Amped for FedRAMP

Date post: 16-Aug-2015
Upload: ray-potter
Page 1: Amped for FedRAMP

Amped for FedRAMP
Cloud Security World, New Orleans

Ray Potter, CEO, SafeLogic

David Gerendas, Group Product Manager, Intel Security

Page 2: Amped for FedRAMP

Takeaways

• What FedRAMP compliance entails
• Advantages of using a validated cryptographic module in the cloud
• How encryption modules become validated, and the pitfalls of the process
• Meaning of FedRAMP compliance claims and how to confirm them
• Right questions to ask vendors about their encryption and FedRAMP compliance

Page 3: Amped for FedRAMP

Assurance

• A measure of confidence and trust (usually via a third party) that a product, product component, or system meets its claims or meets a specified set of requirements

• Applies to products and to systems


Page 4: Amped for FedRAMP

Systems Assurance / FedRAMP

Page 5: Amped for FedRAMP

Systems Assurance

• Using evaluated products does not provide an appropriate level of assurance by default

• Need to look at overall functionality of the system

• Risk mitigation / due diligence


Page 6: Amped for FedRAMP

FedRAMP

• December 9, 2010
 – Office of Management and Budget (OMB) released the 25 Point Implementation Plan To Reform Federal Information Technology Management
 – Cloud First policy was enacted, requiring agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists

• December 8, 2011
 – OMB FedRAMP Policy Memo: Security Authorization of Information Systems in Cloud Computing Environments
 – Establishes the Federal Risk and Authorization Management Program (FedRAMP)
 – Requires all Federal agencies to meet FedRAMP requirements by June 2014

Page 7: Amped for FedRAMP

Purpose

• Ensure that cloud based services have adequate information security

• Eliminate duplication of effort and reduce risk management costs

• Enable rapid and cost-effective procurement of information systems/services

Page 8: Amped for FedRAMP

Applicable Standards and Guidance

• FIPS Publication 140-2: Security Requirements for Cryptographic Modules
• FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems
• FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems
• NIST SP 800-37, Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-53, Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems
• NIST SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations

Page 9: Amped for FedRAMP

Goals

• Standardize security requirements
• Accredit qualified third-party assessors
• Provide a repository of authorized secure cloud packages
• Standardize on-going assessment methodologies
• Standardize contract language

Page 10: Amped for FedRAMP

Key Stakeholders

• Federal agency customer – has a requirement for cloud technology that will be deployed into its security environment and is responsible for ensuring FISMA compliance

• Cloud Service Provider (CSP) – is willing and able to fulfill agency requirements and to meet the security requirements

• Joint Authorization Board (JAB) – reviews the security package submitted by the CSP and grants a Provisional Authorization to Operate (P-ATO)

• Third Party Assessment Organization (3PAO) – independently validates and attests to the quality and compliance of the security package provided by the CSP

• FedRAMP Program Management Office (PMO) – manages the assessment, authorization, and continuous monitoring process

Page 11: Amped for FedRAMP

Executive Sponsorship & Governance

Page 12: Amped for FedRAMP

Security Assessment Packages

• JAB Provisional ATO
 – may take 18+ months; requires broader reviews/approvals
 – more widely accepted (government-wide)

• Agency ATO
 – may take 12+ months; only requires the sponsoring agency's ATO
 – agency reputation and experience matter

• CSP Supplied
 – package "in-waiting"
 – may not meet all acquiring agency requirements

Category | Assessed By | Authorizing Authority
FedRAMP Provisional Authorization | Accredited 3PAO | JAB
Agency ATO w/ FedRAMP 3PAO | Accredited 3PAO | Agency
CSP Supplied | Accredited 3PAO | None

Page 13: Amped for FedRAMP

Security Testing

• System Security Plan (SSP)
• Security Assessment Plan (SAP)
• Security Test Cases
• Security Assessment Report (SAR)
• Scanning / Continuous Monitoring

Page 14: Amped for FedRAMP

Authorization Process and Timeline

[Figure: two authorization tracks, each running left to right through System Security Plan, Security Assessment Plan, Testing, SAR & POA&M Review, and Authorize.]

JAB P-ATO track (6 months+):
 – System Security Plan: ISSO & CSP review SSP; JAB review; CSP addresses JAB concerns
 – Security Assessment Plan: 3PAO creates SAP / ISSO reviews SAP; JAB review; CSP addresses JAB concerns
 – Testing: 3PAO tests & creates SAR
 – SAR & POA&M Review: ISSO / CSP review SAR; CSP addresses JAB concerns and creates POA&M; JAB review
 – Authorize: final JAB review / P-ATO sign off

Agency ATO track (4 months+):
 – System Security Plan: agency review; CSP addresses agency concerns; CSP implements control delta
 – Security Assessment Plan: agency reviews SAP; CSP addresses agency notes
 – Testing: 3PAO tests & creates SAR
 – SAR & POA&M Review: agency reviews SAR; CSP addresses concerns; CSP creates POA&M
 – Authorize: final agency ATO sign off

Quality of documentation will determine the length of time and the number of possible cycles throughout the entire process.

Page 15: Amped for FedRAMP

AWS – Shared Security Model

Page 16: Amped for FedRAMP

AWS – Shared Security Model (Cont.)

Page 17: Amped for FedRAMP

Product Assurance / FIPS 140

Page 18: Amped for FedRAMP

Product Assurance

• Certification or evaluation of a product or product functionality against a set of requirements

• Required for product procurement in government and commercial industry

• Sets a barrier to entry


Page 19: Amped for FedRAMP

FIPS 140-2

• Federal Information Processing Standard 140
• Specifies security requirements for cryptographic modules, both hardware and software
• Published by NIST; validations are issued through the Cryptographic Module Validation Program (CMVP), run jointly by NIST and Canada's Communications Security Establishment (CSE)
• Tested by independent, accredited laboratories
• Defines four security levels (Level 1 through Level 4)

Page 20: Amped for FedRAMP

Areas of Validation

• Module Definition
• Ports and Interfaces
• Roles, Services, and Authentication
• Finite State Model
• Physical Security
• Operating Environment
• Key Management
• Self Tests

Page 21: Amped for FedRAMP

Why FIPS 140-2?

• Required for Federal and industry procurement

• Provides a level of confidence that encryption functions are implemented correctly and to a benchmark

• FIPS Compliant
 – Embedding a module that already has a FIPS validation
 – Uses proven crypto functions
 – Caveat: "compliant" carries no certificate of its own; the claim only holds while the embedded module is used in its validated configuration (approved mode, approved algorithms, a listed operational environment)

• FIPS Validated
 – Getting your own certificate
 – Reassures buyers

Page 22: Amped for FedRAMP

Challenges of a Typical FIPS 140-2 Validation

• Definition of the module (the cryptographic boundary)
• HW & OS platform support
• Use of approved algorithms
• Development of appropriate documentation
• Algorithm testing
• Lengthy validation process
• Significant time and resource requirements
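Two of the items above, "Use of approved algorithms" and algorithm/self testing (the "Self Tests" area on page 20), are the parts of a validation that show up directly in code. The following is an added example, not code from the slides or from SafeLogic or Intel Security: a small FIPS-style module wrapper, using only Python's standard library, that runs known-answer tests (KATs) at power-up, refuses every service if a KAT fails, and refuses non-approved hash algorithms even though hashlib implements them. The class and function names are this example's own, hashlib/hmac stand in for a real validated module, and the test vectors are the public SHA-2 "abc" examples and RFC 4231 test case 1.

```python
"""Added example (not from the slides): FIPS-style power-up self-tests plus an
approved-algorithm gate on top of hashlib/hmac.

Assumption: hashlib/hmac stand in for a validated module. Passing these checks
does not make this code FIPS validated; only a CMVP certificate does.
"""
import hashlib
import hmac

# Hashes approved under FIPS 140-2 (FIPS 180-4 and FIPS 202). SHA-1 is left out
# on purpose: it is approved only for legacy, non-signature uses, so a
# conservative module does not expose it at all.
APPROVED_HASHES = frozenset({
    "sha224", "sha256", "sha384", "sha512",
    "sha3_224", "sha3_256", "sha3_384", "sha3_512",
})

# Public known-answer vectors: SHA-2 "abc" examples (FIPS 180-4) and the
# HMAC-SHA-256 vector from RFC 4231 test case 1.
HASH_KATS = [
    ("sha256", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("sha512", b"abc",
     "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
     "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
]
HMAC_KAT = (
    b"\x0b" * 20, b"Hi There", "sha256",
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
)


class SelfTestFailure(RuntimeError):
    """A KAT failed or never ran: the module is in its error state."""


class NotApprovedAlgorithm(ValueError):
    """The caller asked for an algorithm outside the approved set."""


class FipsStyleModule:
    """Services are offered only after the power-up self-tests pass."""

    def __init__(self):
        self._ready = False

    def power_up_self_test(self, hash_kats=HASH_KATS, hmac_kat=HMAC_KAT):
        """Run every KAT and return {name: passed}; raise on any failure.

        The vectors are parameters only so a corrupted one can be injected
        to exercise the error state (see the demo at the bottom).
        """
        results = {}
        for name, msg, expected in hash_kats:
            actual = hashlib.new(name, msg).hexdigest()
            results[name] = hmac.compare_digest(actual, expected)
        key, msg, alg, expected = hmac_kat
        actual = hmac.new(key, msg, alg).hexdigest()
        results["hmac-" + alg] = hmac.compare_digest(actual, expected)

        self._ready = all(results.values())
        if not self._ready:
            failed = sorted(n for n, ok in results.items() if not ok)
            raise SelfTestFailure("known-answer test failed: %s" % failed)
        return results

    def _check(self, algorithm):
        if not self._ready:
            raise SelfTestFailure("self-tests have not passed; no services offered")
        if algorithm not in APPROVED_HASHES:
            raise NotApprovedAlgorithm("%s is not a FIPS-approved hash" % algorithm)

    def digest(self, algorithm, data):
        """Hex digest of data using an approved hash."""
        self._check(algorithm)
        return hashlib.new(algorithm, data).hexdigest()

    def mac(self, key, data, algorithm="sha256"):
        """HMAC over data, restricted to approved hashes."""
        self._check(algorithm)
        return hmac.new(key, data, algorithm).hexdigest()


if __name__ == "__main__":
    module = FipsStyleModule()
    print("self-test:", module.power_up_self_test())
    print("sha256(abc) =", module.digest("sha256", b"abc"))
    for alg in ("md5", "sha1"):
        try:
            module.digest(alg, b"abc")
        except NotApprovedAlgorithm as exc:
            print("refused:", exc)

    # A module whose KAT fails must refuse every service afterwards.
    broken = FipsStyleModule()
    try:
        broken.power_up_self_test(hash_kats=[("sha256", b"abc", "00" * 32)])
    except SelfTestFailure as exc:
        print("error state:", exc)
    try:
        broken.digest("sha256", b"abc")
    except SelfTestFailure as exc:
        print("service refused:", exc)
```

The point of the error state is the one slide 24 makes: a module that cannot prove its primitives still compute the right answers should behave as if it had no crypto at all, rather than silently handing back digests. Real validated modules also run integrity checks over their own code and conditional tests (for example pairwise consistency on generated key pairs); those are omitted here.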

Page 23: Amped for FedRAMP

Where Does FIPS 140 Fit?

• Encrypt Data in Motion

• Encrypt Data at Rest

Page 24: Amped for FedRAMP

The Role of FIPS 140-2 in FedRAMP

• Validated crypto is required for government
 – FedRAMP
 – FISMA
 – SP 800-53 (FedRAMP's baseline parameter for control SC-13, Cryptographic Protection, calls for FIPS-validated cryptography)

• If crypto isn't validated, it might as well be plaintext: from the assessor's point of view, unvalidated encryption gets no credit toward the control

Page 25: Amped for FedRAMP

Do Your Due Diligence

• Where is your FIPS 140 certificate? (Certificate numbers can be looked up on the NIST CMVP validated modules list.)
• Is the product / module FIPS-tested on a current platform? Compare the operational environments listed on the certificate against the OS and hardware you actually deploy on.
• For consumers / developers: is your CSP doing the right things?
• Did you go through the FedRAMP process?

Page 26: Amped for FedRAMP

Let’s Connect

• @SafeLogic_Ray

• @SafeLogic

• www.SafeLogic.com

[email protected]

