Risk
10/31/2013
11:50 AM
Nitin Pradhan
Nitin Pradhan
Commentary
Connect Directly
LinkedIn
Twitter
Facebook
RSS
E-Mail
100%
0%

Q&A: FedRAMP Director Discusses Cloud Security Innovation

Maria Roat, FedRAMP director, speaks with former Transportation Department CIO Nitin Pradhan on the federal government's approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Explain the concept of continuous monitoring after the CSP FedRAMP authorization is secured?

Roat: To receive reauthorization of a FedRAMP provisional authorization from year to year, CSPs must monitor their security controls through monthly, quarterly and annual assessments to demonstrate that the security posture of their service offering is continuously acceptable.

Ongoing assessment of security controls results in greater transparency into the security posture of the CSP system and enables timely risk-management decisions.

Security-related information collected through continuous monitoring is used to make recurring updates to the security assessment package. Ongoing review of security controls enables the security authorization package to remain current, which allows agencies to make informed risk management decisions as they use cloud services.

How does launching of new services/architecture affect existing CSP FedRAMP authorization?

Roat: Changes to the CSP's offerings that are within the scope of their system and their current FedRAMP P-ATO are handled through the continuous monitoring change control process. If the new offering or architectural change represents a significant change in the system, the CSP must determine the security impact of the change, notify their ISSO before implementing the change and complete a Significant Change Security Impact Analysis form.

The planned change is reviewed by the ISSO and then forwarded to the JAB for approval. All plans for significant changes should include rationale for making the change and plans for testing prior to implementation in production.

If any anticipated change adds residual risk, changes a leveraging agency's security posture or creates other risk exposure that the JAB finds unacceptable, the provisional authorization could be revoked. The P-ATO could also be revoked if the change is made without prior approval.

A CSP that launches a new service or a new architecture that is not in the scope of the FedRAMP P-ATO may be required to submit this new service for a separate FedRAMP JAB review.

Explain the role and responsibilities of the 3PAOs.

Roat: Third-party assessment organizations (3PAOs) perform initial and periodic assessment of the cloud service provider's systems according to FedRAMP requirements. They also provide evidence of compliance and play an ongoing role in ensuring CSPs continue to meet requirements. Once engaged with a CSP, 3PAOs develop security assessment plans, perform testing of cloud security controls and develop security assessment reports. FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

In the security assessment process, FedRAMP requires that CSP services and systems be assessed by an accredited 3PAO. Accredited 3PAOs are required to meet the ISO/IEC 17020:1998 standards for independence and managerial competence and meet FedRAMP requirements for technical FISMA competence through demonstrated expertise in assessing cloud-based solutions.

Are there any publicly available pricing, rating or backlog details available for the existing 3PAOs?

Roat: The pricing for the 3PAO's services is negotiated between the cloud service provider and the 3PAO and is not available through FedRAMP.

3PAOs are not rated; however, any complaints about performance are tracked through the accreditation process, and a lack of performance could result in the loss of the 3PAO's accreditation.

Explain the upcoming privatization and expansion of 3PAOs certification.

Roat: As outlined in the FedRAMP concept of operations and the 3PAO program description, the transition to a privatized accreditation body for 3PAO's was planned from the start of FedRAMP.

A2LA was selected through an open process for selecting accreditation bodies with the experience and knowledge to accredit 3PAOs that perform assessment of cloud systems.

A2LA is a signatory of the International Laboratory Accreditation Cooperation (ILAC) Mutual Recognition Arrangement (MRA). The MRA acts as an internationally recognized "stamp of approval" to demonstrate compliance against agreed standards and requirements.

Having A2LA as the accreditation body will allow for more in-depth analysis of 3PAO applicant's conformance to inspection and information security standards, making the process more rigorous. Having a privatized body also provides a means of costs savings, as the government does not have to provide the resources to perform the accreditation.

The FedRAMP PMO retains oversight and governance for the accreditation process including final approval of 3PAOs.

Previous
2 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
1/21/2014 | 8:35:33 PM
FedRAMP is changing the way industry looks at cloud security
Based on our latest report, it's clear FedRAMP is making an impact on cloud service providers. Read:Cloud Providers Align With FedRAMP Security Standards

 
WKash
50%
50%
WKash,
User Rank: Apprentice
11/1/2013 | 10:07:37 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
One thing not said here is that agencies can also win approval for P-ATO for selected proposals separate from the JAB. The JAB makes it easier for many agencies to adopt an approved cloud service.
WKash
50%
50%
WKash,
User Rank: Apprentice
10/31/2013 | 6:01:41 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
For anyone trying to understand what FedRAMP is, why it matters, and how it's changing the way security authorizations are getting done in #GovIT, this interview w/ @USGSA's director Maria Roat is a great primer.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?