Webinar – What you should know about FedRAMP assessments | 1
Work with Federal Agencies? Here's What You Should Know About FedRAMP Assessments
Contents
• FedRAMP Overview
• Setting the Stage
• Assessment Process
• Additional Topics and Summary
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves the cost, time, and staff required to conduct redundant agency security assessments.
Launched in July 2012, FedRAMP replaces what was previously a decentralized authority to operate (ATO) model in which each agency performed its own assessment.
Understanding FISMA vs. FedRAMP
FISMA
• Is a: Law
• Applies to: Government agencies
• Utilizes for guidance: FIPS 199, FIPS 200, NIST SP 800-53
• Assessed by: An agency, which may use or rely on the work of an outside auditor
FedRAMP
• Is a: Program for managing assessments and ongoing compliance
• Applies to: Cloud providers that host or plan to host for government agencies
• Utilizes for guidance: FedRAMP-modified NIST 800-53 standards; FedRAMP-specific deliverables and templates
• Assessed by: An accredited Third Party Assessment Organization (3PAO)
While often confused, FISMA is a law for agencies, whereas FedRAMP is an audit program for cloud service providers (CSPs).
Setting the Stage: Scope & Agency Involvement
First Decision: JAB vs. Agency Sponsor
• Option 1 - JAB Provisional Authorization (P-ATO)
– FedRAMP Ready assessment required
– Documentation reviewed by GSA, DoD, and DHS
– Pros: Perceived as government-wide; no agency sponsor required
– Con: Lengthier process
• Option 2 - Agency Authority to Operate (ATO)
– All documentation reviewed by a single agency
– Most common approach
Estimated Timeframes (Provided by FedRAMP PMO)
Phases, in order: System Security Plan → Security Assessment Plan → Testing → SAR & POA&M → Review → Authorize
• JAB P-ATO: 6 months +
• Agency ATO: 4 months +
Quality of documentation will determine length of time and possible cycles throughout the entire process.
Cloud Delivery Models Drive Scope
https://www.e-education.psu.edu/cloudGIS/node/91
Cloud IaaS Provider Responsibilities
Leveraging a FedRAMP Authorized IaaS provider allows a SaaS provider to “carve out” those controls and only audit against that which is their responsibility.
The System Security Plan (SSP)
• Template available on www.fedramp.gov
• Average 400-500 pages in length
• Key components:
– System boundaries
– Detailed control descriptions for each of the NIST 800-53 control families (section 13+)
The CSP is 100% responsible for documenting the SSP and maintaining the controls on an ongoing basis.
The Assessment Process
The 3PAO Assessment Process
• Two stages: Planning (SAP); Testing (SAR)
• Assessment activities include:
– Credentialed vulnerability scanning / observation
– Penetration testing
– Manual controls inspection including interviews, documentation review, and technical configuration review
• Findings and communication
– Real-time documentation and coordination between 3PAO and CSP
– Development of POA&Ms by CSP
Continuous Monitoring
• 97 core controls for Moderate + agency-specified controls (~50% of controls)
• What happens after ATO
• Control requirements
– Continuous
– Weekly (e.g. log monitoring)
– Monthly (e.g. scanning)
– Quarterly (e.g. account review)
– Annually
• 3PAO annual assessment
– Assess core controls + % of all other controls (agency-specified)
– Review POA&Ms
– Scanning (and/or observation of scanning)
– Penetration testing
Additional Topics and Summary
FedRAMP+ & ITAR
• Department of Defense
– DoD uses a FedRAMP+ model with DoD SRG/STIG guidance
– FedRAMP controls plus additional controls at designated levels
  • Level 2 is aligned with FedRAMP
  • Level 4 adds an incremental 35 controls
• NIST 800-171
– Standards for Controlled Unclassified Information (CUI)
– Aimed primarily at contractors
• ITAR
– Some agencies require that only US persons access federal systems
– While not a requirement for FedRAMP, some systems and support models are built for ITAR compliance
1H 2016 Updates
• Current state:
– 31 JAB ATOs (4 High)
– 45 CSPs granted an initial Agency ATO
• For example, AWS GovCloud has received 15 individual Agency authorizations for the same system
• FedRAMP Ready launched as part of the FedRAMP Accelerated process for JAB
• High baseline launched
• New templates
Learn more: www.schellmanco.com/fedramp