Risk | Commentary
10/31/2013 11:50 AM
Nitin Pradhan

Q&A: FedRAMP Director Discusses Cloud Security Innovation

Maria Roat, FedRAMP director, speaks with former Transportation Department CIO Nitin Pradhan on the federal government's approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Explain the concept of continuous monitoring after a CSP's FedRAMP authorization is secured.

Roat: To receive reauthorization of a FedRAMP provisional authorization from year to year, CSPs must monitor their security controls through monthly, quarterly and annual assessments to demonstrate that the security posture of their service offering is continuously acceptable.

Ongoing assessment of security controls results in greater transparency into the security posture of the CSP system and enables timely risk-management decisions.

Security-related information collected through continuous monitoring is used to make recurring updates to the security assessment package. Ongoing review of security controls enables the security authorization package to remain current, which allows agencies to make informed risk management decisions as they use cloud services.

How does the launch of new services or architecture affect an existing CSP FedRAMP authorization?

Roat: Changes to the CSP's offerings that are within the scope of their system and their current FedRAMP P-ATO are handled through the continuous monitoring change control process. If the new offering or architectural change represents a significant change in the system, the CSP must determine the security impact of the change, notify their ISSO before implementing the change and complete a Significant Change Security Impact Analysis form.

The planned change is reviewed by the ISSO and then forwarded to the JAB for approval. All plans for significant changes should include rationale for making the change and plans for testing prior to implementation in production.

If any anticipated change adds residual risk, changes a leveraging agency's security posture or creates other risk exposure that the JAB finds unacceptable, the provisional authorization could be revoked. The P-ATO could also be revoked if the change is made without prior approval.

A CSP that launches a new service or a new architecture that is not in the scope of the FedRAMP P-ATO may be required to submit this new service for a separate FedRAMP JAB review.

Explain the role and responsibilities of the 3PAOs.

Roat: Third-party assessment organizations (3PAOs) perform initial and periodic assessment of the cloud service provider's systems according to FedRAMP requirements. They also provide evidence of compliance and play an ongoing role in ensuring CSPs continue to meet requirements. Once engaged with a CSP, 3PAOs develop security assessment plans, perform testing of cloud security controls and develop security assessment reports. FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

In the security assessment process, FedRAMP requires that CSP services and systems be assessed by an accredited 3PAO. Accredited 3PAOs are required to meet the ISO/IEC 17020:1998 standards for independence and managerial competence and meet FedRAMP requirements for technical FISMA competence through demonstrated expertise in assessing cloud-based solutions.

Are there any publicly available pricing, rating or backlog details available for the existing 3PAOs?

Roat: The pricing for the 3PAO's services is negotiated between the cloud service provider and the 3PAO and is not available through FedRAMP.

3PAOs are not rated; however, any complaints about performance are tracked through the accreditation process, and a lack of performance could result in the loss of the 3PAO's accreditation.

Explain the upcoming privatization and expansion of 3PAO certification.

Roat: As outlined in the FedRAMP concept of operations and the 3PAO program description, the transition to a privatized accreditation body for 3PAOs was planned from the start of FedRAMP.

A2LA was selected through an open process for selecting accreditation bodies with the experience and knowledge to accredit 3PAOs that perform assessment of cloud systems.

A2LA is a signatory of the International Laboratory Accreditation Cooperation (ILAC) Mutual Recognition Arrangement (MRA). The MRA acts as an internationally recognized "stamp of approval" to demonstrate compliance against agreed standards and requirements.

Having A2LA as the accreditation body will allow for more in-depth analysis of 3PAO applicants' conformance to inspection and information security standards, making the process more rigorous. Having a privatized body also provides a means of cost savings, as the government does not have to provide the resources to perform the accreditation.

The FedRAMP PMO retains oversight and governance for the accreditation process including final approval of 3PAOs.

Comments
WKash, User Rank: Apprentice, 1/21/2014 | 8:35:33 PM
FedRAMP is changing the way industry looks at cloud security
Based on our latest report, it's clear FedRAMP is making an impact on cloud service providers. Read: Cloud Providers Align With FedRAMP Security Standards

WKash, User Rank: Apprentice, 11/1/2013 | 10:07:37 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
One thing not said here is that agencies can also win approval for P-ATO for selected proposals separate from the JAB. The JAB makes it easier for many agencies to adopt an approved cloud service.

WKash, User Rank: Apprentice, 10/31/2013 | 6:01:41 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
For anyone trying to understand what FedRAMP is, why it matters, and how it's changing the way security authorizations are getting done in #GovIT, this interview w/ @USGSA's director Maria Roat is a great primer.