Event ID: 2068327
Event Started: 1/8/2013 8:30:00 PM ----------
Please stand by for realtime captions.
>> Good afternoon, everyone. We will be starting shortly. If you're having technical difficulties, please call GoToWebinar at 800-263-6317. Select option number two, option one and option one. We will be starting shortly.
>> Good afternoon, everyone. This is Katie Lewin. I'm starting the webinar on the Federal Risk and Authorization Management Program: security testing and completing the package. Welcome, everyone, and thank you for taking the time to join us on the webinar. We will have two speakers today, myself, Katie Lewin, who is the Director of the federal computing program at GSA, and Matt Goodrich, who is the program manager for FedRAMP. This webinar is the fourth in a series of webinars that we've been conducting. We will be covering today the completion of the FedRAMP process, from security testing and documenting results to submitting a completed package to the FedRAMP secure repository. Specifically, the topics we're going to cover include the importance of the conformity assessment process in terms of picking an accredited independent assessor; the role of the third-party assessment organization, which we are also calling the independent assessor organization, in completing the security assessment and testing; planning for testing and documenting the results; how to remediate vulnerabilities found during testing; how to finalize your security authorization package for submission to the secure repository; and an overview of the lifecycle for that package. Those are the topics we are going to be talking about. If you have questions, please submit them as they arise using the chat function. We will be looking at the questions and answering them during the webinar. We'll try to respond to as many questions as possible, and those that we don't get to we will post on the frequently asked questions section of FedRAMP.gov.
>> Today's webinar will begin with a quick review of the list of topics, but I wanted to remind you what we're talking about. FedRAMP, which was launched in June of 2012, is a governmentwide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. I'm happy to say that since our last webinar we have granted our first [Indiscernible], and the documentation for that ATO is available in our secure repository.
>> Just as a review, we have had, as I said, three additional webinars. If you missed any of them, or if you want repeated topics, they are available on FedRAMP.gov under the news section, [Indiscernible] materials from past events. The slides and, I believe, the recording of the webinar are also available there.
>> Let's talk about where we are. I want to orient you to the two major topics we're going to be talking about in FedRAMP: assessment and testing, and submitting the packages to the FedRAMP secure repository, which in this diagram is step 1.3. This step requires that the service provider select an independent assessor to perform the assessment of their security environment. The independent assessor is responsible for developing the security assessment plan, performing the testing and documenting results in the security assessment report. Templates for these documents can be found on FedRAMP.gov. Vulnerabilities found in the assessment and a plan to fix these vulnerabilities are documented in the plan of action and milestones [Indiscernible]; again, templates are available at FedRAMP.gov.
>> The other topic that we are going to be talking about, in terms of FedRAMP and finalizing your [Indiscernible] service provider's documentation in the secure repository, is the finalization of the security assessment. That step occurs after testing has been completed. Documents are updated to reflect testing results, and security package documents are consolidated into a single package for submission to the secure repository. I believe Matt is going to talk about what that really looks like and how to do it. Most packages in the repository have either an agency-granted ATO or a FedRAMP provisional authorization, so most documents in the secure repository have either of those ATOs, though it is also an option for cloud service providers to submit a package strictly to the repository. FedRAMP will support the CSP in doing this with access to the secure repository and a secure, access-controlled [Indiscernible] of the website for CSPs to post their assessment packages. In addition, the FedRAMP project management office maintains a list of packages available in the secure repository and ensures that these packages remain secure and access to them is controlled.
>> Access to actual security assessment packages is limited to federal agencies that request permission from the FedRAMP PMO, and we posted, or will be posting very soon, a request form that agencies can complete to request access to specific CSP documentation and ATO documentation so they can review and determine whether or not they want to leverage the ATOs that reside on the FedRAMP secure repository. CSPs with packages in the repository are required to implement a continuous monitoring program and submit periodic updates. If you look at the documentation for FedRAMP you will be referred to the way continuous monitoring is operating right now, and you need to be on the alert, because DHS is also starting to develop additional requirements and tools to meet those requirements, and they will be issuing updates to their continuous monitoring requirements as they proceed.
>> Let's talk about [Indiscernible]; nothing confusing in that, and the authorization level in the secure repository. CSPs [Indiscernible] should use an independent assessor based on the category of the package, as illustrated in this chart. Packages submitted by a CSP without an ATO, which come directly from the CSP and do not have an ATO, and packages submitted to the FedRAMP project management office for review by the joint authorization board and granting of a provisional authorization: those two package types require an accredited independent assessor. A list of accredited independent assessors is available at FedRAMP.gov. Part of my presentation will be talking about what an accredited assessor is -- what that means and how they get an accreditation. Agencies have flexibility in using an accredited independent assessor. Use of an accredited independent assessor allows agencies to submit their ATO documentation to the repository with no additional documentation required; once the agency grants the ATO, the package of documentation is submitted to the repository, we will accept it and put it in a secure place on the repository. We encourage agencies to use accredited independent assessors. However, there is also the option for agencies to use an independent assessor that is not accredited under the FedRAMP program. If an agency does do this and they want to submit the documentation to the secure repository, they must submit an attestation describing the independence and technical qualifications of the non-accredited assessor. This is an additional step if you as an agency grant an ATO, do not use an accredited independent assessor, and want to house your documentation on the FedRAMP secure repository.
>> What do independent assessors do? Quickly, we are trying to standardize the term on independent assessors, which we've called 3PAOs, but the independent assessor really is responsible for the assessment by developing the assessment plan based on FedRAMP test cases and the types of servers, applications and databases that make up the system. They must ensure that the test plan results present an unbiased and accurate picture of the security implementation within the system, and they have to demonstrate independence, in that they are not developing the system or preparing security documentation for the same system they are assessing. I think that's the point of this slide we have posted right now. Independence, and the demonstration thereof, is the most important, or one of the most important, factors in the integrity of the FedRAMP process. So, independent assessors: the reason we are changing the term is because we want to make sure that CSPs and agencies understand that the assessment is to be independent and is not based on additional business or projects that they have concerning a particular system that they are assessing. CSPs are free to hire another organization that calls itself an independent assessor to prepare security documentation. But they cannot be the same one, the same organization, that is performing the assessment. Something to keep in mind is that if the CSP wants to hire an outside consultant to assist in the preparation of the documentation, the outside consultant does not have to be an accredited independent assessor, and that may give a little more flexibility in terms of the organization that the CSP might want to use to help them prepare for the assessment under FedRAMP.
>> Third-party assessment organizations are accredited under something called conformity assessment. The overriding reason for the requirement to use an independent assessor is, as I said before, to ensure that the CSP meets the FedRAMP security requirements and that this assurance is issued or documented by an independent organization. So how are these independent assessors accredited? We talked about this several times when we were first rolling FedRAMP out, but it probably bears repeating that we use a process called conformity assessment that was developed by NIST. NIST uses this conformity assessment process across a vast range of products and services, everything from literally posters to medical records under aged just controlled. It is a very flexible process; it is customizable, but it is based on standards and processes that have been proven. The conformity assessment process evaluates the technical and managerial competence of the independent assessor organization and ensures that they understand and implement the requirement for independence. So that's one of the most important factors. Independent assessors must all be accredited organizations.
>> This is a list of the accredited third-party assessment organizations; you can find the list on FedRAMP.gov under the accredited 3PAO link. This is a rolling admission process, so there is no closing date by which an organization must apply to become an accredited independent assessor. We started out with nine and we are now up to [Indiscernible]; we will be adding more organizations as they pass the conformity assessment process.
>> What's the relationship between the 3PAO and the cloud service provider? The relationship is primarily between the two parties, so the FedRAMP project management office really does not have a role in that relationship. The CSPs for the most part hire [Indiscernible - Audio cutting out]; we do not make recommendations among the list of accredited independent assessors. We feel that the list of accredited independent assessors is recommendation enough, and CSPs can pick from that list an organization that will best suit their needs. One suggestion that we have is that the CSP might want to interview multiple [Indiscernible - Audio cutting out] work that an independent assessor organization can respond to, either verbally or in writing, about how they would approach the assessment task. Another couple of pointers in terms of how to pick an independent assessment organization: you probably, as a CSP, want to ask the assessment organization about their experience, obviously the resources they are going to bring to [Indiscernible - Audio cutting out] that would meet the environment that you need assessed, maybe an estimate of the time required, and obviously an understanding of what the requirements are. I think that it is fairly easy to do that because the requirements are well laid out on the FedRAMP.gov website. Once the CSP chooses their independent assessor, they must formally notify the FedRAMP program [Indiscernible - Audio cutting out] your independent assessor [Indiscernible - Audio cutting out] to notify our office, and we will then say yes, proceed. CSPs submitting packages at other review levels do not need permission to test for FedRAMP; in other words, if you're going for an agency ATO you don't have to get permission from the FedRAMP office to proceed with testing. I'm going to turn it over to Matt, and he's going to talk about [Indiscernible - Audio cutting out]
>> -- and how to choose the assessor to do that. Let's put it into action. How do you begin the testing phase to demonstrate your compliance with the FedRAMP security controls? The 3PAO you select will develop the security assessment plan, which we refer to as the SAP. It defines the scope of the assessment and identifies the components that will be included in the assessment: hardware, software, databases, applications and physical facilities. It also describes the testing methodology and provides the test cases used for the assessment. The SAP contains a schedule outlining the timeline and the rules of engagement for the test. The rules of engagement describe notification and disclosure between the CSP and 3PAO, include a listing of components to be included in and excluded from testing, and provide instructions on how the results of the assessment are to be encrypted and transmitted to the CSP. -- signify agreement on the terms.
>> Even though the 3PAO manages and completes the testing, the CSP should prepare ahead of time to ensure the testing goes as smoothly as possible. This means CSPs have a little bit of work to do. CSPs should give the 3PAO distinct points of contact, actual people, not a general office number or support number. The CSP should provide at least three contacts, and at least one of those contacts should be at an operations center, such as a [Indiscernible], that is staffed 24/7. The schedule for performing scans or penetration testing shouldn't be a surprise to the CSP. The 3PAO and CSP should discuss the testing schedule so the CSP can ensure the 3PAO will have appropriate access to the CSP environment and personnel as needed to complete testing. As a part of this, the 3PAO should provide the CSP with a list of the IP addresses where scans will originate from, so the testing [Indiscernible] as a malicious attack. Additionally, the 3PAO will need access to facilities to assess physical and environmental controls. The CSP should provide a list of the facilities, along with their addresses, to the 3PAO. CSPs should also ensure the staff [Indiscernible] know when to expect the 3PAO to be on-site to perform testing. This means that if there is information needed to grant a 3PAO access to the facilities, the CSP should inform the 3PAO of these requirements ahead of time. Finally, the CSP and 3PAO need to review and sign off on the rules of engagement. These rules govern how the test is to be conducted, and by completing them before beginning the testing, both parties prevent any interruption of the CSP's service. The rules of engagement are negotiable and should be reviewed by the General Counsel of both the 3PAO and the CSP.
>> After the 3PAO has followed the SAP and tested the system, the 3PAO must develop a security assessment report, referred to as the SAR. The SAR documents the test findings, and for these findings the 3PAO will provide analysis of the test results to determine the risk exposure of the CSP. The SAR also highlights ways for the CSP to mitigate the security weaknesses found during testing. Since the SAR is a report on the overall risk of the CSP system, the document serves as the primary document that the JAB will review to make the decision on granting an authorization. While the 3PAO has sole responsibility for writing the SAR, we do recommend that the CSP and 3PAO schedule time to review the initial draft to ensure its accuracy before the SAR is finalized.
>> After finalizing the SAR, the CSP uses the vulnerabilities and recommendations in the SAR to create a plan of action and milestones, also referred to as the POA&M. The POA&M provides a detailed plan with a schedule of how the CSP plans to address and fix all vulnerabilities found during the testing phase.
>> The POA&M template contains an embedded Excel spreadsheet that CSPs should use to track and manage the POA&M items. In the spreadsheet the CSP will have unique IDs for each POA&M item, a description of what the weakness is that was found during testing, and details about when and how the POA&M item will be closed. The POA&M will be updated on a continual basis during the course of the security authorization and -- once every quarter. But it may be updated any time to reflect the addition of new vulnerabilities or the closing of a POA&M item. Subsequent workbooks in the POA&M are used to track open and new items during POA&M updates.
>> A few things to remember when developing your POA&M: one, all findings must map to a POA&M item. This is accomplished by giving each POA&M item a unique identifier which pairs with the respective SAR finding. False positives should be clearly marked in the SAR but do not need to be identified in the POA&M, as there is no remediation needed for a false positive. The CSP must remediate all high severity vulnerabilities before the --; moderate vulnerabilities must also be remediated within 90 days after receiving a provisional authorization.
>> After finalizing the SAR and POA&M, it is time to compile and submit your package. The final package will include the control tailoring workbook, which identifies the controls that have been adapted by the CSP, and the control implementation summary, [Indiscernible] who is responsible for a security control. These two documents are helpful for agencies leveraging the authorization because they detail, in a summary fashion, what the customer's responsibility is as an agency using the CSP service, as well as what the CSP does in meeting the security controls. The next document is the system security plan, the SSP.
>> This is the core document for the security authorization. It describes the system and the security controls used to protect the system. Also, supporting documents that may include things like the contingency plan, which details how the system recovers in case of a disruption of service; the configuration management plan, which identifies how the CSP makes changes to their operating environment; and the incident response plan, which explains their actions and response to security incidents. The focus of this webinar is on the final documents needed to complete the package: the security assessment plan, describing the assessment methodology followed by the 3PAO to test the controls; the security assessment report, the evidence and analysis and report on implementation of the controls; and the POA&M, the corrective action by the provider to change or implement security controls based on the independent assessment. The last and final document is a self-attestation or declaration of conformity, which states that the package represents a true and accurate depiction of the system.
>> Before submitting documentation, CSPs should review the documents, with special focus on the system security plan, and ensure they are up to date and reflect any changes made either in remediating vulnerabilities or in response to findings. Updates to all documents should include adding sensitivity markings on the cover page and in the footer of each document. You may change the existing sensitivity marking on a template to match your official company sensitivity nomenclature if it is different from what's on the template. Sensitivity markings may also be placed in the headers of any document and in any other place in a document that you feel requires sensitivity labeling. Depending on the assessment level of your package, either the PMO or the FedRAMP ISSO will work with the CSP and provide instructions on access and uploading the package to the FedRAMP secure repository. CSPs should be aware that federal agencies interested in acquiring the services will be able to request access to the secure repository to review the CSP package.
>> Once a CSP has finalized the other documents and double-checked them for accuracy, the last step is for the CSP to include a self-attestation declaration of conformity letter. This letter attests and verifies that the system conforms to the FedRAMP requirements based on the assessment results and also certifies that all of the required controls are working. FedRAMP provides the declaration of conformity letter template on pages 6 and 7 of the self-attestation template on FedRAMP.gov. CSPs should fill in the company name and address, fill in the system name, and then have an authorized company official sign and date it. The declaration of conformity is a document in which the CSP underwrites and certifies that all information submitted to FedRAMP is complete and accurate.
>> How does an agency use the security authorization packages? Agencies interested in leveraging a package will be able to search the repository for services that meet their requirements. Only federal agencies will be able to request access to security packages in the repository. Vendors' access to the secure repository is limited to the area for storing their own respective documentation.
>> To access a package listed in the repository, the user at the agency must complete a FedRAMP package access request form and have their [Indiscernible] submit the form to the FedRAMP PMO. After FedRAMP receives the form, the PMO will perform a review and provide notification of accepting or rejecting the request.
>> To leverage the package, agencies must implement the customer responsibility controls and grant an agency ATO. CSPs with packages in the secure repository are required to maintain a continuous monitoring program, which provides -- control implementation, -- resolution and annual retesting. Details about continuous monitoring are available on FedRAMP.gov in the FedRAMP continuous monitoring strategy and guide.
>> In summary, the perform testing step of the FedRAMP process introduces the independent assessor to FedRAMP. CSPs must use an independent assessor to plan the test and develop the SAP, perform the assessment, and document the findings of that assessment in the SAR. This is required for the FedRAMP -- security control baseline. CSPs must use an independent assessor to provide an independent assessment of the CSP system. Agencies have flexibility in selecting their independent assessor -- use of the FedRAMP accredited 3PAO -- accreditation program ensures -- independence, [Indiscernible - Audio cutting out]
>> Or entity -- often a 30 on assigning severity to findings in the JAB -- signed by independent [Indiscernible - Audio cutting out] -- vendor -- [Indiscernible - Audio cutting out] coming to a mutually agreeable decision on whether the 3PAO can justify what the JAB finds acceptable as well.
>> What is the formal paper-based responsibility of the agency leveraging a CSP package? Does the agency need to go through each CSP SSP for all the customer controls, or is there an agency-oriented ATO form? We do not have an agency-oriented ATO form. It is up to each agency how they want to leverage the documentation and provide for their own implementation of security controls; that is the responsibility of the agency.
>> How many CSPs have started the FedRAMP process? We have in excess of 80 applications from CSPs; however, one of the [Indiscernible] is how many this really translates to in readiness, so every one of those applicants has been contacted and we've done a readiness assessment with them to see how ready they are to provide the documentation that's necessary to get an ATO.
>> A question that closely relates to this: what kind of range of time frame should be expected to go through the process, and what are the key drivers? The best way to say it is that the fastest review time the government can do, for the PMO and JAB to finalize documents, is roughly 10 weeks, about eight to 10 weeks, and that's if we have all the documentation. The key driver is really the level of detail and readiness of the CSP when they come and submit documents. Testing normally takes four to five days; that's usually the average amount of time to do that and finalize documents, and that's even after you have created your SSP, so if your SSP is not in perfect shape when it comes to us you'll be working with the FedRAMP team to update those documents. A reasonable time frame, the fastest we have likely seen, is in the six-month time frame at this point in time. That can go longer depending on where a CSP is in actual readiness when they come to FedRAMP.
>> We have three questions about the requirement to use an accredited independent third-party assessor, and I will go over that again because it is somewhat confusing. If you're submitting a package for a JAB ATO -- board, you must use an accredited independent assessor. If you are a CSP who does not have a client at this time but wants to get your documentation into the secure repository, you must use an accredited third-party assessor. Flexibility comes in if you are getting your ATO through an agency. If the agency does not want to use an accredited third-party assessor, there still has to be an assessment and it has to be independent; that's not new, that's not a new requirement, it has always been that way. However, agencies can choose not to use an accredited independent assessor. If they do and they want to send the documentation to the secure repository, then the agency must attest as to the qualifications and the independence of that third-party assessor. We recommend that that be the least traveled path. It is probably easier for everyone to use an accredited third-party assessor. However, there is that option.
>> How long does it take for a 3PAO to get approved once their application is submitted? Right now we are seeing an average turnaround time frame for the first review of an application of around two months.
>> That's also on a rolling basis, so some of those take less time as they update their application or need clarifications.
>> Can [Indiscernible] inquire as to which agencies have been granted access to their package in the repository?
>> We would basically supervise that and pass that back to the CSP. It will likely be something in a regular relay of information in terms of how many people have reviewed the documents, but it is unlikely that CSPs will get direct contact information for every person reviewing the documents.
>> For the six-month time frame, I imagine that was from the time a CSP turned in their SSP to when the [Indiscernible] was granted? Yes. It is not from the time the test results were completed; that would be prohibitively long. Actually, the whole process is approximately six months; again, readiness is the key to the speed and accuracy with which this process is conducted, so the more ready a CSP is with the required level and detail of documentation, the quicker this process will go.
>> Right, to add something else, this is part of the question that arose about from when test results are completed. The fastest part is what we just went over today: once the SAR is finalized, all of the documentation should be finalized, and at that point we are really doing just a risk review, not getting your documentation finalized. So part of that is, once testing is complete, there is a summary period to make sure you have everything documented correctly, so that when you get to testing and test results come in, on the other side we've already reached the [Indiscernible] in your testing.
>> What are the most common hurdles and challenges for companies going through FedRAMP, and what do you recommend for other companies? Right now, at the beginning of this process, it is still an initial -- capabilities; I know Matt will have more detail, but I would say that right now there is really a pattern of things that are challenging to CSPs. For the most part, lots of CSPs have different challenges. For example, some have problems with their SSP, others have trouble with their boundaries, in other words, defining them so that the reviewers can understand them. We are saying we will be putting out best practices and lessons learned, but right now we really don't have enough data to make blanket statements about things that are particularly worrisome or difficult for every CSP as they apply.
>> I would say that something that has held very true as we've been going forward is Section 4.3 of the guide Understanding FedRAMP, or 4.1 -- the capabilities checklist. That gives you 12 points that you should check to see if you're ready to move to FedRAMP and get a provisional authorization. Key things in there are a description of how you do [Indiscernible] authentication, what type of encryption you do, particularly if it is -- validated modules approved by -- it has to be FIPS validated. Also a description of your boundary, and particularly your interconnection security: are you using any corporate environment to do anything with part of your services, and really understanding all about that and having a clear -- I think -- recognition that we've seen that's been beneficial to some companies has been -- helping to develop your SSP before you get to the testing phase, because that's been awful for some people that have -- invested money that -- something that has proven to be very helpful [Indiscernible]
>> This is -- if we are reviewing an SSP -- back, correct, when we could -- but after we issue an ATO? If you're reviewing an SSP -- package that's for an agency ATO, you can engage with us as soon as you would like to, in order to help make sure you're meeting the requirements and going forward with an agency ATO. We have resources so that we can ensure that you are doing that correctly. If you're going for a JAB authorization, you'll be working with us as soon as you want to leverage, because you have to go through us to get access to that documentation.
>> Are there site visits from the 3PAO? One thing that's different from how we are doing control testing for FedRAMP and what a lot of agencies do: there is still a three-year requirement for how long an ATO is valid. Under [Indiscernible], a lot of agencies have made the practice of just retesting the controls, one third, one third, one third. FedRAMP has a different approach, to look at the controls that are most likely to need to be retested due to either there being a lot of POA&Ms or just areas of the CSP environment that we think warrant retesting every year. It is unclear if it would require site visits for some of those or all; that will have to be assessed, but it is something that will be -- basis depending on the CSP environment and their system.
>> Can a list of already approved cloud service providers be shared with agencies, rather than -- for each agency wishing to leverage their service? Excellent question. Right now FedRAMP has granted a provisional ATO to one company, [Indiscernible], because the documentation is residing in the secure repository. The process for an agency to leverage the services is the following: they would get permission from us to access the documentation, review it, I assume -- would be the one reviewing it, and then they would determine whether or not they would want to accept the risk of deploying [Indiscernible] resources as described in the security assessment documentation for FedRAMP. We assume, for the most part, that if the ATO is granted by the joint authorization board, that means they have passed the rigor of GSA, DHS and DOD. If agencies feel that one or two more controls need to be tested and added to the requirements in order to deploy that particular product or service, they can do so. But agencies do not have to completely re-conduct the security assessment; they can accept the documentation and the associated risk directly from the FedRAMP joint authorization board.
>> Another one from a federal agency: does FedRAMP apply to agencies, or is it geared toward companies who wish to offer cloud services to government agencies? No, FedRAMP is applicable to both private and public entities alike. Government agencies who offer cloud services to other government agencies, if it is a cloud service, have to be FedRAMP compliant by June of 2014. So yes, you would need to update to meet the FedRAMP requirements.
>> It looks like most of our questions have been answered. Thank you for joining us today. Looking forward to seeing you on our next webinar.
>> [Event concluded]