FedRAMP SECURITY ASSESSMENT FRAMEWORK
Version 2.4
November 15, 2017
EXECUTIVE SUMMARY
This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. FedRAMP uses a “do once, use many times” framework that intends to save costs, time, and staff required to conduct redundant Agency security assessments and process monitoring reports.
FedRAMP was developed in collaboration with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS). Many other Government Agencies and working groups participated in reviewing and standardizing the controls, policies and procedures.
DOCUMENT REVISION HISTORY
DATE | VERSION | PAGE(S) | DESCRIPTION | AUTHOR
06/06/2014 | 2.0 | All | Major revision for NIST SP 800-53 Revision 4. Includes new template and formatting changes. | FedRAMP PMO
12/04/2015 | 2.1 | All | Formatting changes throughout. Clarified distinction between 3PAO and IA. Replaced Figures 2 and 3, and Appendix C Figures with current images. | FedRAMP PMO
06/06/2017 | 2.2 | Cover | Updated logo | FedRAMP PMO
11/06/2017 | 2.3 | All | Removed references to CSP Supplied Path to Authorization and the Guide to Understanding FedRAMP as they no longer exist. | FedRAMP PMO
11/15/2017 | 2.4 | All | Updated to the new template | FedRAMP PMO
HOW TO CONTACT US
Questions about FedRAMP or this document should be directed to info@fedramp.gov.
For more information about FedRAMP, visit the website at http://www.fedramp.gov.
TABLE OF CONTENTS
EXECUTIVE SUMMARY
DOCUMENT REVISION HISTORY
1. FEDRAMP OVERVIEW
1.1. APPLICABLE LAWS AND REGULATIONS
1.2. APPLICABLE STANDARDS AND GUIDANCE
1.3. FEDRAMP OVERVIEW
1.4. AUTHORITIES
1.5. PURPOSE
1.6. GOVERNANCE AND STAKEHOLDERS
1.6.1. OFFICE OF MANAGEMENT AND BUDGET
1.6.2. FEDRAMP JOINT AUTHORIZATION BOARD
1.6.3. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
1.6.4. DEPARTMENT OF HOMELAND SECURITY
1.6.5. FEDRAMP PROGRAM MANAGEMENT OFFICE
1.6.6. FEDERAL AGENCIES
1.6.7. FEDERAL CHIEF INFORMATION OFFICERS COUNCIL
1.6.8. THIRD-PARTY ASSESSMENT ORGANIZATIONS
1.6.9. CLOUD SERVICE PROVIDERS
2. FEDRAMP REQUIREMENTS
2.1. TWO AUTHORIZATION PATHS
2.1.1. JOINT AUTHORIZATION BOARD P-ATO
2.1.2. FEDRAMP AGENCY ATO
2.2. CONTRACTUAL LANGUAGE
2.3. USING A CSP NOT LISTED IN THE SECURE REPOSITORY
3. FEDRAMP SECURITY ASSESSMENT FRAMEWORK
3.1. DOCUMENT
3.1.1. CATEGORIZE THE INFORMATION SYSTEM
3.1.2. SELECT SECURITY CONTROLS
3.1.3. IMPLEMENT SECURITY CONTROLS
3.2. ASSESS
3.2.1. USE OF A THIRD-PARTY ASSESSMENT ORGANIZATION
3.2.2. USE OF A NON-ACCREDITED INDEPENDENT ASSESSOR
3.2.3. COMPLETE THE SECURITY ASSESSMENT PLAN
3.2.4. USE TEST CASE PROCEDURES
3.2.5. PERFORM SECURITY TESTING
3.3. AUTHORIZE
3.3.1. ANALYSIS OF RISKS
3.3.2. PLAN OF ACTION AND MILESTONES
3.3.3. SUBMISSION OF A SECURITY PACKAGE FOR AUTHORIZATION
3.3.4. AUTHORIZATION LETTER
3.3.5. LEVERAGING FEDRAMP SECURITY PACKAGES
3.3.6. REVOKING AN AUTHORIZATION
3.4. MONITOR
3.4.1. OPERATIONAL VISIBILITY
3.4.2. CHANGE CONTROL
3.4.3. INCIDENT RESPONSE
4. THIRD PARTY ASSESSMENT ORGANIZATIONS
4.1. REQUIREMENTS FOR ACCREDITATION
4.2. BECOMING AN ACCREDITED 3PAO
APPENDIX A: FEDRAMP ACRONYMS
APPENDIX B: SUMMARY OF FEDRAMP STAKEHOLDERS
LIST OF FIGURES
Figure 1 – FedRAMP Governance Entities
Figure 2 – FedRAMP Risk Management Framework
Figure 3 – FedRAMP Continuous Monitoring
LIST OF TABLES
Table 1: Summary of FedRAMP Stakeholders
1. FEDRAMP OVERVIEW
1.1. APPLICABLE LAWS AND REGULATIONS
§ Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
§ E-Authentication Guidance for Federal Agencies [OMB M-04-04]
§ Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
§ Freedom of Information Act As Amended in 2002 [PL 104-232, 5 USC 552]
§ Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-05]
§ Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization and Protection [HSPD-7]
§ Internal Control Systems [OMB Circular A-123]
§ Management of Federal Information Resources [OMB Circular A-130]
§ Management’s Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
§ Privacy Act of 1974 as amended [5 USC 552a]
§ Protection of Sensitive Agency Information [OMB M-06-16]
§ Records Management by Federal Agencies [44 USC 31]
§ Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended]
§ Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]
1.2. APPLICABLE STANDARDS AND GUIDANCE
§ The NIST Definition of Cloud Computing [NIST SP 800-145]
§ Computer Security Incident Handling Guide [NIST SP 800-61, Revision 2]
§ Contingency Planning Guide for Federal Information Systems [NIST SP 800-34, Revision 1]
§ Engineering Principles for Information Technology Security (A Baseline for Achieving Security) [NIST SP 800-27, Revision A]
§ Guide for Assessing the Security Controls in Federal Information Systems [NIST SP 800-53A, Revision 4]
§ Guide for Developing Security Plans for Federal Information Systems [NIST SP 800-18]
§ Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [NIST SP 800-37, Revision 1]
§ Guide for Mapping Types of Information and Information Systems to Security Categories [NIST SP 800-60, Revision 1]
§ Guide for Security-Focused Configuration Management of Information Systems [NIST SP 800-128]
§ Information Security Continuous Monitoring for Federal Information Systems and Organizations [NIST SP 800-137]
§ Managing Information Security Risk: Organization, Mission, and Information System View [NIST SP 800-39]
§ Minimum Security Requirements for Federal Information and Information Systems [FIPS Publication 200]
§ Personal Identity Verification (PIV) of Federal Employees and Contractors [FIPS Publication 201-1]
§ Recommended Security Controls for Federal Information Systems [NIST SP 800-53, Revision 4]
§ Guide for Conducting Risk Assessments [NIST SP 800-30 Revision 1]
§ Security Considerations in the System Development Life Cycle [NIST SP 800-64, Revision 2]
§ Security Requirements for Cryptographic Modules [FIPS Publication 140-2]
§ Standards for Security Categorization of Federal Information and Information Systems [FIPS Publication 199]
§ Technical Guide to Information Security Testing and Assessment [NIST SP 800-115]
1.3. FedRAMP OVERVIEW
FedRAMP is a U.S. Government program to standardize how the Federal Information Security Management Act (FISMA) applies to cloud computing services. Cloud computing offers many advantages over traditional computing. Through cloud computing, Federal Agencies are able to consolidate and provision new services faster, at the same time reducing information technology costs. Cloud computing also enables efficiencies for services to citizens and offers stronger cybersecurity safeguards than what is possible using traditional information technology (IT) methods.
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud based services. Using a “do once, use many times” framework, FedRAMP reduces the cost of FISMA compliance and enables Government entities to secure Government data and detect cybersecurity vulnerabilities at unprecedented speeds.
FedRAMP was developed in collaboration with the NIST, GSA, DOD, and DHS. Other Government Agencies, working groups, and industry experts participated in providing input to the development of FedRAMP. This document replaces the FedRAMP Concept of Operations and describes the Security Assessment Framework (SAF) for FedRAMP. When Authorizing Officials (AOs) incorporate the FedRAMP SAF with internal security authorization processes, it will ensure they meet the FedRAMP requirements for cloud services they use. The FedRAMP SAF is subject to updates as the program evolves toward sustained operations.
1.4. AUTHORITIES
On December 9, 2010, the Office of Management and Budget (OMB) released a plan to reform Federal information technology initiatives: 25 Point Implementation Plan to Reform Federal Information Technology Management.¹ In this plan, Point 3 created the “Cloud First” Policy, which requires U.S. Federal Agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists. In a follow-up to the 25 Point Plan, on February 8, 2011, OMB released the Federal Cloud Computing Strategy,² giving Agencies a defined strategy and roadmap for effectively migrating services to the cloud. To provide a cost-effective, risk-based approach for the adoption and use of cloud services, on December 8, 2011, OMB released the Security Authorization of Information Systems in Cloud Computing Environments, also known as the FedRAMP Policy Memo.³ The FedRAMP Policy Memo requires that all Federal Agencies meet the FedRAMP requirements for all Agency use of cloud services by June 2014.⁴
1.5. PURPOSE
FedRAMP is a Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a framework that saves costs, time, and staff required to conduct redundant Agency security assessments.
The purpose of FedRAMP is to:
§ Ensure that cloud systems used by Government entities have adequate safeguards
§ Eliminate duplication of effort and reduce risk management costs
§ Enable rapid and cost-effective Government procurement of information systems/services
¹ http://www.dhs.gov/sites/default/files/publications/digital-strategy/25-point-implementation-plan-to-reform-federal-it.pdf
² https://cio.gov/wp-content/uploads/downloads/2012/09/Federal-Cloud-Computing-Strategy.pdf
³ https://cio.gov/wp-content/uploads/2012/09/fedrampmemo.pdf
⁴ The FedRAMP SAF applies to all cloud computing deployment and service delivery models. More information can be found about what services qualify as cloud services in NIST SP 800-145.
FedRAMP uses a security risk-based model that can be leveraged across multiple Agencies. All FedRAMP Cloud Service Providers (CSP) use a standardized security baseline geared towards cloud systems. FedRAMP provides processes, artifacts, and a Secure Repository that enables Agencies to leverage authorizations with:
§ Standardized security requirements
§ Conformity assessment identifying qualified independent, third-party security assessors
§ Repository of authorization packages for secure clouds that all Agencies can leverage
§ Standardized ongoing assessment and authorization approach for Government clouds
§ Standardized contract language to help Agencies integrate FedRAMP requirements and best practices into acquisitions.
1.6. GOVERNANCE AND STAKEHOLDERS
FedRAMP is governed by Executive branch entities that work in collaboration to develop, manage, and operate the program, as illustrated in Figure 1. FedRAMP stakeholders are those individuals and teams with a vested interest in the implementation and operations of FedRAMP. The FedRAMP Policy Memo outlined stakeholder responsibilities that have been further delineated in the Joint Authorization Board (JAB) Charter. FedRAMP stakeholders and their responsibilities are described in the sections that follow. A summary of stakeholder responsibilities can be found in Table 1 of this document.
Figure 1 – FedRAMP Governance Entities
1.6.1. OFFICE OF MANAGEMENT AND BUDGET
OMB is responsible for implementing and enforcing Presidential policies and priorities Government-wide. These duties extend to FedRAMP, where OMB is responsible for:
§ Establishing Federal policy for protection of Federal information cloud services
§ Describing the key components of FedRAMP and its operational capabilities
§ Defining Executive Department and Agency responsibilities in developing, implementing, operating, and maintaining FedRAMP
§ Defining the requirements for Executive Departments and Agencies using FedRAMP in the acquisition of cloud services
Most of these requirements are established by the FedRAMP Memo issued by OMB. The OMB also has an active role in measuring FedRAMP compliance by gathering data from Federal Agencies through PortfolioStat.
1.6.2. FEDRAMP JOINT AUTHORIZATION BOARD
The JAB members are the Chief Information Officers (CIOs) from DHS, GSA, and DOD. The JAB defines and establishes the FedRAMP baseline system security controls and the accreditation criteria for Third Party Assessment Organizations (3PAO). The JAB works closely with the FedRAMP Program Management Office (PMO) to ensure that FedRAMP baseline security controls are incorporated into consistent and repeatable processes for security assessment and authorizations of CSPs, through this FedRAMP SAF.
The JAB also follows the FedRAMP SAF to issue a Provisional Authority to Operate (P-ATO) for cloud services it believes will be leveraged the most, Government-wide. For those P-ATOs, the JAB also ensures those systems maintain an acceptable risk posture through continuous monitoring.
1.6.3. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
NIST is the Federal Government’s leading body for the establishment of standards. As required by FISMA, NIST’s security standards (NIST Special Publication [SP] 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; Federal Information Processing Standards [FIPS] Publication [PUB] 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems; and NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems) serve as the foundation for FedRAMP. NIST advises FedRAMP on FISMA compliance requirements and also assists in developing standards for the accreditation of independent 3PAOs.
1.6.4. DEPARTMENT OF HOMELAND SECURITY
DHS sets the continuous monitoring strategy for all U.S. Federal Agencies. As such, FedRAMP subscribes to DHS continuous monitoring practices in accordance with DHS guidance. DHS also manages the United States Computer Emergency Readiness Team (US-CERT), which is the Government entity that coordinates and responds to security incidents for all U.S. Federal Agencies. Last, DHS manages the Trusted Internet Connections (TIC) and assists Agencies in implementing TIC compliant interconnections.
1.6.5. FEDRAMP PROGRAM MANAGEMENT OFFICE
The FedRAMP PMO is responsible for the development of the FedRAMP program and manages its day to day operations. The PMO creates processes, guidance, and templates for Agencies and CSPs to use for the purpose of developing, assessing, and authorizing cloud systems in accordance with FISMA. This FedRAMP SAF works in concert with these processes, guidance, and templates and all are available publicly at www.fedramp.gov.
The PMO also works with the JAB to provisionally authorize cloud services providers. The PMO facilitates cloud service providers through the FedRAMP SAF and resulting continuous monitoring activities. Additionally, the FedRAMP PMO manages the 3PAO accreditation program based on the criteria established by the JAB.
Finally, the PMO serves as the communications liaison to all stakeholders and assists CSPs, 3PAOs, and Agencies in understanding FedRAMP requirements.
1.6.6. FEDERAL AGENCIES
Federal Agencies, including Departments and Offices, are consumers of cloud computing services. They must ensure that all cloud systems that process, transmit, or store Government information use the FedRAMP baseline security controls by using the FedRAMP SAF when granting security authorizations under FISMA. Federal Agencies must enforce the FedRAMP requirements through their contracts with CSPs.⁵
When Federal Agencies grant security authorizations using the FedRAMP SAF, they must use any existing authorizations as a starting point in applying the FedRAMP SAF. Once an Agency grants an authorization that follows the FedRAMP SAF, then they must submit that security authorization package to the FedRAMP PMO for verification of meeting the FedRAMP requirements (if not already in the repository). Additionally, the Federal Agency must have an “Authority to Operate” (ATO) letter on file with the FedRAMP PMO.
1.6.7. FEDERAL CHIEF INFORMATION OFFICERS COUNCIL
The Federal CIO Council coordinates cross Agency communications and hosts events to disseminate FedRAMP information to Federal CIOs and their representatives. The FedRAMP PMO participates in Federal CIO Council events and reviews all CIO Council input on FedRAMP.
1.6.8. THIRD-PARTY ASSESSMENT ORGANIZATIONS
3PAOs play a critical role in the FedRAMP security assessment process, as they are the independent assessment organizations that verify cloud providers’ security implementations and provide the overall risk posture of a cloud environment for a security authorization decision. These assessment organizations must demonstrate independence and the technical competence required to test security implementations and collect representative evidence. 3PAOs must:
§ Plan and perform security assessments of CSP systems
§ Review security package artifacts in accordance with FedRAMP requirements
The Security Assessment Report (SAR) created by the 3PAO is a key deliverable for leveraging Agencies to use FedRAMP security assessment packages.
The FedRAMP JAB requires that a 3PAO be accredited through the FedRAMP 3PAO Program for any JAB P-ATOs. Agencies are highly encouraged to use these organizations for Agency authorizations that meet the FedRAMP requirements. While Agencies are free to use non-3PAO Independent Assessors (IA), use of a 3PAO assessor removes the Agency requirement to provide an attestation to the independence and competency of the security control assessor.
⁵ Templates for contract language are available on www.fedramp.gov.
1.6.9. CLOUD SERVICE PROVIDERS
CSPs offer cloud computing services for use by consumers. CSPs interested in having the U.S. Government as a consumer of their service must meet the FedRAMP security requirements and implement FedRAMP baseline security controls. CSPs verify their compliance with FedRAMP security requirements by following the FedRAMP SAF. Through this process, the risks of a CSP’s services are determined and it gives Agency authorizing officials the ability to determine if the risk posture of a CSP service meets the risk posture needed to host Government data. If a CSP is authorized following the FedRAMP SAF, they must also perform continuous monitoring to maintain that authorization.
CSPs must review information published on www.fedramp.gov for periodic updates to guidance, templates, and FedRAMP news.
2. FedRAMP REQUIREMENTS
A key element to successful Government adoption of cloud computing is to ensure that essential security controls are properly implemented on cloud systems that process, store, and/or transmit Government data. Additionally, cloud systems need to provide the level of security commensurate with specific needs to protect Government information. Effective security management must be based on risk management and not only on compliance. By adhering to a standardized set of processes, procedures, and controls, Agencies can identify and assess risks and develop strategies to mitigate them.
FISMA requires Federal Agencies to review risk and make risk-based decisions on whether or not to authorize a system. FedRAMP builds upon FISMA. Accordingly, the FedRAMP Policy Memo requires Federal Agencies to use FedRAMP when assessing, authorizing, and continuously monitoring cloud services in order to aid Agencies in this process as well as save Government resources and eliminate duplicative efforts.
2.1. TWO AUTHORIZATION PATHS
2.1.1. JOINT AUTHORIZATION BOARD P-ATO
Either a CSP or an Agency can make a request to have a system processed for a JAB P-ATO by submitting an Initiate Request form on www.fedramp.gov. For JAB P-ATOs,⁶ the JAB will provide the risk review of all documentation provided by the CSP in the security authorization package. CSPs will work with the FedRAMP PMO through the SAF and present all documentation to the JAB for risk review.
When the JAB grants the P-ATO, the JAB will provide a recommendation to all Federal Agencies about whether a cloud service has a recommended acceptable risk posture for Federal Government use at the designated data impact levels.
For FedRAMP JAB P-ATOs, CSPs must contract with an accredited 3PAO to independently verify and validate the security implementations and the security assessment package.
2.1.2. FedRAMP AGENCY ATO
CSPs may work directly with an Agency to obtain a FedRAMP Agency ATO. In this case, the Federal Agency will provide the risk review of all documentation provided by the CSP in its security authorization package. CSPs will work directly with the Federal Agency security office and present all documentation to the Authorizing Official (AO) or equivalent for an authorization.
As noted in Section 1.6.8, Federal Agencies may elect to use a FedRAMP accredited 3PAO or a non-accredited IA to perform the independent assessment. If a non-accredited assessor is used, the Agency must provide evidence of the assessor’s independence and provide a letter of attestation of the assessor’s independence with the security authorization package. The FedRAMP PMO highly recommends Agencies select an assessor from the FedRAMP 3PAO accreditation program.
Once an Agency authorizes a package, the Agency must inform the FedRAMP PMO by sending an email to info@FedRAMP.gov. The PMO then instructs the CSP how to submit the package for PMO review. After reviewing the package to ensure it meets all of the FedRAMP requirements, the FedRAMP PMO will publish the package in the Secure Repository for other Agencies to leverage.
⁶ Under FISMA, the JAB cannot accept risk on behalf of any Agency. Therefore, it issues “Provisional” ATOs to indicate that a CSP has met all of the FedRAMP requirements that Agencies can use to grant ATOs.
2.2. CONTRACTUAL LANGUAGE
The FedRAMP Policy Memo requires Federal Agencies to ensure that FedRAMP requirements are met through contractual provisions. This is to ensure that a CSP has a contractual obligation to meet and maintain the FedRAMP requirements. To assist Agencies in meeting this requirement, FedRAMP provides standard template contract language as well as template contract clauses covering all FedRAMP requirements. Federal Agencies can use these contract clauses during the procurement process for acquiring cloud services. FedRAMP contract clauses are available on www.fedramp.gov.
2.3. USING A CSP NOT LISTED IN THE SECURE REPOSITORY
If an Agency would like to use a CSP system that is not listed in the FedRAMP Secure Repository, the Agency must use the FedRAMP SAF and processes and must ensure the CSP has implemented the FedRAMP baseline security control requirements before granting an ATO.
3. FEDRAMP SECURITY ASSESSMENT FRAMEWORK
Federal Agencies are required to assess and authorize information systems in accordance with FISMA. The FedRAMP SAF is compliant with FISMA and is based on NIST Special Publication 800-37. FedRAMP defines a set of controls for Low and Moderate security impact level systems based on NIST baseline controls (NIST SP 800-53, as revised) with a set of control enhancements that pertain to the unique security requirements of cloud computing.
FedRAMP uses the same documents and deliverables that NIST requires Agencies to use, as described in NIST SP 800-37. The only part of the FedRAMP process that is new to Federal Agencies involves the Control Implementation Summary. These two documents help delineate and summarize security responsibilities for CSPs and Agencies.
FedRAMP simplifies the NIST Risk Management Framework by creating four process areas that encompass the six steps detailed within NIST SP 800-37: Document, Assess, Authorize, and Monitor as shown in Figure 2, below.
Figure 2 – FedRAMP Risk Management Framework
3.1. DOCUMENT
In the document phase of the SAF, Steps 1-3 of the Risk Management Framework will be covered by categorizing the information system, selecting the security controls, and implementing and documenting the security controls and implementations in the System Security Plan (SSP) and supporting documents.
3.1.1. CATEGORIZE THE INFORMATION SYSTEM
To categorize the system, the CSP determines the information types and completes a FIPS PUB 199 worksheet to categorize what types of data are (or can be) contained within the system to determine the impact level for the system. The categorization is based upon NIST Special Publication 800-60 (Volumes I and II) Guide for Mapping Types of Information and Information Systems to Security Categories.
The analysis of the data contained in the system, based upon the information in the FIPS PUB 199 worksheet, will determine if the security categorization for the system is at the Low, Moderate, or High impact level. At this time, FedRAMP only supports security assessments of systems that have Low or Moderate impact levels. A template for the FIPS PUB 199 is available on www.fedramp.gov.
3.1.2. SELECT SECURITY CONTROLS
After completing a categorization in accordance with FIPS PUB 199, the CSP selects the FedRAMP security controls baseline that matches the FIPS PUB 199 categorization level from Section 3.1. The FedRAMP security control baseline is published on www.fedramp.gov. Additionally, Section 13 of the FedRAMP System Security Plan Template summarizes the controls for both Low and Moderate security impact level systems.
The FedRAMP security control baseline provides the minimum set of controls that CSPs will need to implement to meet FedRAMP’s requirements for Low or Moderate security impact level systems.
3.1.3. IMPLEMENT SECURITY CONTROLS
Once the CSP has selected the FedRAMP security control baseline, the next step is to implement the security controls related to that impact level. For most providers, many of the controls are already implemented but need to be described adequately within the FedRAMP templates. Some controls might require the implementation of new capabilities, and some controls might require a re-configuration of existing implementations.
The FedRAMP program takes into account that systems may vary between vendors and allows some flexibility in implementing compensating controls or alternative implementations. The imperative part of implementing security controls is that the intent of a security control is met. CSPs may provide alternative implementations that demonstrate the implementation satisfies the intent of the control requirement. For any control that cannot be met, CSPs must provide justification for not being able to implement the control.
3.1.3.1. SYSTEM SECURITY PLAN
After implementing security controls, CSPs must document the details of the implementation in a System Security Plan. Every security package must include an SSP based on the FedRAMP template. All cloud providers must use the FedRAMP template, regardless of what type of ATO they are vying for. The SSP describes the security authorization boundary, how the implementation addresses each required control, roles and responsibilities, and expected behavior of individuals with system access. Additionally, the SSP allows AOs and review teams to understand how the system is architected, what the system boundaries are, and what the supporting infrastructure for the system looks like.
The SSP template can be found on www.fedramp.gov. Additional guidance about how to describe control implementations in the SSP can be found within the SSP template.
3.1.3.2. INHERITING CONTROLS FROM A LOWER-LEVEL SYSTEM
In the cloud space, many cloud systems rely on other cloud systems to provide a comprehensive set of services for the end customer. An example of this is a software provider utilizing an infrastructure provider to deliver the Software as a Service (SaaS). In this case, the software provider will inherit security controls from the infrastructure provider.
The FedRAMP SSP template provides for marking a control as inherited and from which system that control is being inherited. By allowing for inherited controls, FedRAMP enables the stacking of authorization packages like building blocks. In this model, the SSP for each system must only describe the implementation of that specific system (for example, SaaS service providers in the example above would not detail any implementation details of the leveraging infrastructure provider within the SaaS service SSP). This eliminates redundancy across authorization packages and keeps authorizations delineated by system.
Much in the same way the software provider in the example above relies on the infrastructure provider to deliver services, the software provider also relies on the security implementations and authorization of the infrastructure provider for the software provider’s implementations and authorization. Accordingly, if a CSP has inherited controls within the System Security Plan, the authorization of that CSP will be dependent on the authorization of the CSP whose controls they inherit and systems they use to deliver the end service.
3.1.3.3. ADDITIONAL SECURITY CONTROLS FOR SPECIFIC NEEDS
Agencies may require additional security controls above the FedRAMP baseline due to specific Agency mission needs. In this case, the CSP may need to add to the FedRAMP baseline or alter parameters to appropriately address Agency customer needs. CSPs and Agencies must address delta controls by adding them to the FedRAMP templates or by providing a delta document that addresses the unique Agency requirements above the FedRAMP baseline (recommended).
3.1.3.4. SUPPORTING DOCUMENTS
In order to completely and accurately document the security control implementation in the SSP, CSPs must submit supporting documents at the same time the SSP is submitted. These supporting documents include: an e-Authentication Worksheet, a Privacy Threshold Analysis (and if applicable, a Privacy Impact Assessment), the CSP’s Information Security Policies, User Guide for the cloud service, Rules of Behavior, an IT Contingency Plan, a Configuration Management Plan, a Control Information Summary (CIS), and an Incident Response Plan. Templates for many of these documents are available on www.fedramp.gov.
3.2. ASSESS
CSPsmustuseanindependentassessortotesttheinformationsystemtodemonstratethatthecontrolsareeffectiveandimplementedasdocumentedintheSSP.ThisassessmentstartswithdocumentingthemethodologyandprocessfortestingthecontrolimplementationintheSecurityAssessmentPlan(SAP).
3.2.1. USE OF A THIRD-PARTY ASSESSMENT ORGANIZATION
CSPs that seek a JAB P-ATO must use a 3PAO to perform the testing phase of the process.
3.2.2. USE OF A NON-ACCREDITED INDEPENDENT ASSESSOR
CSPs submitting Agency ATO FedRAMP packages must have the system tested by an independent third party; however, they are not required to use a FedRAMP accredited 3PAO. If a non-accredited IA is used, Federal Agencies will be required to submit an attestation describing the independence and technical qualifications of the IA utilized to assess that CSP package.
3.2.3. COMPLETE THE SECURITY ASSESSMENT PLAN
The Security Assessment Plan (SAP) is developed by the 3PAO or IA. The 3PAO or IA creates a testing plan using the FedRAMP SAP template. The SAP identifies all the assets within the scope of the assessment, including components such as hardware, software, and physical facilities. It also provides a roadmap and methodology for execution of the tests and indicates that the 3PAO or IA will use the FedRAMP associated security test cases that are provided in the form of a worksheet.
The SAP template can be found on www.fedramp.gov. Additional details about what must be included within the SAP are located within the SAP template.
3.2.4. USE TEST CASE PROCEDURES
All 3PAOs and IAs must use the FedRAMP baseline security test cases when assessing a cloud system slated for FedRAMP compliance. FedRAMP baseline security test case procedures are available on www.fedramp.gov.
For any alternative implementations of controls a cloud provider details in the SSP, the 3PAO or IA must create alternative test cases that adequately test the effectiveness of the CSP's control implementation and any risk associated with that implementation.
3.2.5. PERFORM SECURITY TESTING
The 3PAO or IA performs the testing of the CSP's system by following the procedures detailed in the SAP and in accordance with the test case procedures.
While the 3PAO or IA is responsible for performing the tests, this process requires coordination with the CSP, who must work with the 3PAO or IA to detail an appropriate plan to coordinate onsite visits, personnel interviews, and schedule when scans will be performed on the system. CSPs must lock down the system as much as possible during testing in order to remediate any risks found during testing.
3.3. AUTHORIZE
Once testing has been completed, the next step is for AOs to make an authorization decision based on the completed package of documents and the risks identified during the testing phase.
3.3.1. ANALYSIS OF RISKS
After testing the security controls, the 3PAO or IA analyzes the risks and presents the results in a Security Assessment Report (SAR) using the FedRAMP provided template available on www.fedramp.gov. The SAR contains information about vulnerabilities, threats, and risks discovered during the testing process. Additionally, the SAR contains guidance for CSPs in mitigating the security weaknesses found.
The SAR must first be delivered to the CSP for review in order to discuss any mitigating factors, false positives, and other information the 3PAO or IA might not have considered when creating the SAR. Once the CSP and 3PAO or IA have finished their reviews, the 3PAO or IA will then share the SAR with the AO's security team. The AO's team will analyze the SAR to determine the overall risk posture of the CSP's system.
A SAR template is available on www.fedramp.gov and includes guidance on the identification and presentation of risks.
3.3.2. PLAN OF ACTION AND MILESTONES
After receiving the SAR from the 3PAO or IA, the CSP develops a Plan of Action & Milestones (POA&M) that addresses the specific vulnerabilities noted in the SAR. The CSP needs to demonstrate that it has a plan in place, complete with staffing, resources, and a schedule, for correcting each security weakness identified. The POA&M serves as a tracking system for the CSP and represents the CSP's "to do" list.
A POA&M template is also available on www.fedramp.gov.
3.3.3. SUBMISSION OF A SECURITY PACKAGE FOR AUTHORIZATION
Following the development of the SAR, the CSP must assemble a final package and submit the package for authorization review. A final package will include all documents created and referenced within Section 3; all test plans and associated results completed during testing in Section 4; and the SAR and POA&M created in Section 5. AOs will review the entire security package and make a risk-based decision on whether or not to authorize the system.
Note: All submitted packages must have proper sensitivity markings on the cover page and footer page of documents. Sensitivity markings may be taken into consideration in the event of a Freedom of Information Act (FOIA) request.
3.3.4. AUTHORIZATION LETTER
Once an AO has made a risk-based decision to authorize a CSP environment for use, they formalize this decision in an ATO letter. AOs provide this letter to the CSP system owner. AOs must also copy the FedRAMP PMO on these letters so that the FedRAMP PMO can verify Agency use and keep Agencies informed of any changes to a CSP's authorization.
CSPs that have an Agency authorization will have authorization letters granted by a specific Government Agency, which allows that Agency to house its data within that CSP's environment. CSPs that go through the JAB will have a P-ATO letter signed by the JAB.
CSPs that receive either type of authorization will be added to the list of authorized CSPs on www.fedramp.gov. The listing will provide basic information about the service offering related to the authorized system. The authorization letter and security package will be stored in a secure, access-controlled repository for review by Agencies that wish to leverage the CSP's authorization in order to issue their own ATO.
Federal Agencies can leverage FedRAMP security packages from Agencies and the JAB in the same exact fashion. Federal Agencies must review either type of package and make an Agency determination of whether the CSP's risk posture is acceptable for use at that Agency.
3.3.5. LEVERAGING FEDRAMP SECURITY PACKAGES
One of the primary benefits of FedRAMP is the ability for Agencies to reuse authorization packages and to leverage the work that has already been completed – the "do once, use many times" framework. Agencies may want to review the list of security packages already available before attempting to acquire services from a CSP that is not in the FedRAMP Secure Repository.
The PMO maintains a Secure Repository of FedRAMP security packages for Agencies to review when making procurement decisions. Packages available for review are listed on the FedRAMP website.
This listing on www.fedramp.gov provides a description of the CSPs that have FedRAMP compliant packages, the type of services they offer, and the assessment level of the package. It also describes CSPs that are undergoing assessment but have not yet received a P-ATO. After reviewing the list of available CSP packages, Agencies may contact FedRAMP to request access to specific CSP security packages available in the FedRAMP Secure Repository.
The FedRAMP PMO has a prescribed process for allowing access to security packages and the FedRAMP Secure Repository. All package reviewers must have a .gov or a .mil email address.
The packages allow Agencies to use existing documentation to assess the CSP's application of security control implementations, including evidence of the implementation of these controls. Additionally, Agencies can review any existing vulnerabilities and risk mitigation plans for the cloud service represented by the package.
If an Agency decides to procure services from a CSP that is listed in the FedRAMP security repository, regardless of the package type, there is a requirement to report this information to the FedRAMP PMO. Agencies can report this information by sending an email to info@FedRAMP.gov. The FedRAMP PMO keeps track of how many times a particular package has been leveraged.
If an Agency decides to leverage a package, regardless of what level the security package meets as described in Section 3.1, the Agency will still need to issue its own ATO. The reason for this is that the Federal Information Security Management Act (FISMA) requires Agencies to individually accept the risk of use of any IT system. As described in Section 3.3.3, Agencies may require additional controls to fit their individual circumstances and risk posture.
After reviewing the security authorization package of a CSP, Agencies must be aware that there are always customer responsibilities related to the use of a CSP's services. A key example of this is multi-factor authentication. CSPs can provide the ability to have multi-factor authentication, but Agencies must use and enforce this for the CSP system with their Agency users.
3.3.6. REVOKING AN AUTHORIZATION
CSPs with an authorization are required to implement continuous monitoring, continue to meet the FedRAMP requirements, and maintain an appropriate risk level associated with a Low or Moderate security impact level in order to maintain an authorization. If a CSP fails to maintain its risk posture and comply with FedRAMP continuous monitoring requirements, the JAB AO or the Agency AO can choose to revoke the CSP's authorization. If an Agency revokes a CSP's FedRAMP Authorization, it should notify the FedRAMP PMO by sending an email to info@fedramp.gov. The FedRAMP PMO will notify reliant stakeholders of changes to the status of any CSP authorizations.
3.4. MONITOR
Ongoing assessment and authorization, hereinafter referred to as continuous monitoring, is the third and final process for cloud services in FedRAMP. Once a CSP receives a FedRAMP Authorization (JAB or Agency), it must implement a continuous monitoring capability to ensure the cloud system maintains an acceptable risk posture. This process determines whether the set of deployed security controls in an information system remains effective in light of planned and unplanned changes that occur in the system and its environment over time.
For systems with a FedRAMP JAB P-ATO, the FedRAMP PMO manages both yearly and monthly continuous monitoring activities: these systems must conduct yearly assessments and must submit monthly continuous monitoring to the FedRAMP PMO. (See the Continuous Monitoring Strategy Guide for requirements and details.) For systems with an Agency FedRAMP ATO, the Agency must manage continuous monitoring activities and provide at minimum a yearly update to a CSP's security authorization package with the past year's continuous monitoring activities within the FedRAMP Secure Repository.
Continuous monitoring results in greater transparency of the security posture of the CSP system and enables timely risk-management decisions. Security-related information collected through continuous monitoring is used to make recurring updates to the SSP, SAR, and POA&M. Continuous monitoring keeps the security authorization package timely and provides information about security control effectiveness. This allows Agencies to make informed risk management decisions as they use cloud services. A high level illustration of the continuous monitoring process for FedRAMP Authorizations is detailed in Figure 3, below.
Figure 3 – FedRAMP Continuous Monitoring
3.4.1. OPERATIONAL VISIBILITY
The goal of operational visibility is to reduce the administrative burden associated with demonstrating compliance and instead to shift toward real-time oversight monitoring through automated approaches in accordance with OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. To achieve operational visibility, CSPs provide two different types of information: periodically submitted control artifacts, and annual re-assessments. For more information on periodic submission of evidentiary artifacts, refer to the FedRAMP Continuous Monitoring Strategy Guide available on www.fedramp.gov.
Annually, CSPs must re-assess a subset of the security controls and send results to the FedRAMP PMO and leveraging Agencies. The re-assessment of these controls must be completed by an IA in the same way testing was completed for the initial authorization. Essentially, the annual assessment is a mini-assessment. The FedRAMP Continuous Monitoring Strategy Guide identifies core controls which must be re-tested on an annual basis. The Authorizing Official and CSP must then agree on additional controls that will be tested based on control changes and identified risks in the previous year.
Templates for the annual SAP and SAR are available on www.fedramp.gov.
3.4.2. CHANGE CONTROL
CSPs may make periodic changes to the system according to the procedures found in the system's Configuration Management Plan. CSPs must report any changes or proposed changes that significantly impact the CSP's ability to meet FedRAMP requirements. These changes include, but are not limited to, significant changes as defined in the SSP and Configuration Management Plan, changes in the CSP's point of contact, changes in the CSP's risk posture, changes to any applications residing on the cloud system, and/or changes to the cloud system infrastructure.
CSPs must notify the AO of any impending change to the system that falls outside of the CSP's Configuration Management Plan to identify if the proposed change rises to the level of a significant change. The CSP must fill out a FedRAMP Significant Change Security Impact Assessment Form, which the CSP can download from www.fedramp.gov. The form must include a description of the change and a discussion of the impact of the change on the risk posture. CSPs are encouraged to discuss the change with the respective AO and review teams and the IA for guidance on assessing the risk of the change. CSPs must then submit the form to the AO for review.
A review of the Security Impact Analysis Form by the AO will dictate the course of action for the CSP's proposed change, ranging from allowing the change to occur within the normal course of a CSP's configuration management all the way to a re-authorization, depending on the severity of the impact.
After any proposed changes are made, any impacted security controls must be documented in the security authorization package and updated documentation must be provided to the AO.
3.4.3. INCIDENT RESPONSE
The shared tenant architecture of cloud services implies that a single incident may impact multiple Federal Agencies leveraging the cloud services. FedRAMP works with US-CERT to coordinate incident response activities in accordance with the FedRAMP Incident Communications Procedure published on www.fedramp.gov.
CSPs must have incident response plans in place for all FedRAMP compliant systems, and document them as part of the SSP in Section 3. Incident response plans are required by OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, and NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide. In the event of a security incident, a CSP must follow the process and procedures found in the system Incident Response Plan in accordance with the FedRAMP Incident Communications Procedure.
AOs must ensure that CSPs report incidents according to the system's documented Incident Response Plan. Any Agencies impacted by a security incident must communicate incident information to US-CERT and the FedRAMP PMO according to procedures prescribed in this document.
Based on the severity and outcome of security incidents and the impact they have on the security posture of a CSP environment, AOs may initiate a review of a CSP's authorization. Failure to report incidents may also trigger a review of a CSP's authorization.
4. THIRD PARTY ASSESSMENT ORGANIZATIONS
FedRAMP requires the use of independent assessors for all FedRAMP compliant authorizations. For JAB provisional authorizations, a FedRAMP accredited 3PAO must be used. FedRAMP has established a conformity assessment process to accredit 3PAOs. 3PAOs, essentially, are the auditing firms that perform initial and periodic assessments of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an ongoing role in ensuring that CSPs meet FedRAMP requirements. 3PAOs provide the independent assessment that assures AOs at Federal Agencies that a cloud computing service meets the security requirements outlined by FedRAMP and that any risks or deficiencies are identified.
4.1. REQUIREMENTS FOR ACCREDITATION
FedRAMP requires accredited 3PAOs to meet the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17020 standards, as revised, for independence and managerial competence. In addition, accredited 3PAOs must meet FedRAMP requirements for technical FISMA competence through demonstrated expertise in assessing cloud-based solutions. FedRAMP bases its accreditation process for 3PAOs on the concept of conformity assessment – a methodology to demonstrate capability in meeting requirements relating to a product, process, system, person or body as defined by ISO/IEC 17020.
The specific 3PAO requirements can be found on www.fedramp.gov.
4.2. BECOMING AN ACCREDITED 3PAO
FedRAMP has transitioned the accreditation process for 3PAOs to the private sector and has selected the American Association of Laboratory Accreditors (A2LA) to perform the assessment activities associated with becoming an accredited 3PAO. A2LA will use the 3PAO requirements available on FedRAMP.gov and coordinate with the FedRAMP PMO to accredit 3PAOs. The FedRAMP PMO will continue to be the only authority able to fully accredit FedRAMP 3PAOs.
Information regarding the process to obtain an A2LA FedRAMP 3PAO assessment can be found at www.A2LA.org/FedRAMP.
APPENDIX A: FedRAMP ACRONYMS
The master list of FedRAMP acronym and glossary definitions for all FedRAMP templates is available on the FedRAMP website Documents page under Program Overview Documents (https://www.fedramp.gov/resources/documents-2016/).
Please send suggestions about corrections, additions, [email protected].
APPENDIX B: SUMMARY OF FedRAMP STAKEHOLDERS
Table 1: Summary of FedRAMP Stakeholders
ROLE / DUTIES AND RESPONSIBILITIES

JAB Members (CIOs from GSA, DHS, and DOD)
§ Define and update FedRAMP baseline security controls.
§ Approve accreditation criteria for third-party assessment organizations.
§ Establish the priority queue, which sets the order in which the FedRAMP PMO performs the review of security packages.
§ Review security assessment packages for CSPs granted Provisional Authorizations.
§ Ensure Provisional Authorizations are reviewed and updated regularly; notify Agencies of changes to or removal of Provisional Authorizations.

JAB Technical Representatives
§ Provide subject matter expertise to the JAB AO.
§ Support the FedRAMP PMO in defining and implementing the joint authorization process.
§ Recommend authorization decisions to the JAB AO.
§ Escalate issues to the JAB AO as appropriate.

FedRAMP PMO (GSA)
§ Create processes for Agencies and CSPs to request FedRAMP security authorization.
§ Create a framework for Agencies to leverage security authorization packages processed by FedRAMP.
§ Work in coordination with DHS to establish a framework for continuous monitoring, incident response and remediation, and FISMA reporting.
§ Establish a Secure Repository for authorization packages that Agencies can leverage to grant security authorizations.
§ Coordinate with NIST and A2LA to implement a formal conformity assessment to accredit 3PAOs.
§ Develop templates for standard contract language and service level agreements (SLAs), Memorandum of Understanding (MOU) and/or Memorandum of Agreement.
§ Serve as a liaison to ensure effective communication among all stakeholders.

Department of Homeland Security
§ Assist Government-wide and Agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity.
§ Coordinate cybersecurity operations and incident response.
§ Develop continuous monitoring standards for ongoing cybersecurity of Federal information systems.
§ Develop guidance on Agency implementation of the Trusted Internet Connection (TIC) program with cloud services.

Agencies
§ Use the FedRAMP process when conducting risk assessments, security authorizations and granting an ATO to a cloud service.
§ Ensure contracts require CSPs to comply with FedRAMP requirements and maintain FedRAMP Provisional Authorization.
§ Provide to the Federal CIO an annual certification listing all cloud services that the Agency determines cannot meet FedRAMP requirements, with appropriate rationale and proposed resolutions.
§ Assess, authorize and continuously monitor security controls that are the Agency's responsibility.

Cloud Service Provider (either commercial or Agency operator)
§ Implement security controls based upon the FedRAMP security baseline.
§ Create security assessment packages in accordance with FedRAMP requirements.
§ Contract with an independent 3PAO to perform the initial system assessment and required ongoing assessments and authorizations.
§ Maintain Continuous Monitoring programs.
§ Comply with Federal Requirements for Change Control and Incident Reporting.