We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byColten Cromer
Modified over 2 years ago
1 Cloud Security in the Federal Sector: FedRAMP (Federal Risk and Authorization Management Program) © Grant Thornton LLP. All rights reserved. Orus Dearman, Senior Manager Grant Thornton LLP
2 © Grant Thornton LLP. All rights reserved. Agenda Federal Adoption and Regulation of Cloud Services o Introduction o Cloud computing: the push for adoption in the Federal sector o FedRAMP – elements, governance, and process o FedRAMP – efficiencies and shortcomings Questions Many thanks to Kurt Garbars, Senior Agency Information Security Officer, GSA, and Chair, Cloud Computing Security Working Group, for the content of some of these slides…
3 © Grant Thornton LLP. All rights reserved. Cloud within the Federal Sector The push for cloud adoption Part of a larger drive for efficiency (data center consolidation, etc) Cloud computing strategy released February 8, 2011 Estimates $20B of the $80B Federal IT budget could be spent on cloud computing Builds on "Cloud First" policy (part of the administration's 25 point IT plan) Embraces all cloud service models Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) The Feds have invaded the cloud already NASA Nebula (community cloud focused on research) USDA migration
4 © Grant Thornton LLP. All rights reserved. Cloud within the Federal Sector
5 © Grant Thornton LLP. All rights reserved. Cloud within the Federal Sector
6 © Grant Thornton LLP. All rights reserved. FedRAMP: Overview A government-wide initiative to provide joint authorization services FedRAMP PMO in GSA Unified government-wide risk management Agencies would leverage FedRAMP authorizations (when applicable) Agencies retain their responsibility and authority to ensure use of systems that meet their security needs FedRAMP would provide an optional service to agencies Federal agencies will interact with FedRAMP in two ways: Sponsoring a multi-agency cloud provider Leveraging a FedRAMP authorized system
7 © Grant Thornton LLP. All rights reserved. FedRAMP: Participants Joint Authorization Board (JAB) DoD, DHS, GSA, Sponsoring Agency CIOs Authorizes service provider to operate Information Security and Identity Management Committee (ISIMC) Creates guidelines for secure use of cloud computing by federal agencies including Federal CIO “Top 20” security issues Socializes and reviews FedRAMP documents, vetting cloud best practices, lessons learned, emerging concepts, etc NIST Provides technical support to FedRAMP for the application of security standards and guidelines to cloud computing JAB Technical Representatives Review of the authorization package Recommendations to the Authorizing Officials FedRAMP Operations Office Day-to-day support of the authorization process Interacts with federal agencies and service providers
8 © Grant Thornton LLP. All rights reserved. FedRAMP: Governance model Responsible for setting priorities, providing strategic guidance, and ensuring that program objectives are clearly communicated to Federal Agencies. Federal CIO Council Responsible for socializing and reviewing FedRAMP documents, vetting cloud computing best practices, lessons learned, emerging concepts, etc. ISIMC Federal CIO Provides overall direction and program oversight. Responsible for program performance and accountability. Responsible for developing and maintaining FedRAMP security requirements, reviewing assessments, authorizing cloud computing solutions. JAB JAB TRs Operations FedRAMP
9 © Grant Thornton LLP. All rights reserved. FedRAMP: Governance model Permanent members include DoD CIO, DHS CIO, GSA CIO –Sponsoring agency of specific cloud service provider (CSP) Responsibilities –Authorize CSPs to operate –Manage overall risk (both initially and ongoing) –Approve security requirements and A&A process used by FedRAMP Supported by JAB Technical Representatives (JABTR) –Technical staff under CIOs to provide recommendations and assistance to CIOs Roles and Responsibilities of the JAB
10 © Grant Thornton LLP. All rights reserved. FedRAMP: Process Cloud BPA Government Cloud Systems Services must be intended for use by multiple agencies Agency Sponsorship Primary Agency Sponsorship Primary Agency Contract Secondary Agency Sponsorship Cloud Services through FCCI BPAs There are 3 ways a Cloud Service can be proposed for FedRAMP Authorization: 312
11 © Grant Thornton LLP. All rights reserved. FedRAMP: Process Agency X has a need for a new cloud based IT system Agency X gets security requirements for the new IT system from FedRAMP Agency X releases RFP for new IT system and awards contract to cloud service provider (CSP) Agency X submits request to FedRAMP office for CSP To be FedRAMP authorized to operate CSP is put into FedRAMP priority queue
12 © Grant Thornton LLP. All rights reserved. FedRAMP: Process CSP and agency sponsor begin authorization process with FedRAMP office CSP, agency sponsor and FedRAMP office review security requirements and any alternative implementations FedRAMP office and agency coordinate with CSP for creation of system security plan (SSP) CSP has independent assessment of security controls and develops appropriate reports for submission to FedRAMP office FedRAMP office reviews and assembles the final authorization package for the JAB JAB reviews final certification package and authorizes CSP to operate FedRAMP office adds CSP to authorized system inventory to be reviewed and leveraged by all Federal agencies FedRAMP oversees continuous monitoring of CSP
13 © Grant Thornton LLP. All rights reserved. FedRAMP: Control requirements Authorization process is based on current NIST guidance Controls based on NIST SP R3 Cloud Computing Security Working Group (CCSWG) worked with the JAB over the past 10 months in creating controls Members from agencies across government 13 additional controls/enhancements for low impact systems Approximately 60 additional controls/enhancements for moderate impact systems FIPS 199 and R1 apply
14 © Grant Thornton LLP. All rights reserved. FedRAMP: Control requirements
15 © Grant Thornton LLP. All rights reserved. FedRAMP: Control responsibilities Agencies remain responsible for a variety of controls (e.g SaaS): Security categorization Privacy impact assessment Account management (i.e. provisioning of users) Identification and authentication (e.g. 2-factor, password policy) Auditing and monitoring (e.g. audit log reviews) As an agency goes from SaaS to PaaS to IaaS, agency control requirement responsibilities increase
16 © Grant Thornton LLP. All rights reserved. FedRAMP: Continuous monitoring FedRAMP will perform continuous monitoring oversight of cloud service providers Monitoring of controls that fall within the system boundary defined in the service provider’s SSP will be done by Independent 3rd party assessors hired by the CSP and also by the CSP depending on the control Please refer to the FedRAMP continuous monitoring section continuous monitoring deliverables and reporting requirements Continuous monitoring of any controls that fall outside of the system boundary defined in service provider’s SSP and identified as customer responsibility should be done by the customer Agency
17 © Grant Thornton LLP. All rights reserved. FedRAMP: Continuous monitoring Continuous monitoring includes: Maintenance of the system security plan Vulnerability scans on a regular and continuous basis Automated mechanism for verifying configuration settings Monitoring of operational and management controls Situational awareness and incident response Ability to add or remove controls throughout the lifecycle of the system o FedRAMP will ask for implementation plans o Ability to respond to new threats FISMA reporting Watch the watcher……. assess the assessor
18 © Grant Thornton LLP. All rights reserved. FedRAMP: Efficiencies Duplicative risk management efforts Incompatible requirements Potential for inconsistent application and interpretation of Federal security requirements AgencyA&AVendor BEFORE AgencyA&AVendor FedRAMP Unified Risk management and associated cost savings Inter-Agency vetted and compatible requirements using a shared cloud service Effective and consistent assessment of cloud services AFTER
19 © Grant Thornton LLP. All rights reserved. FedRAMP: Efficiencies Example – 3 Agencies, 3 Cloud Providers Currently if each agency used all 3 providers 9 full Assessment and Authorizations (A&A) would need to be performed Under FedRAMP 3 A&As could be leveraged Cost savings of up to 67% for just 3 agencies and 3 providers Transparent and consistent A&A help alleviate duplicative efforts Multi-Agency Use Saves Money Multi-Agency Use Saves Money Continuous monitoring leveraged across agencies FedRAMP oversees process, cloud service providers and independent assessors perform continuous monitoring activities Agencies would only have to provide continuous monitoring on agency specific controls Continuous Monitoring Leveraging
20 © Grant Thornton LLP. All rights reserved. FedRAMP: Shortcomings Too dependent on NIST Lack of application-specific controls Inherits focus on non-technical controls Infrequent "continuous monitoring" Monthly or quarterly Top threats to be assessed by DHS every 6 months Centralized structure removes some autonomy from agencies Federal CIO desire for sensitive information from vendors
21 © Grant Thornton LLP. All rights reserved. Questions, answers, discussion Orus Dearman, Senior Manager Grant Thornton LLP McLean, VA T E
22 © Grant Thornton LLP All rights reserved U.S. member firm of Grant Thornton International Ltd This presentation is the work of Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd, and is in all respects subject to negotiation, agreement and signing of specific contracts. The information contained within this document is intended only for the entity or person to which it is addressed and contains confidential and/or proprietary material. Dissemination to third-parties, copying or use of this information is strictly prohibited without the prior written consent of Grant Thornton LLP.
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.
Jim Reavis, Executive Director Cloud Security Alliance November 22, 2010 Developing a Baseline On Cloud Security.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
1 LBNL Enterprise Computing (EC) January 2003 LBNL Enterprise Computing.
December 2010 US Chief Information Officer Vivek Kundra released the Federal Cloud Computing Strategy. This became to be what is known as “Cloud First”
1 Information Sharing Environment (ISE) Privacy Guidelines Jane Horvath Chief Privacy and Civil Liberties Officer.
FITARA Revamping IT in the Federal Government Presentation to DIR Information Security Forum Richard A. Spires April 14, 2016.
Module N° 4ICAO State Safety Programme (SSP) Implementation Course 1 Module N° 4 – ICAO SSP framework Revision N° 5ICAO State Safety Programme (SSP) Implementation.
Grant Accountability and Transparency Act NATIONAL ASSOCIATION OF STATE COMPTROLLERS 2016 ANNUAL CONFERENCE CAROL A KRAUS, CPA.
1. 2 August Recommendation 9.1 of the Strategic Information Technology Advisory Committee (SITAC) report initiated the effort to create an Administrative.
How to commence the IT Modernization Process? 1 Tony Lester August 2011.
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
Abstract To provide efficient and effective access to enterprise information that meets stakeholder needs and supports mission success, NASA is implementing.
Slide 1 Course: e-Governance Project Lifecycle Day 1 Session 3 e-Governance Project Development LifeCycle.
Federal Cloud Computing Initiative Matthew Goodrich November 5, 2010 GSA Confidential and Proprietary – Not for Distribution Section 508 Coordinator Conference.
Moving to the Cloud HHS Directions in Cloud Computing Mary Forbes, Chief Enterprise Architect Scott Cory, Capital Planning and Investment Control Officer.
Effective Contract Management Planning For Performance-Based Contracting.
Auditing Governance Functions. Page 2 Agenda ► Defining Corporate Governance ► Internal Audit’s Role in Corporate Governance ► Areas of Audit Focus ►
2 Session Objectives Increase participant understanding of effective financial monitoring based upon risk assessments of sub-grantees Increase participant.
1 The Data Protection Officer at work Experience, good practices and lessons learnt Pierre Vernhes – former DPO at the Council of the EU Workshop on Data.
The Implementation Structure DG AGRI, October 2005 EU Rural Development.
Complying With The Federal Information Security Act (FISMA)
Infrastructure Study and Assessment (INSA) and State Portal Upgrade N.C. Office of Information Technology Services Infrastructure Study and Assessment.
EMS Checklist (ISO model) EPA Regions 9 & 10 and The Federal Network for Sustainability 2005.
Roles and Responsibilities Examples. Introduction Standards and Frameworks: – ISO/IEC – COBIT 5 – ITIL® – MOF 4 Functional Divisions Examples.
ECM Project Roles and Responsibilities By Jacqueline Rodriguez.
NIMS Resource Management IS-700.A – January 2009 Visual 5.1 NIMS Command and Management Unit 5.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
MSCG Training for Project Officers and Consultants: Project Officer and Consultant Roles in Supporting Successful Onsite Technical Assistance Visits December.
1 Compliance Responsibilities: National Service Criminal History Checks Corporation for National and Community Service Office of Grants Management, Washington,
Visual 3.1 Delegation of Authority & Management by Objectives Unit 3: Delegation of Authority & Management by Objectives.
Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.
Additional Assurance Services: Other Information Chapter 20 McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Doug Couto Information Systems and Technology Committee (ABJ50) Washington, DC January 25, 2011.
Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
1 Dr. Ashraf El-Farghly SECC. 2 Level 3 focus on the organization - Best practices are gathered across the organization. - Processes are tailored depending.
DOD IT MODERNIZATION ENABLING AGILE, SECURE, EFFICIENT, AND EFFECTIVE DOD IT For more information go to dodcio.defense.gov/ITModernization (*website not.
1 State Budget Manual Update Meeting June 2007 OSBM State Budget Manual Update July 1, WELCOME BUDGET MANAGERS AND CHIEF FISCAL OFFICERS.
Some slides in this presentation were excerpted from US Eds February 2009 PowerPoint presentation titled: Help! Im a New Title I Director. What Do I Need.
YES New Mexico Enterprise Eligibility System Human Services Department Lead Agency November 28, 2007.
Subchapter M-Indian Self- Determination and Education Assistance Act Program Part 273-Education Contracts under Johnson-OMalley Act.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
1 606 CMR 14.00: Background Record Checks What you need to know!
Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.
It.ufl.edu FISMA 101. it.ufl.edu AGENDA FISMA Project Overview The Basics: FISMA and NIST RMF The Details: Six specific processes Portable Computing.
Human Capital Investment Programme Disability Activation Project (DACT) WELCOME Support Workshop Thursday 7 th February
Security Controls – What Works Southside Virginia Community College: Security Awareness.
LMI Enterprise Architecture and Information Assurance Integration Approach A Case Study.
© 2016 SlidePlayer.com Inc. All rights reserved.