KEMBAR78
Fisma FedRAMP Drupal | PPT
Mike Lemire, profile picture
Uploaded byMike Lemire
PPT, PDF4,545 views

Fisma FedRAMP Drupal

The document discusses federal compliance standards for information systems used by the US government, including FISMA, DIACAP, and the upcoming FedRAMP. It outlines the six step process for achieving compliance: 1) categorizing the system, 2) selecting controls, 3) implementing and documenting controls, 4) assessing controls, 5) authorizing the system, and 6) ongoing monitoring. It provides an example of how a cloud service provider like Acquia can achieve compliance for their platform by documenting the controls each party is responsible for across the application, OS stack, and infrastructure layers. Finally, it lists some specific FISMA moderate controls applicable to the Drupal content management system.

Downloaded 66 times
Presenter Michael Lemire Director of Information Security michael.lemire@acquia.com
Agenda • Review Current US Government Compliance landscape • How to achieve FISMA Compliance • International and Developing Compliance Standards • How Acquia achieved a compliant ready hosting platform.
Drupal in the Federal Government • Governments are expanding use of Drupal • Drupal is open source • Cost effective vs proprietary licensed software • Proven secure • Drupal facilitates shared development between agencies • Proven • www.whitehouse.gov • www.house.gov • www.ready.gov • www.investor.gov • www.teach.gov • www.ed.gov • www.energy.gov
Current US Government Compliance Landscape FISMA, DIACAP and FedRAMP are standardized approaches to security assessment, authorization, and continuous monitoring for information systems utilized by the Federal government. FISMA - Federal Information Security Management Act of 2002. Applicable to non- DoD agencies. DIACAP – Department of Defense Information Assurance Certification and Accreditation Process. Applicable to DoD related agencies. With both FISMA and DIACAP each information system must be documented, reviewed by independent third party assessor and authorized by authorizing officials. Time consuming, expensive
Coming Soon - FedRAMP FedRAMP - Federal Risk and Authorization Management Program • Establishes an “authorize once, use many times” framework for cloud computing products and services. FedRAMP is meant to supersede FISMA and DIACAP for cloud products. • FedRAMP was established on Dec 8, 2011 via a memorandum produced by the Federal Chief Information Officer and is due to achieve Initial Operating Capacity in 2012. • Based on the same NIST publications as FISMA with added controls pertinent to the cloud • FedRAMP Concept of Operations – defines how the FedRAMP process will work • http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf
Important NIST Publications and Standards FIPS 199 – Security categorization of the information system according to its Confidentiality, Availability and Integrity requirements • What type of data? • Importance to national security? Determine “High water mark” (low, medium, high) NIST 800-53 rev 3 – Security Controls documented in the SSP All domains of security are covered and must be documented Risk Assessment, Personnel, System Acquisition, Physical and Environmental, Contingency Planning, Configuration Management, Incident Response, Security Awareness Training, Authentication, Logging and Audit, Network Security and Encryption Rev 4 now in draft – adds add’l mobile and cloud controls NIST 800-30 – Risk Assessments Defines process for assessing risk and how to apply the process to the organizational, mission and information system levels.
Federal Compliance - High Level Process 1. Categorize the System – FIPS 199 FISMA, DIACAP and FedRAMP Process Confidentiality, Integrity, Availability 2. Select the controls – NIST 800-53 3. Implement the controls and document them -System Security Plan -Privacy Impact Assessment 4. Assess – Contract with Third Party Assessor -3PAO reviews SSP and creates STE & POA&M 5. Authorize – This package of documents submitted to the Authorizing Official who reviews, comments, asks for revisions. -grants IATC and/or ATO 6.Monitor – Continuous update to SSP , continuous mitigation of items identified in STE and POA&M
Step 1: Categorize the system –FIPS 199 Establish the “high water mark”- Low/Moderate or High
Step 2: Select the controls NIST 800-53 Revision 3 Annex 1 – Low “high water mark” Annex 2 – moderate “high water mark” Annex 3 – high “high water mark”
Step 3: Implement and document the controls The System Security Plan (SSP) -a narrative description of the system -define the “accreditation boundary” – what is it that is being authorized -describes the system and the environment where it resides .. And the controls, divided into control families: Risk Assessment (RA) Planning (PL) System and Service Acquisition (SA) Access Control (AC) Certification and Authorization (CA) Audit and Accountability (AU) Personnel Security (PS) System and Communication Protection (SC) Physical and Environmental Security (PE) Continuity Planning (CP) Configuration Management (CM) Maintenance (MA) System and Information Integrity (SI) Media Protection (MP) Incident Response (IR) Awareness and Training (AT) Identification and Authentication (IA)
Step 4: Assess The Controls (Audit) The assessment is a validation by an independent auditor that “you do what you say you do”. Guided by NIST 800-53a The third party assessor (3PAO) is tasked with reviewing the SSP and validating are those control in place. 3PAO creates Security Test & Evaluation Plan (ST&E) and the System Assessment Report (SAR) which documents the evidencing activities and results. -What is non-compliant Plan of Action Milestone (POA&M) – Lists controls which are not in place and the plan to implement those controls
Step 5: Authorize the System Finally the FISMA C&A Package is submitted to the Authorizing Official The package: • The SSP • Relevant Policies and Procedures • The FIPS 199 categorization • The SAR and ST&E • The POA&M Authorizing Official once satisfied issues Authority to Operate (ATO)
Step 6: Monitor and Update • Update the SSP as things change • Resolve issues and follow plan per POA&M • Continuous monitoring of risks • Re-authorize system every 3 years
Accomplishing Federal Compliance in the Cloud Cloud Service Providers may be responsible for the entire set of controls, or they may be shared in a Shared Responsibility Model Examples: SaaS may be built on PaaS Ex: DrupalGardens PaaS may be built on IaaS Ex: Acquia Managed Cloud Three primary layers in the shared responsibility model: •Application Layer (Drupal) •OS Stack Layer (Linux, Windows, Database, etc) •Infrastructure Layer (Datacenter, network) *Each entity must document the controls for which they are responsible for.*
Example: Acquia Managed Cloud Acquia Managed Cloud is a PaaS built on Amazon’s AWS IaaS
Example: Acquia Managed Cloud Example SSP control description: Control: (from 800-53) Control Type: Agency/Common/Hybrid Control Status: Implemented/Planned/Not Applicable Application Layer: Responsibility: Customer (Agency) Implementation Detail: Describe how the control is the responsibility of the agency. LAMP Stack Layer: Responsibility: Acquia Implementation Detail: Describe how the control is implemented Infrastructure: Responsibility: Amazon Implementation Detail: Refer to hosting provider’s SSP Acquia documents its control responsibilities in its SSP Amazon documents its control responsibilities in its SSP
FISMA Moderate Controls applicable to the Drupal layer
FISMA Moderate Controls applicable to the Drupal layer
FISMA Moderate Controls applicable to the Drupal layer How to implement these controls: -OpenPublic distribution -Drupal modules: Password Policy http://drupal.org/project/password_policy
Fisma FedRAMP Drupal

More Related Content

PDF
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
byValdez Ladd MBA, CISSP, CISA,
 
PDF
Federal Risk and Authorization Management Program (FedRAMP)
byGovCloud Network
 
PDF
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
bySchellman & Company
 
PPTX
Amped for FedRAMP
byRay Potter
 
PDF
FedRAMP 3PAO Training
by1ECG
 
PPTX
Completing fedramp-security-authorization-process
byTuan Phan
 
PDF
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
byJames W. De Rienzo
 
PPTX
stackArmor - FedRAMP and 800-171 compliant cloud solutions
byGaurav "GP" Pal
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
byValdez Ladd MBA, CISSP, CISA,
 
Federal Risk and Authorization Management Program (FedRAMP)
byGovCloud Network
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
bySchellman & Company
 
Amped for FedRAMP
byRay Potter
 
FedRAMP 3PAO Training
by1ECG
 
Completing fedramp-security-authorization-process
byTuan Phan
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
byJames W. De Rienzo
 
stackArmor - FedRAMP and 800-171 compliant cloud solutions
byGaurav "GP" Pal
 

What's hot

PDF
Fedramp developing-system-security-plan-slides
byTuan Phan
 
PDF
TrustedAgent FedRAMP Security Authorization
byTuan Phan
 
PDF
Getting started on fed ramp sec auth for csp
byTuan Phan
 
DOCX
Control Implementation Summary (CIS) Template
byGovCloud Network
 
PDF
Gpc case study_eng_0221
bySALIH AHMED ISLAM
 
PPTX
NIST Risk Management Framework (RMF)
byJames W. De Rienzo
 
PDF
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
byJames W. De Rienzo
 
PPTX
Network Security & Assured Networks: TechNet Augusta 2015
byAFCEA International
 
PDF
Control Compliance Suite 10
bySymantec
 
PDF
Guide for Applying The Risk Management Framework to Federal Information Systems
byGuillermo Remache
 
PDF
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
byJames W. De Rienzo
 
PPTX
CMMC Certification
byControlCase
 
PPTX
IT GRC with Symantec
byArrow ECS UK
 
PDF
Symantec Control Compliance Suite 11, February 2012
bySymantec
 
PDF
Symantec control compliance suite
bySymantec
 
PPTX
Developing a Continuous Monitoring Action Plan
byTripwire
 
PDF
Cis controls v8_guide (1)
byMHumaamAl
 
PPT
Audit of it infrastructure
bypramod_kmr73
 
PDF
SuprTEK Continuous Monitoring
byTieu Luu
 
PPTX
Chapter 3 security part i auditing operating systems and networks
byjayussuryawan
 
Fedramp developing-system-security-plan-slides
byTuan Phan
 
TrustedAgent FedRAMP Security Authorization
byTuan Phan
 
Getting started on fed ramp sec auth for csp
byTuan Phan
 
Control Implementation Summary (CIS) Template
byGovCloud Network
 
Gpc case study_eng_0221
bySALIH AHMED ISLAM
 
NIST Risk Management Framework (RMF)
byJames W. De Rienzo
 
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
byJames W. De Rienzo
 
Network Security & Assured Networks: TechNet Augusta 2015
byAFCEA International
 
Control Compliance Suite 10
bySymantec
 
Guide for Applying The Risk Management Framework to Federal Information Systems
byGuillermo Remache
 
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
byJames W. De Rienzo
 
CMMC Certification
byControlCase
 
IT GRC with Symantec
byArrow ECS UK
 
Symantec Control Compliance Suite 11, February 2012
bySymantec
 
Symantec control compliance suite
bySymantec
 
Developing a Continuous Monitoring Action Plan
byTripwire
 
Cis controls v8_guide (1)
byMHumaamAl
 
Audit of it infrastructure
bypramod_kmr73
 
SuprTEK Continuous Monitoring
byTieu Luu
 
Chapter 3 security part i auditing operating systems and networks
byjayussuryawan
 

Viewers also liked

PPT
Cloud Hosting for Government Agencies: Drupal Platform as a Service
byAcquia
 
PDF
2010 Secure World Boston Nist
bycandy_alexander
 
PDF
Conops v1.1 07162012_508
byTuan Phan
 
PDF
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
byAkamai Technologies
 
PPTX
A Closer Look on C&C Panels
byTandhy Simanjuntak
 
PDF
2016 Maze Live 1 GASB update
byDonald E. Hester
 
PDF
Implementing GASB 72: Fair Value Measurement and Application
byDonald E. Hester
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
byDonald E. Hester
 
PDF
2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...
byDonald E. Hester
 
PDF
2016 Maze Live Cyber-security for Local Governments
byDonald E. Hester
 
PDF
2016 Maze Live Fraud Environment
byDonald E. Hester
 
PDF
GASB 68 and 71 Planning for the Second Year
byDonald E. Hester
 
PPTX
Azure gov march 15th
byAshna Khorana, PRC
 
PDF
Building an Effective GRC Process with TrustedAgent GRC
byTuan Phan
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
byDonald E. Hester
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...
byDonald E. Hester
 
PDF
Fed ramp agency_implementation_webinar
byTuan Phan
 
PDF
The Digital Enterprise
byBooz Allen Hamilton
 
DOCX
E authentication template 050212
byGovCloud Network
 
PDF
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
byTuan Phan
 
Cloud Hosting for Government Agencies: Drupal Platform as a Service
byAcquia
 
2010 Secure World Boston Nist
bycandy_alexander
 
Conops v1.1 07162012_508
byTuan Phan
 
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
byAkamai Technologies
 
A Closer Look on C&C Panels
byTandhy Simanjuntak
 
2016 Maze Live 1 GASB update
byDonald E. Hester
 
Implementing GASB 72: Fair Value Measurement and Application
byDonald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
byDonald E. Hester
 
2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...
byDonald E. Hester
 
2016 Maze Live Cyber-security for Local Governments
byDonald E. Hester
 
2016 Maze Live Fraud Environment
byDonald E. Hester
 
GASB 68 and 71 Planning for the Second Year
byDonald E. Hester
 
Azure gov march 15th
byAshna Khorana, PRC
 
Building an Effective GRC Process with TrustedAgent GRC
byTuan Phan
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
byDonald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...
byDonald E. Hester
 
Fed ramp agency_implementation_webinar
byTuan Phan
 
The Digital Enterprise
byBooz Allen Hamilton
 
E authentication template 050212
byGovCloud Network
 
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
byTuan Phan
 

Similar to Fisma FedRAMP Drupal

PPT
M014 Confluence Presentation 08 15 06
bygbroadbent67
 
PPT
Cyber crime with privention
byManish Dixit Ceh
 
PPTX
Contract Security Officer Services
byAnthony Noblett CISSP, CISA, CGEIT, CRISC, CCSK
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
byDonald E. Hester
 
PPTX
DojoSec FISMA Presentation
bydanphilpott
 
PDF
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
byHyTrust
 
DOC
It security-plan-template
byjbmills1634
 
PPTX
Key Tables, Charts and Flows for SSCP _ CISSP.pptx
byDeepakChougule8
 
PPTX
Security Baselines and Risk Assessments
byPriyank Hada
 
PDF
Rmf step-3-control-selection-nist-sp-800-53r4
byJames W. De Rienzo
 
PPTX
Infosec policies to appsec standards ed final
byeadams2330
 
DOCX
Risk Assessment
byjenito21
 
DOCX
R.a 1
byjenito21
 
PPTX
Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC
byAdam Levithan
 
PDF
FedRAMP CSP SSP Training
by1ECG
 
PDF
Simple cloud security explanation
byindianadvisory
 
PPTX
Unc charlotte prezo2016
bySanjay R. Gupta
 
PPT
S nandakumar_banglore
byIPPAI
 
PPT
S nandakumar
byIPPAI
 
PPTX
Database development and security certification and accreditation plan pitwg
byJohn M. Kennedy
 
M014 Confluence Presentation 08 15 06
bygbroadbent67
 
Cyber crime with privention
byManish Dixit Ceh
 
Contract Security Officer Services
byAnthony Noblett CISSP, CISA, CGEIT, CRISC, CCSK
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
byDonald E. Hester
 
DojoSec FISMA Presentation
bydanphilpott
 
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
byHyTrust
 
It security-plan-template
byjbmills1634
 
Key Tables, Charts and Flows for SSCP _ CISSP.pptx
byDeepakChougule8
 
Security Baselines and Risk Assessments
byPriyank Hada
 
Rmf step-3-control-selection-nist-sp-800-53r4
byJames W. De Rienzo
 
Infosec policies to appsec standards ed final
byeadams2330
 
Risk Assessment
byjenito21
 
R.a 1
byjenito21
 
Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC
byAdam Levithan
 
FedRAMP CSP SSP Training
by1ECG
 
Simple cloud security explanation
byindianadvisory
 
Unc charlotte prezo2016
bySanjay R. Gupta
 
S nandakumar_banglore
byIPPAI
 
S nandakumar
byIPPAI
 
Database development and security certification and accreditation plan pitwg
byJohn M. Kennedy
 

Recently uploaded

PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
PDF
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
PPTX
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
PPTX
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
PDF
2025 October Patch Tuesday
byIvanti
 
PDF
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 
PPTX
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
PDF
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
PDF
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
PPTX
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
PDF
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
PDF
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
 
PDF
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
2025 October Patch Tuesday
byIvanti
 
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
Using Copilot with Microsoft Office Apps
byDeb Walther
 
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 

Fisma FedRAMP Drupal

  • 2.
    Presenter Michael Lemire Director of Information Security michael.lemire@acquia.com
  • 3.
    Agenda • Review CurrentUS Government Compliance landscape • How to achieve FISMA Compliance • International and Developing Compliance Standards • How Acquia achieved a compliant ready hosting platform.
  • 4.
    Drupal in theFederal Government • Governments are expanding use of Drupal • Drupal is open source • Cost effective vs proprietary licensed software • Proven secure • Drupal facilitates shared development between agencies • Proven • www.whitehouse.gov • www.house.gov • www.ready.gov • www.investor.gov • www.teach.gov • www.ed.gov • www.energy.gov
  • 5.
    Current US GovernmentCompliance Landscape FISMA, DIACAP and FedRAMP are standardized approaches to security assessment, authorization, and continuous monitoring for information systems utilized by the Federal government. FISMA - Federal Information Security Management Act of 2002. Applicable to non- DoD agencies. DIACAP – Department of Defense Information Assurance Certification and Accreditation Process. Applicable to DoD related agencies. With both FISMA and DIACAP each information system must be documented, reviewed by independent third party assessor and authorized by authorizing officials. Time consuming, expensive
  • 6.
    Coming Soon -FedRAMP FedRAMP - Federal Risk and Authorization Management Program • Establishes an “authorize once, use many times” framework for cloud computing products and services. FedRAMP is meant to supersede FISMA and DIACAP for cloud products. • FedRAMP was established on Dec 8, 2011 via a memorandum produced by the Federal Chief Information Officer and is due to achieve Initial Operating Capacity in 2012. • Based on the same NIST publications as FISMA with added controls pertinent to the cloud • FedRAMP Concept of Operations – defines how the FedRAMP process will work • http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf
  • 7.
    Important NIST Publicationsand Standards FIPS 199 – Security categorization of the information system according to its Confidentiality, Availability and Integrity requirements • What type of data? • Importance to national security? Determine “High water mark” (low, medium, high) NIST 800-53 rev 3 – Security Controls documented in the SSP All domains of security are covered and must be documented Risk Assessment, Personnel, System Acquisition, Physical and Environmental, Contingency Planning, Configuration Management, Incident Response, Security Awareness Training, Authentication, Logging and Audit, Network Security and Encryption Rev 4 now in draft – adds add’l mobile and cloud controls NIST 800-30 – Risk Assessments Defines process for assessing risk and how to apply the process to the organizational, mission and information system levels.
  • 8.
    Federal Compliance -High Level Process 1. Categorize the System – FIPS 199 FISMA, DIACAP and FedRAMP Process Confidentiality, Integrity, Availability 2. Select the controls – NIST 800-53 3. Implement the controls and document them -System Security Plan -Privacy Impact Assessment 4. Assess – Contract with Third Party Assessor -3PAO reviews SSP and creates STE & POA&M 5. Authorize – This package of documents submitted to the Authorizing Official who reviews, comments, asks for revisions. -grants IATC and/or ATO 6.Monitor – Continuous update to SSP , continuous mitigation of items identified in STE and POA&M
  • 9.
    Step 1: Categorizethe system –FIPS 199 Establish the “high water mark”- Low/Moderate or High
  • 10.
    Step 2: Selectthe controls NIST 800-53 Revision 3 Annex 1 – Low “high water mark” Annex 2 – moderate “high water mark” Annex 3 – high “high water mark”
  • 11.
    Step 3: Implementand document the controls The System Security Plan (SSP) -a narrative description of the system -define the “accreditation boundary” – what is it that is being authorized -describes the system and the environment where it resides .. And the controls, divided into control families: Risk Assessment (RA) Planning (PL) System and Service Acquisition (SA) Access Control (AC) Certification and Authorization (CA) Audit and Accountability (AU) Personnel Security (PS) System and Communication Protection (SC) Physical and Environmental Security (PE) Continuity Planning (CP) Configuration Management (CM) Maintenance (MA) System and Information Integrity (SI) Media Protection (MP) Incident Response (IR) Awareness and Training (AT) Identification and Authentication (IA)
  • 12.
    Step 4: AssessThe Controls (Audit) The assessment is a validation by an independent auditor that “you do what you say you do”. Guided by NIST 800-53a The third party assessor (3PAO) is tasked with reviewing the SSP and validating are those control in place. 3PAO creates Security Test & Evaluation Plan (ST&E) and the System Assessment Report (SAR) which documents the evidencing activities and results. -What is non-compliant Plan of Action Milestone (POA&M) – Lists controls which are not in place and the plan to implement those controls
  • 13.
    Step 5: Authorizethe System Finally the FISMA C&A Package is submitted to the Authorizing Official The package: • The SSP • Relevant Policies and Procedures • The FIPS 199 categorization • The SAR and ST&E • The POA&M Authorizing Official once satisfied issues Authority to Operate (ATO)
  • 14.
    Step 6: Monitorand Update • Update the SSP as things change • Resolve issues and follow plan per POA&M • Continuous monitoring of risks • Re-authorize system every 3 years
  • 16.
    Accomplishing Federal Compliancein the Cloud Cloud Service Providers may be responsible for the entire set of controls, or they may be shared in a Shared Responsibility Model Examples: SaaS may be built on PaaS Ex: DrupalGardens PaaS may be built on IaaS Ex: Acquia Managed Cloud Three primary layers in the shared responsibility model: •Application Layer (Drupal) •OS Stack Layer (Linux, Windows, Database, etc) •Infrastructure Layer (Datacenter, network) *Each entity must document the controls for which they are responsible for.*
  • 17.
    Example: Acquia ManagedCloud Acquia Managed Cloud is a PaaS built on Amazon’s AWS IaaS
  • 18.
    Example: Acquia ManagedCloud Example SSP control description: Control: (from 800-53) Control Type: Agency/Common/Hybrid Control Status: Implemented/Planned/Not Applicable Application Layer: Responsibility: Customer (Agency) Implementation Detail: Describe how the control is the responsibility of the agency. LAMP Stack Layer: Responsibility: Acquia Implementation Detail: Describe how the control is implemented Infrastructure: Responsibility: Amazon Implementation Detail: Refer to hosting provider’s SSP Acquia documents its control responsibilities in its SSP Amazon documents its control responsibilities in its SSP
  • 19.
    FISMA Moderate Controlsapplicable to the Drupal layer
  • 20.
    FISMA Moderate Controlsapplicable to the Drupal layer
  • 21.
    FISMA Moderate Controlsapplicable to the Drupal layer How to implement these controls: -OpenPublic distribution -Drupal modules: Password Policy http://drupal.org/project/password_policy