trustedagent fedramp security authorization
TRANSCRIPT
Are you positioned to capture the opportunities of Federal Government cloud services?
Learn how TrustedAgent can enable and accelerate your Cloud service offerings to Federal Government agencies.
Seize the opportunities.
How are your offerings meeting FedRAMP requirements?
How can you accelerate your FedRAMP security authorization process?
FedRAMP Assessment Readiness for CSPs using TrustedAgent
Setup FedRAMP System
Perform Security Categorization
Define Common or Tailored Controls
Implement Controls
Address Remediation
Create Assessment Readiness Package
TrustedAgent Overview
About Trusted Integration
Core Capabilities of TrustedAgent
Enforce GRC processes across organizational structures, inventory, people, hardware/software assets and relationships through their life cycles.
Support several regulations and standards including FedRAMP, FISMA, HIPAA, ISO, COBIT, etc.
Identify, assess, and mitigate risks and vulnerabilities. Assist analysts through the security authorization process by automating the
creation and management of security policies, procedures, and security authorization documentation.
Improve situational awareness with comprehensive notifications of key activities for security authorization, risk management, and compliance audits.
Manage and generate regulatory and organizational security and compliance requirements, policies, and documentation templates.
Monitor and improve ongoing security and risk posture. Provide senior management and oversight with comprehensive dashboard and
management reporting.
Key Features of TrustedAgent
• Support a variety of Governance, Risk and Compliance (GRC) frameworks including:
  • FedRAMP/NIST Risk Management Framework
  • DIACAP
  • NIST 800-53 FedRAMP Controls
  • DoD 8500.2 CNSSI-1253
  • HIPAA/HITECH Security and Privacy Controls
  • NERC CIP Controls
  • IT Governance Standards (ISO, SANS Critical Controls, Cloud Security, COBIT)
• Support Multi-level Organizational Hierarchy
• Define Systems and Boundaries
• Determine Control Baseline
• Manage Common Controls
• Implement Security Controls
Key Features of TrustedAgent (cont’d)
• Assess Control Compliance
• Manage Remediation
• Validate, Review and Approve Authorization Packages
• Manage Performance Metrics
• Continuous Monitoring
• Content Management
• Security Authorization and Privacy Support
• Management and Ad Hoc Reporting
• User Administration
• Email and Message Alerts
• Unified Single View Access
Why select TrustedAgent Platform?
Since 2003, the TrustedAgent platform has been the premier government-GRC (gGRC) solution for government agencies.
gGRC differs from traditional GRC solutions in that gGRC:
• Is able to handle detail-driven requirements and responses.
• Is able to support complex requirements relating to content and format.
• Is customizable for various organization formats, specific contents and requirements.
• Supports any number of deliverables, including those unique to the organization.
TrustedAgent GRC template-based design provides the flexibility and customization to support the complex requirements of government agencies and commercial clients.
About Trusted Integration, Inc.
Founded in 2001, Trusted Integration is a small business centrally located in Alexandria, Virginia. Trusted Integration provides a leading governance, risk management and compliance (GRC) technology platform from which organizations can manage their security authorization activities, conduct management reporting, and provide risk and compliance management across the enterprise.
Key differentiators from most other companies in our industry include:
• Core focus on innovative and leading-edge GRC solutions
• Customized, effective, right-fit solutions for our clients
• Employee security clearance rate of 70% (e.g., Secret, Top Secret, etc.)
• Robust and diverse current and past performance with Federal agencies and commercial entities
• Emphasis on quality, structured methodology, customer service, and corporate responsibility
Other kudos: We’ve been named an OMB ‘Center of Excellence’ for FISMA Reporting. We’re listed on the GSA Schedule, TIPSS 4-SB, and NASA SEWP.
TrustedAgent supports three classes of entities:
• System: IaaS, PaaS, or SaaS applications
• Site: Data center with a physical location
• Program: Policies and procedures
A System entity describes any information system, application, or network.
A Site entity describes inventory related to data centers where a large number of system entities are maintained or supported.
A Program entity describes inventory containing policies and procedures that the system or site classes can leverage as common controls.
Select the Entity Class
Elements of an Entity
Organizational Hierarchy
General Characteristics
Details Characteristics
People & Interconnections
Hardware & Software
Asset Categorization & Control Baseline
Control Implementation Details
Security Authorization Documents
Dashboard
Findings & Weaknesses
Performance Metrics
Reports
Organizational Hierarchy
• Support up to 5 levels.
• Data can be organized by:
  • Components or Divisions
  • Subcomponents or Business Units
  • Program Offices
  • Field Offices
  • One or more FedRAMP entities representing systems, sites (data centers), or programs (policies & procedures).
Define FedRAMP System
• The created entity as shown contains general and detailed characteristics.
• Data collected to support documentation for compliance to a specific framework (e.g. FedRAMP), governance (e.g. ISO) or standard (e.g. PCI DSS).
Setup System Purpose, Boundaries, etc.
• Detailed attributes including purpose and intent, location, ownership, as well as technical and supporting information such as architecture diagrams, boundaries, interconnections, etc. can be organized and documented in one place.
• Much of this data can then be automatically incorporated into the FedRAMP documents as required.
Document Interconnections
• Establish interconnection(s) between systems.
• Interconnections may contain system statuses and date of validity.
• Support upload and validation of artifacts such as MOUs.
• POCs relating to Interconnections can also be documented.
• Multiple interconnections are supported.
User Access and POC Management
• Role-based access controls assignable to multiple users based on the organization’s governance.
• Roles can also enable rapid security authorization process through shared collaboration of activities across an enterprise.
• Points of contact (POCs) can be defined for each data entity using either built-in or user-defined titles.
• Multiple POCs can be assigned.
• Once assigned, POCs are rendered across multiple documents as required.
Enter Once
Re-Use Many
Streamlined
Error-free
“Time is money” - Benjamin Franklin
Perform Security Categorization
• TrustedAgent automates the overall security categorization, thereby eliminating costly security determination errors.
• Tracks one-to-many information types and auto-calculates the overall security categorization using the built-in wizard.
• One or multiple information types can be selected.
• TrustedAgent automatically re-computes the overall security categorization based on the user selection.
• Support the scoping of security categorization objectives from default confidentiality, integrity, or availability values.
• Support custom security categorization template.
Determine Control Baseline
• Security controls can be assigned for the organization by components or by subcomponents.
• Using the overall security categorization, TrustedAgent selects the control baseline from the assigned security control template, offering substantial time savings and error-free selection.
• Support several governance and control standards.
• Control standards can be customized for the organization.
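The two slides above describe computing an overall security categorization from one or more information types and then picking a control baseline from it. The example below is added here to show that computation in working code; it is not TrustedAgent's code and does not describe its internals. It implements the FIPS 199 high-water mark (the highest impact of any selected information type, per confidentiality, integrity and availability objective), models the "scoping" of an objective as a per-type override, and maps the overall impact to a baseline name. The information types, impact values and baseline names are constructed for the illustration.

```python
"""Added example (not TrustedAgent code): FIPS 199 high-water-mark security
categorization across several information types, with per-objective scoping
overrides and baseline selection.  All sample data is constructed."""

from dataclasses import dataclass, field

# Impact levels ordered so the highest index is the high-water mark.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    """One information type with its provisional C/I/A impact values."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    # Scoping: an objective can be adjusted from its default value.  Modelled
    # here as an override map (assumption about how scoping is recorded).
    adjusted: dict = field(default_factory=dict)

    def level(self, objective: str) -> str:
        value = self.adjusted.get(objective, getattr(self, objective))
        if value not in LEVELS:
            raise ValueError(f"invalid impact level {value!r} for {self.name}")
        return value


def rank(level: str) -> int:
    """Position of a level in LEVELS, used as the max() key."""
    return LEVELS.index(level)


def categorize(info_types):
    """Return {objective: level} using the FIPS 199 high-water mark: for each
    security objective, the highest impact of any selected information type."""
    if not info_types:
        raise ValueError("at least one information type must be selected")
    return {
        objective: max((t.level(objective) for t in info_types), key=rank)
        for objective in OBJECTIVES
    }


def overall_level(categorization) -> str:
    """Overall system impact: the high-water mark across the three objectives."""
    return max(categorization.values(), key=rank)


def select_baseline(level: str) -> str:
    """Map the overall impact to a baseline name.  The names are hypothetical
    template names, not a list of templates TrustedAgent ships with."""
    return {
        "LOW": "FedRAMP Low Baseline",
        "MODERATE": "FedRAMP Moderate Baseline",
        "HIGH": "FedRAMP High Baseline",
    }[level]


# Constructed sample: a SaaS offering that processes two information types.
SAMPLE_TYPES = [
    InformationType("Customer account records", "MODERATE", "MODERATE", "LOW"),
    InformationType("Public service catalog", "LOW", "LOW", "MODERATE"),
]


def demo():
    """Categorize the sample, pick a baseline, then re-compute after the user
    deselects one information type (the re-computation the slide describes)."""
    cat = categorize(SAMPLE_TYPES)            # every objective becomes MODERATE
    level = overall_level(cat)                # MODERATE
    baseline = select_baseline(level)
    public_only = categorize(SAMPLE_TYPES[1:])  # LOW / LOW / MODERATE
    return cat, level, baseline, public_only


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that the high-water mark is taken per objective first, so two information types that are each Moderate on only one objective still yield a Moderate system on every objective; this is why deselecting or scoping a single information type can change the resulting baseline, and why an audit trail of those selections matters.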
Organize
Reusable
Updatable
Accurate
“Simplicity is the ultimate sophistication” - Leonardo da Vinci
Why utilize Common Controls?
[Chart: complexity and cost versus number of providers]
• TrustedAgent can support a myriad of deployment and service models and associated common controls balancing cost, complexity, and usability.
• Support up to 15 sources of providers.
Define Providers and Common Controls
• Common control providers can offer:
• One or multiple controls as common.
• One or more families of controls as common.
  • Any combination thereof
• Explicit acceptance/rejection handshaking between providers and consumers ensures the integrity of exchanges of common controls.
• Common control provider identification is a critical requirement for FedRAMP control origination definition.
• One or more providers can be assigned for any given entity.
• Selection can be based on:
  • Component
  • Subcomponent
  • Specific data entity
Select Consumers and Receive Common Controls
• The Consumers can choose to accept common controls only from providers that have explicitly granted the consumers the access to the controls.
• Multiple common control sources can be created.
• Once inherited, hybrid controls can be defined.
• Specific control or group of controls or families of controls can be assigned as common controls.
• Multiple sources can provide the same common controls (e.g. as in failover or alternate sites)
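The provider/consumer handshake described on the two slides above (providers offer controls or families as common, explicitly grant consumers access, consumers accept only from granting providers, several providers may supply the same control, and inherited controls can be made hybrid) is shown below as an added example. It is not TrustedAgent's code; the entity names, control identifiers and the three origination labels (common, hybrid, system-specific) are constructed for the illustration, and the way a grant is recorded is an assumption.

```python
"""Added example (not TrustedAgent code): common-control provider/consumer
handshake.  A consumer may only inherit from a provider that explicitly
granted it access; inherited controls are 'common', inherited controls the
consumer adds to are 'hybrid', everything else is 'system-specific'."""

from collections import defaultdict


class CommonControlProvider:
    """A program or site entity that offers some controls as common."""

    def __init__(self, name, offered):
        self.name = name
        self.offered = set(offered)      # control IDs offered as common
        self.granted_to = set()          # consumer names explicitly granted access

    def grant(self, consumer_name):
        self.granted_to.add(consumer_name)

    def revoke(self, consumer_name):
        self.granted_to.discard(consumer_name)


class Consumer:
    """A system entity that inherits common controls from one or more providers."""

    def __init__(self, name, required_controls):
        self.name = name
        self.required = set(required_controls)
        self.inherited = defaultdict(set)   # control ID -> names of providers supplying it
        self.augmented = set()              # inherited controls the system adds to (hybrid)

    def accept(self, provider, control_ids=None):
        """Accept the provider's offered controls (all, or a named subset).
        Rejected when the provider never granted this consumer, or when a
        requested control is not actually offered as common."""
        if self.name not in provider.granted_to:
            raise PermissionError(f"{provider.name} has not granted {self.name}")
        wanted = provider.offered if control_ids is None else set(control_ids)
        not_offered = wanted - provider.offered
        if not_offered:
            raise ValueError(f"{provider.name} does not offer {sorted(not_offered)}")
        # Only controls this system actually needs are recorded as inherited;
        # the same control may be supplied by several providers (e.g. failover site).
        for cid in wanted & self.required:
            self.inherited[cid].add(provider.name)

    def augment(self, control_id):
        """Mark an inherited control as hybrid: partly common, partly system-specific."""
        if control_id not in self.inherited:
            raise ValueError(f"{control_id} is not inherited; nothing to augment")
        self.augmented.add(control_id)

    def origination(self):
        """Control origination per required control, as a FedRAMP SSP records it."""
        result = {}
        for cid in sorted(self.required):
            if cid in self.augmented:
                result[cid] = "hybrid"
            elif cid in self.inherited:
                result[cid] = "common"
            else:
                result[cid] = "system-specific"
        return result


def demo():
    """Constructed scenario: two sites grant the app, a policy program does not."""
    datacenter = CommonControlProvider("Primary data center", {"PE-3", "PE-6", "PE-13"})
    backup_site = CommonControlProvider("Failover site", {"PE-3", "PE-6"})
    policy_program = CommonControlProvider("Security policy program", {"AC-1", "PE-1"})
    app = Consumer("SaaS app", {"AC-1", "AC-2", "PE-1", "PE-3", "PE-6", "PE-13"})

    datacenter.grant(app.name)
    backup_site.grant(app.name)
    app.accept(datacenter)
    app.accept(backup_site)
    app.augment("PE-6")          # the app layers its own monitoring on PE-6
    try:
        app.accept(policy_program)   # never granted: must be rejected
        rejected = False
    except PermissionError:
        rejected = True
    return app.origination(), dict(app.inherited), rejected


if __name__ == "__main__":
    print(demo())
```

The check that matters for package integrity is the `granted_to` test in `accept`: without it a consumer could claim inheritance of a control no provider agreed to supply, and the SSP would assert a control origination the provider's own documentation does not back.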
Tailoring of Controls
• Tailoring of controls is also available to support CSP implementation of controls that may be more stringent than FedRAMP control requirements.
• Tailoring upward brings additional test cases to be evaluated, while tailoring downward may reduce the test cases to be assessed.
• Audit trail automatically captures the key details of control scoping.
• Tailoring does not impact overall security categorization.
Implement Security Controls
• Out-of-the-box support for predefined control implementation statuses to meet FedRAMP requirements.
• Quick access filter to identify statuses of controls.
Implement Security Controls
• Indicate the Responsible Organizations in the implementation of the controls. The selection will automatically render into key documents as required.
• Select the current status of the control from an implementation perspective.
• If exception is required, CSPs can document the exception in the Comments section.
• Once the control implementation status has been marked, the control will indicate accordingly.
Implement Security Controls
• Document the control implementation details (compliance description). Key data captures per FedRAMP requirements are:
  • Responsible Roles
  • Implemented parameters per the requirement(s)
• Specific solution that was implemented for each part of the requirements of the control.
• One or more compliance supporting artifacts can be uploaded, accelerating control assessment review and minimizing errors.
• If compensating or alternative control is leveraged, the control(s) can also be captured.
• Optionally, the quantitative risk assessment method can also be utilized to further define the risk associated with the control.
• Once saved, control implementation is completed. The next control can then be documented.
3PAO Assessment Readiness
• Role-based assessor view designed for performing third-party assessment (FedRAMP 3PAO or ISO Auditors)
• Independent assessor can select the control to assess.
• Assessment is performed on the applicable test cases defined by the organization’s control set from security categorization.
• Control status updates according to the combination of control implementation status and test case assessment results.
• Assessor can document actual test results observed and the test result status.
• Audit trail enabled.
Portability of Control Assessment
• Portability support is essential for 3PAO compliance assessment, as CSPs’ infrastructures may be spread across multiple locations.
• Allow assessment to be performed by a team of assessors dedicated to the review of specific controls.
• Reviewed controls can be merged back to TrustedAgent to complete the overall assessment process.
• Portability support increases flexibility for the 3PAO and accelerates the review process for the CSP.
Methodical
Organize
Integrated
3PAO Readiness
“Insanity: doing the same thing over and over again and expecting different results.” - Albert Einstein
Vulnerability Assessment Management
• Vulnerability assessment is a fundamental requirement for continuous monitoring in FedRAMP.
• Findings can be imported from supported network, database, and application vulnerability scanning tools.
• Findings can be filtered prior to import.
• Findings are organized into finding reports.
• Findings can be accepted to manage for remediation.
Manage Remediation
• Milestones describe specific actions to be accomplished to address a weakness.
• One or more POCs can be assigned to milestones.
• Weakness management in TrustedAgent spans the full lifecycle of the weakness.
• Weaknesses contain key information including priority, POC, and scheduled completion date, as well as other relevant details to support weakness remediation.
• One or more status updates can be applied against each milestone along with % completion enhancing communication and tracking.
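The remediation model on this slide (a weakness with priority, POC and scheduled completion date; milestones with one or more POCs; status updates per milestone carrying a % completion) is shown below as an added example in working code. It is not TrustedAgent's code and makes no claim about how the product stores these records; the weakness, milestones, dates and the three derived status names (Completed, Ongoing, Delayed) are constructed for the illustration. The example derives what a tracker needs from such records: the latest % complete per milestone, an overall % for the weakness, and whether any milestone has slipped past its scheduled date.

```python
"""Added example (not TrustedAgent code): POA&M-style weakness tracking with
milestones, chronological status updates and overdue detection.  All sample
data is constructed."""

from dataclasses import dataclass, field
from datetime import date


@dataclass
class StatusUpdate:
    on: date
    percent_complete: int
    note: str = ""


@dataclass
class Milestone:
    description: str
    pocs: list                     # one or more points of contact
    scheduled: date                # scheduled completion date of this milestone
    updates: list = field(default_factory=list)

    def add_update(self, on, percent, note=""):
        """Append a status update; updates must be 0..100 and in date order."""
        if not 0 <= percent <= 100:
            raise ValueError("percent complete must be between 0 and 100")
        if self.updates and on < self.updates[-1].on:
            raise ValueError("status updates must be chronological")
        self.updates.append(StatusUpdate(on, percent, note))

    @property
    def percent_complete(self):
        """The most recent update is the milestone's current % completion."""
        return self.updates[-1].percent_complete if self.updates else 0

    def is_overdue(self, today):
        return self.percent_complete < 100 and today > self.scheduled


@dataclass
class Weakness:
    title: str
    priority: str                  # e.g. High / Moderate / Low (constructed scale)
    poc: str
    scheduled_completion: date
    milestones: list = field(default_factory=list)

    def overall_percent(self):
        """Unweighted mean of milestone completion, truncated to an integer."""
        if not self.milestones:
            return 0
        return sum(m.percent_complete for m in self.milestones) // len(self.milestones)

    def status(self, today):
        """Derived status: Completed when every milestone is at 100%, Delayed when
        the weakness or any open milestone is past its date, else Ongoing."""
        if self.milestones and self.overall_percent() == 100:
            return "Completed"
        if today > self.scheduled_completion or any(m.is_overdue(today) for m in self.milestones):
            return "Delayed"
        return "Ongoing"

    def overdue_milestones(self, today):
        return [m.description for m in self.milestones if m.is_overdue(today)]


def sample_weakness():
    """Constructed weakness with two milestones and a few status updates."""
    w = Weakness("Unpatched TLS library on web tier", "High",
                 "Web platform lead", date(2013, 9, 30))
    patch = Milestone("Patch library on all web nodes", ["Web platform lead"], date(2013, 8, 31))
    verify = Milestone("Rescan and confirm finding closed", ["Security analyst"], date(2013, 9, 15))
    patch.add_update(date(2013, 8, 10), 50, "Half of the nodes patched")
    patch.add_update(date(2013, 8, 25), 100, "All nodes patched")
    verify.add_update(date(2013, 9, 1), 25, "Rescan scheduled")
    w.milestones.extend([patch, verify])
    return w


if __name__ == "__main__":
    w = sample_weakness()
    for day in (date(2013, 9, 10), date(2013, 9, 20)):
        print(day, w.overall_percent(), w.status(day), w.overdue_milestones(day))
```

Rejecting out-of-order updates keeps the history usable as an audit trail: the "latest update wins" rule only gives the right current value if later updates cannot be inserted with an earlier date.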
Alerts and Notifications
• Be proactive and maintain awareness with comprehensive email alerts and message notifications.
• Quickly communicate changes and statuses in real-time.
Manage Performance Metrics
• Statuses and key dates can be tracked for each key security authorization document.
• Alerts can be generated based on the dates.
• Complete body of evidence for FedRAMP compliance can be generated and tracked.
Monitor Performance with Dashboard
• Comprehensive data filtering for data analytics by metric.
• Over 28 key metrics are available with detailed views.
• Details can be subsequently decomposed to actual data entities such as systems and sites.
• Dashboard decomposes information from components into subcomponents.
• Dashboard provides insight to current governance and security posture.
• Comprehensive detailed metrics of near real-time security performance with filters.
• Historical views are available to evaluate performance over time.
Multiple Compliance and Security Deliverables
TrustedAgent Data Management Process
From both manual and automated data collection, TrustedAgent automates the creation and management of body of
evidence such as SSP, SAR, ITCP, etc. for the organization yielding substantial cost and time savings in security authorization package preparation and submission process.
Automated Body of Evidence
• SSP: System Security Plan
• SAP: Security Assessment Plan
• SAR: Security Assessment Report
• POAM: Plan of Action and Milestones
• CTW: Control Tailor Workbook
• CIS: Control Implementation Summary
• Security Control Assessment
• Privacy: PTA and PIA
• FIPS 199
• E-Authentication
• Rules of Behavior Attestation
• Continuous Monitoring: Infrastructure, Web App, Database, Pen Testing, Risk Recommendation, Vulnerability Scans
Sample Security Authorization Outputs
Management Reporting
• Over 70 built-in reports of key performance metrics at three levels of organizational hierarchy.
• Comprehensive search analysis on weakness remediation.
• Custom reports can be quickly developed and deployed for the organizations using internal report writers.
• Reports can be exported into Office.
• Offers report writers the ability to develop and execute ad hoc reports.
• The ad hoc reports can be published to different locations within TrustedAgent.
Continuous Monitoring
• Changes in HW/SW assets can also be tracked.
• Integration with recurring vulnerability assessment and FDCC/SCAP compliance scans.
• New findings can also be imported based on self-assessments or external audits.
• Serve as a central data warehouse and reporting platform that aggregates, correlates, and reports on risk and security posture concerning the organization’s IT assets on an ongoing, continual basis.
• Users can set controls and control families to be continuously monitored.
• Continuous monitoring controls can be set by component, by subcomponent, or per specific system.
• Refresh of selected controls that require ongoing reassessment of control effectiveness.
Effective
Efficient
Reusable
Reproducible
“Effective security measures do not come cheap.” - Arlen Specter
Contact Information
Trusted Integration, Inc.
Tuan [email protected]
525 Wythe Street
Alexandria, VA 22314
703-299-9171 Ext 103 or Ext 108
703-299-9172 Fax
www.trustedintegration.com