Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel

Date post: 12-May-2015
Upload: akamai-technologies
Description:
This interactive session is designed to deliver deeper insights into the Federal Risk and Authorization Management Program (FedRAMP), a U.S. Federal Government-wide initiative intended to provide “a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services” to be used in support of Federal agency operations. The speakers will update attendees on current FedRAMP progress and ongoing initiatives, and give a detailed review of the recently received provisional approval to operate (P-ATO) granted to Akamai Technologies. The Akamai approach is distinct among the others approved to date by FedRAMP, as it authorizes core cloud services to operate using Akamai’s highly distributed commercial network. While others are focused on government-only cloud environments, Akamai can offer government-wide accreditation and assurance to the defense and civilian agencies it serves. Plan to attend this session to build on your understanding of FedRAMP and the expanding cloud computing options available to agency professionals, regardless of mission or location.

See the full Edge Presentation: http://www.akamai.com/html/custconf/edgetv-forum.html#session-fedramp

Panelists Include: Matthew Goodrich, Matt Mitchell, Christine Schweickert

The Akamai Edge Conference is a gathering of the industry revolutionaries who are committed to creating leading edge experiences, realizing the full potential of what is possible in a Faster Forward World. From customer innovation stories, industry panels, technical labs, partner and government forums to Web security and developers' tracks, there’s something for everyone at Edge 2013. Learn more at http://www.akamai.com/edge
Transcript

Federal Risk and Authorization Management Program (FedRAMP)

Moderator: Fran Trentley, Akamai
Vera Ashworth, US Federal, CGI
Christine Schweickert, Akamai
Matt Mitchell, Knowledge Consulting Group

Why FedRAMP?

Problem:
• A duplicative, inconsistent, time consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.

Solution: FedRAMP
• Uniform risk management approach
• Standard set of approved, minimum security controls (FISMA Low and Moderate Impact)
• Consistent assessment process
• Provisional ATO

FedRAMP Policy Framework

• eGov Act of 2002 includes Federal Information Security Management Act (FISMA): Congress passes FISMA as part of 2002 eGov Act
• OMB A-130; NIST SP 800-37, 800-137, 800-53: OMB A-130 provide policy, NIST Special Publications provide risk management framework
• FedRAMP Security Requirements: FedRAMP builds upon NIST SPs establishing common cloud computing baseline supporting risk based decisions
• Agency ATO: Agencies leverage FedRAMP process, heads of agencies understand, accept risk and grant ATOs

FedRAMP Authorizations

Mandatory Federal Requirement
• OMB Policy Memo – December 2011.
• Mandates FedRAMP compliance for all cloud services used by the Federal government.

Granting Authorizations
• Federal agencies are required by FISMA to individually grant an ATO.
• Federal agencies must ensure all cloud providers they use meet the FedRAMP requirements.

Authorizations that meet the FedRAMP requirements:
• Address the FedRAMP baseline controls
• Use the mandatory FedRAMP templates
• Are listed within the FedRAMP repository
• Have an ATO letter on file with FedRAMP PMO

©2013 AKAMAI | FASTER FORWARD™

JAB FedRAMP Governance Model: Focus on Security and Transparency

• In October 2010, the White House launched the Federal Risk and Authorization Management Program (FedRAMP℠)
  • Provides framework for a standard and secure approach to Assessing and Authorizing (A&A) cloud computing services and products
  • Allows joint authorizations and continuous security monitoring services for Government/Private cloud computing systems intended for multi-agency use

CGI Proprietary Information

Only 1 Path to ATO is JAB Granted & Requires Continuous Monitoring, Future FedRAMP Compliance

Higher Level of Review (lower risk for Government)

Total Cost of Ownership: Who Pays Over Time?

Look beyond compute cost comparisons to know what you are signing up for in the long term

Akamai FedRAMP

Service Name: Akamai Content Delivery Network (Akamai CDN)
Service Model: Infrastructure as a Service (IaaS)
Deployment Model: Public Cloud
Impact Level: Moderate
Authorization Date: August 22, 2013 (JAB Provisional Authorization)
Package ID: F1206061353
3PAO: Knowledge Consulting Group, Inc. (KCG) (FedRAMP Accredited)
Contact Information: Christine Schweickert, [email protected]

Akamai was awarded a JAB P-ATO on August 26, 2013 under FedRAMP assessment package number F1206061353.

Akamai C&A documentation will be found in the FedRAMP repository. Our Government customers should plan on leveraging the FedRAMP repository to view our SSP and associated documentation. This link shows the process: http://www.gsa.gov/portal/content/133763.

The Akamai FedRAMP accreditation boundary includes:
• the HTTP (Content Delivery) Edge Servers
• the HTTPS (Secure Content Delivery) Edge servers
• NetStorage
• HD Streaming
• Global Traffic Management (GTM) System
• Enhanced DNS Service with DNSSEC
• the Luna Control Center Portal
• Additionally, the Akamai NOCC, Akamai Domain Name Servers, and the Akamai internal systems: KMI, Authgate, and AMS.

Matt Mitchell: Director, Risk Advisory Services
Contact: [email protected]

• One of the largest pure cyber security services companies
• Over 260 information security professionals
• Expertise in each of the major domains of cybersecurity:
  • Governance & Risk Management
  • Compliance
  • Operations
  • Cyber attack simulation and exploitation
• Supporting over 15 agencies along with leading private sector clients:
  • Hi-tech
  • Financial services
  • Cloud providers
  • Power and energy

• Leads KCG's FedRAMP services practice
• 15 years of public and private security experience
• Currently supporting leading cloud providers:
  • Develop and execute cloud security and compliance management strategies
  • Implement security, compliance, and risk management programs
  • Implement security governance and workforce transformation programs
  • Build and manage rationalized compliance control frameworks: FedRAMP, NIST, PCI DSS, SOC2, SOX, HIPAA, ISO, BITS
