Federal Risk and Authorization Management Program (FedRAMP)
Agency Implementation of FedRAMP
May 2, 2013
Participants will…
• Understand what agencies must do in order to comply with FedRAMP requirements
• See an example of how HHS has implemented FedRAMP into agency-wide policy
What is FedRAMP?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.
FedRAMP Policy Memo
OMB Policy Memo, December 8, 2011
• Mandates FedRAMP compliance for all cloud services used by the Federal government
  – All new services acquired after June 2012
  – All existing services by June 2014
• Establishes Joint Authorization Board
  – CIOs from DOD, DHS, GSA
  – Creates the FedRAMP requirements
• Establishes PMO
  – Maintained at GSA
  – Establishes FedRAMP processes for agency compliance
  – Maintains 3PAO program
FedRAMP Policy Framework
(Diagram: the policy hierarchy from FISMA down to the agency ATO, read top to bottom)
• Federal Information Security Management Act (FISMA): Congress passes FISMA as part of the 2002 eGov Act.
• OMB A-130 and NIST SP 800-37, 800-137, 800-53: OMB A-130 provides policy; the NIST Special Publications provide the risk management framework.
• FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing a common cloud computing baseline supporting risk-based decisions.
• Agency ATO: Agencies leverage the FedRAMP process; heads of agencies understand and accept risk and grant ATOs.
Cloud System Compliant with FedRAMP
• Agencies must authorize cloud systems using the FedRAMP process. This includes:
  – Ensuring the security package has been created using the required FedRAMP templates – SSP, SAP, SAR
  – Using the FedRAMP security control baseline and addressing ALL controls in that baseline
  – Using an independent assessor to test the system
• The security package for the cloud system authorization has been submitted to the FedRAMP PMO for listing in the repository
• An authorization letter for the system is on file with the FedRAMP PMO
June 2014: All Cloud Projects Must Meet FedRAMP Requirements
How Should Agencies Implement FedRAMP?
• OMB Memo requires Agencies to ensure all cloud services they use meet the FedRAMP security authorization requirements.
• Agencies have many options to enforce this at an agency level:
  – Agency-wide policy mandating FedRAMP
    • Can be through Administrator, CIO, or CISO
  – Create an Agency FedRAMP Standard Operating Procedure
    • Can be through CIO or CISO
  – Update existing Agency security processes to reflect FedRAMP requirements
• Agencies should be able to demonstrate to OMB how they are implementing FedRAMP into agency processes
Agency Example: HHS
• HHS recently released an Agency FedRAMP Standard Operating Procedure
• Released through HHS CISO
• Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements
HHS SOP: Define Actors
Who Will Be Involved?
• Who is doing what?
• What are the responsibilities of team members?
• What is the hierarchy for decision making?
HHS SOP: Authorization Process
How Will FedRAMP Requirements Be Met?
• Detail how actors will authorize a CSP
• Integrate FedRAMP requirements into the authorization process
• Should align with current agency processes
  – HHS created a new SOP specifically for FedRAMP
  – Agencies can choose to update/modify/revise current SOPs or policies for security authorizations to reflect cloud systems.
HHS SOP: Submission to FedRAMP
How Will the Agency Provide Authorization to FedRAMP?
• Worked with FedRAMP Team to ensure the standard process aligns with PMO expectations
• Consistent with FedRAMP CONOPS
• Includes details about initial documentation as well as periodic updates
HHS SOP: Additional Guidance
Additional Agency Guidance for Authorizations
• Add guidance in appendices to help consistency in authorizations
• Can provide additional information for agency policies relating to:
  – Risk acceptability criteria
  – Checklists for completion
  – Hierarchy of issue resolutions
  – SMEs for particular areas of focus (e.g. credentialing, encryption, etc.)
Summary
• Agencies must ensure they authorize all cloud services using the FedRAMP requirements
• Many options to enforce this.
• One example of implementing this agency-wide is HHS’s FedRAMP SOP.
  – Not overly complex
  – Details roles, process, providing docs to FedRAMP, and gives additional guidance.
FedRAMP office is available to review and assist agencies in creating agency-wide policies and SOPs for implementing FedRAMP.
For more information, please contact us or visit the following website:
www.FedRAMP.gov
Email: info@fedramp.gov
@FederalCloud

More Related Content

Viewers also liked

March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalMarch 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalTuan Phan
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Tuan Phan
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTuan Phan
 
Conops v1.1 07162012_508
Conops v1.1 07162012_508Conops v1.1 07162012_508
Conops v1.1 07162012_508Tuan Phan
 
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - PanelFocus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - PanelAkamai Technologies
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)Tuan Phan
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
Building an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRCBuilding an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRCTuan Phan
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0Valdez Ladd MBA, CISSP, CISA,
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 
Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesTuan Phan
 
E authentication template 050212
E authentication template 050212E authentication template 050212
E authentication template 050212GovCloud Network
 
Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP DrupalMike Lemire
 
FedRAMP CSP SSP Training
FedRAMP CSP SSP TrainingFedRAMP CSP SSP Training
FedRAMP CSP SSP Training1ECG
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...James W. De Rienzo
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTuan Phan
 
FedRAMP High & AWS GovCloud (US): FISMA High Requirements
FedRAMP High & AWS GovCloud (US): FISMA High RequirementsFedRAMP High & AWS GovCloud (US): FISMA High Requirements
FedRAMP High & AWS GovCloud (US): FISMA High RequirementsAmazon Web Services
 

Viewers also liked (20)

March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalMarch 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
A Closer Look on C&C Panels
A Closer Look on C&C PanelsA Closer Look on C&C Panels
A Closer Look on C&C Panels
 
Conops v1.1 07162012_508
Conops v1.1 07162012_508Conops v1.1 07162012_508
Conops v1.1 07162012_508
 
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - PanelFocus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
 
Azure gov march 15th
Azure gov march 15thAzure gov march 15th
Azure gov march 15th
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
 
Building an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRCBuilding an Effective GRC Process with TrustedAgent GRC
Building an Effective GRC Process with TrustedAgent GRC
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
 
Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slides
 
E authentication template 050212
E authentication template 050212E authentication template 050212
E authentication template 050212
 
Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP Drupal
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015
 
FedRAMP CSP SSP Training
FedRAMP CSP SSP TrainingFedRAMP CSP SSP Training
FedRAMP CSP SSP Training
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
 
FedRAMP High & AWS GovCloud (US): FISMA High Requirements
FedRAMP High & AWS GovCloud (US): FISMA High RequirementsFedRAMP High & AWS GovCloud (US): FISMA High Requirements
FedRAMP High & AWS GovCloud (US): FISMA High Requirements
 

Similar to Fed ramp agency_implementation_webinar

FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Schellman & Company
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMPRay Potter
 
FedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conopsFedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conopsGovCloud Network
 
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Amazon Web Services
 
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Amazon Web Services
 
FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)Wendy Knox Everette
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Managementjadams6
 
How Verizon Uses Automation to Accelerate SAP Projects
How Verizon Uses Automation to Accelerate SAP ProjectsHow Verizon Uses Automation to Accelerate SAP Projects
How Verizon Uses Automation to Accelerate SAP ProjectsWorksoft
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTuan Phan
 
Running head  SIMPLIFIED PROJECT PLAN .docx
Running head  SIMPLIFIED PROJECT PLAN                          .docxRunning head  SIMPLIFIED PROJECT PLAN                          .docx
Running head  SIMPLIFIED PROJECT PLAN .docxrtodd599
 
Governance webinar 09062016
Governance webinar 09062016Governance webinar 09062016
Governance webinar 09062016Thierry RAMON
 
Governance webinar 09062016
Governance webinar 09062016Governance webinar 09062016
Governance webinar 09062016Thierry RAMON
 
Document Management in the Life Sciences - New Horizons for Small-Medium Ente...
Document Management in the Life Sciences - New Horizons for Small-Medium Ente...Document Management in the Life Sciences - New Horizons for Small-Medium Ente...
Document Management in the Life Sciences - New Horizons for Small-Medium Ente...Montrium
 
Policy Guided Fulfillmentof Murano Applications
Policy Guided Fulfillmentof Murano ApplicationsPolicy Guided Fulfillmentof Murano Applications
Policy Guided Fulfillmentof Murano Applicationsrpospisil
 
Making the Move to an Enterprise Clinical Trial Management System
Making the Move to an Enterprise Clinical Trial Management SystemMaking the Move to an Enterprise Clinical Trial Management System
Making the Move to an Enterprise Clinical Trial Management SystemPerficient
 
FedRAMP Accelerated: An Update with GSA & cloud.gov | AWS Public Sector Summi...
FedRAMP Accelerated: An Update with GSA & cloud.gov | AWS Public Sector Summi...FedRAMP Accelerated: An Update with GSA & cloud.gov | AWS Public Sector Summi...
FedRAMP Accelerated: An Update with GSA & cloud.gov | AWS Public Sector Summi...Amazon Web Services
 
Sabrion_Consulting_Overview CPG Retail Apparel.pdf
Sabrion_Consulting_Overview CPG Retail Apparel.pdfSabrion_Consulting_Overview CPG Retail Apparel.pdf
Sabrion_Consulting_Overview CPG Retail Apparel.pdfBrion Carroll (II)
 
Strengthen your Foundations
Strengthen your FoundationsStrengthen your Foundations
Strengthen your FoundationsRay Février
 
The ABCs of Clinical Trial Management Systems
The ABCs of Clinical Trial Management SystemsThe ABCs of Clinical Trial Management Systems
The ABCs of Clinical Trial Management SystemsPerficient, Inc.
 

Similar to Fed ramp agency_implementation_webinar (20)

FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMP
 
FedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conopsFedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conops
 
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
 
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
 
FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Management
 
How Verizon Uses Automation to Accelerate SAP Projects
How Verizon Uses Automation to Accelerate SAP ProjectsHow Verizon Uses Automation to Accelerate SAP Projects
How Verizon Uses Automation to Accelerate SAP Projects
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
 
Running head  SIMPLIFIED PROJECT PLAN .docx
Running head  SIMPLIFIED PROJECT PLAN                          .docxRunning head  SIMPLIFIED PROJECT PLAN                          .docx
Running head  SIMPLIFIED PROJECT PLAN .docx
 
Governance webinar 09062016
Governance webinar 09062016Governance webinar 09062016
Governance webinar 09062016
 
Governance webinar 09062016
Governance webinar 09062016Governance webinar 09062016
Governance webinar 09062016
 
Document Management in the Life Sciences - New Horizons for Small-Medium Ente...
Document Management in the Life Sciences - New Horizons for Small-Medium Ente...Document Management in the Life Sciences - New Horizons for Small-Medium Ente...
Document Management in the Life Sciences - New Horizons for Small-Medium Ente...
 
Policy Guided Fulfillmentof Murano Applications
Policy Guided Fulfillmentof Murano ApplicationsPolicy Guided Fulfillmentof Murano Applications
Policy Guided Fulfillmentof Murano Applications
 
Making the Move to an Enterprise Clinical Trial Management System
Making the Move to an Enterprise Clinical Trial Management SystemMaking the Move to an Enterprise Clinical Trial Management System
Making the Move to an Enterprise Clinical Trial Management System
 
FedRAMP Accelerated: An Update with GSA & cloud.gov | AWS Public Sector Summi...
FedRAMP Accelerated: An Update with GSA & cloud.gov | AWS Public Sector Summi...FedRAMP Accelerated: An Update with GSA & cloud.gov | AWS Public Sector Summi...
FedRAMP Accelerated: An Update with GSA & cloud.gov | AWS Public Sector Summi...
 
Sabrion_Consulting_Overview CPG Retail Apparel.pdf
Sabrion_Consulting_Overview CPG Retail Apparel.pdfSabrion_Consulting_Overview CPG Retail Apparel.pdf
Sabrion_Consulting_Overview CPG Retail Apparel.pdf
 
Strengthen your Foundations
Strengthen your FoundationsStrengthen your Foundations
Strengthen your Foundations
 
The ABCs of Clinical Trial Management Systems
The ABCs of Clinical Trial Management SystemsThe ABCs of Clinical Trial Management Systems
The ABCs of Clinical Trial Management Systems
 

More from Tuan Phan

Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Tuan Phan
 
Guide to understanding_fed_ramp_032513
Guide to understanding_fed_ramp_032513Guide to understanding_fed_ramp_032513
Guide to understanding_fed_ramp_032513Tuan Phan
 
Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspTuan Phan
 
Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712Tuan Phan
 
Completing fedramp-security-authorization-process
Completing fedramp-security-authorization-processCompleting fedramp-security-authorization-process
Completing fedramp-security-authorization-processTuan Phan
 

More from Tuan Phan (6)

Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213Guide to understanding_fed_ramp_042213
Guide to understanding_fed_ramp_042213
 
Guide to understanding_fed_ramp_032513
Guide to understanding_fed_ramp_032513Guide to understanding_fed_ramp_032513
Guide to understanding_fed_ramp_032513
 
Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for csp
 
Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712
 
Completing fedramp-security-authorization-process
Completing fedramp-security-authorization-processCompleting fedramp-security-authorization-process
Completing fedramp-security-authorization-process
 

Recently uploaded

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 

Recently uploaded (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...

Fed ramp agency_implementation_webinar

  • 6. Cloud System Compliant with FedRAMP
    • Agencies must authorize cloud systems using the FedRAMP process. This includes:
      – Ensuring the security package has been created using the required FedRAMP templates: System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR)
      – Using the FedRAMP security control baseline and addressing ALL controls in that baseline
      – Using an independent assessor to test the system
    • The security package for the cloud system authorization has been submitted to the FedRAMP PMO for listing in the repository
    • An authorization letter for the system is on file with the FedRAMP PMO
    June 2014: All Cloud Projects Must Meet FedRAMP Requirements
  • 7. How Should Agencies Implement FedRAMP?
    • The OMB Memo requires agencies to ensure all cloud services they use meet the FedRAMP security authorization requirements.
    • Agencies have many options to enforce this at an agency level:
      – Agency-wide policy mandating FedRAMP (can be issued by the Administrator, CIO, or CISO)
      – Create an agency FedRAMP Standard Operating Procedure (can be issued by the CIO or CISO)
      – Update existing agency security processes to reflect FedRAMP requirements
    • Agencies should be able to demonstrate to OMB how they are implementing FedRAMP in agency processes
  • 8. Agency Example: HHS
    • HHS recently released an agency FedRAMP Standard Operating Procedure (SOP)
    • Released through the HHS CISO
    • Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements
  • 9. HHS SOP: Define Actors (Who Will Be Involved?)
    • Who is doing what?
    • What are the responsibilities of team members?
    • What is the hierarchy for decision making?
  • 10. HHS SOP: Authorization Process (How Will FedRAMP Requirements Be Met?)
    • Detail how actors will authorize a CSP (cloud service provider)
    • Integrate FedRAMP requirements into the authorization process
    • Should align with current agency processes
      – HHS created a new SOP specifically for FedRAMP
      – Agencies can choose to update/modify/revise current SOPs or policies for security authorizations to reflect cloud systems.
  • 11. HHS SOP: Submission to FedRAMP (How Will the Agency Provide Authorization to FedRAMP?)
    • Worked with the FedRAMP team to ensure the standard process aligns with PMO expectations
    • Consistent with the FedRAMP CONOPS
    • Includes details about initial documentation as well as periodic updates
  • 12. HHS SOP: Additional Guidance (Additional Agency Guidance for Authorizations)
    • Add guidance in appendices to help consistency in authorizations
    • Can provide additional information for agency policies relating to:
      – Risk acceptability criteria
      – Checklists for completion
      – Hierarchy of issue resolution
      – SMEs for particular areas of focus (e.g., credentialing, encryption, etc.)
  • 13. Summary
    • Agencies must ensure they authorize all cloud services using the FedRAMP requirements
    • There are many options to enforce this.
    • One example of implementing this agency-wide is HHS's FedRAMP SOP.
      – Not overly complex
      – Details roles, process, providing docs to FedRAMP, and gives additional guidance.
    The FedRAMP office is available to review and assist agencies in creating agency-wide policies and SOPs for implementing FedRAMP.
  • 14. For more information, please contact us or visit the following website: www.FedRAMP.gov | Email: info@fedramp.gov | @FederalCloud