Tuesday, November 9, 2010

Federal Risk and Authorization Management Program (FedRAMP)

On November 2, 2010 the CIO.gov (http://cio.gov/pages-nonnews.cfm/page/Federal-Risk-and-Authorization-Management-Program-FedRAMP) announced the FedRAMP program. Its purpose is to “…provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.”

At this time FedRAMP is a proposal. It was authored by National Institute of Standards and Technology (NIST); the General Services Administration (GSA); the CIO Council and working bodies such as the Information Security and Identity Management Committee (ISIMC). FedRAMP was signed off by Vivek Kundra, the US Chief Information Officer.

The FedRAMP is designed to solve the security authorization problems for cloud computing. FedRAMP will provide a unified government-wide risk management process for cloud computing systems.

FedRAMP Security Controls & Enhancements:
1. Access Control Policy and Procedures
2. Account Management
3. Access Enforcement
4. Information Flow Enforcement
5. Least Privilege
6. Unsuccessful Login Attempts
7. System Use Notification
8. Concurrent Session Control
9. Session Lock
10. Permitted Actions Without Authentication
11. Security Attributes
12. Remote Access
13. Wireless Access
14. Access Control for Mobile Devices
15. Use of External Information Systems
16. User-Based Collaboration and Information Sharing
17. Publicly Accessible Content
18. Security Awareness and Training Policy 
19. Security Awareness
20. Security Training
21. Security Training Records
22. Contacts With Security Groups and Associations
23. Audit and Accountability Policy and Procedures
24. Auditable Events
25. Content of Audit Records
26. Audit Storage Capacity
27. Response to Audit Processing Failures
28. Audit Review, Analysis, and Reporting
29. Audit Reduction and Report Generation
30. Time Stamps
31. Protection of Audit Information
32. Non-Repudiation
33. Audit Record Retention
34.        Audit Generation
35. Security Assessment and Authorization Policies 
36. Security Assessments
37. Information System Connections
38. Plan of Action and Milestones
39. Security Authorization
40. Continuous Monitoring
41. Configuration Management Policy and Procedures
42. Baseline Configuration
43. Configuration Change Control
44. Access Restrictions for Change
45. Configuration Settings
46. Least Functionality
47. Information System Component Inventory
48. Configuration Management Plan
49. Contingency Planning Policy and Procedures
50. Contingency Plan
51. Contingency Training
52. Contingency Plan Testing and Exercises
53. Alternate Storage Site
54. Alternate Processing Site
55. Telecommunications Services
56. Information System Backup
57. Information System Recovery 
58. Reconstitution
59. Identification and Authentication Policy 
60. Device Identification and Authentication
61. Identifier Management
62. Authenticator Management
63. Authenticator Feedback
64. Cryptographic Module Authentication
65. Incident Response Policy and Procedures
66. Incident Response Training
67. Incident Response Testing and Exercises
68. Incident Handling
69. Incident Monitoring
70. Incident Reporting
71. Incident Response Assistance
72. Incident Response Plan
73. System Maintenance Policy and Procedures
74. Controlled Maintenance
75. Maintenance Tools
76. Non-Local Maintenance
77. Maintenance Personnel
78. Timely Maintenance
79. Media Protection Policy and Procedures
80. Media Access
81. Media Marking
82. Media Storage
83. Media Transport
84. Media Sanitization
85. Physical and Environmental Protection Policy 
86. Physical Access Authorizations
87. Physical Access Control
88. Access Control for Transmission Medium
89. Access Control for Output Devices
90. Monitoring Physical Access
91. Visitor Control
92. Access Records
93. Power Equipment and Power Cabling
94. Emergency Shutoff
95. Emergency Power
96. Emergency Lighting
97. Fire Protection
98. Temperature and Humidity Controls
99. Water Damage Protection
100. Delivery and Removal
101. Alternate Work Site
102. Location of Information System Components
103. Security Planning Policy and Procedures
104. System Security Plan
105. Personnel Security Policy and Procedures
106. Position Categorization
107. Personnel Screening
108. Personnel Termination
109. Personnel Transfer
110. Access Agreements
111. Third-Party Personnel Security
112. Risk Assessment Policy and Procedures
113. Risk Assessment 
114. Vulnerability Scanning
115. System and Services Acquisition Policy
116. Acquisitions
117. Information System Documentation
118. Software Usage Restrictions
119. User-Installed Software
120. External Information System Services
121. Developer Configuration Management
122. Developer Security Testing
123. Supply Chain Protection
124. System and Communications Protection
125. Denial of Service Protection
126. Boundary Protection
127. Transmission Confidentiality
128. Network Disconnect
129. Trusted Path
130. Cryptographic Key Establishment Management
131. Collaborative Computing Devices
132. Public Key Infrastructure Certificates
133. Mobile Code
134. Voice Over Internet Protocol
135. Provisioning for Name/Address Resolution
136. Thin Nodes/Thin Clients
137. Operating System-Independent Applications
138. Virtualization Techniques
139. System and Information Integrity Procedures
140. Flaw Remediation
141. Malicious Code Protection
142. Information System Monitoring
143. Security Alerts, Advisories, and Directives
144. Security functionality verification
145. Software and Information Integrity
146. Spam Protection
147. Information Input Validation
148. Error Handling
149. Information Output
150. Handling and Retention


The complexity of assuring compliance with FedRAMP security controls makes it necessary to create a Federal risk management process. If more than a dozen of vendors wish to comply with the security requirements it will take a massive effort to obtain and then to verify certification of compliance. It is not clear how the Department of Defense can manage such a transition.

It will be difficult to obtain a Federal certificate of security compliance for the 700+ large Department of Defense data centers that would ultimately migrate into cloud computing. The only viable solution is to proceed with massive consolidations of data centers.  The governance and the budget funding to accomplish such a restructuring are not in place as yet.

No comments:

Post a Comment

For comments please e-mail paul@strassmann.com