Presentation is loading. Please wait.

Presentation is loading. Please wait.

PAGE[classification marking]www.fedramp.gov[classification marking] FedRAMP Government Discussion Matt Goodrich, FedRAMP Director January 14, 2015 www.fedramp.gov.

Published byDavid Bruce Modified over 9 years ago

Similar presentations

Presentation on theme: "PAGE[classification marking]www.fedramp.gov[classification marking] FedRAMP Government Discussion Matt Goodrich, FedRAMP Director January 14, 2015 www.fedramp.gov."— Presentation transcript:

1 PAGE[classification marking]www.fedramp.gov[classification marking] FedRAMP Government Discussion Matt Goodrich, FedRAMP Director January 14, 2015 www.fedramp.gov

2 PAGE[classification marking]www.fedramp.gov[classification marking] 1 FedRAMP Overview Ensuring Secure Cloud Computing FedRAMP was established via OMB Memo in December 2012. FedRAMP is the first government-wide security authorization program for FISMA – mandatory for all agencies and all cloud services FedRAMP’s framework is being modeled in other government security programs (mobile, data) and by other countries (Canada, UK, EU, China) FedRAMP’s focus is to ensure the rigorous security standards of FISMA are applied while introducing efficiencies to the process for cloud systems, key of which is re-use Conservative cost estimates for FedRAMP is $40M for the govt alone Pre-FedRAMP FedRAMP Model

3 PAGE[classification marking]www.fedramp.gov[classification marking] 2 FedRAMP Overview Current Statistics Authorizations JAB P-ATOs - 15 –Includes services from IBM, Microsoft, Akamai, HP, Lockheed Martin Agency ATOs - 11 –Includes Amazon, AINs, USDA, Micropact, Salesforce In Process CSPs JAB P-ATO – 15 Includes services from Dell, SecureKey, Oracle, Amazon, Microsoft, IT-CNP, IBM Agency ATOs – 23 Includes Microsoft, Google, Adobe, IBM, Oracle, Verizon

4 PAGE[classification marking]www.fedramp.gov Agency ATO Quick Guide www.fedramp.gov

5 PAGE[classification marking]www.fedramp.gov 4 The agency ATO process should follow the FedRAMP Security Assessment Framework (SAF) The SAF is based on the NIST Risk Management Framework The FedRAMP Security Assessment Framework is a available at FedRAMP.gov on the Templates and Key Documents webpageFedRAMP Security Assessment Framework Agency ATO Guide FedRAMP Security Assessment Framework

6 PAGE[classification marking]www.fedramp.gov SAP Testi ng Agency ATO Guide Timeline for the SAF JAB P-ATOs Agency ATOs 5 CSP Supplied AssessMonitorAuthorize SSP ConMon Reports SAR POA M Documen t NIST RMF 1, 2, 3 NIST RMF 4NIST RMF 5NIST RMF 6 9+ mo s 5+ mo s 3+ mo s 5

7 PAGE[classification marking]www.fedramp.gov TRUSTED INTERNATE CONNECTIONS (TIC) CSPs are required to support agency TIC implementations –CSPs do not host TIC components in their environments FEDERAL INFORMATION PROCESSING STANDARD (FIPS) PUB 140-2 CSPs are required to implement only FIPS Pub 140-2 for all cryptographic implementations –External interfaces with Federal customers PERSONAL IDENTITY VERIFICATION (PIV) Agencies are required to use PIV for multi-factor authentication –CSPs are required to support PIV as a multi-factor solution Agency ATO Guide Considerations During SAF 6

8 PAGE[classification marking]www.fedramp.gov 7 ATO Packages submitted to FedRAMP should have the following FedRAMP templates included. The PMO will check these documents for completeness FedRAMP Templates are available at FedRAMP.gov on the Templates and Key Documents webpage We suggest that you use the Test Cases that we released in Excel format for public comment: http://cloud.cio.gov/docum ent/rev-4-test-case- workbook http://cloud.cio.gov/docum ent/rev-4-test-case- workbook Security Assessment Plan (SAP) Test Case Workbook Security Assessment Report (SAR) Plan of Action and Milestone (POA&M) ATO Letter Cert Letter FedRAMP Templates Available: FIPS 199 Control Implementation Summary (CIS) System Security Plan Information System Security Policy User Guide E-Authentication Template Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA) Rules of Behavior (ROB) IT Contingency Plan Agency ATO Guide Document Checklist – Templates Available

9 PAGE[classification marking]www.fedramp.gov 8 The Agency ATO Packages submitted to FedRAMP should have the following documents included. The PMO will check these documents for completeness The documents listed on this slide do not have an FedRAMP template No Template Available: Policies and procedures Business Impact Analysis Configuration Management Plan Incident Response Plan Interconnection Security Agreement (ISA / MOU) Penetration Test Plan Agency ATO Guide Document Checklist – Docs w/o Templates

10 PAGE[classification marking]www.fedramp.gov GRANTING AN AUTHORITY TO OPERATE (ATO) Once a review is complete, an authorization should be granted and provided to the FedRAMP PMO Authorization for Cloud Providers should not be tied to individual Applications or Platforms –CSPs are intended for multiple tenants, use by different customers –Authorizations should be viewed as building blocks For Microsoft packages, consuming agencies will need to leverage all of the packages that relate to the service being consumed –e.g. GFS, Azure, O365 Customer Agencies will ALWAYS have some responsibility for controls –e.g. an agency will always have to enforce 2 factor authentication Agency ATO Guide Granting an ATO 9

11 PAGE[classification marking]www.fedramp.gov 10 Included with the authorization package should be a Certification Letter and ATO Memo detailing your agency’s authorization. A sample Certification Letter is attached below: You can find the Sample FedRAMP ATO Memo Template at FedRAMP.gov on the Templates and Key Documents webpageFedRAMP ATO Memo Template Agency ATO Guide Sample ATO and Cert Letter Template

12 PAGE[classification marking]www.fedramp.gov FedRAMP Development Updates www.fedramp.gov

13 PAGE[classification marking]www.fedramp.gov STAKEHOLDER DEVELOPMENT CISO Organizations (DoD, VA, DHS, DOJ, HHS) –Represent 75% of all High Systems NIST Cloud Security Working Group FedRAMP Development Updates High Baseline 12 PATH FORWARD Public Comment Period (two iterations) Internal Government vetting (in addition to wider public comment period) Release January 2015 Finalization (tentative) by end of CY2015 Number of Controls

14 PAGE[classification marking]www.fedramp.gov FedRAMP Development Update Procurement Guidance 13 OMB’s FedRAMP Memo requires agencies to enforce FedRAMP via contractual provisions. Agencies are implementing FedRAMP via contractual provisions inconsistently and in ways that are overly restrictive. Agencies need more directed, specific, and authoritative guidance on how to appropriately include FedRAMP in their contracts. Working with OMB to develop joint OFPP and eGov guidance to agencies. –USG should foster a competitive marketplace of cloud providers - both new and established –Agencies must be willing to undertake authorizations as with any FISMA system – cloud and non-cloud

15 PAGE[classification marking]www.fedramp.gov[classification marking] 14 FedRAMP Development Update FedRAMP Forward: Two Year Priorities FedRAMP FORWARD Provide stakeholders with the PMO’s key objectives over the next two years. Plan addresses prioritizes activities for thoughtful, deliberate, and effective growth. Addresses key program issues with a roadmap of regular outputs to keep stakeholders engaged and informed KEY OUTCOMES Baseline metrics not restricted to PortfolioStat Training modules for FedRAMP FedRAMP agency working groups Creation of automation requirements Re-use of other industry standards within FedRAMP FedRAMP overlays that allow for compliance with other IT initiatives like TIC, IPv6, HSPD-12. Creation of a high baseline

Download ppt "PAGE[classification marking]www.fedramp.gov[classification marking] FedRAMP Government Discussion Matt Goodrich, FedRAMP Director January 14, 2015 www.fedramp.gov."

Similar presentations

1 Cloud Security in the Federal Sector: FedRAMP (Federal Risk and Authorization Management Program) © Grant Thornton LLP. All rights reserved. Orus Dearman,

1 Cloud Security in the Federal Sector: FedRAMP (Federal Risk and Authorization Management Program) © Grant Thornton LLP. All rights reserved. Orus Dearman,
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
Certificate Interoperability S&I Framework Initiative Final Report August 17, 2011.

Certificate Interoperability S&I Framework Initiative Final Report August 17, 2011.
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.

15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.

Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.
PAGE www.fedramp.gov Quick Guide to the FedRAMP Readiness Process 1 August 2014 Presented by: FedRAMP PMO www.fedramp.gov.

PAGE Quick Guide to the FedRAMP Readiness Process 1 August 2014 Presented by: FedRAMP PMO
Public Key Infrastructure (PKI) Hosting Services.

Public Key Infrastructure (PKI) Hosting Services.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
PAGE www.fedramp.gov Agency ATO Quick Guide 1 December 23, 2014 www.fedramp.gov.

PAGE Agency ATO Quick Guide 1 December 23,
Cybersecurity Blueprints

Cybersecurity Blueprints
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
CSBG Application Process

CSBG Application Process
SmartER Semantic Cloud Sevices Karuna P Joshi University of Maryland, Baltimore County Advisors: Dr. Tim Finin, Dr. Yelena Yesha.

SmartER Semantic Cloud Sevices Karuna P Joshi University of Maryland, Baltimore County Advisors: Dr. Tim Finin, Dr. Yelena Yesha.
Conformity Assessment: activities & systems

Conformity Assessment: activities & systems
EDUCAUSE Fed/Higher ED PKI Coordination Meeting

EDUCAUSE Fed/Higher ED PKI Coordination Meeting
Office of the Chief Information Officer EFCOG Annual Meeting Fred Catoe (IM-32) U.S. Department of Energy.

Office of the Chief Information Officer EFCOG Annual Meeting Fred Catoe (IM-32) U.S. Department of Energy.
PAGE www.fedramp.gov Agency ATO Quick Guide 1 May 1, 2015 www.fedramp.gov.

PAGE Agency ATO Quick Guide 1 May 1,
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Risk Management Framework

Risk Management Framework

Similar presentations

Ads by Google