Cloud computing has been slowly but surely moving into the federal government over the past few years. More and more agencies are starting to see the drastic cost and efficiency benefits of the cloud over on-premise or co-location hosting. Among the factors that caused reluctant adoption, security seemed to be the most visible. The FedRAMP program addresses the new risks and security concerns associated with this technology.
On December 8, 2011, the Federal Chief Information Officer issued a memo addressing the importance of security for cloud computing within the federal space. The Federal Risk and Authorization Management Program (FedRAMP) was developed to provide a cost-effective, risk-based approach for the adoption and use of cloud services within the federal space. FedRAMP sets forth guidelines and requirements for agencies and vendors to adequately assess, authorize, and monitor cloud services and products throughout their lifecycle.
FedRAMP Timeline & Relevance
- Currently, FedRAMP is still in the pre-launch phase. This time is being used to educate members of the private and federal community on the benefits of cloud computing and on the importance of securing the cloud, and to address any related questions or concerns prior to going operational.
- The initial launch of FedRAMP is officially scheduled for June 2012. FedRAMP will be applicable for all government agencies implementing cloud computing technology. FedRAMP is also applicable to all industry cloud service providers that will be hosting government data.
- In fiscal year 2013, FedRAMP will have a more open and diverse set of offerings as the government continues to learn best practices for cloud implementation.
- In fiscal year 2014, FedRAMP will reach a more sustainable operating level with the program operating in tandem with previously published security controls.
FedRAMP Third Party Assessment Organization (3PAO)
FedRAMP will use a conformity assessment process to demonstrate that cloud computing services offered by Cloud Service Providers (CSP) meet specified security requirements. This assessment will be conducted in accordance with the latest revision of NIST 800-53 security control standards and the additional FedRAMP controls issued by GSA.
FedRAMP A&A Package Preparation & Security Testing
FedRAMP requires all federal agencies and their respective cloud providers to submit documentation outlining their cloud computing capability and the associated security measures that are implemented. This Assessment and Authorization (A&A) process will include a Security Plan, which provides a description of the system including, but not limited to, its purpose, location, and technical capabilities. Additionally, the Security Plan will contain implementation statements addressing how the system complies with the controls listed within 800-53. Alongside the Security Plan, the A&A package will also include, but is not limited to, an organizational Contingency Plan/Disaster Recovery Plan, Configuration Management Plan, Risk Assessment, and Security Assessment Report.
FedRAMP also requires that all cloud computing systems within the federal space undergo security testing to ensure that their security features are functioning as documented within the Security Plan. These systems will be accountable for conducting the necessary technical scans and analysis as well as the manual assessments of the 800-53 security controls and the additional FedRAMP security controls. The manual testing of these controls will consist of the examination, interview, and testing of key personnel and components to validate that the implementation statements within the Security Plan are accurate and that the controls are operating as intended. All results of these tests will be documented within the Security Assessment Report and Risk Assessment. All vulnerabilities found during the testing will be tracked as items within the Plan of Action and Milestones (POA&M).
Cloud Security Advisory Gap Analysis Services
In the realm of compliance, there are a lot of small details required to produce a complete and accurate package. For example, in order to conduct the testing of the 800-53 controls and the FedRAMP controls, various artifacts will need to be in place for the organization to validate compliance with NIST standards. Earthling Security has developed a method for conducting a gap analysis on cloud systems, derived from various guidelines and methods as well as from related experience. Our approach consists of thoroughly reviewing any current documentation in place, including policies and procedures, and aligning it with the latest FedRAMP and NIST standards. Ask about our Gap Analysis Methodology!
FedRAMP CONOPS Continuous Monitoring
Earthling Security has established a Continuous Monitoring Program that accounts for all the repeatable processes and reporting per the FedRAMP CONOPS requirements. Standard Operating Procedures are simplified by identifying the NIST SP 800-53A validation points as well as the GSA reporting frequencies.
Technology is always rapidly changing in our world. Along with new technology come new threats and new guidelines on how to protect against them. This has been the case with the move to cloud computing and FedRAMP.
Earthling Security has been intricately involved in keeping abreast of all the latest technology and associated guidelines that have appeared. Earthling Security offers a training curriculum that includes the latest guidance provided by NIST and FedRAMP as well as industry best practices. This training curriculum covers all aspects of cloud security for both private and government sectors. Lastly, Earthling Security also provides training courses in the Certificate of Cloud Security Knowledge Exam (CCSK).
The Earthling Difference
- Trust: As a small business, we instill in our staff an acute clarity on our core business philosophy: trust. As a security consulting firm, we stay very conscious of the ethical road, and we feel that combining it with extraordinary talent and an obsession with customer satisfaction sets us significantly apart from our competition.
- Industry: Earthling Security has been a steady presence within the federal sector for over 10 years working on various projects. These projects include Security Architecture (for cloud and traditional networks), Forensics and eDiscovery, Governance and Compliance, Security Operations Center (SOC) Management, and Virtualization Security. This combined experience within the various realms of security makes Earthling Security a very versatile company that can assist in not only select portions of your security program, but your program as a whole.
- Expertise: Earthling Security consultants have a wide range and strong depth of skill sets. With over 50 years of combined experience in the various aspects of security, Earthling Security focuses on providing its customers with not just security but business solutions. Our criteria? We pick Leaders. Best of breed thinkers and business and solution architects.
- Credentials: We are obsessed with education and learning. Earthling Security maintains on staff personnel who are highly aggressive learners with extensive experience and various certifications. Some of the certifications we ‘encourage’ are ISC2 CAP, ISC2 CISSP, CSA CCSK, VMware VCP, and Certified Ethical Hacker (CEH).
- Educators: We offer training classes on security and professional certification preparation for the ISC2 CISSP & ISC2 CAP. Earthling Security has also put together the Federal Cloud Security Professional training course, which covers cloud computing architecture concepts, FISMA and FedRAMP, and performs an anatomy of an Infrastructure-as-a-Service (i.e. Amazon Web Services (AWS)) in a federal environment. For agencies, as well as Independent Software Vendors looking to provide offerings to the public sector, our FedRAMP Training is essential.
- Experienced FedRAMP 3PAO: Earthling Security is highly involved in vetting and researching cloud security and compliance in the federal government. We have extensive and unique experience with major players in the federal government as well as various Cloud Service Providers. Earthling Security also successfully submitted its Application Package to GSA as a first-tier registrant (prior to the January 20, 2012 deadline).
- Cloud Tools: Earthling Security’s Cloud IntelTree is a cloud planning and decision workflow tool that helps customers understand the various options in architecture, vendors, cost, and design prior to engaging in compliance review and, finally, migration. FedRAMP A&A Manager is a compliance management tool for cloud accreditation packages. This tool is designed to highlight all of the cloud-related controls and security documents for both FedRAMP and FISMA (we recommend our Cloud IntelTree to help customers understand the difference!).
- Extensive Experience in Cloud Security Architecture: Earthling Security staff have extensive expertise in cloud architecture and security operations in the cloud. Some of our highlight projects have involved Virtualization Security, eDiscovery in the Cloud, Incident Response, and Provider Security Reviews.