fed ramp agency_implementation_webinar

Federal Risk and Authorization Management Program (FedRAMP) Agency Implementation of FedRAMP May 2, 2013

Upload: tuan-phan

Posted on 25-May-2015


DESCRIPTION

The FedRAMP PMO discussed how HHS was able to incorporate FedRAMP policies and procedures into its cybersecurity practice.

TRANSCRIPT

Page 1: Fed ramp agency_implementation_webinar

Federal Risk and Authorization Management Program (FedRAMP)

Agency Implementation of FedRAMP May 2, 2013

Page 2

Participants will…

• Understand what agencies must do in order to comply with FedRAMP requirements

• See an example of how HHS has implemented FedRAMP into agency-wide policy


Page 3

What is FedRAMP?


FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.

Page 4

FedRAMP Policy Memo


OMB Policy Memo December 8, 2011

• Mandates FedRAMP compliance for all cloud services used by the Federal government
  – All new services acquired after June 2012
  – All existing services by June 2014

• Establishes Joint Authorization Board
  – CIOs from DOD, DHS, GSA
  – Creates the FedRAMP requirements

• Establishes PMO
  – Maintained at GSA
  – Establishes FedRAMP processes for agency compliance
  – Maintains 3PAO program

Page 5

FedRAMP Policy Framework


Policy flow: eGov Act of 2002 (includes FISMA) → OMB A-130, NIST SP 800-37, 800-137, 800-53 → FedRAMP Security Requirements → Agency ATO

• eGov Act of 2002 includes the Federal Information Security Management Act (FISMA): Congress passes FISMA as part of the 2002 eGov Act.

• OMB A-130; NIST SP 800-37, 800-137, 800-53: OMB A-130 provides policy, and the NIST Special Publications provide the risk management framework.

• FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing a common cloud computing baseline that supports risk-based decisions.

• Agency ATO: Agencies leverage the FedRAMP process; heads of agencies understand and accept risk and grant ATOs.

Page 6

Cloud System Compliant with FedRAMP

• Agencies must authorize cloud systems using the FedRAMP process. This includes:
  – Ensuring the security package has been created using the required FedRAMP templates (SSP, SAP, SAR)
  – Using the FedRAMP security control baseline and addressing ALL controls in that baseline
  – Using an independent assessor to test the system

• The security package for the cloud system authorization has been submitted to the FedRAMP PMO for listing in the repository

• An authorization letter for the system is on file with the FedRAMP PMO


June 2014: All Cloud Projects Must Meet FedRAMP Requirements

Page 7

How Should Agencies Implement FedRAMP?

• The OMB Memo requires Agencies to ensure all cloud services they use meet the FedRAMP security authorization requirements.

• Agencies have many options to enforce this at an agency level:
  – Agency-wide policy mandating FedRAMP
    • Can be through Administrator, CIO, or CISO
  – Create an Agency FedRAMP Standard Operating Procedure
    • Can be through CIO or CISO
  – Update existing Agency security processes to reflect FedRAMP requirements

• Agencies should be able to demonstrate to OMB how they are implementing FedRAMP into agency processes


Page 8

Agency Example: HHS

• HHS recently released an Agency FedRAMP Standard Operating Procedure

• Released through HHS CISO

• Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements


Page 9

HHS SOP: Define Actors

• Who is doing what?

• What are the responsibilities of team members?

• What is the hierarchy for decision making?


Who Will Be Involved?

Page 10

HHS SOP: Authorization Process

• Detail how actors will authorize a CSP

• Integrate FedRAMP requirements into the authorization process

• Should align with current agency processes
  – HHS created a new SOP specifically for FedRAMP
  – Agencies can choose to update/modify/revise current SOPs or policies for security authorizations to reflect cloud systems.


How will FedRAMP Requirements Be Met?

Page 11

HHS SOP: Submission to FedRAMP


• Worked with the FedRAMP Team to ensure the standard process aligns with PMO expectations

• Consistent with the FedRAMP CONOPS

• Includes details about initial documentation as well as periodic updates

How will the Agency provide authorization to FedRAMP?

Page 12

HHS SOP: Additional Guidance


• Add guidance in appendices to help consistency in authorizations

• Can provide additional information for agency policies relating to:
  – Risk acceptability criteria
  – Checklists for completion
  – Hierarchy of issue resolutions
  – SMEs for particular areas of focus (e.g. credentialing, encryption, etc.)

Additional Agency Guidance for Authorizations

Page 13

Summary

• Agencies must ensure they authorize all cloud services using the FedRAMP requirements

• Many options to enforce this.

• One example of implementing this agency-wide is HHS’s FedRAMP SOP.
  – Not overly complex
  – Details roles, process, providing docs to FedRAMP, and gives additional guidance.


The FedRAMP office is available to review and assist agencies in creating agency-wide policies and SOPs for implementing FedRAMP.

Page 14

www.FedRAMP.gov

Email: [email protected]

For more information, please contact us or visit the following website:

@FederalCloud
