Federal Risk and Authorization Management Program (FedRAMP) Agency Implementation of FedRAMP May 2, 2013
  • Participants will…

    • Understand what agencies must do in order to comply with FedRAMP requirements

    • See an example of how HHS has implemented FedRAMP into agency-wide policy

  • What is FedRAMP?

    FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

    This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.

  • FedRAMP Policy Memo

    OMB Policy Memo, December 8, 2011

    • Mandates FedRAMP compliance for all cloud services used by the Federal government
      – All new services acquired after June 2012
      – All existing services by June 2014

    • Establishes the Joint Authorization Board
      – CIOs from DOD, DHS, GSA
      – Creates the FedRAMP requirements

    • Establishes the PMO
      – Maintained at GSA
      – Establishes FedRAMP processes for agency compliance
      – Maintains the 3PAO program

  • FedRAMP Policy Framework

    (Diagram: four layers, each building on the one above it)

    • FISMA: Congress passes the Federal Information Security Management Act (FISMA) as part of the eGov Act of 2002

    • OMB A-130; NIST SP 800-37, 800-137, 800-53: OMB A-130 provides policy; the NIST Special Publications provide the risk management framework

    • FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing a common cloud computing baseline that supports risk-based decisions

    • Agency ATO: Agencies leverage the FedRAMP process; heads of agencies understand and accept risk and grant ATOs

  • Cloud System Compliant with FedRAMP

    • Agencies must authorize cloud systems using the FedRAMP process. This includes:
      – Ensuring the security package has been created using the required FedRAMP templates (SSP, SAP, SAR)
      – Using the FedRAMP security control baseline and addressing ALL controls in that baseline
      – Using an independent assessor to test the system

    • The security package for the cloud system authorization has been submitted to the FedRAMP PMO for listing in the repository

    • An authorization letter for the system is on file with the FedRAMP PMO

    June 2014: All Cloud Projects Must Meet FedRAMP Requirements

  • How Should Agencies Implement FedRAMP?

    • The OMB Memo requires agencies to ensure all cloud services they use meet the FedRAMP security authorization requirements.

    • Agencies have many options to enforce this at an agency level:
      – Agency-wide policy mandating FedRAMP
        • Can be issued through the Administrator, CIO, or CISO
      – Create an agency FedRAMP Standard Operating Procedure (SOP)
        • Can be issued through the CIO or CISO
      – Update existing agency security processes to reflect FedRAMP requirements

    • Agencies should be able to demonstrate to OMB how they are implementing FedRAMP into agency processes

  • Agency Example: HHS

    • HHS recently released an Agency FedRAMP Standard Operating Procedure

    • Released through HHS CISO

    • Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements

  • HHS SOP: Define Actors

    • Who is doing what?

    • What are responsibilities of team members?

    • What is hierarchy for decision making?

    Who Will Be Involved?

  • HHS SOP: Authorization Process

    • Detail how actors will authorize a CSP

    • Integrate FedRAMP requirements into the authorization process

    • Should align with current agency processes
      – HHS created a new SOP specifically for FedRAMP
      – Agencies can choose to update/modify/revise current SOPs or policies for security authorizations to reflect cloud systems.

    How Will FedRAMP Requirements Be Met?

  • HHS SOP: Submission to FedRAMP

    • Worked with FedRAMP Team to ensure standard process aligns with PMO expectations

    • Consistent with the FedRAMP CONOPS

    • Includes details about initial documentation as well as periodic updates

    How will Agency provide authorization to FedRAMP?

  • HHS SOP: Additional Guidance

    • Add guidance in appendices to help consistency in authorizations

    • Can provide additional information for agency policies relating to:
      – Risk acceptability criteria
      – Checklists for completion
      – Hierarchy of issue resolutions
      – SMEs for particular areas of focus (e.g. credentialing, encryption, etc.)

    Additional Agency Guidance for Authorizations

  • Summary

    • Agencies must ensure they authorize all cloud services using the FedRAMP requirements

    • Many options to enforce this.

    • One example of implementing this agency-wide is HHS’s FedRAMP SOP.
      – Not overly complex
      – Details roles, process, providing docs to FedRAMP, and gives additional guidance.

    The FedRAMP office is available to review and assist agencies in creating agency-wide policies and SOPs for implementing FedRAMP.

  • www.FedRAMP.gov

    For more information, please contact us or visit the following website:

    Email: [email protected]

    @FederalCloud