
1 Assessment and Authorization – Module 5 (combined with Module 6)
ELO 5.1 Describe the high level assessment and authorization steps required for a cloud solution.
ELO 5.2 Choose the steps (in appropriate order) of the DoD accreditation process for an externally-provided cloud service offering used by a DoD Mission Owner.
ELO 5.3 List the DoD information impact levels, and provide an example of each type.
ELO 5.4 Identify key attributes of what FedRAMP is, who directed it and why.
ELO 5.5 Identify the FedRAMP security process.
ELO 5.6 Identify what a DoD Provisional Authorization is and the steps to get it.
ELO 5.7 Identify what a Cloud Access Point is and when it is necessary.
ELO 5.8 Identify the tasks to obtain an Approval to Operate (ATO).
ELO 5.9 Match key risk terms from the section to appropriate definitions.

2 Module 5: Assessment and Authorization
Security Assessment and Authorization Overview
Accreditation Process for Externally-Provided CSO
The DoD Information Impact Levels
Federal Risk and Authorization Management Program
FedRAMP Security Process
DoD Provisional Authorization
DoD Provisional Authorization Process
Cloud Access Point
Authorizing Official Tasks
Security A&A Risk Terms
Module Review
Module Summary

Questions:
List the DoD information impact levels, and provide an example of each type.
Identify issues associated with storing DoD data in non-US locations (moved to Cybersecurity Module 4).
Identify risks associated with using outsourced IT offerings.
Match key risk terms from the section to appropriate definitions.

3 RMF - Major System Security Lifecycle Steps
Security A&A Overview

To address the cloud IT security risks identified in the previous module, a Component implements security controls based on the risk assessment of the threats and conducts a security assessment and accreditation (A&A) in accordance with the DoD Risk Management Framework (RMF). The DoD RMF is described in DoDI and provides the overall policy regarding the security of DoD Information Systems. The most important part of this policy is that the DoD Component appoints a trained Authorizing Official (AO) to oversee the process and to provide the final Approval to Operate (ATO) the cloud service when he/she determines the security risks of the CSO have been appropriately addressed.

Another important component is cybersecurity reciprocity. According to DoDI, “Cybersecurity reciprocity is an essential element in ensuring IT capabilities are developed and fielded rapidly and efficiently across the DoD Information Enterprise. Applied appropriately, reciprocity reduces redundant testing, assessing and documentation, and the associated costs in time and resources. The DoD RMF presumes acceptance of existing test and assessment results and authorization documentation.”

RMF - Major System Security Lifecycle Steps:
1. Categorize System
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize System
6. Monitor Security Controls

ELO 5.1 Describe the high level assessment and authorization steps required for a cloud solution.

MT 5.1.X To address the security risks associated with using a Cloud Service Offering, the Component implements security controls based upon the risk assessment of the threats.
MT 5.1.X A security assessment and accreditation (A&A) is conducted in accordance with the DoD Risk Management Framework (RMF).
MT 5.1.X DoD Instruction is the DoD Risk Management Framework and provides the overall policy regarding the security of DoD Information Systems.
MT 5.1.X There is a separate DAU Distance Learning course in development on the Risk Management Framework. There are several important concepts that apply to DoD Cloud Computing.
MT 5.1.X According to the RMF, the DoD Component appoints a trained Authorizing Official (AO) to oversee the Assessment and Authorization process and to provide the final Approval to Operate (ATO) the cloud service when they determine the security risks of the Cloud Service Offering have been appropriately addressed.
MT 5.1.X Another important component of the RMF is cybersecurity reciprocity, which is an essential element in ensuring Information Technology capabilities are developed and fielded rapidly and efficiently across the DoD Information Enterprise. When applied appropriately, reciprocity reduces redundant testing, assessing and documentation, and the associated costs in time and resources. The DoD RMF presumes acceptance of existing test and assessment results and authorization documentation.

4 Security A&A Overview (Continued)
Security Assessment Overview (continued)

To reduce the duplication of effort in assessing Cloud Service Offerings (CSO), the DoD leverages the GSA Federal Risk and Authorization Management Program (FedRAMP) and DISA Provisional Authorization (PA) processes detailed in the Cloud Computing SRG to share security assessments among federal agencies.

In procuring cloud services, it is important that the AO and acquisition professional work with the organization’s security team to determine the information impact level of the data that will be required to be processed by the CSO. The impact level will determine the process that will be used to procure the cloud services and the cloud service offerings that are eligible to meet the organization’s IT requirements. Note the focus is on the cloud service offering, not on the cloud provider of the service, who may offer services that are certified at different information impact levels.

True or False: A Cloud Service Provider may have multiple Cloud Service Offerings at different Information Impact Levels. True. The Information Impact Level will determine the process that will be used to procure a cloud service to meet the Mission Owner’s IT requirements.

ELO 5.1 Describe the high level assessment and authorization steps required for a cloud solution.

MT 5.1.X Following the concept of reciprocity, DoD leverages the GSA Federal Risk and Authorization Management Program (FedRAMP) and DISA Provisional Authorization (PA) process, detailed in the Cloud Computing SRG, to share security assessments among federal agencies when assessing a Cloud Service Offering.
MT 5.1.X One of the most important steps when procuring Cloud Services is for the acquisition professional to work with the organization’s security team to determine the Information Impact Level of the data that will be required to be processed by the Cloud Service Offering.
MT 5.1.X The Information Impact Level will determine the process that will be used to procure the cloud services and the cloud service offerings that are eligible to meet the organization’s IT requirements.
MT 5.1.X Note the focus is on the Cloud Service Offering, not on the Cloud Service Provider of the service, who may offer other Cloud Service Offerings that are certified at different Information Impact Levels.

5 Accreditation Process for Externally-Provided CSO (1 of 2)
The six-step RMF security assessment and accreditation process is modified to leverage the FedRAMP and DoD Provisional Authorization processes:

1. Determine Information Impact Level – determine the Information Impact Level of the application/system to be procured in accordance with the DoD Cloud Computing Security Requirements Guide (SRG).
2. Select Cloud Service Offering (CSO) – select the appropriate CSO based on the functional requirements and the Impact Level, either from the DoD Approved Cloud Service Provider Catalog, FedRAMP Compliant Systems with Joint Authorization Board (JAB) approval, compliant cloud systems with an Agency FedRAMP Authorization, or by a Component-approved selection process.
3. Initiate Assessment Process – contact the DISA Cloud Support Office to request a Provisional Authorization (PA) of your Component’s use of the CSO, work with the CSP to complete the appropriate DISA forms, and submit them.

Identify the 7 steps in performing an assessment. Match the 7 steps of the assessment process to the appropriate description.

ELO 5.2 Choose the steps (in appropriate order) of the DoD accreditation process for an externally-provided cloud service offering used by a DoD Mission Owner.

Mr. Terry Halvorsen, the DoD’s Chief Information Officer, made the following statement to the House Armed Services Committee, Subcommittee on Emerging Threats & Capabilities in February of He said, “Cloud computing plays a critical role in the Department’s IT modernization efforts. Our key objective is to deliver a cost efficient, secure enough enterprise environment (the security driven by the data) that can readily adapt to the Department’s mission needs. The Cloud will support the Department’s Joint Information Environment with a robust IT capability built on an integrated set of Cloud services provided by both commercial providers and DoD Components. We will use a hybrid approach to Cloud that takes advantage of all types of Cloud solutions to get the best combination of mission effectiveness and efficiency. This means in some cases we will use a purely commercial solution, which we have done with Amazon on public facing data; in others we will use a modified private Cloud hosted in commercial solutions, an example could be a shared federal or federal state government Cloud; and for our most protected data, a DoD private Cloud that uses best industry practices.”

In order for the DoD to realize Mr. Halvorsen’s vision, the Components and Mission Owners must be able to obtain an Approval to Operate (ATO) on both commercial and DoD Components’ Cloud Service Offerings. To begin that process we modify the six-step Risk Management Framework security assessment and accreditation, leveraging the Federal Risk Authorization and Management Plan (FedRAMP) and the DoD Provisional Authorization processes. We will go into more detail on the FedRAMP and DoD Provisional Authorization processes after first describing the ATO process and the Information Impact Levels.

MT The first step, and probably the most crucial step, is to Determine the Information Impact Level of the data that will be stored and/or processed in the Cloud Service Offering, in accordance with the DoD Cloud Computing Security Requirements Guide. This is the most important step because the information impact level describes the type of data and the level of security required to protect the data.
MT The second step is to Select the Cloud Service Offering. Recall that a Cloud Service Provider operates a data center that potentially has several Cloud Service Offerings housed within it. In this step, the Mission Owner selects the appropriate CSO based on the functional requirements AND the Information Impact Level, either from the DoD Approved Cloud Service Provider Catalog, FedRAMP Compliant Systems with Joint Authorization Board (JAB) approval, compliant cloud systems with an Agency FedRAMP Authorization, or by a Component-approved selection process.
MT The third step is to Initiate the Assessment Process. Start by contacting the Defense Information Systems Agency Cloud Support Office to request a Provisional Authorization (PA) of your Component’s use of the CSO. Work with the Cloud Service Provider to complete the appropriate DISA forms and submit them to the Cloud Support Office.

CLE - Module 6 - Risk & Authorization (b)

6 Accreditation Process for Externally-Provided CSO (2 of 2)
4. Conduct Security Testing and Assessment – determine what FedRAMP or DoD security assessments have been conducted for the CSO. If an assessment has NOT already been completed by an authorized 3rd Party Assessment Organization (3PAO) or DoD organization, or if these assessments are considered insufficient for this Component’s security needs, have a 3PAO or DoD conduct security testing and assessment in accordance with the SRG.
5. Support DISA Provisional Authorization – submit assessment information to DISA and work with DISA to mitigate any identified risks that will need to be addressed to obtain a DISA PA from the DISA Approving Official (AO).
6. Prepare Component Security Authorization Package (SAP) – after obtaining the DISA PA, conduct a security assessment and risk analysis in accordance with the Component’s security requirements, leveraging the assessments prepared in previous steps or by other federal organizations.
7. Submit SAP for Approval to Operate (ATO) – submit the SAP to the Component AO for approval, working with the CSO to address any security deficiencies that are required to be mitigated before obtaining the ATO.

Identify the 7 steps in performing an assessment. Match the 7 steps of the assessment process to the appropriate description.

ELO 5.2 Choose the steps (in appropriate order) of the DoD accreditation process for an externally-provided cloud service offering used by a DoD Mission Owner.

MT The fourth step is to Conduct Security Testing and Assessment. You will want to determine if reciprocity can be used for any previous FedRAMP or DoD security assessments that have already been conducted for the Cloud Service Offering. If an assessment has NOT already been completed by an authorized 3rd Party Assessment Organization (3PAO), or if the assessments are considered insufficient for this Component’s security needs, then a 3PAO or DoD organization will need to perform the security testing and assessment in accordance with the DoD Cloud Computing Security Requirements Guide.
MT The fifth step is to Support DISA’s Provisional Authorization. Submit assessment information to DISA and work with DISA to mitigate any risks identified that will need to be addressed to obtain a DISA PA from the DISA Approving Official (AO).
MT The sixth step is to Prepare the Component Security Authorization Package (SAP). After obtaining the DISA PA, conduct a security assessment and risk analysis in accordance with the Component’s security requirements, leveraging the assessments prepared in the previous steps or by other federal organizations.
MT The seventh, and final, step is to Submit the SAP for Approval to Operate (ATO). Submit the SAP to the Component AO for approval, working with the Cloud Service Offering to address any security deficiencies that are required to be mitigated before obtaining the ATO.

So now that you know the high-level tasks required to obtain an ATO for an Externally-Provided Cloud Service Offering, let’s dive deeper into the first step, which we said was the most important one. We need to have a clear understanding of the Information Impact Level of the data, applications and systems that will be stored and processed on the Cloud Service Offering.

7 The DoD Information Impact Levels
Security Information Impact Levels

The Cloud Computing Security Requirements Guide (SRG) describes 4 impact levels:
Level 2 Information Impact Level is for public data/non-sensitive data, e.g. DoD news and organization information for non-DoD individuals.
Level 4 Information Impact Level is for critical mission information, e.g. personally identifiable information (PII) or Protected Health Information (PHI).
Level 5 Information Impact Level is for high sensitivity National Security Systems, e.g. unclassified mission information that is more sensitive than Level 4.
Level 6 Information Impact Level is for classified SECRET National Security Systems.

Know the 4 DoD security impact levels and provide an example of each one. What are the 4 impact levels? Provide an example of data at each impact level.

ELO 5.3 List the DoD information impact levels, and provide an example of each type.

MT There are four Information Impact Levels described in the DoD Cloud Computing Security Requirements Guide.
MT The Information Impact Levels are 2, 4, 5, and 6.
MT We know how to count in the DoD; Information Impact Level 1 merged with 2, and 3 merged with 4.
MT Information Impact Level 2 is for public data and non-sensitive data. This is also referred to as Non-Controlled Unclassified Information. An example is DoD news and organization information available for dissemination to non-DoD individuals. It is the type of information you could find on the web at or
MT Information Impact Level 4 is for critical mission information and is also referred to as Controlled Unclassified Information (CUI) or Non-CUI Critical Mission Information. Examples are Personally Identifiable Information (PII) or Protected Health Information (PHI). It is the type of information that could be contained in personnel, pay and health records.
MT Information Impact Level 5 is for high sensitivity National Security Systems (NSS), also called Higher Sensitivity CUI. An example is unclassified mission information that is more sensitive than Level 4.
MT Information Impact Level 6 is for classified National Security Systems. This is neither non-CUI nor CUI. This is for classified information up to the SECRET level.

8 The DoD Information Impact Levels
Level 2 systems require FedRAMP Moderate controls.
Level 4 systems require Level 2 controls plus the Level 4 overlay of controls.
Level 5 requires Level 4 controls plus controls for National Security Systems and other controls required for Level 5.
Level 6 requires Level 5 controls plus classified security controls; however, Level 6 cloud services are not the focus of this training, so they will not be discussed in any detail.
Level 4 systems and above require a DoD Cloud Access Point (CAP) between the system and the NIPRNET/SIPRNET (Level 4/5 – NIPRNET, Level 6 – SIPRNET) to protect the DoD Information Network (DoDIN).

Security Information Impact Levels: identify the high level security controls for each level. Which impact levels require a Cloud Access Point? For which impact levels is a CAP required? Which level requires a classified security controls overlay? Which level requires only FedRAMP Moderate controls?

ELO 5.3 List the DoD information impact levels, and provide an example of each type.

9 Information Impact Level

10 Information Impact Level 2
Information Impact Level 2 data is DoD data that the Component has cleared for public release, information that has gone through the Freedom of Information Act (FOIA) process for release, and information open to the public even if it requires a login. Level 2 applies to non-National Security Systems (NSS) only. The deployment model can be a Public Cloud.

For Level 2 data the Component can use a cloud service offering that has properly implemented the General Services Administration (GSA) FedRAMP Version 2 Moderate security controls, validated by either a FedRAMP certified 3PAO or a DoD ATO, and that has the approval of the Joint Authorization Board (FedRAMP). The system also requires a DoD PA. For Level 2 systems, no additional assessment is required for a DoD PA beyond the above FedRAMP approval process. The CSP must maintain its FedRAMP approval for its CSO for the CSO to continue to have a DoD PA.

The Authorizing Official for the Component must also provide an Authorization to Operate or Interim Authority to Test (IATT) before use of the cloud service.

For Information Impact Level 2 there are no special connectivity requirements for accessing the CSO over the NIPRNET.

ELO 5.3 List the DoD information impact levels, and provide an example of each type.

11 Information Impact Level 4
Information Impact Level 4 data includes Controlled Unclassified Information (CUI) (i.e., For Official Use Only (FOUO), Law Enforcement Sensitive (LES), DoD Unclassified Controlled Nuclear Information (DoD UCNI), and Limited Distribution). Information Impact Level 4 systems are considered non-National Security Systems (NSS).

Some examples of CUI include:
Non-Appropriated Fund (NAF) data
Educational systems that fall under the Family Educational Rights and Privacy Act (FERPA)
Moderate and Sensitive PII (social security numbers, alien ID and other immigration documents, passport numbers, driver’s license numbers, vehicle identification numbers, and license plates)
Trade Secrets Act data
Protected Health Information (PHI), medical data protected by the Health Insurance Portability and Accountability Act (HIPAA)
Legal
Law enforcement
Biometric data

Eligible cloud service offerings are required to meet FedRAMP Version 2 Plus security controls, which contain additional security controls for the system beyond the controls specified in the FedRAMP Version 2 Moderate guidance. DISA must approve these cloud offerings as a Level 4 cloud service through the PA process. The system requires connection to the DoD Enterprise Cloud Access Point Solution (CAP) for connectivity to the DoDIN. This solution requires that the deployment model used is either a DoD/Federal Government Tenants only Community Cloud or a Private Cloud.

ELO 5.3 List the DoD information impact levels, and provide an example of each type.

12 Information Impact Level 5
Information Impact Level 5 systems include mission essential, critical infrastructure (military or civilian), deployment and troop movement, International Traffic in Arms Regulation (ITAR) data, or unclassified nuclear data. The system is considered a National Security System (NSS).

Eligible cloud service offerings are required to meet FedRAMP Version 2 security controls plus additional security controls required for a Level 5 system. DISA must approve them as a Level 5 cloud service through its PA process. These systems require a CAP solution. This solution requires that the deployment model used is either a DoD/Federal Government Tenants only Community Cloud or a Private Cloud.

ELO 5.3 List the DoD information impact levels, and provide an example of each type.

13 Federal Risk and Authorization Management Program
Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The Office of Management and Budget (OMB) mandated compliance with FedRAMP for all Federal Agencies as their systems and applications are migrated to the commercial cloud under the Federal Government’s Cloud-First initiatives. OMB policy requires Federal departments and agencies to utilize FedRAMP approved CSPs and share Agency Approval to Operate (ATO) documentation with the FedRAMP Secure Repository. FedRAMP uses a “do once, use many times” framework designed to reduce the cost, time, and staff required for security assessments and process monitoring reports. The FedRAMP Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. JAB approved standards and processes result in the award and maintenance of a PA to host Federal Government missions.

ELO 5.4 Identify key attributes of what FedRAMP is, who directed it and why.

Recalling back to the second step in the Accreditation process, we need to Select the Cloud Service Offering from the DoD Approved Cloud Service Provider Catalog, FedRAMP Compliant Systems with Joint Authorization Board (JAB) approval, compliant cloud systems with an Agency FedRAMP Authorization, or by a Component-approved selection process. So what is FedRAMP?
MT FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Who says we need FedRAMP approved Cloud Service Providers?
MT The Office of Management and Budget (OMB) mandated compliance with FedRAMP for all Federal Agencies as their systems and applications are migrated to the commercial cloud under the Federal Government’s Cloud-First initiatives.
Is there someplace to look for pre-approved FedRAMP approved Cloud Service Providers?
MT OMB policy requires Federal departments and agencies to utilize FedRAMP approved CSPs and share Agency Approval to Operate (ATO) documentation with the FedRAMP Secure Repository.
What are the benefits of using the FedRAMP Secure Repository?
MT FedRAMP uses a “do once, use many times” framework designed to reduce the cost, time, and staff required for security assessments and process monitoring reports.
What is the FedRAMP Joint Authorization Board (JAB)?
MT The FedRAMP Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. JAB approved standards and processes result in the award and maintenance of a PA to host Federal Government missions.

14 FedRAMP Security Process
1. Initiation – CSP submits System Security Plan (SSP); FedRAMP assigns an Information Systems Security Officer (ISSO) and holds kickoff.
2. System Security Plan Review – CSP and ISSO review the SSP; JAB Technical Representative (TR) review; CSP addresses JAB concerns.
3. Security Assessment Planning (SAP) – 3rd Party Assessment Organization (3PAO) creates the SAP and the ISSO reviews it; JAB TR reviews the SAP.
4. Testing – 3PAO tests and creates the Security Assessment Report (SAR).
5. SAR Review Meeting – ISSO/CSP review the SAR; JAB TR review; CSP addresses JAB concerns and creates the Plan of Action and Milestones (POAM).
6. Authorize – Final JAB Review/P-ATO.

Identify the 6 steps of the FedRAMP Process.

ELO 5.5 Identify the FedRAMP Security Process.

MT There are six steps to obtaining FedRAMP-approved status, as identified in the flowchart, and the entire process can take over 6 months for a Cloud Service Provider to become FedRAMP compliant.
MT The first step is Initiation. In this step the Cloud Service Provider submits its System Security Plan, and FedRAMP assigns an Information Systems Security Officer (ISSO) to hold a kickoff meeting with the Cloud Service Provider.
MT The second step is the System Security Plan Review, which can take between 10 and 15 weeks to complete. During this step the Cloud Service Provider and the ISSO review the SSP. The Joint Authorization Board assigns a technical representative (JAB TR) to review the SSP, which can take up to 2 weeks. The quality of the SSP and the responsiveness and ability of the Cloud Service Provider to resolve comments can create iterations in this process. The Cloud Service Provider must then address the concerns identified by the Joint Authorization Board.
MT The third step is to create the Security Assessment Plan. This process is similar to the review of the System Security Plan but is much shorter in length, only requiring about 3-4 weeks. In this step a 3rd Party Assessment Organization (3PAO) creates the SAP, which the ISSO reviews. The quality of the SAP and the responsiveness and ability of the Cloud Service Provider to resolve agency comments can create iterations in this process. The JAB TR then reviews the SAP and the Cloud Service Provider must address the JAB concerns.
MT The fourth step is to perform security testing and write the Security Assessment Report (SAR). This step can take about 6 weeks to complete.
MT The fifth step is to conduct a Security Assessment Report and Plan of Action & Milestones (POAM) Review. This step can also take up to 6 weeks to complete. The ISSO and the Cloud Service Provider review the Security Assessment Report. The quality of the SAR, as well as the number and type of risks, can create iterations in this process. The JAB TR then has approximately 2 weeks to review the SAR, and the Cloud Service Provider addresses the concerns identified by the JAB TR and creates the Plan of Action and Milestones.
MT The sixth step is to Authorize. Once all documentation for the JAB P-ATO path is completed and approved by the JAB, the JAB will grant a P-ATO. For CSP Supplied and Agency packages, the CSP Authorization Package will be reviewed by the FedRAMP Director for approval. Once a CSP is granted authorization for its selected path, the CSP will be listed as FedRAMP Compliant.

15 DOD Provisional Authorization
A DoD PA is an acceptance of risk based on an evaluation of the CSP’s CSO and the potential for risk introduced to DoD networks. The DoD PA process follows the same “do once, use many times” framework as FedRAMP does. DoD PAs are granted at all information impact levels, which provides a foundation that Authorizing Officials responsible for mission applications must leverage in determining the overall risk to the missions/applications that are executed as part of a CSO. A DoD PA is required for all CSOs.

The DISA Authorized Official for DoD PAs approves the requests for CSOs to receive a DoD PA after reviewing the documentation provided by the Mission Owner and the CSP through the DISA Direct Order Entry system and after reviewing the recommendations of the Defense Security Accreditation Working Group (DSAWG).

ELO 5.6 Identify what a DoD Provisional Authorization is and the steps to get it.

MT Merely using a FedRAMP-compliant Cloud Service Provider is not enough to move your data and applications to a Cloud Service Offering (CSO); a DoD Provisional Authorization is required for all CSOs.
MT DoD Provisional Authorizations are required at all Information Impact Levels, which provides a foundation that Agency Authorization Officials responsible for mission applications must leverage in determining overall risk to the missions and applications that are executed as part of a Cloud Service Offering.
MT The DoD Provisional Authorization (DoD PA) is an acceptance of risk based upon an evaluation of the Cloud Service Provider’s Cloud Service Offering and the potential risk introduced to DoD networks.
MT The DoD PA follows the same FedRAMP “do once, use many times” framework.
MT The Defense Information Systems Agency (DISA) Authorized Official for DoD PAs approves the request for CSOs to receive a DoD PA after reviewing the documentation provided by the Mission Owner and the Cloud Service Provider and the recommendations of the Defense Security Accreditation Working Group (DSAWG).
MT The Mission Owner and CSP submit the documentation through the DISA Direct Order Entry system.

16 DoD Provisional Authorization Process
DoD Provisional Assessment
Initiation – CSP submits SSP+; DISA assigns a Certifying Authority (CA) and holds the CSP Kick-Off.
System Security Plan Review – CA review of the SSP; CSP addresses CA concerns.
Security Assessment Planning (SAP) – 3rd Party Assessment Organization (3PAO) creates the SAP and the CA reviews it.
Testing – 3PAO tests and creates the Security Assessment Report (SAR).
SAR Review Meeting – CA reviews the SAR; CSP addresses CA concerns and creates the Plan of Action and Milestones (POAM).
DSAWG Review – DSAWG comments on documentation.
Authorize – Final AO Review/PA Memo Sign Off; added to the DISA Cloud Service Catalog.

ELO 5.6 Identify what a DoD Provisional Authorization is and the steps to get it.

The steps for getting the DoD Provisional Authorization are similar to the steps for a Cloud Service Provider to obtain FedRAMP compliance.
The first step is the Initiation step. The Cloud Service Provider submits the System Security Plan+ for review to DISA. DISA then assigns a Certifying Authority and holds a Cloud Service Provider Kick-Off meeting.
The second step is the System Security Plan+ Review. This review can take between 2 and 15 weeks to complete. The 3rd Party Assessment Organization (3PAO) creates a Security Assessment Plan (SAP+) and DISA’s Certifying Authority reviews the SAP+. The quality of the SAP+ and the responsiveness and ability of the Cloud Service Provider to resolve the CA’s comments and concerns can create iterations in this review process, which can make it quite lengthy.
The third step is Testing. The 3PAO tests and creates a Security Assessment Report (SAR+).
The fourth step is the SAR+ and Plan of Action & Milestones (POA&M+) Review. The Certifying Authority reviews the SAR+ and the Cloud Service Provider addresses the CA’s concerns and creates the Plan of Action & Milestones. Once again, the quality of the SAR+, as well as the number and types of risks, can create iterations in this review process.
The fifth step is the DoD Security Assessment Working Group (DSAWG) Review. The DSAWG has an opportunity to review and comment and to make a certification recommendation to the DISA Authorization Official for authorization.
The sixth step is Authorize. The final Authorization Official review is conducted, the Provisional Authorization memo is signed off, and the Cloud Service Offering is added to DISA’s Cloud Service Catalog.
Once a Cloud Service Offering receives its DoD Provisional Authorization, the Cloud Service Provider and the Mission Owner must Monitor and Manage the offering through Network Defense and Monitoring.

17 Cloud Access Point (CAP)
The purpose of the CAP is to provide a barrier of protection between the DoD and the CSP IT infrastructure.
All CSOs at Information Impact Level 4 or higher are required to be connected to the DISN through a DoD CIO approved Cloud Access Point (CAP).
A CAP can be provided by DISA or a DoD Component.
The processes for connecting to the DISA CAP or implementing a DoD Component CAP are still in development.
As DoD strives to meet the DoD CIO’s objective of maximizing the use of cloud computing, the DoD must protect the DoDIN against cyber threats. DISA is responsible for developing the requirements and implementing a CAP that provides DoDIN perimeter protection at the connection point to a CSO, including protection against side channel attacks from the CSO that attempt to reach the DoDIN. The CAP will prevent attacks against the DoDIN infrastructure and mission applications that originate in the Cloud Service Environment. It will provide a consistent level of security that facilitates the implementation of commercial and DoD-provided cloud services to support DoD mission applications. The CAP will provide the ability to detect and prevent an attack before it reaches the DoDIN.
DoD O M, DoD Computer Network Defense (CND) Service Provider Certification and Accreditation Process, requires all DoD information systems to be supported by a certified CND Service Provider (CNDSP).

ELO 5.7 Identify what a Cloud Access Point is and when it is necessary

MT The purpose of the Cloud Access Point (CAP) is to provide a barrier of protection between the DoD and the CSP IT infrastructure and to detect and prevent an attack before it reaches the DoDIN.
MT All Cloud Service Offerings at Information Impact Level 4 or higher are required to be connected to the Defense Information System Network (DISN) through a DoD Chief Information Officer (CIO) approved Cloud Access Point.
MT The CAP can be provided by DISA or a DoD Component, although the processes for connecting to the DISA CAP or implementing a DoD Component CAP are still in development.

Who is responsible for developing the requirements and implementing the Cloud Access Point? DISA.

The Cloud Access Point is intended to provide DoDIN perimeter protection at the connection point to a Cloud Service Offering, including protection against side channel attacks from the CSO that attempt to reach the DoDIN. The CAP will prevent attacks against the DoDIN infrastructure and mission applications that originate in the Cloud Service Environment. The CAP provides a consistent level of security that facilitates the implementation of commercial and DoD-provided cloud services to support DoD mission applications. The CAP will provide the ability to detect and prevent an attack before it reaches the DoDIN.

DoD O M, DoD Computer Network Defense (CND) Service Provider (CNDSP) Certification and Accreditation Process, requires all DoD information systems to be supported by a certified CND Service Provider.

18 Tasks to Obtain Approval to Operate
Authorizing Official Tasks
Categorize system/application Information Impact Level
Identify CSP Offering(s) with DoD Provisional Authorizations (PAs) that meet the Information Impact Level
Review existing CSO security documentation and determine additional mission security controls, testing, and assessment required for mission requirements
Maximize use of the existing body of evidence (e.g. scope, testing, results, residual risk, POA&Ms, continuous monitoring data) for the CSO
Identify and resolve any additional testing requirements to assess the complete IT infrastructure supporting the mission
Conduct testing and assessment of risks and vulnerabilities
Document results of testing and assessment in a Security Assessment Report and a security Plan of Action and Milestones (POA&M) to mitigate security risks
Prepare Security Authorization Package (SAP) for AO
AO review of SAP
If risk is acceptable: issue an Approval to Operate (ATO), explicitly reflecting acceptance of the risk and liabilities identified in the assessments, for the Mission Owner’s unique system and mission.
If risk is not acceptable: issue a Denial of Approval to Operate (DATO) and indicate the risks that must be mitigated to obtain an ATO.

ELO 5.8 Identify the tasks to obtain Approval to Operate (ATO)

MT Once again, one of the first and most important tasks is to categorize, or properly identify, the Information Impact Level of the data, system or application.
MT Identify Cloud Service Provider Cloud Service Offerings with DoD Provisional Authorizations that meet the Information Impact Level.
MT Review the existing CSO security documentation and determine if additional mission security controls, testing and assessment are required for mission requirements.
MT Maximize the use of the existing body of evidence (e.g. scope, testing, results, residual risk, POA&Ms, continuous monitoring data) for the CSO.
MT Identify and resolve any additional testing requirements to assess the complete IT infrastructure supporting the mission.
MT Conduct testing and assessment of risks and vulnerabilities.
MT Document the results of testing and assessment in Security Assessment Reports and a security Plan of Action & Milestones to mitigate security risks.
MT Prepare the Security Authorization Package (SAP) for the Authorizing Official.
MT The Authorizing Official reviews the SAP and then either issues an Approval to Operate (ATO) or a Denial of Approval to Operate (DATO).
MT An ATO explicitly reflects the AO’s acceptance of the risk and liabilities identified in the assessments for the Mission Owner’s unique system and mission.
MT A DATO identifies the risks that need to be mitigated to obtain an ATO.

19 Security A&A Risk Terms
Authorizing Official – as described in the DoD Risk Management Framework (RMF), means the senior Federal official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Cloud Access Point (CAP) – a DoD system of network boundary protections and monitoring devices through which cloud services outside the DoD security boundary must traverse to connect to resources inside the DoD security boundary.
Controlled Unclassified Information (CUI) – established by Executive Order in November 2010, this is the categorical designation of unclassified information that under law or policy requires protection from unauthorized disclosure.
DoD Provisional Authorization (PA) – an acceptance of risk based on an evaluation of the CSP’s CSO and the potential for risk introduced to DoD networks.
FedRAMP – The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The Office of Management and Budget (OMB) mandates compliance with FedRAMP for all Federal Agencies as their systems and applications are migrated to the commercial cloud under the Federal Government’s Cloud-First initiatives.

Match key terms to their definitions

ELO 5.9 Match key risk terms from the section to appropriate definitions.

20 Security A&A Risk Terms (Continued)
Impact Levels – Cloud security information impact levels are defined by the combination of:
the sensitivity of the information to be stored and processed in the CSP environment, and
the potential impact of an event that results in the loss of confidentiality, integrity or availability of that information.
Information Impact Levels consider the potential impact should the confidentiality or the integrity of the information be compromised. DoD Mission Owners categorize mission information systems in accordance with policy (DoDI and CNSSI 1253) to identify the impact level that most closely aligns with the defined categorization and information sensitivity.
Joint Authorization Board (JAB) – The JAB members are the CIOs from DHS, GSA, and DoD. The JAB defines and establishes the FedRAMP baseline system security controls and the accreditation criteria for Independent Assessors (3PAOs). The JAB works closely with the FedRAMP PMO to ensure that FedRAMP baseline security controls are incorporated into consistent and repeatable processes for security assessment and authorization of CSPs. The JAB also issues provisional authorizations for cloud services it believes will be leveraged the most government-wide.

ELO 5.9 Match key risk terms from the section to appropriate definitions.

21 Security A&A Risk Terms (Continued)
Personally Identifiable Information (PII) – any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records, and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Protected Health Information (PHI) –
Security Authorization Package (SAP) – contains the security testing artifacts, the Security Assessment Report (SAR), the Plan of Action and Milestones (POA&M) to mitigate any security risks found, and any Provisional Authorization packages needed by the AO to determine whether to approve a system going into production to process DoD data in support of Component missions.

ELO 5.9 Match key risk terms from the section to appropriate definitions.

22 Recapitulation of Modules – 1, 2, 3, 4
Review Previous Content

23 Module 5 - Review Summary

24 Module 5 – Summary Questions

25 Information Impact Level

26 Information Impact Levels
Level 1: Level 1 is no longer used and has been merged with Level 2.

Level 2: Non-Controlled Unclassified Information (CUI). Level 2 includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data, but the information requires some minimal level of access control. This level accommodates Non-CUI information categorizations based on CNSSI-1253 up to low confidentiality and moderate integrity (L-M-x).

Level 3: Level 3 is no longer used and has been merged with Level 4.

Level 4: Controlled Unclassified Information. Level 4 accommodates CUI, which is the categorical designation that refers to unclassified information that under law or policy requires protection from unauthorized disclosure as established by Executive Order (EO) 13556, Controlled Unclassified Information (November 2010), or other mission critical data. Designating information as CUI or critical mission data to be protected at Level 4 is the responsibility of the owning organization. Determination of the appropriate impact level for a specific mission with CUI and mission data is the responsibility of the mission AO. Some types of CUI may not be eligible to be hosted on Impact Level 4 and 5 CSOs without a specific rider to the DoD PA (e.g. for Privacy). This level accommodates CUI information categorizations based on CNSSI-1253 up to moderate confidentiality and moderate integrity (M-M-x).

Level 5: Controlled Unclassified Information. Level 5 accommodates CUI that requires a higher level of protection than that afforded by Level 4, as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS-specific requirements in the FedRAMP+ C/CEs. As such, NSS must be implemented at Level 5. Some types of CUI may not be eligible to be hosted on Impact Level 4 and 5 CSOs without a specific rider to the DoD PA (e.g. for Privacy). This level accommodates NSS and CUI information categorizations based on CNSSI-1253 up to moderate confidentiality and moderate integrity (M-M-x).

Source: Draft DoD Cloud Computing Security Requirements Guide V1 R2

27 Examples of Controlled Unclassified Information
Export Control--Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect United States national security and nonproliferation objectives. This includes dual use items; items identified in the Export Administration Regulations, the International Traffic in Arms Regulations and the Munitions List; license applications; and sensitive nuclear technology information.
Privacy Information--Refers to personal information or, in some cases, personally identifiable information (PII) as defined in Office of Management and Budget (OMB) M or means of identification as defined in 18 USC 1028(d)(7).
Protected Health Information (PHI) as defined in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law (PL) ).
Other information requiring explicit CUI designation (i.e., For Official Use Only, Official Use Only, Law Enforcement Sensitive, Critical Infrastructure Information, and Sensitive Security Information).

