FedRAMP Government Discussion. Matt Goodrich, FedRAMP Director. January 14, 2015. www.fedramp.gov

Presentation transcript:

Title slide: FedRAMP Government Discussion. Matt Goodrich, FedRAMP Director. January 14, 2015.

Slide 1. FedRAMP Overview: Ensuring Secure Cloud Computing
- FedRAMP was established via OMB Memo in December
- FedRAMP is the first government-wide security authorization program for FISMA; it is mandatory for all agencies and all cloud services
- FedRAMP's framework is being modeled in other government security programs (mobile, data) and by other countries (Canada, UK, EU, China)
- FedRAMP's focus is to ensure the rigorous security standards of FISMA are applied while introducing efficiencies to the process for cloud systems, the key one being re-use
- Conservative cost savings estimate for FedRAMP is $40M for the government alone
[Diagram: Pre-FedRAMP vs. FedRAMP Model]

Slide 2. FedRAMP Overview: Current Statistics
Authorizations
- JAB P-ATOs: 15, including services from IBM, Microsoft, Akamai, HP, Lockheed Martin
- Agency ATOs: 11, including Amazon, AINs, USDA, Micropact, Salesforce
In-Process CSPs
- JAB P-ATO: 15, including services from Dell, SecureKey, Oracle, Amazon, Microsoft, IT-CNP, IBM
- Agency ATOs: 23, including Microsoft, Google, Adobe, IBM, Oracle, Verizon

Slide 3. Agency ATO Quick Guide

Slide 4. Agency ATO Guide: FedRAMP Security Assessment Framework
- The agency ATO process should follow the FedRAMP Security Assessment Framework (SAF)
- The SAF is based on the NIST Risk Management Framework
- The FedRAMP Security Assessment Framework is available at FedRAMP.gov on the Templates and Key Documents webpage

Slide 5. Agency ATO Guide: Timeline for the SAF
[Diagram: SAF timeline with four phases. Document (CSP supplied: SSP; NIST RMF steps 1, 2, 3), Assess (SAP, Testing, SAR; NIST RMF step 4), Authorize (POA&M; NIST RMF step 5), Monitor (ConMon Reports; NIST RMF step 6). Durations annotated for JAB P-ATOs and Agency ATOs: 9+ months, 5+ months, 3+ months.]

Slide 6. Agency ATO Guide: Considerations During SAF
Trusted Internet Connections (TIC)
- CSPs are required to support agency TIC implementations
  - CSPs do not host TIC components in their environments
Federal Information Processing Standard (FIPS) PUB
- CSPs are required to implement only FIPS PUB for all cryptographic implementations
  - External interfaces with Federal customers
Personal Identity Verification (PIV)
- Agencies are required to use PIV for multi-factor authentication
  - CSPs are required to support PIV as a multi-factor solution

Slide 7. Agency ATO Guide: Document Checklist – Templates Available
ATO Packages submitted to FedRAMP should include the following FedRAMP templates. The PMO will check these documents for completeness. FedRAMP Templates are available at FedRAMP.gov on the Templates and Key Documents webpage. We suggest that you use the Test Cases that we released in Excel format for public comment (…ent/rev-4-test-case-workbook).
FedRAMP Templates Available:
- FIPS 199
- Control Implementation Summary (CIS)
- System Security Plan
- Information System Security Policy
- User Guide
- E-Authentication Template
- Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA)
- Rules of Behavior (ROB)
- IT Contingency Plan
- Security Assessment Plan (SAP)
- Test Case Workbook
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
- ATO Letter
- Cert Letter

Slide 8. Agency ATO Guide: Document Checklist – Docs w/o Templates
Agency ATO Packages submitted to FedRAMP should include the following documents. The PMO will check these documents for completeness. The documents listed on this slide do not have a FedRAMP template.
No Template Available:
- Policies and procedures
- Business Impact Analysis
- Configuration Management Plan
- Incident Response Plan
- Interconnection Security Agreement (ISA / MOU)
- Penetration Test Plan

Slide 9. Agency ATO Guide: Granting an Authority to Operate (ATO)
- Once a review is complete, an authorization should be granted and provided to the FedRAMP PMO
- Authorization for Cloud Providers should not be tied to individual Applications or Platforms
  - CSPs are intended for multiple tenants, use by different customers
  - Authorizations should be viewed as building blocks
- For Microsoft packages, consuming agencies will need to leverage all of the packages that relate to the service being consumed
  - e.g. GFS, Azure, O365
- Customer Agencies will ALWAYS have some responsibility for controls
  - e.g. an agency will always have to enforce 2-factor authentication

Slide 10. Agency ATO Guide: Sample ATO and Cert Letter Template
Included with the authorization package should be a Certification Letter and ATO Memo detailing your agency's authorization. A sample Certification Letter is attached below. You can find the Sample FedRAMP ATO Memo Template at FedRAMP.gov on the Templates and Key Documents webpage.

Slide 11. FedRAMP Development Updates

Slide 12. FedRAMP Development Updates: High Baseline
Stakeholder Development
- CISO Organizations (DoD, VA, DHS, DOJ, HHS)
  - Represent 75% of all High Systems
- NIST Cloud Security Working Group
Path Forward
- Public Comment Period (two iterations)
- Internal Government vetting (in addition to wider public comment period)
- Release January 2015
- Finalization (tentative) by end of CY2015
[Chart: Number of Controls]

Slide 13. FedRAMP Development Update: Procurement Guidance
- OMB's FedRAMP Memo requires agencies to enforce FedRAMP via contractual provisions.
- Agencies are implementing FedRAMP via contractual provisions inconsistently and in ways that are overly restrictive.
- Agencies need more directed, specific, and authoritative guidance on how to appropriately include FedRAMP in their contracts.
- Working with OMB to develop joint OFPP and eGov guidance to agencies.
  - USG should foster a competitive marketplace of cloud providers, both new and established
  - Agencies must be willing to undertake authorizations as with any FISMA system, cloud and non-cloud

Slide 14. FedRAMP Development Update: FedRAMP Forward, Two-Year Priorities
FedRAMP Forward
- Provides stakeholders with the PMO's key objectives over the next two years.
- The plan prioritizes activities for thoughtful, deliberate, and effective growth.
- Addresses key program issues with a roadmap of regular outputs to keep stakeholders engaged and informed.
Key Outcomes
- Baseline metrics not restricted to PortfolioStat
- Training modules for FedRAMP
- FedRAMP agency working groups
- Creation of automation requirements
- Re-use of other industry standards within FedRAMP
- FedRAMP overlays that allow for compliance with other IT initiatives like TIC, IPv6, HSPD-12
- Creation of a high baseline