Accreditation of Commercial Software, Myths and Methods

Software developers wishing to offer their commercial products to the U.S. Government face a dizzying array of compliance programs. Understanding FISMA, FedRAMP, the DoD SRG, ICD-503, CJIS, and even HIPAA is critical to delivering value to the mission, and which of them apply depends on the specific workload and the customer. This session de-mystifies compliance, starting with the foundation of NIST SP 800-53, and helps a solution provider understand the range of requirements from the NIST Cybersecurity Framework to NIST SP 800-171, and who is responsible for providing the body of evidence and achieving accreditations.

  1. PUBLIC SECTOR SUMMIT, Washington DC
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Accreditation of Commercial Software – Myths and Methods. Toby Zellers, Controlled Region Partner Manager, AWS WWPS ISV Enablement; Tim Sandage, Sr. Security Partner Strategist, AWS WWPS ISV Enablement. Session ID 308967.
  3. Government Accreditation (same speakers and session ID as above)
  4. Agenda: Short History of Government Accreditation; Customer Requirements; Security & Accreditation Myths; Resources
  5. "A secure system is one that does what it is supposed to." (Gene Spafford)
  6. Ancient History: The Rainbow Series (1980s and 1990s)
  7. More Recent History
  8. "Security is always excessive until it's not enough." (Robbie Sinclair)
  9. Compliance Mandates: Government Agencies
     o Government: FISMA, implemented through the Risk Management Framework (RMF)
     o DoD: formerly DITSCAP/DIACAP, now the Risk Management Framework
     o US Intelligence: ICD-503
  10. Compliance Mandates: Technology Firms and ISVs. More public sector compliance frameworks:
     o Criminal Justice Information Services Division (CJIS)
     o Defense Federal Acquisition Regulation Supplement (DFARS)
     o Internal Revenue Service Publication 1075 (IRS Pub 1075)
     o Payment Card Industry Data Security Standard (PCI DSS)
     o Health Insurance Portability and Accountability Act (HIPAA)
     o Health Information Trust Alliance (HITRUST)
     o Federal Risk and Authorization Management Program (FedRAMP): High, Moderate, Low
     o DISA Cloud Computing Security Requirements Guide (SRG): IL2, IL4, IL5, IL6
  11. "In God we trust. All others, we virus scan."
  12. Cyber Security Myths
     o Passwords make us secure...
     o We run virus checks and vulnerability scans, so we are safe...
     o We can wait until the end of the development cycle to meet with the accreditor...
     o You can trust any reputable source... "especially Open Source"
     o All AWS services in every region are accredited...
     o My data is backed up, so we are good...
     o When in doubt, penetration test...
  13. Cyber Security
     o Penetration testing is just one tool
     o Promote best practices for security
     o Consider AWS Well-Architected
     o Involve the security team
     o Available vs. accredited vs. approved: these are three different states of a service
     o Backup is practice, restore is show
  14. FedRAMP Myths. ATO (Authorization to Operate) and sponsors:
     o I can, and should, attain a FedRAMP/DoD ATO before I have secured customers that require it.
     o The sponsoring agency accepts the risk of the system/cloud service for the entire government.
     o A Joint Authorization Board (JAB) ATO means any federal or DoD agency/organization can use my workload/system immediately.
     o FedRAMP applies to state and local government, education, or nonprofits.
  15. FedRAMP Myths. Amazon Linux:
     o We can use Amazon Linux for any federal workload.
     Pen testing, external services and data:
     o I cannot connect my AWS FedRAMP-authorized boundary to external service providers that are not FedRAMP-authorized.
     o I can use AWS services in AWS US East/West or AWS GovCloud (US).
  16. FedRAMP Myths. FIPS encryption:
     o I can get a FedRAMP ATO without my encryption being FIPS 140-2 Validated.
     o FIPS 140-2 compliant cryptography satisfies FedRAMP and DoD encryption controls.
     Showstoppers:
     o FedRAMP has some frequent criteria that are considered showstoppers if they are not met.
  17. FedRAMP
     o ATO and the sponsor process
     o FIPS 140-2 Validated encryption vs. FIPS Compliant encryption
     o Amazon Linux
     o External services and AWS services
     o FedRAMP showstoppers
     https://www.fedramp.gov/assets/resources/documents/CSP_A_FedRAMP_Authorization_Boundary_Guidance.pdf
     https://aws.amazon.com/compliance/services-in-scope/
  18. AWS GovCloud (US) Myths. AWS GovCloud (US) overview:
     o Deploy in AWS GovCloud (US) = automatic FedRAMP, ITAR, DoD SRG, DFARS, and CJIS accreditation
     o IRS 1075 workloads can "ONLY" be authorized in AWS GovCloud (US).
     o To get FedRAMP, you need to be in AWS GovCloud (US).
  19. AWS GovCloud (US)
     o Automatic FedRAMP, ITAR, DoD SRG, DFARS, and CJIS accreditation
     o IRS 1075 workloads
     o To get FedRAMP, you need to be in AWS GovCloud (US)
  20. DISA Myths. DoD Provisional Authorization (PA) and sponsors:
     o The DoD Defense Security/Cybersecurity Authorization Working Group (DSAWG) is the same as the FedRAMP JAB.
     o Achieving a DISA IL4/IL5 PA is a long process.
     o DISA will give me IL2 reciprocity once I achieve my FedRAMP Moderate ATO.
  21. DISA Myths. DoD citizenship requirements:
     o DoD requires the same personnel requirements as FedRAMP
     DoD showstoppers:
     o DoD has some frequent criteria that are considered showstoppers if they are not met
  22. DISA
     o DoD and FedRAMP Moderate reciprocity
     o DoD personnel requirements
     o DoD showstoppers (DoD SRG)
  23. DISA: Path to DoD Impact Level Provisional Authorization (three starting points, from easiest to hardest)
     o CSP has a FedRAMP JAB P-ATO: the JAB P-ATO can be leveraged for reciprocity. Easiest route to a DoD PA, because the CSP is already engaged in continuous monitoring through FedRAMP and has satisfied the FedRAMP baseline controls.
     o CSP has a FedRAMP non-DoD agency P-ATO: a 3PAO is required to review the agency FedRAMP baseline and ensure the security controls have been satisfied for reciprocity. Slightly more difficult, because DoD has not validated the FedRAMP baseline and responsibility for continuous monitoring must be negotiated between DoD and the FedRAMP agency sponsor.
     o DoD-assessed PA: the 3PAO works hand in hand with a DoD-authorized assessment organization to perform the assessment of the CSP. Both the FedRAMP baseline and the DoD Impact Level overlays must be assessed. Most difficult route for a CSP, because the FedRAMP baseline has not been previously assessed or authorized, and the DoD sponsor must take responsibility for all continuous monitoring duties.
  24. US Intelligence Community Myths
     o C2S is a cloud... C2S is a Region...
     o The government has firewalls between their classified networks and the Internet
     o All IC agencies use the same Linux baseline
     o My product needs an ICD-503 ATO (just like a FedRAMP ATO)
     o Our product is used in production at Agency XYZ in the C2S Top Secret Region, so we are approved everywhere, right?
  25. AWS & IC Marketplace Myths
     o Rules for AWS Marketplace for AWS GovCloud (US) and IC Marketplace are the same
     o I need FedRAMP to be in the IC Marketplace or the AWS GovCloud (US) Marketplace
     o My company has a DoD Facility Clearance, so we will automatically be approved to publish in the IC Marketplace
     o ICD-503 accreditation is a prerequisite for IC Marketplace
  26. C2S and IC Marketplace
     o C2S is a contract available to the IC
     o Title 50 of the US Code defines the US IC
     o Each government agency has its own approval authority
     o Like FedRAMP and the DoD SRG, ICD-503 is based on NIST SP 800-53 controls
     o Ping icmp@amazon.com for details on IC Marketplace
  27. Other DoD Security Myths
     o A classified application shared by NCIS in collaboration with agency XYZ (part of the Intel community) needs to be compliant under CJIS + ICD-503 + DoD SRG?
     o Our agency can't use AWS GovCloud (US) because we have users who are deployed OCONUS
  28. CIS Benchmarks and Hardened Amazon Machine Images. Benchmarks:
     o Anyone can use CIS Benchmarks for consulting or in their organization's commercially available tools.
     o The easiest way to harden a virtual machine image is to configure it myself, or there is no easy way to secure an OS in the cloud.
     Secure architectures:
     o Security baselines are set by AWS in a customer account.
  29. CIS Benchmarks and Hardened Amazon Machine Images
     o In order to use the CIS Benchmarks commercially, you must be a CIS SecureSuite Member
     o CIS Hardened Images are preconfigured to the security recommendations of the CIS Benchmarks
     o The CIS AWS Foundations Benchmark helps you address security and compliance considerations by building foundational security into your account and monitoring critical resources
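The CIS AWS Foundations Benchmark recommendations about account identity (MFA on the root account, no root access keys, MFA for every console user, credentials not used or not rotated for 90 days) can all be evaluated from one artifact, the IAM credential report. The block below is an added example, not code from the slides or from CIS or AWS: it implements those checks over a constructed credential report embedded inline, using a subset of the columns that `aws iam get-credential-report` returns. The finding labels (`ROOT_MFA`, `KEY_UNUSED`, ...) and the 90-day threshold are choices made here; the benchmark's own recommendation numbers differ between versions and are not reproduced.

```python
"""Offline checks in the spirit of the CIS AWS Foundations Benchmark, run against
an IAM credential report.  SAMPLE_REPORT is CONSTRUCTED data in the column layout
of `aws iam get-credential-report` (a subset of its columns); the finding labels
are chosen here and are not the benchmark's recommendation numbers."""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90  # threshold for unused and unrotated credentials

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2018-01-10T09:00:00+00:00,not_supported,2019-05-20T08:00:00+00:00,not_supported,not_supported,false,true,2018-01-10T09:00:00+00:00,2019-05-01T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2018-03-01T09:00:00+00:00,true,2019-06-01T11:00:00+00:00,2019-05-15T09:00:00+00:00,2019-08-13T09:00:00+00:00,true,true,2019-05-15T09:00:00+00:00,2019-06-01T11:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2018-03-01T09:00:00+00:00,true,2019-01-05T11:00:00+00:00,2018-12-01T09:00:00+00:00,2019-03-01T09:00:00+00:00,false,true,2018-06-01T09:00:00+00:00,no_information,false,N/A,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2018-09-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-05-30T09:00:00+00:00,2019-06-02T07:00:00+00:00,true,2018-11-01T09:00:00+00:00,2019-02-01T07:00:00+00:00
"""


def _parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style placeholders."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def _older_than(ts, now, days=STALE_DAYS):
    """True when ts is known and lies more than `days` before `now`."""
    return ts is not None and now - ts > timedelta(days=days)


def evaluate_credential_report(report_csv, now):
    """Return a list of (finding_label, subject) tuples for the report.

    Root is identified by the literal user name "<root_account>" the report uses.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"

        if is_root and not mfa:
            findings.append(("ROOT_MFA", user))
        if not is_root and console and not mfa:
            findings.append(("CONSOLE_USER_MFA", user))

        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append(("ROOT_ACCESS_KEY", user))
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if _older_than(rotated, now):
                findings.append(("KEY_NOT_ROTATED", f"{user}/key{slot}"))
            # A key that has never been used is judged from its rotation date,
            # so an old, never-used key is flagged rather than silently skipped.
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"]) or rotated
            if _older_than(last_used, now):
                findings.append(("KEY_UNUSED", f"{user}/key{slot}"))

        if not is_root and console:
            last_used = _parse_ts(row["password_last_used"]) or _parse_ts(row["password_last_changed"])
            if _older_than(last_used, now):
                findings.append(("PASSWORD_UNUSED", user))
    return findings


def run_sample():
    """Evaluate the constructed report at a fixed 'now' so results are reproducible."""
    now = datetime(2019, 6, 10, tzinfo=timezone.utc)
    return evaluate_credential_report(SAMPLE_REPORT, now)


if __name__ == "__main__":
    for label, subject in run_sample():
        print(f"{label:18} {subject}")
```

Against real data, replace `SAMPLE_REPORT` with the decoded `Content` of `get-credential-report` and `now` with the current UTC time; the report is generated asynchronously, so the caller must request it and wait for it to be ready before reading it.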
  30. "The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards." (Gene Spafford)
  31. Best URLs Ever!
     o AWS Government: https://aws.amazon.com/government-education/government
     o Compliance: https://aws.amazon.com/compliance
     o AWS GovCloud (US): https://aws.amazon.com/govcloud-us
     o AWS Marketplace: https://aws.amazon.com/marketplace
  32. AWS Whitepapers
     o Introduction to AWS Security & Security Processes
     o AWS Security Best Practices
     o AWS Well-Architected Framework: Security Pillar
     o Cloud Adoption Framework: Security Perspective
     o Overviews of AWS Security (6)
     o Securing Data at Rest with Encryption
     o Security at Scale: Governance in AWS; Logging in AWS
     https://aws.amazon.com/security/security-resources/
  33. NIST Cyber Security Framework: mapping of the NIST CSF to AWS services and features; describes whether each concern is addressed by AWS or by the customer. https://aws.amazon.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf
  34. Handy Email Aliases
     o AWS GovCloud Business Development: govcloud-bd@amazon.com
     o AWS GovCloud Marketplace: govcloudmp@amazon.com
     o IC Marketplace: icmp@amazon.com
     o ATO on AWS: ATOonAWS@amazon.com
     o Worldwide Public Sector Emerging Partner Team: aws-wwps-emerging-pdr@amazon.com
  35. re:Inforce: https://reinforce.awsevents.com/
  36. Related breakout sessions
     o 295436 – Authority to Operate on AWS: Compliance as Code. Ted Steffan and Tim Sandage/AWS
     o 299937 – Security & Identity: the Continuous Mitigation & Diagnostic Journey on AWS. Darren House/AWS and John Nemoto/CGI Federal
  37. Related breakout sessions
     o 316557 – Achieve Compliance with Security by Default and by Design. Andrew Plato/Anitian and Ignacio Martinez/Smartsheet
     o 317684 – Hyperscale Security Data for Continuous Risk Monitoring. Stephen Horvath and Amit Patel/Telos
     o 302828 – Accelerate ATO & Simplify Compliance Through Automation. Josh Hammer/AWS and Scott Horton/Palo Alto Networks
  38. Related breakout sessions
     o 295507 – AWS Secret Region – Lessons Learned or DevSecOps. Tyler Hayley/Joint Special Operations Command
     o 302830 – Beyond Security Automation: How to Move Past Developing Ad-hoc Tools and Make Tools that Develop Automatically. Brad Dispensa/AWS
     o 316600 – Container Security and Avoiding the 2am Call. Len Henry and Ramesh Jetty/AWS
  39. Thank you! Toby Zellers & Tim Sandage, zellerst@amazon.com, sandaget@amazon.com. "There is no such thing as perfect security, only varying levels of insecurity." (Salman Rushdie)
