Event ID: 2068327 Event Started: 1/8/2013 8:30:00 PM

>> Good afternoon, everyone. We will be starting shortly.

>> Good afternoon, everyone. This is Katie Lewin. I'm starting the webinar on the Federal Risk and Authorization Management Program: security testing and completing the package. Welcome, everyone. Thank you for taking the time to join us on the webinar. We will have two speakers today: myself, Katie Lewin, who is the Director of the federal computing program at GSA, and Matt Goodrich, who is the program manager for FedRAMP. This webinar is the fourth in a series of webinars that we've been conducting. We will be covering today the completion of the FedRAMP process, from security testing and documenting results to submitting a completed package to the FedRAMP secure repository. Specifically, the topics we're going to cover include the importance of the conformity assessment process in terms of picking an accredited independent assessor; the role of the third-party assessment organization, which we are also calling the independent assessor organization, in completing the security assessment and testing; planning for testing and documenting the results; how to remediate vulnerabilities found during testing; how to finalize your security authorization package for submission to the secure repository; and an overview of the lifecycle for that package. Those are the topics we are going to be talking about. If you have questions, please submit them as they arise using the chat function. We will be looking at the questions and answering them during the webinar; we will respond to as many questions as possible, and those that we don't get to we will post on the frequently asked questions section of FedRAMP.gov.
>> Today's webinar: I will quickly review the list of topics, but I wanted to remind you what we're talking about. FedRAMP, which was launched in June of 2012, is a governmentwide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. I'm happy to say that since our last webinar we have granted our first [Indiscernible], and the documentation for that ATO is available in our secure repository.

>> Just as a review, we have had, as I said, three additional webinars. If you missed any of them, or if you want repeated topics, they are available on FedRAMP.gov under the news section, [Indiscernible] materials from past events. The slides are -- I believe the recording of the webinar is also available there.

>> Let's talk about where we are. I want to orient you to the two major topics we're going to be talking about: FedRAMP testing and submitting the packages to the FedRAMP secure repository, which in this diagram is Step 1.3. This step requires that the service provider select an independent assessor to perform the assessment of their security environment. The independent assessor is responsible for developing the security assessment plan, performing the testing, and documenting results in the security assessment report. Templates for these documents can be found on FedRAMP.gov. Vulnerabilities found in the assessment and a plan to fix these vulnerabilities are documented in the plan of action and milestones [Indiscernible]; again, templates are available at FedRAMP.gov.

>> The other topic that we are going to be talking about, in terms of FedRAMP and finalizing your [Indiscernible] service provider's documentation in the secure repository, is the finalization of the security assessment. That step occurs after testing has been completed.
Documents are updated to reflect testing results, and security package documents are consolidated into a single package for submission to the secure repository. I believe Matt is going to talk about what that really looks like and how to do it. Most packages in the repository have either an Agency-granted ATO or a FedRAMP provisional authorization, so most documents in the secure repository have either of those ATOs, though it is also an option for cloud service providers to submit a package directly to the repository. FedRAMP will support the CSP in doing this with access to the secure repository and a secure access-controlled [Indiscernible] of the website for CSPs to post their assessment packages. In addition, the FedRAMP project management office maintains a list of packages available in the secure repository and ensures that these packages remain secure and access to them is controlled.

>> Access to actual security assessment packages is limited to federal agencies that request permission from the FedRAMP PMO, and we posted, or will be posting very soon, a request form that agencies can complete to request access to specific CSP documentation and ATO documentation, so they can review and determine whether or not they want to leverage the ATOs that reside in the FedRAMP secure repository. CSPs with packages in the repository are required to implement a continuous monitoring program and submit periodic updates. If you look at the documentation for FedRAMP you will be referred to the way continuous monitoring is operating right now, and you need to be on the alert because DHS is also starting to develop additional requirements and tools to meet those requirements, and they will be issuing updates to their continuous monitoring requirements as they proceed.

>> Let's talk about [Indiscernible] -- nothing confusing -- and the authorization level in the secure repository.
CSPs [Indiscernible] should use an independent assessor based on the category of the package, as illustrated in this chart. Packages submitted by a CSP without an ATO -- they come directly from the CSP and do not have an ATO -- and packages submitted to the FedRAMP project management office for review by the authorization board and granting of a provisional authorization: those two package types require an accredited independent assessor. Lists of accredited independent assessors are available at FedRAMP.gov. Part of my presentation will be talking about what an accredited independent assessor -- what that means and how they get an accreditation. Agencies have flexibility in using an accredited independent assessor. Use of an accredited independent assessor allows agencies to submit their ATO documentation to the repository. So there's no additional documentation required: once the Agency grants the ATO, the package of documentation is submitted to the repository, and we will accept it and put it in a secure place on the repository. We encourage agencies to use accredited independent assessors. However, there is also the option for agencies to use an independent assessor that's not accredited under the FedRAMP program. If an Agency does do this and they want to submit the documentation to the secure repository, they must submit an attestation describing the independence and technical qualifications of the non-accredited assessor. This is an additional step if you as an Agency grant an ATO and do not use an accredited independent assessor but would like to have your documentation on the FedRAMP secure repository.

>> What do independent assessors do? Quickly, we are trying to standardize the term on independent assessors, as we've called them 3PAOs, but the independent assessor really is responsible for the assessment by developing the assessment plan based on FedRAMP test cases and the types of servers, applications and databases that make up the system.
They must ensure that the test plan and results present an unbiased and accurate picture of the security implementation within the system, and they have to demonstrate independence, and that they are not developing the system or preparing security documentation for the same system they are assessing; I think that's the point of this slide we have posted right now. Independence, and the demonstration thereof, is the most important, or one of the most important, factors in the integrity of the FedRAMP process. So, independent assessors: the reason we are changing the term is because we want to make sure that CSPs and agencies understand that the assessment is to be independent and is not based on additional business or projects that they have concerning the particular system that they are assessing. A CSP is free to hire another organization that calls itself an independent assessor to prepare security documentation, but they cannot be the same one, the same organization that is performing the assessment. Something to keep in mind is that if the CSP wants to hire an outside consultant to assist in the preparation of the documentation, the outside consultant does not have to be an accredited independent assessor, and that may give a little more flexibility in terms of the organization that a CSP might want to use to help them prepare for the assessment under FedRAMP.

>> The third-party assessment organizations are accredited under something called conformity assessment. The overriding reason for the requirement of using an independent assessor is, as I said before, to ensure that the CSP meets the FedRAMP security requirements and that the assurance is issued or documented by an independent organization. So how are these independent assessors accredited? We talked about this several times when we were just rolling FedRAMP out, but it probably bears repeating that we use a process called conformity assessment that was developed by NIST.
NIST uses this conformity assessment process across a vast range of products and services, everything from literally posters to medical records under [Indiscernible]. It is a very flexible process; it's customizable, but it is based on standards and processes that have been proven. The conformity assessment process evaluates the technical and managerial competence of the independent assessor organization and ensures that they understand and can implement the requirement for independence. So that's one of the most important factors. Independent assessors must all be accredited organizations.

>> This is a list of the accredited third-party assessment organizations; you can find the list on FedRAMP.gov under the accredited 3PAO link. This is a rolling admission process, so there is no closing date by which an organization can apply to become an accredited independent assessor. We started out with nine and we are now up to [Indiscernible]; we will be adding more organizations as they pass the conformity assessment process.

>> What's the relationship between the 3PAO and the cloud service provider? The relationship is primarily two-party, so the FedRAMP project management office really does not have a role in that relationship. The CSPs for the most part hire [Indiscernible - Audio cutting out]; we do not make recommendations among the list of accredited independent assessors. We feel that the list of accredited independent assessors is recommendation enough, and CSPs can pick from that list an organization that will best suit their needs. One suggestion that we have is that the CSP might want to interview multiple [Indiscernible - Audio cutting out] work that an independent assessor organization can respond to either verbally or in writing about how they would approach the assessment task. Another couple of pointers in terms of how to pick an independent assessment organization:
You probably, as a CSP, want to ask the assessment organization about their experience, obviously the resources they are going to bring to [Indiscernible - Audio cutting out] that would meet the environment that you need assessed, maybe an estimate of the time required, and obviously an understanding of what the requirements are. I think that it is fairly easy to do that because the requirements are well laid out on the FedRAMP.gov website. Once the CSP chooses their independent assessor they must formally notify the FedRAMP program [Indiscernible - Audio cutting out] your independent assessor [Indiscernible - Audio cutting out] to notify our office, and we will then say yes, proceed. CSPs submitting packages at other review levels do not need permission to test for FedRAMP; in other words, if you're going for an Agency ATO you don't have to get permission from the FedRAMP office to proceed with testing. I'm going to turn it over to Matt, and he's going to talk about [Indiscernible - Audio cutting out]

>> -- and how to choose the assessor to do that. Let's put it into action. How to begin the testing phase to demonstrate your compliance with the FedRAMP security controls. The 3PAO you select will develop the security assessment plan, which we refer to as the SAP. It defines the scope of the assessment and identifies the components that will be included in the assessment: hardware, software, databases, applications and physical facilities. It also describes the testing methodology and provides the test cases used for the assessment. The SAP contains a schedule outlining the timeline and identifying rules of engagement for the test. Rules of engagement describe notification and disclosure between the CSP and 3PAO, include a listing of components to be included in and excluded from testing, and provide instructions on how the results of the assessment are to be encrypted and transmitted to the CSP. -- signify agreement on the terms.
>> Even though the 3PAO manages and completes the testing, the CSP should prepare ahead of time to ensure the testing goes as smoothly as possible. This means CSPs have a little bit of work to do. The CSP should give the 3PAO distinct points of contact, actual people, not a general office number or support number. The CSP should provide at least three contacts, and at least one of those contacts should be at an operations center, such as a [Indiscernible], that is staffed 24/7. The schedule for performing scans or penetration testing shouldn't be a surprise to the CSP. The 3PAO and CSP should discuss the testing schedule so the CSP can ensure the 3PAO will have appropriate access to the CSP environment and personnel as needed to complete testing. As a part of this, the 3PAO should provide the CSP with a list of the IP addresses where scans will originate from, so the testing [Indiscernible] as a malicious attack. Additionally, the 3PAO will need access to facilities to assess physical and environmental controls. The CSP should provide a list of the facilities along with their addresses to the 3PAO. The CSP should also ensure the staff [Indiscernible] know when to expect the 3PAO to be on-site to perform testing. This means that if there's any information needed to grant a 3PAO access to the facilities, the CSP should inform the 3PAO of these requirements ahead of time. Finally, the CSP and 3PAO need to review and sign off on the rules of engagement. These rules govern how the test is to be conducted, and by completing them before beginning the testing both parties prevent any interruption of the CSP service. The rules of engagement are negotiable and should be reviewed by the General Counsel of both the 3PAO and the CSP.

>> After the 3PAO has followed the SAP and tested the system, the 3PAO must develop a security assessment report, referred to as the SAR. The SAR documents the test findings, and for these findings the 3PAO will provide analysis of the test results to determine the risk exposure of the system.
The SAR also highlights ways for the CSP to mitigate the security weaknesses found during testing. Since the SAR is the report on the overall risk of the CSP system, this document serves as the primary document that the JAB -- will review to make the decision on granting an authorization. While the 3PAO has the sole responsibility for writing the SAR, we do recommend that the CSP and 3PAO schedule time to review the initial draft to ensure its accuracy before the SAR is finalized.

>> After finalizing the SAR, the CSP uses the vulnerabilities and recommendations in the SAR to create a plan of action and milestones, otherwise referred to as the POA&M. The POA&M provides a detailed plan with the schedule of how the CSP plans to address and fix vulnerabilities found during the testing phase.

>> The POA&M template contains an embedded Excel spreadsheet that the CSP should use to track and manage the POA&M items. In the spreadsheet the CSP will have unique IDs for each POA&M item, a description of what the weakness is that was found during testing, and details about when and how the POA&M item will be closed. The POA&M will be updated on a continual basis during the course of the security authorization, at a minimum once every quarter, but it may be updated anytime to reflect the addition of new vulnerabilities or the closing of a POA&M item. Subsequent workbooks in the POA&M are used to track open and new items during POA&M updates.

>> A few things to remember when developing your POA&M: number one, all findings must map to a POA&M item. This is accomplished by giving each POA&M item a unique identifier which pairs with the respective SAR finding. False positives should be clearly marked in the SAR but do not need to be identified in the POA&M, as there is no remediation needed for a false positive. The -- CSPs must remediate all high severity risks before the -- CSPs might also remediate within 90 days after receiving a provisional authorization.
>> After finalizing the SAR and POA&M it is time to compile and submit your package. The final package will include the control tailoring workbook, which identifies controls that have been adapted by the CSP, and the control implementation summary, [Indiscernible] who is responsible for a security control. These two documents are helpful for agencies leveraging the authorization because they detail in a summary fashion what the customer's responsibility is as a user of the CSP service, as well as what the CSP does toward meeting the security controls. The next document is the system security plan; this is the key document for the security authorization. It describes the system and the security controls used to protect the system. Also, supporting documents that may include things like the contingency plan, which details how the system recovers in case of a disruption of service; the configuration management plan, which identifies how the CSP makes changes to their operating environment; and the incident response plan, which explains their actions and response to security incidents. The focus of this webinar is on the final documents needed to complete the package: -- describing the assessment methodology followed by the 3PAO to test the controls; the security assessment report -- the evidence and analysis and report on implementation of the controls; and the POA&M, the planned actions by the provider to change or remediate security controls based on the independent assessment. The last and final document is a self attestation or declaration of conformity, which states the package represents a true and accurate depiction of the system.

>> Before submitting documentation, the CSP should review the documents, with special focus on the system security plan, and ensure they are up to date and reflect any changes made in either remediating vulnerabilities or in response to findings. Updates to all documents should include adding sensitivity markings on the cover page and in the footer of each document.
You may change the existing sensitivity marking on a template to match your official company sensitivity nomenclature if it is different than what's on the template. Sensitivity markings may also be placed in the headers of any document and any other place in the document that you feel requires sensitivity labeling. Depending on the assessment level of your package, the PMO or FedRAMP ISSO will work with the CSP and provide instructions on access and uploading the package to the FedRAMP secure repository. CSPs should be aware that federal agencies interested in acquiring their services will be able to request access to the secure repository to review the CSP package.

>> Once a CSP has finalized its documents and double checked them for accuracy, the last step is for the CSP to include a self attestation, the declaration of conformity letter. This letter attests and verifies that the system conforms to the FedRAMP requirements based on the assessment results, and also certifies that all of the required controls are working. FedRAMP provides the declaration of conformity letter template on pages 6 and 7 of the self attestation template on FedRAMP.gov. CSPs should fill in the company name and address, fill in the system name, and then have an authorized company official sign and date it. The declaration of conformity is a document in which the CSP undersigns that all information submitted to FedRAMP is complete and accurate.

>> How does an Agency use the security authorization packages? Agencies interested in leveraging a package will be able to search the repository for services that meet their requirements. Only federal agencies will be able to request access to security packages in the repository. Vendors' access to the secure repository is limited to the area for storing their own respective documentation.

>> To access a package listed in the repository, the user at the Agency must complete a FedRAMP package access request form and have their [Indiscernible] submit the form to the FedRAMP PMO.
After FedRAMP receives the form, the PMO will perform a review and provide notification of accepting or rejecting the request.

>> To leverage the package, agencies must implement customer responsibility controls and grant their own Agency ATO. CSPs with packages in the secure repository are required to maintain a continuous monitoring program, which provides -- control implementation, -- resolution and annual retesting. Details about continuous monitoring are available on FedRAMP.gov in the FedRAMP continuous monitoring strategy and guide.

>> In summary, the perform testing step of the FedRAMP process introduces the independent assessor to FedRAMP. CSPs must use an independent assessor to plan the test and develop the SAP, perform the assessment, and document the findings of that assessment in the SAR. This is required for FedRAMP -- security control baseline. CSPs must use an independent assessor to provide an independent assessment of the CSP system. Agencies have flexibility in selecting their independent assessor -- use of the FedRAMP accredited 3PAO -- accreditation program ensures -- independent [Indiscernible - Audio cutting out]

>> Or entity -- often a 30 on assigning severity to findings in the JAB -- signed by independent [Indiscernible - Audio cutting out] -- fender -- [Indiscernible - Audio cutting out] coming to a mutually agreeable decision on whether the finding is something that the 3PAO can justify and the JAB finds acceptable as well.

>> What is the formal paper-based responsibility of the Agency leveraging a CSP package? Does the Agency need to go through each CSP SSP for all the customer controls, or is there an Agency-oriented ATO form? We do not have an Agency-oriented ATO form. It is up to each Agency how they want to leverage the documentation and provide for their own implementation of security controls; that is the responsibility of the Agency.

>> How many CSPs have started the FedRAMP process?
We have in excess of 80 applications from CSPs; however, one of the [Indiscernible] how many this really translates into in readiness, so every one of those applicants has been contacted and we've done a readiness assessment with them to see how ready they are to provide the documentation that's necessary to get an ATO.

>> A question that closely relates to this: what kind of range of time frame should be expected to go through the process, and what are the key drivers? The best way to say it is that the fastest review time the government can do, for the PMO and JAB to finalize documents, is roughly 10 weeks, about eight to 10 weeks, and that's if we have all of the documentation. The key driver is really the level of detail and readiness of the CSP when they come in and submit documents. Testing normally takes four to five days; that's usually the average amount of time to do that and finalize documents, and that's even after you've created your SSP, so if your SSP is not in perfect shape when it comes to us you will be working with the FedRAMP team to update those documents. A reasonable time frame, the fastest we have likely seen, is in the six month time frame at this point in time. That can go longer depending on where a CSP is in actual readiness when they come to FedRAMP.

>> We have three questions about the requirement to use an accredited independent third-party assessor, and I will go over that again because it is somewhat confusing. If you're submitting a package for a JAB -- joint authorization board -- ATO you must use an accredited independent assessor. If you are a CSP who does not have a client at this time but wants to get your documentation into the secure repository, you must use an accredited third-party assessor. Flexibility comes in if you are getting your ATO through an Agency.
If the Agency wants -- does not want to use an accredited third-party assessor, there still has to be an assessment and it has to be independent. That's not new; that's not a new requirement, it has always been that way. However, agencies can choose not to use an accredited independent assessor, and if they do, and they want to send the documentation to the secure repository, then the Agency must attest as to the qualifications and the independence of that third-party assessor. We recommend that that be the least traveled path. It is probably easier for everyone to use an accredited third-party assessor. However, there is that option.

>> How long does it take for a 3PAO to get approved once their application is submitted? Right now we are seeing an average turnaround time frame for first review of an application of around two months.

>> That's also on a rolling basis, so some of those take less time as they update their application or need clarifications.

>> Can [Indiscernible] inquire as to which agencies have been granted access to their package in the repository?

>> We would basically help supervise that -- back to the CSP. It will likely be something in a regular relay of information in terms of how many people have reviewed the documents, but it is unlikely that CSPs will get direct contact information for every person reviewing the documents.

>> For the six-month time frame, I imagine that was from when the CSP turned in their SSP to when the [Indiscernible] was granted? Yes. It's not from the time the test results were completed, so that would be prohibitively long. Actually, despite the whole process being approximately six months, again, readiness is the key to the speed and accuracy under which this process is conducted, so the more ready a CSP is with the required level and detail of documentation, the quicker this process will go.

>> Right, to add something else, this can be part of the question: [Indiscernible] from when test results are compared to?
The fastest part is what we just went over today: once the SAR is finalized, all of the documentation should be finalized, and at that point we are really doing just a risk review, not getting your documentation finalized. Part of that is, once testing is complete, there is a [Indiscernible] period to make sure you have everything documented correctly, so that when you get to testing and test results come in -- on the other side we've already reached the [Indiscernible] in your testing.

>> What are the most common hurdles or challenges for companies going through FedRAMP, and what do you recommend for other companies? Right now, at the beginning of this process, it is still an initial -- capabilities. I know Matt will have more detail, but I would say that right now there is really a pattern of things that are challenging to CSPs. For the most part, lots of CSPs have different challenges. For example, some have problems with their SSP, others have trouble with their boundaries, in other words, defining them so that the reviewers can understand them. We are saying we will be putting out best practices and lessons learned, but right now we really don't have enough data to make blanket statements about things that are particularly worrisome or difficult for every CSP as they apply.

>> I would say that something that has held very true as we've been going forward is Section 4.3 of the Guide to Understanding FedRAMP, or 4.1 -- the capabilities checklist. That gives you 12 points that you should check to see if you're ready to move to FedRAMP and get a provisional authorization. Key things in there: a description of how you do [Indiscernible] authentication, what type of encryption you do, particularly if it is -- validated, [Indiscernible] approved -- it has to be FIPS validated.
Also a description of your boundary, and particularly your interconnection security: are you using any corporate environment to do anything with part of your services? Really understand all about that and have a clear -- I think -- something that we've seen that's been beneficial to some companies has been -- helping to develop your SSP before you get to the testing phase, because that's been awful for some people that have -- invested money that -- something that has proven to be very helpful [Indiscernible]

>> This is -- we are reviewing an SSP -- [Indiscernible] -- but after we issue an ATO? If you are reviewing an SSP -- a package that's for an Agency ATO, you can engage with us as soon as you would like to, in order to help make sure you're meeting the requirements and are going forward with an Agency ATO. We have resources so that we can ensure that you are doing that correctly. If you're going for a JAB authorization you'll be working with us as soon as you want to leverage it, because you have to go through us to get access to that documentation.

>> [Indiscernible] site visits from the 3PAO? One thing that we've -- that's different from how we are doing control testing for FedRAMP from what a lot of agencies do: there is still a three-year requirement for how long an ATO is valid for, under [Indiscernible]. A lot of agencies have made the practice of just retesting the controls, one third, one third, one third. FedRAMP has a different approach: we look at the controls that are most likely to need to be retested, due to either there being a lot of POA&Ms or just areas of the CSP environment that we think warrant retesting every year. It is unclear if it would require no visits, or some of those, or all would have to be on-site or not, but it is something that will be -- basis depending on the CSP's environment and their system.

>> Can a list of already approved cloud service providers be shared with agencies, with the services?
-- for each Agency wishing to leverage their service? Excellent question. Right now FedRAMP has granted a provisional ATO to one company, [Indiscernible] resources, and the documentation is residing in the secure repository. The process for an Agency to leverage the services is the following: they would get permission from us to access the documentation, review it -- I assume [Indiscernible] would be the one reviewing it -- and then they would determine whether or not they would want to accept the risk of deploying [Indiscernible] resources as described in the security assessment documentation for FedRAMP. Agencies, we assume for the most part, if the ATO is granted by the authorization board, that means they have passed the rigor of GSA, DHS and DOD. If agencies feel that one or two more controls need to be tested and added to the requirement in order to deploy that particular product or service, they can do so. But agencies do not have to conduct the complete security assessment; they can accept the documentation and the associated risk directly from the FedRAMP joint authorization board.

>> Another one from a federal Agency: is FedRAMP [Indiscernible] geared toward companies who wish to offer cloud services to government agencies? No, FedRAMP is -- applicable to both private and public entities alike. Government agencies who offer cloud services to other government agencies, if it is a cloud service, have to be FedRAMP compliant by June of 2014. So yes, you would need to update to meet the FedRAMP requirements.

>> It looks like most of our questions have been answered. Thank you for joining us today. Looking forward to seeing you on our next webinar.

>> [Event concluded]