FedRAMP Agency Compliance and Implementation Workshop

Agency Workshop: FedRAMP Compliance and Implementation
March 18, 2013
Federal Risk and Authorization Management Program (FedRAMP)
Office of Citizen Services and Innovative Technologies

Welcome
Dave McClure, Associate Administrator, Office of Citizen Services and Innovative Technologies

Session Purpose and Outcomes

Purpose: Detail agency FedRAMP compliance and implementation requirements.

Outcomes:
- Understand FedRAMP: its processes, benefits, and key players
- Ability to explain agency FedRAMP requirements
- Understand the different FedRAMP assessment paths
- Clarity on how an agency complies with FedRAMP requirements for existing and planned cloud systems

Agenda

Topic                                              Speaker           Time
Welcome                                            Dave McClure      9:00-9:10
Cloud and FedRAMP Overview                         Katie Lewin       9:10-9:20
FedRAMP Responsibilities and Compliance            Maria Roat        9:20-9:35
Cloud Inventory                                    Maria Roat        9:35-9:40
Implementation: Planning Phase                     Matthew Goodrich  9:40-10:10
Questions and Answers                                                10:10-10:30
BREAK                                                                10:30-10:40
Implementation: Assessment Phase                   Matthew Goodrich  10:40-11:10
Implementation: Customer Controls & Authorization  Maria Roat        11:10-11:20
Ongoing Assessment & Authorization                 Maria Roat        11:20-11:30
Wrap-up and Questions and Answers                                    11:30-12:00

Cloud and FedRAMP Overview
Katie Lewin, Federal Cloud Computing Initiative, Federal Risk and Authorization Management Program (FedRAMP), Office of Citizen Services and Innovative Technologies

Cloud: A Fundamental Shift in IT

[Figure: of about $80 billion in total Federal IT spending, about $20 billion is potential spending in cloud. Benefits are grouped as Agility (as-a-service purchase, near instantaneous capacity adjustments, responsiveness), Innovation (from owner to service, private sector innovation, entrepreneurial culture, emerging technologies) and Efficiency (improved asset utilization, aggregated demand, improved productivity). Source: www.cio.gov]

Administration's Drive to the Cloud

"The Administration's Federal Cloud Computing Strategy requires agencies to default to cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists; however, the move to the cloud requires a dramatic shift in the way Federal agencies buy IT from capital expenditures to operating expenditures. With this shift comes a learning curve as the government analyzes how to best procure this new service-based model. . . ."
- Steven VanRoekel, U.S. Chief Information Officer, OMB, February 24, 2012

Federal Timeline for Cloud
- December 9, 2010: Cloud First (25 Point Plan to Reform Federal IT)
- February 8, 2011: Federal Cloud Computing Strategy
- December 8, 2011: FedRAMP Policy Memo
- February 24, 2012: Creating Effective Cloud Computing Contracts
(Timeline shown for 2010, 2011, 2012 and Future)

Federal Cloud Computing Program
To foster the adoption of cloud across the Federal government and to address obstacles to cloud adoption:
- New Information Portal & Collaboration Website: cloud.cio.gov (coming soon)
- Blanket Purchase Agreements: Infrastructure as a Service; Email as a Service

What is FedRAMP?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework that will save the cost, time, and staff required to conduct redundant agency security assessments.

Federal Cloud Computing Initiative and FedRAMP Timeline

[Timeline figure, Q1 2009 through Q1 2013. Milestones shown, with the dates that can be read from the figure: Cloud Computing Program Launched; Cloud Computing Program Management Office Established (April 2009); Security Working Group Established; Executive Steering Committee Established; FedRAMP Drafts Initial Baseline (June 2010); FedRAMP Concept Vetted with Industry & Government (July-Sept. 2010); FedRAMP Concept Announced; FedRAMP Concept, Controls, & Templates Released; over 1,200 public comments received; Federal Cloud Computing Strategy Published; Government Tiger Teams Review Comments; Executive Team Solidifies Tiger Team Recommendations; 3PAO Concept Planned; FedRAMP Policy signed (December 2011); FedRAMP CONOPS Published (February 2012); 3PAOs Accredited (May 2012); FedRAMP Launches Initial Operational Capability (June 2012); JAB Grants 1st Provisional Authorization (December 2012); JAB Grants 2nd Provisional Authorization (January 2013).]

Key Benefits
- Re-use of existing security assessments across agencies
- Savings in cost, time and resources: "do once, use many times"
- Risk based, not compliance based
- Transparency between government and cloud service providers
- Transparency, trust, reliability, consistency, and quality of the Federal security authorization process

FedRAMP Responsibilities & Compliance
Maria Roat, FedRAMP Director, Federal Risk and Authorization Management Program (FedRAMP), Office of Citizen Services and Innovative Technologies

FedRAMP Policy Memo (December 8, 2011 OMB Policy Memo)

- Establishes Federal policy for the protection of Federal information in cloud services
- Describes the key components of FedRAMP and its operational capabilities
- Defines Executive department and agency responsibilities in developing, implementing, operating and maintaining FedRAMP
- Defines the requirements for Executive departments and agencies using FedRAMP in the acquisition of cloud services

FedRAMP Key Players
- Federal Agencies
- JAB (DOD, DHS, GSA)
- PMO: GSA
- Technical Advisor: NIST
- Continuous Monitoring: DHS
- Cloud Service Provider: provides cloud IT services with a provisional authorization granted by the FedRAMP JAB
- Independent Assessor: performs initial and periodic assessment of security and privacy controls deployed in cloud information systems
Responsibilities established by the December 8, 2011 OMB Policy Memo.

Responsibilities of Key Parties

Federal Agencies:
- Require CSPs to meet FedRAMP requirements via contractual provisions
- Submit security assessment documentation and query the FedRAMP repository for existing documentation
- Implement customer responsibility controls
- Establish and implement continuous monitoring plans through incident response and mitigation capabilities

Cloud Service Provider:
- Submit application for FedRAMP authorization
- Hire an independent third party assessor to perform initial system assessment and on-going monitoring of controls
- Create, submit and maintain authorization packages
- Provide Continuous Monitoring reports and updates to FedRAMP and leveraging agencies

Independent Assessor:
- Conduct assessment of CSP security control implementation
- Generate Security Assessment Reports and associated evidence
- Maintain independence from CSP

FedRAMP Relationship to the NIST Risk Management Framework
1. Categorize the Information System (Agency): Low Impact or Moderate Impact
2. Select the Controls (Agency): FedRAMP Low or Moderate Baseline
3. Implement Security Controls (CSP): describe in the SSP
4. Assess the Security Controls (CSP and 3PAO): FedRAMP accredited 3PAO
5. Authorize Information System (JAB / Agency): Provisional Authorization or Agency ATO
6. Monitor Security Controls (CSP): Continuous Monitoring

Complying with FedRAMP Policy
- All assessments of cloud-based products and services must use the FedRAMP security requirements: the baseline set of controls and all FedRAMP templates
- Not all assessments require a provisional ATO granted by the JAB:
  - Agencies can continue to grant their own ATOs without JAB sign-off
  - CSPs can submit FedRAMP compliant packages to agencies requesting an ATO
- All assessment documentation must be submitted to the FedRAMP PMO for inclusion in the secure repository
- Agencies must leverage existing FedRAMP ATOs found in the FedRAMP repository
June 2014: All Cloud Projects Must Meet FedRAMP Requirements

Exception Guidance
- Private cloud deployments that are:
  - Implemented within a Federal facility
  - Operated solely for the use of the Executive Department or Agency
  - Not providing cloud services from the system to any external entities (bureaus, components or subordinate organizations within an agency are considered external entities)

- Cloud systems at a FIPS 199 Impact Level of High
Cloud systems exempt from FedRAMP requirements must continue to comply with FISMA requirements and appropriate NIST security standards and guidelines.

Cloud Inventory
Maria Roat, FedRAMP Director, Federal Risk and Authorization Management Program (FedRAMP), Office of Citizen Services and Innovative Technologies

Conducting the Inventory
- The April 2013 PortfolioStat online data call will gather information on agency cloud deployments
- Agencies will report information on their FIPS 199 low and moderate impact cloud deployments being implemented or planned:
  - Agency POC
  - CSP detail: name, service name, brief description, service model, deployment model, assessor, FIPS 199 level
  - Implementation detail

FedRAMP Inventory Questions

Fully Implemented:
- Do you have an Authority to Operate (ATO) for the system?
- Have you performed a security controls gap analysis against the FedRAMP baseline controls?
- Were FedRAMP requirements met? How were FedRAMP requirements met?

FedRAMP Requirements Not Met:
- What is the rationale for being unable to meet FedRAMP requirements?
- Have you initiated discussions with the cloud system owner to review missing FedRAMP security controls?
- How do you plan on meeting FedRAMP requirements in the future?
- When will your agency's use of this system be compliant with FedRAMP requirements?

Plans for Cloud Inventory Effort
- Identify synergies between agency cloud portfolios
- Connect organizations using the same cloud service provider (CSP) to provide the same or similar cloud service
- Promote special interest groups of agencies using the same cloud service to establish an organized approach for requesting that the CSP implement FedRAMP baseline controls
- Prioritize services to receive a Joint Authorization Board provisional authorization
- Assess FedRAMP applications and documentation received as compared to agency cloud portfolios

FedRAMP Implementation: Planning Phase
Matthew Goodrich, FedRAMP Program Manager, Federal Risk and Authorization Management Program (FedRAMP), Office of Citizen Services and Innovative Technologies

Three Phases of Implementation

Phase                              Description
Planning                           What path will my agency use to establish or implement a cloud service that is FedRAMP compliant?
Assessment                         What is my agency's role in assessing the cloud service?
Customer Controls & Authorization  How does my agency add additional controls and authorize the system?

Planning Phase: Purpose and Key Steps
Purpose: Determine the agency's path for meeting FedRAMP requirements.
Key Steps:
1. Incorporate FedRAMP requirements into contract clauses
2. Identify whether a FedRAMP security assessment package is available to leverage
3. Gain access to the FedRAMP secure repository to review security assessment documentation
4. Determine the FedRAMP implementation path
5. Alert the FedRAMP PMO of the implementation path

FedRAMP Contract Language (Planning Phase)
- FedRAMP is the implementation of FISMA and applicable NIST security standards and guidelines, commonly found in existing procurements
- FedRAMP contract language is available at www.fedramp.gov
- Standard Contract Language: designed for agencies to leverage for use within cloud procurements. Templates help agencies address:
  - the requirement to be FedRAMP compliant
  - FedRAMP privacy requirements
  - FedRAMP security assessment process requirements
  - the authorization of system requirement
  - the FedRAMP ongoing assessment and authorization requirement
- Control Specific Language: agencies should not:
  - govern how the provider's administrative end user accounts are managed or authenticated
  - specify parameters for controls in the FedRAMP baseline, except from the perspective of a consumer's implementation
- Some controls that may need additional clauses: Data Jurisdiction, Audit Retention, Incident Reporting, Personnel Screening, Boundary Protection, Media Transport, Information at Rest, Identification and Authentication

FedRAMP Website (Planning Phase)
- Create: www.fedramp.gov
- Leverage: the website lists CSPs with security assessment documentation available in the FedRAMP secure repository. Listing fields: CSP Name, Service Name, Service Description, ATO Date, FIPS 199 Level, Repository Level, Service Model, 3PAO, Deployment Model

Access Secure Repository (Planning Phase)
1. Identify the package for review based on the website listing
2. Complete the FedRAMP Package Access Request form
   - Supervisor must sign off on the form
   - Must demonstrate a need to view the package
   - FedRAMP will provide notification of acceptance or rejection of the request
3. Receive access to the OMB MAX folder corresponding to the security assessment package for the cloud service
   - Access is granted on a per person, per package basis

Leverage an Authorization (Planning Phase)

- FedRAMP maintains a repository of standardized security assessment packages
- Agencies can leverage them to make their own risk-based decisions to grant an ATO for a cloud solution for their agency
- This repository is key to the "do once, use many times" approach

Repository Level  Review Completed                Assessed by               Authorization
CSP               CSP supplied, not yet reviewed  Accredited 3PAO           Candidate for Authorization
Agency            Agency reviewed                 Optional Accredited 3PAO  Agency ATO
JAB               FedRAMP ISSO & JAB reviewed     Accredited 3PAO           FedRAMP PA & Agency ATO

Speed to enter the repository and level of review trade off across these levels: the CSP level is the fastest to enter, and the JAB level receives the most review.

Package Types: Impact on Agency Responsibilities (Planning Phase)
Agency responsibilities, which the slide maps against the repository level (CSP, Agency or JAB) of the package being leveraged:
- Accept risks and issue authority to operate
- Review documentation for both completeness and accuracy
- Submit annual assessment to the FedRAMP PMO
- Provide continuous monitoring based on FedRAMP requirements

Initial Review of Leveraged Documentation (Planning Phase)
- The Control Tailoring Workbook (CTW) and Control Implementation Summary (CIS) are good documents for assessing the extent to which the cloud solution's security control implementation will meet your agency's needs, and your ability to leverage the corresponding security assessment packages
- The CTW identifies controls that have been adapted by the cloud service provider
- The CIS identifies who is responsible for each security control
- These documents summarize what a customer's responsibility is in securely using a CSP's services, as well as what a CSP does to meet FedRAMP security controls

Existing Agency ATO: Migration Path (Planning Phase)
The agency updates its existing security assessment to meet FedRAMP requirements. An agency must:
- Provide its own resources and bear all costs for the development of the package and ongoing use of the system
- Perform a gap analysis of missing controls against the FedRAMP baseline
- Consider modifying the existing contract to specifically stipulate FedRAMP compliance
- Obtain a commitment and compliance schedule for the CSP to meet FedRAMP control requirements
- Migrate existing security package documents to the required FedRAMP templates

Alert FedRAMP PMO (Planning Phase)
[Flowchart] Check with the FedRAMP PMO (repository) for an existing CSP Security Assessment Package:
- Yes: leverage the existing Security Assessment Package
- No: follow the FedRAMP Security Assessment Process and send the package to FedRAMP
In either case, alert the FedRAMP PMO of the planned compliance path.

Questions and Answers

BREAK

FedRAMP Implementation: Assessment Phase
Matthew Goodrich, FedRAMP Program Manager, Federal Risk and Authorization Management Program (FedRAMP), Office of Citizen Services and Innovative Technologies

Assessment Phase: Purpose and Key Steps
Purpose: Develop or review the security assessment documentation required to make a risk-based decision to authorize the cloud service for use at your agency.
Key Steps:
1) Document security controls
2) Perform security tests
3) Finalize security assessment package

Document Security Controls (Assessment Phase: Document Controls)
1. Understand FedRAMP controls
2. Address and document how the CSP implements each FedRAMP security control:
   - Control responsibility
   - What solution is being used for the control
   - How the solution meets the control requirement

FedRAMP Baseline Security Controls (Assessment Phase: Document Controls)
Controls are based upon the NIST SP 800-53 R3 catalog of controls for low and moderate impact systems, with additional FedRAMP controls selected to address unique elements of cloud computing:

Impact level  NIST Baseline Controls  Additional FedRAMP Controls  Total Controls Agreed to by JAB for FedRAMP
Low           115                     1                            116
Moderate      252                     46                           298

[Figure: unique elements of cloud computing called out on the slide: multi-tenancy, shared resource pooling, control of the service provider's infrastructure, visibility, and establishing trust.]
The FedRAMP Security Controls Baseline is available on FedRAMP.gov.

System Security Plan (SSP) (Assessment Phase: Document Controls)
- Describes the purpose of the system
- Detailed description of control implementation
- Global view of how the system is structured
- Defines roles of the system's users and identifies personnel responsible for system security
- Delineates control responsibility between the customer or vendor

- The SSP is the key document for moving the FedRAMP assessment process forward

Reviewing Security Controls in the SSP (Assessment Phase: Document Controls)
The security control section details all the security controls and control enhancements required for FedRAMP. For each control it records:
- Responsible role: who maintains and implements the control
- Parameter of control: frequency
- Implementation status
- Control origination: the organization responsible for implementing and managing the control (vendor, customer, shared)
- Solution and how it is implemented

SSP Supporting Documentation (1/2) (Assessment Phase: Document Controls)
- Information Security Policies: the CSP's information security policy that governs the system described in the SSP
- User Guide: describes how leveraging agencies use the system
- Rules of Behavior: defines the rules that describe the system user's responsibilities and expected behavior with regard to information and information system usage and access
- Configuration Management Plan: describes how changes to the system are managed and tracked (consistent with NIST SP 800-128)

SSP Supporting Documentation (2/2) (Assessment Phase: Document Controls)
- IT Contingency Plan: details how the recovery of the system occurs in the case of a disruption of service
- Incident Response Plan: explains provider actions in response to a security incident
- Privacy Threshold Analysis: questionnaire used to help determine if a Privacy Impact Assessment is required
- Privacy Impact Assessment: assesses what Personally Identifiable Information (PII) is captured and whether it is being properly safeguarded

Perform Security Tests (Assessment Phase: Perform Security Tests)
1. Assess against the SSP with NIST SP 800-53A test cases
2. Independent Assessor audits the assessment and results
3. Independent Assessor generates the security assessment report

Role of the Independent Assessor (Assessment Phase: Perform Security Tests)
- Develops the Security Assessment Plan (SAP)

- Performs initial and periodic assessments of CSP security controls
- Conducts security testing:
  - Uses Test Case Workbooks
  - Manual tests
  - Automated tests
- Develops the Security Assessment Report (SAR)
- The assessor must be independent:
  - Cannot test and help the CSP prepare documents
  - Cannot test and assist the CSP in implementing controls

Independent Assessor Conformity (Assessment Phase: Perform Security Tests)
Benefits of leveraging an accredited independent assessor (Third Party Assessment Organization, 3PAO):
- Creates consistency in security assessments in accordance with FISMA and NIST standards
- Ensures assessor independence from the CSP in accordance with international standards
- Establishes an approved list of assessors (3PAOs) for CSPs and agencies to choose from to satisfy FedRAMP requirements

Third Party Assessment Organizations (Assessment Phase: Perform Security Tests)
Accredited 3PAOs:
- BrightLine
- COACT, Inc.
- Coalfire Systems
- Department of Transportation (DOT) Enterprise Service Center (ESC)
- Dynamics Research Corporation (DRC)
- Earthling Security, Inc.
- Electrosoft Services, Inc.
- Homeland Security Consultants
- J.D. Biggs and Associates, Inc.
- Knowledge Consulting Group, Inc.
- Logyx LLC
- Lunarline, Inc.
- Secure Info
- SRA International, Inc.
- Veris Group, LLC

Security Assessment Plan (SAP) (Assessment Phase: Perform Security Tests)
The Independent Assessor develops the SAP, which:
- Defines the scope of the assessment: hardware, software, databases, applications, facilities
- Sets the testing schedule
- Sets the Rules of Engagement (ROE): components included in and excluded from the assessment; rules for transmission of results; the ROE is signed by the CSP and the Independent Assessor

Security Assessment Report (SAR) (Assessment Phase: Perform Security Tests)
The Independent Assessor develops the SAR, which:
- Documents findings
- Analyzes test results
- Highlights ways for CSPs to mitigate security weaknesses
- Is the primary document for making risk-based decisions

Finalize Security Assessment (Assessment Phase: Finalize Assessment)
1. CSP develops a plan of action and milestones (POA&M)
2. CSP declares conformity with FedRAMP requirements and submits the security assessment package

Plan of Action and Milestones (Assessment Phase: Finalize Assessment)
- A detailed plan with a schedule of how the CSP plans to address and fix any vulnerabilities found during testing
- All SAR findings must map to a POA&M item
- False positives are marked in the SAR but not identified in the POA&M, as no remediation is needed to correct false positives
- CSPs applying for a Provisional ATO must remediate high severity findings before the Provisional ATO is granted, and remediate moderate findings within 90 days

Declaration of Conformity (Assessment Phase: Finalize Assessment)
- The CSP attests and verifies that the system conforms to FedRAMP requirements
- Certifies that all controls are working properly
- Both the JAB and leveraging agencies use the Self-Attestation Declaration of Conformity when considering issuing an ATO

Complete Assessment Package (Assessment Phase: Finalize Assessment)
A complete security authorization package includes the deliverables in section 10 of the FedRAMP CONOPS.
Mandatory Templates:
- System Security Plan
- Security Assessment Plan
- Security Assessment Report
Other Templates located on fedramp.gov:
- Control Tailoring Workbook
- Control Implementation Summary
- IT Contingency Plan
- Plan of Action & Milestones
- Supplier's Declaration of Conformity

FedRAMP Implementation: Customer Controls and Authorization Phase
Maria Roat, FedRAMP Director, Federal Risk and Authorization Management Program (FedRAMP), Office of Citizen Services and Innovative Technologies

Customer Controls & Authorization Phase: Purpose and Key Steps
Purpose: Review security assessment documentation and grant authority to operate.
Key Steps:
1. Review the FedRAMP security authorization package
2. Implement customer controls
3. Grant authorization
4. Alert the FedRAMP PMO of the authorization granted and provide feedback regarding additional controls used

Customer Review of Authorization Package

(Customer Controls & Authorization Phase)
Security Authorization Package review:
- Complete, consistent, and compliant with FedRAMP policy
- Hardware or software inventory included
- Content addresses the who, what, when, and how
- Delivery of supporting documentation and information adequately referenced
- Non-applicable controls not presented as implemented
- Risk review of the Security Assessment Report and the current Plan of Action and Milestones

Agency Controls (Customer Controls & Authorization Phase)
- Include controls added on to the FedRAMP baseline
- Include controls for applications & middleware
- Include controls with agency shared responsibility
Shared Responsibility examples:
- Both the CSP and the agency use two-factor authentication for authenticating to privileged and non-privileged accounts
- Both the CSP and the agency must ensure users take security awareness training

Authorize System (Customer Controls & Authorization Phase)
- Agencies make their own risk-based determination for granting Authority to Operate
- A complete Authorization Package together with implemented Agency Responsibilities leads to the Agency Authority to Operate
- Submit the final security assessment package to the FedRAMP PMO if it is not already in the secure repository
- Notify the FedRAMP PMO if the Agency ATO is withdrawn

FedRAMP Ongoing Assessment & Authorization
Maria Roat, FedRAMP Director, Federal Risk and Authorization Management Program (FedRAMP), Office of Citizen Services and Innovative Technologies

Ongoing Assessment and Authorization
Purpose: Determine whether deployed security controls remain effective in light of planned and unplanned changes that occur in the system and its environment over time.
Key Steps:
1. Review of control implementation
2. Review changes to the system
3. Monitor incidents and new vulnerabilities

Overview: Ongoing Assessment and Authorization (Continuous Monitoring)

Area                      Cloud Service Provider (CSP)    Govt. Agency
1 Operational Visibility  Annual Self-Attestation         Review control reporting provided by CSP
2 Change Control          Change Reports / POA&M Updates  Obtains change reports / POA&M updates; ensures POA&M / system changes meet ATO requirements
3 Incident Response       Notifications                   Responds to incidents & coordinates with US-CERT

Operational Visibility (Ongoing Assessment & Authorization)

CSPs:
- The CSP submits artifacts to the FedRAMP ISSO as defined by the FedRAMP Continuous Monitoring Strategy and Guide
- Artifacts include POA&Ms, scans, and the Annual Self Attestation
- CSP submission schedule:

  Frequency      Number of Deliverables
  Monthly        1
  Quarterly      2
  Semi-Annually  1
  Annually       10
  Every 3 Years  1

FedRAMP:
- The ISSOs monitor POA&Ms and reporting artifacts (vulnerability scan reports)
- Artifacts are stored in the Secure Repository
- ISSOs provide the JAB and leveraging agencies with updated information on the system so that risk-based decisions can be made about ongoing authorization

Agency:
- Review artifacts in the Secure Repository to ensure that the risk posture of the CSP falls within agency tolerance
- Monitor security controls that are agency responsibilities

Change Control (Ongoing Assessment & Authorization)

CSPs:
- CSPs must notify FedRAMP of any planned significant changes to the system before implementing the change
- CSPs must submit an updated SAR 30 days after implementation

FedRAMP:
- Changes are reviewed by FedRAMP ISSOs and approved by the JAB
- FedRAMP will notify leveraging agencies if a significant change is planned and when it occurs, and if it affects the security posture or adds unacceptable levels of risk

Agency:
- Upon notification of a significant change, agencies should inform FedRAMP if they believe the planned changes will adversely affect the security of their information
- Agencies should review the change following the implementation of an approved change

Incident Response (Ongoing Assessment & Authorization)
There are multiple incident response notification scenarios, based on who is the first responder to the incident (refer to the FedRAMP Incident Communication Plan).
Agency responsibilities for incident response:
- Provide a primary and secondary POC to CSPs and US-CERT
- Notify US-CERT when a CSP reports an incident
- Work with CSPs to resolve incidents by providing coordination with US-CERT
- Notify CSPs if the agency becomes aware of an incident that a CSP has not yet reported
- Notify the FedRAMP ISSO of CSP incident activity
- Monitor security controls that are agency responsibilities

Agency Responsibilities: JAB vs. Other Paths (Ongoing Assessment & Authorization)

Review Level  Description                                    Authorization                Responsibility for Continuous Monitoring
CSP           CSP supplied, not yet reviewed                 Candidate for Authorization  None
Agency        Reviewed by agency (accredited 3PAO optional)  Agency ATO                   Agency
JAB           Reviewed by FedRAMP ISSO & JAB                 FedRAMP PA & Agency ATO      FedRAMP

Wrap-Up

Cloud System Compliant with FedRAMP
- The system security package has been created using the required FedRAMP templates
- The system meets the FedRAMP security control requirements
- The system has been assessed by an independent assessor
- A Provisional Authorization and/or an Agency ATO has been granted for the system
- An authorization letter for the system is on file with the FedRAMP PMO

Common Agency Questions

Q: Do I need to have the JAB grant a Provisional Authorization to be FedRAMP compliant?
A: No, an agency can grant an ATO using the FedRAMP controls and templates.

Q: If an agency wishes to grant its own ATO using the FedRAMP process, must the CSP use an accredited 3PAO?
A: No, but the JAB will only grant Provisional Authorizations if an accredited 3PAO performs the assessment.

Q: If an agency is starting an acquisition, what must be included in the solicitation?
A: Sample contract clauses are located on FedRAMP.gov.

Q: If an agency leverages a FedRAMP authorization, must the agency still grant an ATO?
A: Yes, the agency must implement the consumer controls and grant an ATO for the entire information system.

Q: Does an agency need to report the FedRAMP system in its FISMA reporting?
A: The agency needs to include its information system in the FISMA inventory.

Questions and Answers

For more information, please contact us or visit the following website: www.FedRAMP.gov
Email: [email protected]
Twitter: @FederalCloud
