1. FedRAMP Certification & FedRAMP Marketplace
WEBINAR
YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST
Download FedRAMP Compliance Checklist
FedRAMP Certification Blog
2. AGENDA
1. ControlCase Introduction
2. What Is FedRAMP?
3. What Is FedRAMP Marketplace?
4. Who Does FedRAMP Apply To?
5. How Hard Is It To Get FedRAMP Certified?
6. How Long Does The FedRAMP Process Take?
7. How To Get FedRAMP Certified?
8. ControlCase Methodology For FedRAMP Compliance
9. Why ControlCase
© 2020 ControlCase. All Rights Reserved. 2
4. ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically cut the time, cost and burden of becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently and cost-effectively (cost certainty)
• Improve efficiencies
  ⁃ Do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner
1,000+ CLIENTS
10,000+ IT SECURITY CERTIFICATIONS
300+ SECURITY EXPERTS
5. Solution
Certification and Continuous Compliance Services
“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
6. Certification Services
One Audit™
Assess Once. Comply to Many.
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant
• PCI DSS
• ISO 27001 & 27002
• SOC 1, 2, 3 & SOC for Cybersecurity
• HITRUST CSF
• HIPAA
• PCI P2PE
• GDPR
• NIST CSF
• Risk Assessment
• PCI PIN
• PCI PA-DSS
• FedRAMP
• PCI 3DS
8. What is FedRAMP?
FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM (FedRAMP)
FedRAMP prescribes the security requirements and processes cloud service providers must follow in order for the government to use their services.
• Established in 2012 by the Office of Management and Budget (OMB). FedRAMP empowers government agencies to use modern cloud technologies, with emphasis on security and protection of federal information, and helps accelerate the adoption of secure cloud solutions.
• Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• Uses the NIST SP 800-53 standard as its security baseline.
• Similar to FISMA, but for cloud security.
9. FedRAMP Entities
PROGRAM MANAGEMENT OFFICE (PMO)
• Resides within GSA and supports agencies and cloud service providers through the FedRAMP authorization process.
• Maintains a secure repository of FedRAMP authorizations to enable reuse of security packages.
JOINT AUTHORIZATION BOARD (JAB)
• Primary governance and decision-making body for FedRAMP.
• Members include the chief information officers (CIOs) from the Department of Defense, Department of Homeland Security, and General Services Administration.
10. FedRAMP Stakeholders
FEDERAL AGENCIES
• Contract with Cloud Service Provider
• Leverage ATO or use FedRAMP process when authorizing
• Implement consumer controls
FedRAMP PMO & JAB
• Establish processes and standards for security authorizations
• Maintain secure repository of available security packages
• Provisionally authorize systems that have greatest ability to be leveraged government-wide
CLOUD SERVICE PROVIDER
• Implement and document security
• Use independent Assessor
• Monitor security
• Provide artifacts
3PAOs (Third Party Assessment Organizations)
• Cloud auditor, maintains independence from CSP
• Performs initial and periodic assessment of FedRAMP controls
• Does NOT assist in creation of control documentation
11. FedRAMP & NIST 800-53
FedRAMP USES NIST 800-53 CONTROLS
• A standard published by the National Institute of Standards and Technology (NIST), which creates and promotes the standards used by federal agencies to implement the Federal Information Security Management Act (FISMA) and manage other programs designed to protect information and promote information security.
• Used as the information security standard for both FISMA and FedRAMP.
13. FedRAMP Marketplace
• Database of Cloud Service Offerings (CSOs)
• Database of FedRAMP Accredited auditors
• Maintained by the FedRAMP Program Management Office (PMO)
15. Who does FedRAMP apply to?
Any cloud services that hold federal data must be FedRAMP Authorized.
17. How Is FedRAMP Certified?
There are two types of FedRAMP authorizations: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and an Agency Authority to Operate (ATO).
AGENCY AUTHORITY TO OPERATE (ATO)
• Issued by the agency only.
• Agencies have varying levels of risk acceptance.
• Agency monitors the CSP’s continuous monitoring activities.
• Typically use a 3PAO, like ControlCase, to perform independent testing.
PROVISIONAL AUTHORITY TO OPERATE (P-ATO)
• Issued by the Joint Authorization Board.
• Prioritizes authorizing cloud services that will be widely used across government.
• CIOs of DoD, DHS and GSA must agree that the CSP meets all controls and presents an acceptable risk posture for use across the federal government.
• Conveys a baseline level of likely acceptability for government-wide use.
• CSPs must use an accredited Third-Party Assessor Organization (3PAO).
• FedRAMP PMO manages continuous monitoring activities.
18. FedRAMP is based on the NIST 800-53
Control Domains Include:
• Anti-Malware
• Configuration Management
• Incident Response
• Policies & Procedures
• Third-Party Management
• Application Security
• Data Encryption at Rest
• Logging & Monitoring
• Privacy
• Business Continuity Plan
• Governance & Compliance
• Logical Access
• Risk Assessment
• Change Management
• HR
• Physical Security
• Security Testing
20. FedRAMP Timeline
1. DOCUMENT: SSP (NIST RMF 1, 2, 3)
2. ASSESS: SAP / Testing (NIST RMF 4)
3. AUTHORIZE: SAR / POA&M (NIST RMF 5)
4. MONITOR: CON MON Reports (NIST RMF 6)
JAB P-ATO: 6+ MONTHS
AGENCY ATOs: 3+ MONTHS
22. FedRAMP & NIST 800-53
NIST RMF
1. CATEGORIZE THE INFORMATION SYSTEM: Low, Moderate, High Impact
2. SELECT THE CONTROLS: FedRAMP Low, Moderate, High Baseline
3. IMPLEMENT SECURITY CONTROLS: Describe in SSP
4. ASSESS THE SECURITY CONTROLS: Use of an Independent Assessor (3PAO)
5. AUTHORIZE INFORMATION SYSTEM: Provisional ATO / Agency ATO
6. MONITOR SECURITY CONTROLS: Continuous Monitoring
23. FedRAMP JAB P-ATO Process (Certification)
PHASE 1: READINESS ASSESSMENT & FedRAMP CONNECT (CSP DEPENDENT)
• Readiness Assessment Report
• FedRAMP Connect Business Case
Outcome: FedRAMP Ready & Prioritized for JAB ATO*
PHASE 2: FULL SECURITY ASSESSMENT (4+ MONTHS)
• Security Authorization Package: SSP, SAP, SAR, POA&M
PHASE 3: AUTHORIZATION PROCESS
• Kick-Off (˜ 1 week)
• Review (˜ 3 weeks)
• Remediation (˜ 3 weeks)
• Final Review (˜ 4 weeks)
PHASE 4: CON MON
• Continuous Monitoring
* A CSP must be prioritized by the JAB before entering the JAB P-ATO process. The CSP can obtain FedRAMP Ready status either before or after the JAB’s prioritization.
24. FedRAMP Agency ATO Process (Certification)
PHASE 1: PARTNERSHIP ESTABLISHMENT
• Authorization Planning
• In Process Designation
Milestone: Kick-Off
PHASE 2: FULL SECURITY ASSESSMENT
• SSP Development
• Agency Review of SSP
• SAP Development
• Agency Review of SAP
• Assessment
• SAR / POA&M Development
• Agency Review of POA&M
Milestone: SAR Debrief
PHASE 3: AUTHORIZATION PROCESS
• Remediation
• Agency Final Review
Milestone: Agency ATO
• FedRAMP PMO Review
• Remediation (If Needed)
Milestone: FedRAMP Authorization
PHASE 4: CON MON
• Continuous Monitoring
• Monthly Continuous Monitoring Deliverables
* SAP & SAR are completed by the 3PAO.
25. FedRAMP Continuous Monitoring
ATO AUTHORIZATION PACKAGE / CSP OPERATIONAL VISIBILITY
ONGOING
• Periodic assessment of controls
• Updated documentation
• Ongoing authorization decision
ANNUAL
• Annual Assessment – Partial control set (SAP/SAR/POA&M/Updated docs)
MONTHLY
• Vulnerability Scans (OS/WEB/DB)
• POA&M
• Deviation Requests (OR/FP/RA)
27. ControlCase Methodology for FedRAMP Certification
As a 3PAO, ControlCase will independently verify and validate the control implementation and test results for your organization using a four-phase approach. Each phase has a specific set of tasks and deliverables to guide you through the FedRAMP Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) process.
PHASE 1: READINESS ASSESSMENT (SSP / RAR)
PHASE 2: FULL SECURITY ASSESSMENT (SAP / SAR / Testing)
PHASE 3: AUTHORIZATION PROCESS (SSP / SAP / SAR / POA&M)
PHASE 4: CONTINUOUS MONITORING (SAP / SAR)
JAB P-ATO: 6+ MONTHS
28. Deliverables
• SAP - Security Assessment Plan
• SAR - Security Assessment Report
• SSP - System Security Plan
• RMF - Risk Management Framework
DOCUMENT: SSP (NIST RMF 1, 2, 3)
ASSESS: SAP & Testing (NIST RMF 4)
AUTHORIZE: SAR (NIST RMF 5)
MONITOR: Continuous Monitoring (NIST RMF 6)
30. One Audit™
Assess Once. Comply to Many.
• PCI DSS
• ISO 27001 & 27002
• SOC 1, 2, 3 & SOC for Cybersecurity
• FedRAMP
• HIPAA
• PCI P2PE
• GDPR
• NIST CSF
• PCI PIN
• PCI PA-DSS
• CSA STAR
• Microsoft SSPA
31. Areas of Focus for Continuous Compliance Management
CONTROLCASE SOLUTION
CONTINUOUS
An effective compliance program for cyber security must provide a stream of continuous, accurate information about posture.
INTEGRATED
The best compliance programs are integrated into the systems being measured, versus built as after-the-fact overlays.
AUTOMATED
Continuous compliance requires an automated platform that collects and processes data in as close to real-time as can be achieved.
32. Summary – Why ControlCase
“They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provides a lot of value to us.”
— Dir. of Compliance, SaaS company
33. THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
(US) +1 703.483.6383 (INDIA) +91.22.62210800
contact@controlcase.com