Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/31/2013
11:50 AM
Nitin Pradhan
Nitin Pradhan
Commentary
Connect Directly
Facebook
LinkedIn
Twitter
RSS
E-Mail
100%
0%

Q&A: FedRAMP Director Discusses Cloud Security Innovation

Maria Roat, FedRAMP director, speaks with former Transportation Department CIO Nitin Pradhan on the federal government's approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Explain the concept of continuous monitoring after the CSP FedRAMP authorization is secured?

Roat: To receive reauthorization of a FedRAMP provisional authorization from year to year, CSPs must monitor their security controls through monthly, quarterly and annual assessments to demonstrate that the security posture of their service offering is continuously acceptable.

Ongoing assessment of security controls results in greater transparency into the security posture of the CSP system and enables timely risk-management decisions.

Security-related information collected through continuous monitoring is used to make recurring updates to the security assessment package. Ongoing review of security controls enables the security authorization package to remain current, which allows agencies to make informed risk management decisions as they use cloud services.

How does launching of new services/architecture affect existing CSP FedRAMP authorization?

Roat: Changes to the CSP's offerings that are within the scope of their system and their current FedRAMP P-ATO are handled through the continuous monitoring change control process. If the new offering or architectural change represents a significant change in the system, the CSP must determine the security impact of the change, notify their ISSO before implementing the change and complete a Significant Change Security Impact Analysis form.

The planned change is reviewed by the ISSO and then forwarded to the JAB for approval. All plans for significant changes should include rationale for making the change and plans for testing prior to implementation in production.

If any anticipated change adds residual risk, changes a leveraging agency's security posture or creates other risk exposure that the JAB finds unacceptable, the provisional authorization could be revoked. The P-ATO could also be revoked if the change is made without prior approval.

A CSP that launches a new service or a new architecture that is not in the scope of the FedRAMP P-ATO may be required to submit this new service for a separate FedRAMP JAB review.

Explain the role and responsibilities of the 3PAOs.

Roat: Third-party assessment organizations (3PAOs) perform initial and periodic assessment of the cloud service provider's systems according to FedRAMP requirements. They also provide evidence of compliance and play an ongoing role in ensuring CSPs continue to meet requirements. Once engaged with a CSP, 3PAOs develop security assessment plans, perform testing of cloud security controls and develop security assessment reports. FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

In the security assessment process, FedRAMP requires that CSP services and systems be assessed by an accredited 3PAO. Accredited 3PAOs are required to meet the ISO/IEC 17020:1998 standards for independence and managerial competence and meet FedRAMP requirements for technical FISMA competence through demonstrated expertise in assessing cloud-based solutions.

Are there any publicly available pricing, rating or backlog details available for the existing 3PAOs?

Roat: The pricing for the 3PAO's services is negotiated between the cloud service provider and the 3PAO and is not available through FedRAMP.

3PAOs are not rated; however, any complaints about performance are tracked through the accreditation process, and a lack of performance could result in the loss of the 3PAO's accreditation.

Explain the upcoming privatization and expansion of 3PAOs certification.

Roat: As outlined in the FedRAMP concept of operations and the 3PAO program description, the transition to a privatized accreditation body for 3PAO's was planned from the start of FedRAMP.

A2LA was selected through an open process for selecting accreditation bodies with the experience and knowledge to accredit 3PAOs that perform assessment of cloud systems.

A2LA is a signatory of the International Laboratory Accreditation Cooperation (ILAC) Mutual Recognition Arrangement (MRA). The MRA acts as an internationally recognized "stamp of approval" to demonstrate compliance against agreed standards and requirements.

Having A2LA as the accreditation body will allow for more in-depth analysis of 3PAO applicant's conformance to inspection and information security standards, making the process more rigorous. Having a privatized body also provides a means of costs savings, as the government does not have to provide the resources to perform the accreditation.

The FedRAMP PMO retains oversight and governance for the accreditation process including final approval of 3PAOs.

Previous
2 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
1/21/2014 | 8:35:33 PM
FedRAMP is changing the way industry looks at cloud security
Based on our latest report, it's clear FedRAMP is making an impact on cloud service providers. Read:Cloud Providers Align With FedRAMP Security Standards

 
WKash
50%
50%
WKash,
User Rank: Apprentice
11/1/2013 | 10:07:37 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
One thing not said here is that agencies can also win approval for P-ATO for selected proposals separate from the JAB. The JAB makes it easier for many agencies to adopt an approved cloud service.
WKash
50%
50%
WKash,
User Rank: Apprentice
10/31/2013 | 6:01:41 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
For anyone trying to understand what FedRAMP is, why it matters, and how it's changing the way security authorizations are getting done in #GovIT, this interview w/ @USGSA's director Maria Roat is a great primer.
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting