FedRAMP is the federal government's risk and security assessment program for cloud-based services as part of the cloud-first initiative, and is designed to make the assessment process more efficient by providing a "do once, use many times" framework.
If you work with or want to work with federal agencies, your organization will need to be FedRAMP compliant.
In this webinar, you will:
• Learn the background and overview of the FedRAMP program
• Take a deep dive of the assessment process
• Discover the benefits and challenges companies experience during the assessment process
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessments
1. Webinar – What you should know about FedRAMP assessments | 1
Contents
• FedRAMP Overview
• Setting the Stage
• Assessment Process
• Additional Topics and Summary
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves the cost, time, and staff required to conduct redundant agency security assessments.
Launched in July 2012
FedRAMP replaces what was previously a decentralized authority to operate (ATO) model, in which each agency performed its own assessment.
Understanding FISMA vs. FedRAMP
FISMA
  Is a: Law
  Applies to: Government agencies
  Utilizes for guidance: FIPS 199, FIPS 200, NIST SP 800-53
  Assessed by: An agency, which may use or rely on the work of an outside auditor
FedRAMP
  Is a: Program for managing assessments and ongoing compliance
  Applies to: Cloud providers that host or plan to host for government agencies
  Utilizes for guidance: FedRAMP-modified NIST 800-53 standards; FedRAMP-specific deliverables and templates
  Assessed by: An accredited Third Party Assessment Organization (3PAO)
While the two are often confused, FISMA is a law for agencies, whereas FedRAMP is an audit program for cloud service providers (CSPs).
Setting the Stage: Scope & Agency Involvement
First Decision: JAB vs Agency Sponsor
• Option 1 - JAB Provisional Authorization (P-ATO)
– FedRAMP Ready Assessment Required
– Documentation reviewed by GSA, DoD, and DHS
– Pros: Perceived as government-wide; no Agency Sponsor required
– Con: Lengthier process
• Option 2 - Agency Authority to Operate (ATO)
– All documentation reviewed by single agency
– Most common approach
Estimated Timeframes (Provided by FedRAMP PMO)
Phases for both paths: System Security Plan → Security Assessment Plan → Testing → SAR & POA&M Review → Authorize
• JAB P-ATO: 6 months +
• Agency ATO: 4 months +
Quality of documentation will determine length of time and possible cycles throughout the entire process.
Cloud Delivery Models Drive Scope
https://www.e-education.psu.edu/cloudGIS/node/91
Cloud IaaS Provider Responsibilities
Leveraging a FedRAMP Authorized IaaS provider allows a SaaS provider to “carve out” those controls and only audit against that which is its own responsibility.
The System Security Plan (SSP)
• Template available on www.fedramp.gov
• Average 400-500 pages in length
• Key Components:
– System boundaries
– Detailed control descriptions for each of the NIST 800-53 control families (section 13+)
The CSP is 100% responsible for documenting the SSP and maintaining the controls on an ongoing basis.
The Assessment Process
The 3PAO Assessment Process
• Two stages: Planning (SAP); Testing (SAR)
• Assessment activities include:
– Credentialed vulnerability scanning / observation
– Penetration testing
– Manual controls inspection including interviews, documentation review, and technical configuration review
• Findings and communication
– Real-time documentation and coordination between 3PAO and CSP
– Development of POAMs by CSP
Continuous Monitoring
• 97 core controls for the Moderate baseline + agency-specified controls (~50% of controls)
• What happens after ATO
• Control requirements
– Continuous
– Weekly (e.g. log monitoring)
– Monthly (e.g. scanning)
– Quarterly (e.g. account review)
– Annually
• 3PAO annual assessment
– Assess core controls + % of all other controls (Agency-specified)
– Review POAMs
– Scanning (and/or observation of scanning)
– Penetration testing
Additional Topics and Summary
FedRAMP+ & ITAR
• Department of Defense
– DoD uses a FedRAMP+ model with DoD SRG/STIG guidance
– FedRAMP controls plus additional controls at designated levels
• Level 2 is aligned w/ FedRAMP
• Level 4 adds an incremental 35 controls
• NIST 800-171
– Standards for Controlled Unclassified Information (CUI)
– Aimed primarily at contractors
• ITAR
– Some agencies require that only US persons have access to federal systems
– While not a FedRAMP requirement, some systems and support models are built for ITAR compliance
1H 2016 Updates
• Current State:
– 31 JAB ATOs (4-High)
– 45 CSPs granted an initial Agency ATO
• For example, AWS GovCloud has received 15 individual Agency authorizations for the same system
• FedRAMP Ready launched as part of the FedRAMP Accelerated process for JAB
• High baseline launched
• New Templates
Learn more:
www.schellmanco.com/fedramp