FedRAMP Agency Implementation Webinar
1. Federal Risk and Authorization Management Program (FedRAMP)
Agency Implementation of FedRAMP
May 2, 2013
2. Participants will…
• Understand what agencies must do in order to comply with FedRAMP requirements
• See an example of how HHS has implemented FedRAMP into agency-wide policy
3. What is FedRAMP?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
This approach uses a “do once, use many times” framework that will save the cost, time, and staff required to conduct redundant agency security assessments.
4. FedRAMP Policy Memo
OMB Policy Memo, December 8, 2011
• Mandates FedRAMP compliance for all cloud services used by the Federal government
  – All new services acquired after June 2012
  – All existing services by June 2014
• Establishes Joint Authorization Board
  – CIOs from DOD, DHS, GSA
  – Creates the FedRAMP requirements
• Establishes PMO
  – Maintained at GSA
  – Establishes FedRAMP processes for agency compliance
  – Maintains 3PAO program
5. FedRAMP Policy Framework
[Diagram: FISMA → OMB A-130 / NIST SP 800-37, 800-137, 800-53 → FedRAMP Security Requirements → Agency ATO]
• eGov Act of 2002 includes the Federal Information Security Management Act (FISMA): Congress passes FISMA as part of the 2002 eGov Act
• OMB A-130 and NIST SP 800-37, 800-137, 800-53: OMB A-130 provides policy, NIST Special Publications provide the risk management framework
• FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing a common cloud computing baseline supporting risk-based decisions
• Agency ATO: Agencies leverage the FedRAMP process; heads of agencies understand and accept risk and grant ATOs
6. Cloud System Compliant with FedRAMP
• Agencies must authorize cloud systems using the FedRAMP process. This includes:
  – Ensuring the security package has been created using the required FedRAMP templates – SSP, SAP, SAR
  – Using the FedRAMP security control baseline and addressing ALL controls in that baseline
  – Using an independent assessor to test the system
• The security package for the cloud system authorization has been submitted to the FedRAMP PMO for listing in the repository
• An authorization letter for the system is on file with the FedRAMP PMO
June 2014: All Cloud Projects Must Meet FedRAMP Requirements
7. How Should Agencies Implement FedRAMP?
• OMB Memo requires Agencies to ensure all cloud services they use meet the FedRAMP security authorization requirements.
• Agencies have many options to enforce this at an agency level:
  – Agency-wide policy mandating FedRAMP
    • Can be through Administrator, CIO, or CISO
  – Create an Agency FedRAMP Standard Operating Procedure
    • Can be through CIO or CISO
  – Update existing Agency security processes to reflect FedRAMP requirements
• Agencies should be able to demonstrate to OMB how they are implementing FedRAMP into agency processes
8. Agency Example: HHS
• HHS recently released an Agency FedRAMP Standard Operating Procedure
• Released through HHS CISO
• Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements
9. HHS SOP: Define Actors
• Who is doing what?
• What are the responsibilities of team members?
• What is the hierarchy for decision making?
Who Will Be Involved?
10. HHS SOP: Authorization Process
• Detail how actors will authorize a CSP
• Integrate FedRAMP requirements into the authorization process
• Should align with current agency processes
  – HHS created a new SOP specifically for FedRAMP
  – Agencies can choose to update/modify/revise current SOPs or policies for security authorizations to reflect cloud systems.
How Will FedRAMP Requirements Be Met?
11. HHS SOP: Submission to FedRAMP
• Worked with FedRAMP Team to ensure the standard process aligns with PMO expectations
• Consistent with FedRAMP CONOPS.
• Includes details about initial documentation as well as periodic updates
How Will the Agency Provide Authorization to FedRAMP?
12. HHS SOP: Additional Guidance
• Add guidance in appendices to help consistency in authorizations
• Can provide additional information for agency policies relating to:
  – Risk acceptability criteria
  – Checklists for completion
  – Hierarchy of issue resolutions
  – SMEs for particular areas of focus (e.g. credentialing, encryption, etc.)
Additional Agency Guidance for Authorizations
13. Summary
• Agencies must ensure they authorize all cloud services using the FedRAMP requirements
• Many options to enforce this.
• One example of implementing this agency-wide is HHS’s FedRAMP SOP.
  – Not overly complex
  – Details roles, process, providing docs to FedRAMP, and gives additional guidance.
The FedRAMP office is available to review and assist agencies in creating agency-wide policies and SOPs for implementing FedRAMP.