CONFERENCE 2019
Copyright © 1995-2019 Questionmark Corporation and/or Questionmark Computing Limited, known collectively as Questionmark. All rights reserved. Questionmark is a registered trademark of Questionmark Computing Limited. All other trademarks are acknowledged.
Questionmark OnDemand for Government Briefing
28 February 2019
David Hunt
Stacy Poll
Slide 2
Stakeholders in FedRAMP Process
CSP • Questionmark Corporation
3PAO • Schellman & Company, LLC
Agency • USDA?
Slide 3
FedRAMP Governance
Slide 4
Documents on OMB MAX
▪ System Security Plan (SSP): Describes the OnDemand for Government service and how it is secured
▪ System Assessment Plan (SAP): Describes how the 3PAO will review the SSP
▪ System Assessment Report (SAR): Describes the findings from the Audit
Slide 5
System Description
Trustworthy, secure cloud-based assessment management for U.S. Governmental Agencies
Questionmark OnDemand for Government provides governmental agencies a cloud-based assessment management system designed to be compliant with FedRAMP and hosted in a FedRAMP certified U.S. data center dedicated to U.S. government needs.
Slide 6
OD4G System Boundaries
[Figure: network diagram of the OD4G system boundaries. Labels in the diagram: Microsoft Azure GovCloud; Microsoft Azure Public; Virtual Network; Production; UAT/Staging; Management; Monitoring; Security Monitor; Application Gateway; Application Subnet; Database and Domain Controller Subnet; Mirrored DB servers; Domain Controllers; ETL & Mirror Witness; VPN Gateway; Participant Delivery; Customer Portal; HOMIE; Nessus; WSUS; WSUS Upstream; Octopus Deploy; Internet; Customer; Platform Admin (Requires Multi-factor Authentication). Ports shown: HTTPS/443, RDP/3389, WinRM/5985, SQL/49164 & 49172, ActiveDirectory*, WSUS 8530/8531, HTTPS/8834. External Service Providers: Office 365, Dynamics 365, VSTS, Veracode, Security Monitor (the last four marked "Requires Multi-factor Authentication").]
Slide 7
User Interactions with the System
Slide 8
Questionmark invests heavily in FedRAMP
Slide 9
Next step: Agency review
Slide 10
How was the Audit Performed?
The assessment methodology used to conduct the security assessment for the OD4G system is summarized in the following steps:
3.1. Perform tests described in the SAP workbook and record the results
3.2. Identify vulnerabilities related to the CSP platform
3.3. Identify threats and determine which threats are associated with the cited vulnerabilities
3.4. Analyze risks based on vulnerabilities and associated threats
3.5. Recommend corrective actions
3.6. Document the results
Slide 11
The Audit
▪ Schellman expands boundary to include supporting services
▪ Over 250 evidence items provided by Questionmark
▪ Evidence and screenshots collected by Schellman as part of a two-week in-person audit with the IT Infrastructure Manager and Information Security Officer
Slide 12
Questions
Slide 13
Stacy Poll
Slide 14
Status of ATO
Questionmark cannot bring this across the finish line without you.
Slide 15
Welcome to Questionmark OnDemand for Government!
We want you to achieve your goals and enjoy the process!
Questionmark’s mission is to provide the highest quality testing and assessment software and support services to enable individuals and organizations to reach their goals.
Slide 16
Migration Process
Trial Migration
• Upload database to Microsoft Azure Government Cloud Server
• Script migrates it to the OnDemand for Government Development environment
Testing and Validation
• Create roles and assign to Administrators
• Customer is allocated a period of time to test / validate the migrated data
• Average time is 30 days
Production Migration
• After the customer approves the migration in staging, the process is repeated for production
• Customer can plan for a finite and brief period of downtime based on the results of the trial phase
Slide 17
Your Data in the new Platform
Stays the Same
Results, Groups, Schedules
Content
▪ Assessments and Questions migrate into new repository
Participants
▪ Migrate with role of Participant
▪ Maintains Group membership
Administrators
▪ Migrate with no roles
Needs Administration
Content
▪ Need to assign Authors to Topics and Assessments permissions
Administrators
▪ Need to assign Roles
▪ Need to assign to Topics and Assessments permissions
Slide 18
Pre Trial Migration
Migration can only work on a 5.7 Perception database
▪ If you are on an older version, we will need to assist you with upgrading it to 5.7 prior to the migration.
Root Admin email address
▪ You will need to remove your Root Admin's email address from your Perception database prior to uploading your database
▪ Alternatively, we will need an email address that is not already in use
▪ Give the email address to the Tech overseeing the Migration
Resource files and repository files
▪ Leave all things as they are
▪ Do not edit, delete or rename files.
Database Administrator checklist:
▪ https://www.questionmark.com/content/migrating-from-perception-to-ondemand-for-government
▪ All role and schema owners should be defaults, as specified on the above link.
▪ Make sure that only the default stored procedures are present in your Perception database.
▪ Set database collation to SQL_Latin1_General_CP1_CI_AS
▪ Complete the checklist for database configurations
▪ Run SQL commands as stated in the link
▪ Make sure to compress the database backup when creating the .bak file.
▪ Make sure there are no Web.config files in repository file directories.
▪ Perform the table truncations as listed in the link.
▪ Make sure the autogrowth for the database data file is set to By 50 MB, unrestricted growth
▪ If your Perception database is larger than 10 GB, email Questionmark to let them know to expect a "large" database.
Slide 19
Trial Migration
Make a copy of your Repository Files and Shared Repository files
Create a Zip file of the following (Do Not Encrypt, and please use copies)
▪ Repository Database, named exactly as it is named
▪ Shared Repository files
You will be given the SFTP address to upload directly to the Microsoft Azure Government Cloud Server.
A script will be run against the file and convert it to your trial migration area.
Once the script runs, you will be given the URL to access
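The archive rules from the Pre Trial Migration and Trial Migration slides (do not encrypt the zip, no Web.config files in repository directories) can be checked locally before the SFTP upload. The script below is an added example, not Questionmark's migration script; the function names are hypothetical, the sample archives are constructed, and it assumes the database backup is placed in the zip as a .bak file.

```python
import io
import zipfile
from pathlib import PurePosixPath

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags marks an encrypted entry


def check_migration_archive(zip_source):
    """Return a list of problems found in the upload archive (empty list = OK).

    zip_source is a path or a file-like object holding the zip.
    """
    problems = []
    with zipfile.ZipFile(zip_source) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        if not entries:
            problems.append("archive is empty")
        for info in entries:
            # Normalise Windows-style separators before taking the file name.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            if info.flag_bits & ENCRYPTED_FLAG:
                problems.append(f"encrypted entry: {info.filename}")
            if name.lower() == "web.config":
                problems.append(f"Web.config present: {info.filename}")
        # Assumption: the database is shipped as a SQL Server .bak backup file.
        if not any(i.filename.lower().endswith(".bak") for i in entries):
            problems.append("no .bak database backup found")
    return problems


def build_sample(names):
    """Build a constructed in-memory zip with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, b"constructed sample data")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    good = build_sample(["perception.bak", "shared/resources/logo.png"])
    bad = build_sample(["perception.bak", "shared/topicresources/Web.config"])
    print("good:", check_migration_archive(good))
    print("bad: ", check_migration_archive(bad))
```
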
Slide 20
Validate the area
Set up Roles and Permissions and assign to Administration
Have admin users test that they can access the system and see what they were assigned to see
▪ Topic folders assigned Users can see/not see
▪ Groups results or access they can see/not see
Graphics show up in assessments
Templates are in place and look good
Create some test questions with the Next Gen Authoring
Building an assessment
Publish and deliver assessment
Review reports
Test any integrations
Slide 21
Live Migration
Trial area looks good? Contact Questionmark to schedule a Live Migration Date
Repeat the steps in the Pre Trial Migration and Trial Migration slides
Stop use of Perception
Once area migration is complete,
▪ Set up Roles and Permissions and assign to Administration
▪ Set up integrations
Slide 22
Questions?