FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0

ISACA Research Triangle Chapter, February 2012 (final update May 2013). Valdez Ladd MBA, MS ISM, CISA, CISSP. U.S. Government Cloud Services: Federal Risk and Authorization Management Program (FedRAMP)

Upload: valdez-ladd-mba-cissp-cisa

Post on 07-May-2015

DESCRIPTION

Federal Agencies & Cloud Service Providers meeting FISMA requirements via FedRAMP. This presentation covers the Federal Risk and Authorization Management Program together with FISMA, SCAP and the Federal Data Center Consolidation Initiative, to clarify how US government agencies purchasing cloud services need to meet Federal Information Security Management Act (FISMA) requirements. January 2013 - The FedRAMP Joint Authorization Board has granted its first provisional authorization to Autonomic Resources, who used Veris Group as their FedRAMP accredited 3PAO.

TRANSCRIPT

Page 1: FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0

ISACA Research Triangle Chapter

February, 2012 (final update May 2013)

Valdez Ladd MBA, MS ISM, CISA, CISSP

U.S. Government Cloud Services: Federal Risk and Authorization Management Program (FedRAMP)

Page 2: FedRAMP

Page 3: Overview

• Fed CIO 25 point plan to reform Federal IT
• FDCCI
• Security - Conflicting Agency processes for vendors, cloud service providers
• FedRAMP Overview - http://www.fedramp.gov
  • Process and Benefits
  • Phased Implementation
• Third Party Assessment Organizations (3PAO) Overview
  • Requirements
  • Application
• FedRAMP Security Controls
  • NIST Special Publication 800-53, Rev. 3
  • Selection of Controls
  • FISMA Approval/Review Process
  • 3PAO
  • Continuous Monitoring
  • ISAP, SCAP, CyberScope
• Tools:
  • Cloud Security Alliance GRC Stack & FedRAMP Baseline Security Controls

Page 4: FedRAMP TIMELINE

• Dec. 8, 2011 - Fed CIO Steve VanRoekel launches FedRAMP program
• Dec. 16, 2011 - Industry Day on 3PAO Application Process
• Dec. 23, 2011 - Deadline for questions for first round of 3PAO applications
• Jan. 6, 2012 - FedRAMP publishes responses to December 23 questions
• Jan. 9, 2012 - First day for acceptance of FedRAMP applications for first round
• Jan. 20, 2012 - Last day for acceptance of FedRAMP applications for first round
• March, 2012 (estimated) - First group of 3PAOs announced on www.fedramp.gov
• May 21, 2013 - Amazon.com's AWS GovCloud (US)℠ achieves a FedRAMP compliant Agency ATO (Authorized to Operate); 3rd company awarded an ATO

Page 5:

Page 6: 25 POINT IMPLEMENTATION PLAN TO REFORM FEDERAL IT MANAGEMENT

• Vivek Kundra, U.S. Chief Information Officer, DECEMBER 9, 2010
• ACHIEVING OPERATIONAL EFFICIENCY
  - Apply Light Technology and Shared Solutions
    * plans to consolidate at least 800 data centers by 2015 (Cloud First Strategy)
• EFFECTIVELY MANAGING LARGE-SCALE IT PROGRAMS
  - Streamline Governance and Improve Accountability
  - Strengthen Program Management
  - Align the Acquisition Process and Budget Process with the Technology Life Cycle
  - Increase Engagement with Industry
• http://www.cio.gov/documents/25-point-implementation-plan-to-reform-federal%20it.pdf

Page 7: Federal IT Shared Services Strategy

• Shared Services Strategy
• Implement a Shared First Plan – Each agency will develop a shared services plan that includes, at minimum, two commodity IT areas for migration to a shared environment by December 31, 2012, with an initial focus on consolidation at the intra-agency level.
• Assess & Benchmark Existing Lines of Business – Each existing LoB will assess current services and develop benchmark metrics to measure quality and uptake of services provided.
• Develop Roadmaps for Modernization & Improvement of Existing Services – Each Managing Partner will develop a roadmap for improvement of existing services. Agencies and OMB will work together to monitor progress toward these goals throughout the year.

Page 8: Federal IT Shared Services Strategy

Page 9: Federal Data Center Consolidation Initiative (FDCCI)

• GOALS:
  • Reduce Costs / Reduce Energy Use
  • Limit Long-term Capital Investments (CAPEX)
  • Improve Efficiency & Service Levels via Automation
  • Guarantee Performance: Redundancy, Load Balancing, COOP (continuity of operations)
  • Enhance Business Agility & Effectively Manage Change
  • Maintain Security: CIA (Confidentiality, Integrity, Availability)
  • Implement ITSM Best Practices – ITIL, CMMI-Svc
  • Implement SDLC Best Practices – CMMI-Dev, CMMI-Acquisition

Page 10: The Federal Data Center Consolidation Initiative (FDCCI), February 26, 2010

• ISSUES:
  - High data center redundancy
  - High costs, inefficiency, unsustainable and enormous energy consumption
• December 21, 2011: The federal government is on pace to close at least 1,200 of its 3,100 data centers by the end of 2015, per Federal CIO Steven VanRoekel

Page 11: FDCC Initiative

• Ref: http://www.ca.com/~/media/Files/whitepapers/fdcci-wp.pdf

Page 12: FDCC Initiative - IT Security Management to improve FISMA compliance

Uses a functional architecture that helps augment data center security and improve compliance:

• Identity Lifecycle Management
  Provides an integrated identity administration solution that serves as the foundation for automated user provisioning, self-service requests, and identity governance (the centralized control of users, roles, and policies).
• Information Protection and Access Control
  Enforces policies relating to access to systems, web applications, and information. It also provides management of privileged users to limit improper administrator actions.
• Together = Content Aware Identity and Access Management
• Ref: http://www.ca.com/~/media/Files/whitepapers/fdcci-wp.pdf

Page 13: FDCC Initiative

Page 14: FDCC Initiative Reality: Confusion!

Too many:
- Agencies (State Dept., FDA, SEC, FTC, Agriculture, etc.)
- Different processes & interpretations
- Separate FISMA implementations

• *image courtesy nlm.nih.gov
• FedRAMP to the Rescue!

Page 15: FedRAMP Purpose ("Do Once, Use Many Times")

• Establishes Federal policy for the protection of Federal information in cloud services
• Describes the key components and their operational capabilities
• Defines Executive department and agency responsibilities in developing, implementing, operating, and maintaining the program
• Defines the requirements for Executive departments and agencies using the program in the acquisition of cloud services
• www.fedramp.net

Page 16: FedRAMP

• The FedRAMP security controls are based on the NIST SP 800-53 R3 / 800-53A controls for low and moderate impact US systems that address cloud computing.
• The program will deliver a cost-effective, risk-based approach for the adoption and use of cloud services.
• Operating under a "do once, use many times" framework, federal officials believe that FedRAMP will save the cost, time and staff required to conduct security assessments for federal departments making the jump to the cloud.
• The program is also designed to foster better relationships between agencies and cloud service providers (Shared Services Strategy)
• Standardized security requirements for the authorization and ongoing cyber security operation of cloud services for selected information system impact levels.

Page 17: FedRAMP

• A conformity assessment program capable of producing consistent, independent, third-party assessments of security controls implemented by cloud service providers;
• Authorization packages of cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from the Department of Homeland Security (DHS), Department of Defense (DoD) and General Services Administration (GSA);
• Standardized contract language to help executive departments and agencies integrate FedRAMP requirements and best practices into acquisition; and
• A repository of authorization packages for cloud services that can be leveraged government wide.

Page 18: FedRAMP

• How will cloud services be prioritized for FedRAMP review?

Joint Authorization Board (JAB) priority:

• "FedRAMP will prioritize the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide."
• In order to accomplish this, FedRAMP will prioritize Secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services
• (1) Cloud systems with an existing Federal agency authority-to-operate (ATO) get first priority
• (2) Cloud systems without an existing Federal agency ATO get second priority

Page 19: FedRAMP

Page 20: Federal Information Security Management Act (FISMA) 2002

• Created by OMB authorization and National Institute of Standards and Technology (NIST) implementation guidance.
• NIST Special Publication 800-53 Revision 3 (2009): Security Controls for Federal Information Systems and Organizations.
• NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• Compliance framework defined by FISMA and supporting standards:
  1. Inventory of information systems
  2. Categorize information and information systems according to risk level
  3. Security controls
  4. Risk assessment
  5. System security plan
  6. Certification and accreditation
  7. Continuous monitoring (new)

Page 21: FISMA

• FedRAMP – Authorization deliverables for Cloud computing service providers (CSP). (*297 controls, 604 page document)
  A. Develop Plan of Action & Milestones (POAM)
  B. Assemble Security Authorization Package (SAP)
  C. Determine Risk
  D. Determine the Acceptability of Risk
  E. Obtain Security Authorization Decision (yes/no)

Page 22: FedRAMP

• Third Party Assessment Organizations (3PAOs) Required:
• As a part of the FedRAMP process, cloud service providers (CSPs) must use a FedRAMP approved third party assessor to independently validate and verify that they meet the FedRAMP requirements.
• Per NIST, FedRAMP implemented a conformity assessment process to qualify 3PAOs. This conformity assessment process qualifies 3PAOs according to two requirements:
  - Independence and quality management in accordance with ISO standards
  - Technical competence through FISMA knowledge testing

Page 23: FedRAMP

• Third Party Assessment Organizations (3PAOs)
• Controls:
  - Perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring cloud service providers (CSPs) meet requirements.
  - FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.
  - Independent assessors of whether a cloud service provider has met the 297 agreed upon FedRAMP security controls (604 pages) so they can get an authority to operate (ATO).
  - Companies cannot be 3PAOs and cloud service providers (CSP) at the same time for the same contracts (MOU, etc.)

Page 24: FedRAMP

• Cloud service providers or 3PAO?

Page 25: FedRAMP Summary

• FedRAMP – Authorization deliverables for Cloud computing service providers (CSP). (*297 controls, 604 page document – Requires 3PAO)
  A. Develop Plan of Action & Milestones (POAM)
  B. Assemble Security Authorization Package (SAP)
  C. Determine Risk
  D. Determine the Acceptability of Risk
  E. Obtain Security Authorization Decision
• Goals: Reduce costs and time, and increase shared services & cyber security throughout Federal Agencies

Page 26: FISMA Continuous Monitoring

• FISMA requires agencies to report quarterly and annually based on performance measures (and security metrics) defined by the Office of Management and Budget (OMB).
• FISMA guidance from OMB involves a four tiered approach:
  1. Data feeds directly from security management tools
  2. Government-wide benchmarking on security posture
  3. Agency-specific interviews
  4. Office of Inspector General (OIG) reviews
• Data Feeds pulled from Security Management Tools - CyberScope & CyberStats

Page 27: FISMA Pre - Continuous Monitoring

• Agencies were spending an estimated 10 percent of their information technology budgets to comply with FISMA.
• $8 billion annual investment.
• U.S. State Department Chief Information Security Officer John Streufert achieved significant results in moving from the paperwork of compliance to real-time operational security:

Page 28: FISMA Pre - Continuous Monitoring

• High-risk security vulnerabilities were reduced by 90% from July 2008 to July 2009
• Cost of certifying and accrediting IT systems required under FISMA was cut by 62% by continuously updating security data.
• * 2010 Wikileaks & US Army Private Bradley Manning – Insider Threat

Page 29: FISMA - 1st Continuous Monitoring program: US State Department

Policies put responsibility for security status in the hands of local officials who have direct control of systems, applying scanning tools that use the Consensus Audit Guidelines of critical security controls.

• Perform scans every two to 15 days rather than every three years
• By scoring each site and making local administrators responsible for security status, each of the department's 260 embassies and 40 domestic offices is regularly scored on its security posture and assigned a grade every 36 hours on a scale of A+ to F-.
• William Jackson, Mar 03, 2010, http://gcn.com/Articles/2010/03/03/RSA-Futue-of-FISMA.aspx?Page=1

Page 30: FISMA Continuous Monitoring

• NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
  - Manages risk consistently throughout the organization.
  - Ensures continued effectiveness of all security controls.
  - Verifies compliance with legislation, directives, regulations, policies and standards/guidelines.
  - Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets.
  - Ensures knowledge and control of changes to organizational systems and environments of operation.
  - Maintains awareness of threats and vulnerabilities.
• William Jackson, Mar 03, 2010, http://gcn.com/Articles/2010/03/03/RSA-Futue-of-FISMA.aspx?Page=1

Page 31: FISMA

Page 32: FISMA Continuous Monitoring

The CyberScope system
- A web-based application used to collect data from each federal agency through live data feeds and data entry by agency personnel.
- The expectation is that most Departments will be able to leverage their internal security information management systems to supply the data required.

• ** Unfunded Mandate **

Page 33: FISMA - The CyberScope System: data feeds

• NIST initiated the Information Security Automation Program (ISAP)
• This capability is achieved through the Information Security Automation Program (ISAP). It is a U.S. government multi-agency initiative to enable automation and standardization of technical security operations.
• Standards based automation of security checking and remediation as well as automation of technical compliance activities (e.g. FISMA).
• The NIST Security Content Automation Protocol (SCAP) supports and complements the approach for achieving consistent, cost-effective security control assessments.
• http://nvd.nist.gov/scap/docs/ISAP.doc

Page 34: FISMA - Security Content Automation Protocol (SCAP)

A methodology for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance).

The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.

http://nvd.nist.gov/scap/docs/ISAP.doc

Page 35: FISMA - Security Content Automation Protocol (SCAP)

• SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.2.
• SCAP standardizes the format and nomenclature in which software flaw and security configuration information is communicated, to machines and humans.
• SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content and the SCAP requirements not defined in the individual component specifications.
• http://nvd.nist.gov/scap/docs/ISAP.doc

Page 36: FISMA - SCAP Components

• Common Vulnerabilities and Exposures (CVE)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Common Vulnerability Scoring System (CVSS)
• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)
• Open Checklist Interactive Language (OCIL) Version 2.0
• Asset Identification
• Asset Reporting Format (ARF)
• Common Configuration Scoring System (CCSS)
• Trust Model for Security Automation Data (TMSAD)
• Mitre "Making Security Measurable" web site: http://makingsecuritymeasurable.mitre.org/index.html

http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

Page 37: FISMA - SCAP Checklists

Standardize and enable automation of the linkage between computer security configurations and the NIST SP 800-53A controls framework.

http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

checklists.nist.gov/
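The SCAP checklist linkage the slide describes, carried into working code as an added example (not from the presentation, NIST or any scanner vendor): it parses a constructed, minimal XCCDF 1.2 result document, rolls each rule's pass/fail outcome up to the NIST SP 800-53 control named in the rule's <reference>, and lists the failing rules as input to the Plan of Action & Milestones (POA&M) from the FedRAMP deliverables slides. The rule-to-control mapping via <reference>, the worst-outcome-wins roll-up and the severity ordering are assumptions; real SCAP content records that linkage in several ways.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
IGNORED = {"notapplicable", "notchecked", "notselected", "informational"}
RANK = {"pass": 0, "unknown": 1, "error": 1, "fail": 2}   # worst outcome wins
SEVERITY = {"high": 0, "medium": 1, "low": 2, "info": 3}  # assumed ordering

# Constructed sample, not real scanner output. Assumption: each Rule's
# <reference> names the SP 800-53 control the check supports.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_lockout" severity="medium"><reference>AC-7</reference></Rule>
  <Rule id="xccdf_example_rule_lockout_duration" severity="low"><reference>AC-7</reference></Rule>
  <Rule id="xccdf_example_rule_audit_logon" severity="high"><reference>AU-2</reference></Rule>
  <Rule id="xccdf_example_rule_pw_length" severity="medium"><reference>IA-5</reference></Rule>
  <TestResult id="xccdf_example_testresult_scan1">
    <rule-result idref="xccdf_example_rule_lockout"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_lockout_duration"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_logon"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_pw_length"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xccdf_xml):
    """Return (rules, outcomes): rule id -> (control, severity), rule id -> result."""
    root = ET.fromstring(xccdf_xml)
    rules = {}
    for rule in root.iterfind(".//x:Rule", NS):
        ref = rule.find("x:reference", NS)
        control = ref.text.strip() if ref is not None and ref.text else "UNMAPPED"
        rules[rule.get("id")] = (control, rule.get("severity", "unknown"))
    outcomes = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        res = rr.find("x:result", NS)
        outcomes[rr.get("idref")] = res.text.strip() if res is not None and res.text else "unknown"
    return rules, outcomes


def control_status(xccdf_xml):
    """Roll rule outcomes up to one status per 800-53 control.

    A control is 'fail' if any applicable rule failed; a control whose rules were
    all not applicable / not checked is reported as such rather than as a pass.
    """
    rules, outcomes = parse_results(xccdf_xml)
    per_control = defaultdict(list)
    for rule_id, (control, _severity) in rules.items():
        per_control[control].append(outcomes.get(rule_id, "unknown"))
    status = {}
    for control, results in per_control.items():
        checked = [r for r in results if r not in IGNORED]
        status[control] = (max(checked, key=lambda r: RANK.get(r, 1))
                           if checked else "notapplicable")
    return status


def poam_items(xccdf_xml):
    """Failing rules as (control, rule id, severity), most severe first: the
    findings that feed a Plan of Action & Milestones (POA&M)."""
    rules, outcomes = parse_results(xccdf_xml)
    failing = [(control, rule_id, sev) for rule_id, (control, sev) in rules.items()
               if outcomes.get(rule_id) == "fail"]
    return sorted(failing, key=lambda item: (SEVERITY.get(item[2], 4), item[0]))


if __name__ == "__main__":
    for control, state in sorted(control_status(SAMPLE_XCCDF).items()):
        print(f"{control}: {state}")
    for control, rule_id, sev in poam_items(SAMPLE_XCCDF):
        print(f"POA&M: {control} {rule_id} ({sev})")
```

Run on the sample, AC-7 fails because one of its two rules failed, AU-2 fails, and IA-5 is reported as not applicable rather than silently counted as satisfied.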

Page 38: FISMA - SCAP Validation Program

NIST focuses on working with government and industry to establish more secure systems and networks:

- security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation;
- security metrics, security evaluation criteria and evaluation methodologies, tests and test methods;
- security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research methodologies;
- security protocol validation activities; with voluntary industry standards bodies and other assessment regimes.

http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

Page 39: FISMA - SCAP Independent Third Party Testing

- Assures the customer/user that the product meets the NIST specifications.
- The SCAP standards can be complex, and several configurations must be tested for each component and capability to ensure that the product meets the requirements.
- A third-party lab (accredited by the National Voluntary Laboratory Accreditation Program (NVLAP)) provides assurance that the product has been thoroughly tested and has been found to meet all of the requirements.
- A vendor seeking validation of a product should contact an NVLAP accredited SCAP validation laboratory for assistance in the validation process.

http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

Page 40: FedRAMP (future)

Valdez Ladd CISSP, CISA, MBA, MS ISM

Page 41: Generic Cloud Security Architecture

Page 42: FedRAMP

• Questions?

FedRAMP

FISMA

Valdez Ladd CISSP, CISA, MBA, MS ISM

Contact me: LinkedIn

Page 43: Cloud Security Alliance GRC Stack

Page 44:

Page 45:

Page 46: Cloud Trust Protocol

http://assets1.csc.com/cloud/downloads/wp_cloudtrustprotocolprecis_073010.pdf

Page 47: Cloud Security Alliance Guidance v3.0

• Security Guidance for Critical Areas of Focus in Cloud Computing
• Section I. Cloud Architecture
  - Domain 1: Cloud Computing Architectural Framework
• Section II. Governing in the Cloud
  - Domain 2: Governance and Enterprise Risk Management
  - Domain 3: Legal Issues: Contracts and Electronic Discovery
  - Domain 4: Compliance and Audit Management
  - Domain 5: Information Management and Data Security
  - Domain 6: Interoperability and Portability
• Section III. Operating in the Cloud
  - Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
  - Domain 8: Data Center Operations
  - Domain 9: Incident Response
  - Domain 10: Application Security
  - Domain 11: Encryption and Key Management
  - Domain 12: Identity, Entitlement, and Access Management
  - Domain 13: Virtualization
  - Domain 14: Security as a Service

Page 48: FedRAMP

FedRAMP Baseline Security Controls tool

Walkthrough is outside of presentation

Page 49: References

FedRAMP: www.fedramp.gov/

fedramp.net: www.fedramp.net/

Cloud Security Alliance: https://cloudsecurityalliance.org/

NIST Special Publications (800 Series): http://csrc.nist.gov/publications/PubsSPs.html

Valdez Ladd: LinkedIn