• FedRAMP Accredited 3PAOs
  – Accredited according to (1) ISO 17020 for quality management and independence and (2) FISMA knowledge
  – Currently privatizing accreditation process: bit.ly/3PAOAB
  – Applications should be accepted again beginning in Fall 2013

• Status
  – Currently 17 accredited 3PAOs


Do Once, Use Many Times


• FedRAMP standardizes the security authorization process for industry and government through requirements, process and format

• FedRAMP requirements can be met three ways, and any security package that meets the FedRAMP requirements will be listed in the repository for leveraging.

Figure: three paths from the CSP into the Secure Repository:
• JAB Provisional Authorization
• Agency Authorization
• CSP Supplied Package

Regardless of the path, standards promote leveraging by agencies.

Types of Cloud Deployment Models

• Public – The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them

• Community – The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns

• Private – The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers

• Hybrid – The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public)

Reference NIST SP 800-145


Types of Cloud Service Models

• IaaS – The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

• PaaS – The capability provided to the consumer is to deploy consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.

• SaaS – The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure.

Reference NIST SP 800-145


Cloud Service Models

Reference FedRAMP CONOPS, Page 35

Figure 7-2. Security Control Responsibilities

After reviewing the security assessment package and the accompanying Provisional Authorization, Agencies can then grant an ATO under their own authority.

7.1. FedRAMP Secure Repository

The FedRAMP PMO maintains a secure repository of security assessment packages that Federal agencies can leverage. The repository will hold assessment packages in four different categories and will include information about how to review current versions of the security assessment package as described in Table 7-1.

Table 7-1. Security Assessment Package Categories

Category Name | Category ID | Assessed by | Authorizing Authority
CSP Supplied | C | Accredited 3PAO | N/A
Agency ATO* | A | Any 3PAO* | Agency
Agency ATO with FedRAMP 3PAO | W | Accredited 3PAO | Agency
FedRAMP Provisional Authorization | P | Accredited 3PAO | JAB (+ Agency)

*Not eligible for JAB review and Provisional Authorization

The different categories of assessment packages offer flexibility for Federal agencies and CSPs to allow for unique leveraging of security assessments. When reviewing security assessment packages, agencies will come to understand the level of review the security assessment package has received, as well as the risk exposure associated with the cloud service.

7.1.1. CSP Supplied

The CSP will self-supply a security assessment package using the FedRAMP process. The CSP will follow the FedRAMP security assessment process utilizing internal ISSOs and an accredited

FedRAMP Provisional Authorization Timeframe Overview

Figure: process flow from Assign ISSO / Kick Off through SSP review, SAP review, testing and SAR / POA&M review to Final Review and P-ATO Signoff, with each step coloured by actor (FedRAMP, CSP, 3PAO, JAB, or a combination). Phases and durations shown:
• SSP Finalization: 10-15 weeks (ISSO / CSP review SSP; JAB Review; Address JAB Notes; SSP Ready)
• SAP Finalization: 3-4 weeks (ISSO / 3PAO Review SAP; JAB Review; Address JAB Notes)
• Testing: 6 weeks
• SAR / POA&M Review: 6 weeks (ISSO / 3PAO / CSP review SAR; JAB Review; Address JAB Notes)
• Final Review and P-ATO Signoff
• Total: 6 months +

Notes from the figure:
• Quality of SSP and responsiveness and ability of CSP to resolve ISSO comments can create iterations in this process.
• Quality of SAP and responsiveness and ability of CSP to resolve ISSO comments can create iterations in this process.
• Quality of SAR as well as number and types of risks can create iterations in this process.

SSP Review and Approval Timeframe

Figure: SSP review steps and durations, 10 – 15+ weeks in total:
• Kickoff and Architectural Briefing to JAB
• Delivery of SSP and supporting docs in FedRAMP template
• ISSO Review & Comments: 3-4 Weeks
• CSP Respond to Comments: 4-6 Weeks
• Finalize SSP: 1-2 Weeks
• Deliver SSP to JAB
• JAB Review: 2 Weeks
• Remediate SSP comments: 1-3 Weeks
• ISSO Review: 1 Week
• SSP Approved

Iterations in this stage depend on quality of documentation and responsiveness and thoroughness of CSP to ISSO comments.

SAP Review and Approval Timeframe

Figure: SAP review steps and durations, 3 – 3 ½ Weeks in total:
• Delivery of SAP
• ISSO Review & Comments: 2 Days
• CSP Respond to Comments: 2 Days
• Finalize SAP: 1-2 Days
• Deliver SAP to JAB TRs
• JAB TR Review: 1 week
• Remediate SAP comments: 1-2 Days
• Review: 1 Day
• SAP Approved

Iterations in this stage depend on quality of documentation and responsiveness and thoroughness of CSP to ISSO comments.

SAR and POA&M Review and Approval Timeframe

Figure: SAR and POA&M review steps and durations, 12 Weeks in total:
• Assessment: 6 Weeks
• Delivery of SAR & POA&M
• Review & Comments: 2 Weeks
• Respond to Comments: 1 Week
• Remediate Comments: 1 Week
• SAR Preview to JAB TRs: 1 Day
• Working Session w/ JAB TRs – Review Sampling of Results: 1 Day
• Delivery of SAR & POA&M to JAB TRs
• JAB TR Review: 1 Week
• Review: 1 Day
• Final Review: 2 days
• SAR Approved

Iterations in this stage depend on quality of SAR, responsiveness of 3PAO to ISSO comments and number and type of risks and if anything has to be remediated.

CSP Continuous Monitoring Responsibilities

• Monthly

– Operating System Scans

• Quarterly

– Operating System, Database, Web Application Scans

– Plan of Actions and Milestones (POA&M) Update

• Annually

– Review and Update Information Security Policy and Procedures

– Provide Basic Security Awareness Training

– Review and Re-certify User Accounts/Physical Access

– Review and Update Baseline Configuration

– Review and Update CM, CP, IRP, SSP, System Inventory

– Complete IR and CP Training and Exercises

– Test System Backups


• Every Three Years

– Provide Role Based Security Training

– Review and Update Position Categorizations

– System Reauthorization


Benefits of FedRAMP for CSPs


Streamline and accelerate the security accreditation process.

“Do once, use many times” model

Standard baseline of security control requirements

FedRAMP Authorized CSPs

• As of April 16th, the FedRAMP Joint Authorization Board has issued two Provisional ATOs.

– Autonomic Resources | ARC-P | IaaS | December 26th, 2012

– CGI Federal | CGI IaaS Cloud | IaaS | January 31, 2013

Reference FedRAMP.gov


ATO Package Review


FedRAMP Package Access Request Form – For Review of FedRAMP Security Package

INSTRUCTIONS:
1. Please complete this form, then print and sign.
2. Distribute to your Government Supervisor for review and signature.
3. Please email your signed Request Form to [email protected].

The form collects User Information (date of request, first and last name, e-mail address, phone, agency or department, bureau, office, and whether the requester is a Federal Employee or a Federal Contractor and, if a contractor, what organization), the Requested Package (name of package requested, the Package ID located on the CSP listing on FedRAMP.gov, whether you have a current contract with this CSP, and the contract number and CSP contact name, phone and email) and the Access Authorization (the Authorized FedRAMP Approver's first and last name, title, agency / department, bureau, office, phone and email).

If you are a Federal contractor, please also review Attachment A: Federal Contractor Non Disclosure Agreement for FedRAMP, sign and attach to this request.

If you are not a current customer, access is granted for 30 days in order to properly ensure a high level of access control and maintain proper security over the security authorization packages.

All reviewers are required to use multi-factor authentication via PIV (Personal Identity Verification) card to obtain access to the FedRAMP secure repository on the OMB MAX system.

In order to gain access to the FedRAMP secure repository, the FedRAMP PMO requires approval from an Authorized FedRAMP Approver. This is your agency CISO or someone they have designated. If you are unsure of who your FedRAMP approver is, please email the FedRAMP PMO at [email protected].

Steps to request package access:

1. Complete the FedRAMP request form to gain access to the FedRAMP repository.

2. Send completed form to [email protected] with the title "signed form requesting access to MAX"

3. Form must be signed by an agency CISO

4. If you are not a Federal employee you must also sign the FedRAMP NDA

5. List the ARC-P FedRAMP package ID F1206141381

What is a 3PAO?


• Third-Party Assessment Organization

• Independently accredited assessment organization

• Demonstrated technical competency to test security implementations and collect representative evidence

• Based on concept of conformity assessment, as defined in ISO/IEC 17020

• Classification Type

– Type A: Provide Assessment Services Only

– Type C: Provide Consulting and Assessment Services, just not to the same customer and with a clear organizational separation within the company

• As of April 16th, 17 companies have been accredited as a 3PAO

Role of a 3PAO


• Perform the independent FedRAMP assessment to determine the state of compliance with FedRAMP requirements

• Only an accredited 3PAO may perform the initial and on-going periodic assessments
  – Non-3PAOs can provide consulting support in preparation of a FedRAMP assessment, they just cannot perform the actual FedRAMP assessment
  – A Type C 3PAO may perform the FedRAMP assessment or provide consulting support, just not both for the same customer

• Contracted on behalf of the CSP, not the Government

Steps to an Assessment


• Develop a Security Assessment Plan
  – Scope of the Assessment
  – Assessment Boundary
  – Schedule

• Conduct Control Assessment
  – Roughly 300 Controls/Enhancements; 1900 Test Cases
  – Component Level Testing; # Components Increases # of Test Cases
  – Customized ‘Test’ Test Cases
  – Complete Associated FedRAMP Test Case Workbooks

• Conduct Source Code Review
  – Perform Scan Using Common Tool (CSP Responsibility)
  – Review Scan Tool Output
  – Identify Source Code Weaknesses


• Conduct Vulnerability Scans
  – Fully Credentialed
  – All OS/Network, Database, Web Components

• Conduct Penetration Test
  – Business Logic
  – Combination of Automated and Manual Checks

• Develop Security Assessment Report
  – Summarizes all Findings
  – Outlines Level of Risk Associated with the Solution
  – Provide Recommendations for Remediation

3PAO Continuous Monitoring Responsibilities


• Annual Requirements
  – Conduct Fully Credentialed OS/Network, Database, Web Component Vulnerability Scans
  – Perform Unannounced Penetration Test
  – Assess a Subset of Security Controls

• Ad-Hoc Testing
  – New Components, Releases
  – Agency-specific Required Controls Outside of FedRAMP Baseline

Lessons Learned

• FedRAMP PMO
  – Is there a FedRAMP bottleneck?
  – Timeframe for authorizations and vendors’ ability to meet FedRAMP requirements
  – Agency authorization is a viable path – JAB authorization not required

• Autonomic Resources
  – What is difficult for CSPs going through the FedRAMP process?
  – FedRAMP ISSO – Your advocate and representative to the JAB
  – Open and transparent

• Veris Group
  – Common Assessment Issues
  – Authenticated Scans
  – Configuration/Patch Management – Use of automated mechanisms to remediate scan findings


Questions and Answers


• Questions?

• Contact Information
  – FedRAMP PMO (Matt Goodrich): [email protected]
  – Autonomic Resources (James Bowman): [email protected]
  – Veris Group (Michael Carter): [email protected]