FCW : October 30, 2013
DrillDown

ing standard. This is probably one of the most in-depth compliance exercises that an organization can attempt. Here are 10 steps that CSPs can take today to move toward becoming FedRAMP-compliant.

1. Review the "Guide to Understanding FedRAMP." This document provides a wealth of information for CSPs, including how to document their System Security Plans (SSPs) and what to expect from a FedRAMP assessment. It is available at FedRAMP.gov.

2. Download the FedRAMP templates. At FedRAMP.gov, the General Services Administration has also provided several templates, presentations and instructional documents to help CSPs begin the process of becoming FedRAMP-compliant. In particular, download the SSP to understand the level of effort it will require.

3. Create a project plan for populating the SSP and supplemental documentation. The SSP is regarded as the centerpiece of a CSP's compliance with FedRAMP. It is a 400-page template in which a CSP must provide information on its system inventory, boundaries and controls, which must satisfy the 298 control requirements derived from the National Institute of Standards and Technology's Special Publication 800-53 Revision 3. Creating the SSP, along with control mapping and implementation, could take several months. The FedRAMP Program Management Office and Joint Advisory Board will put you in a holding pattern until you have a completed SSP.

4. Determine your system's security categorization level. Using the FIPS 199 Categorization template, a CSP must assess whether its system falls into a low or moderate security category, which determines the set of applicable FedRAMP security controls.

5. Submit a FedRAMP Initiation Request or obtain an agency sponsor. There are two paths by which CSPs can become FedRAMP-compliant: either through the FedRAMP PMO or through a sponsoring federal agency.

If a CSP has an existing relationship with an agency or an interest from a potential customer, the CSP can navigate the FedRAMP process directly with the agency by obtaining a sponsorship. Without an agency sponsor, CSPs must submit a request to the FedRAMP PMO and enter the queue of CSPs waiting for approval to begin a FedRAMP assessment. As of today, more than 100 CSPs are in the PMO queue. By using an agency sponsor, as Amazon Web Services did, a CSP could trim the FedRAMP process by several months. However, CSPs will face certain issues if they choose the agency sponsorship route. Before going down any path, they should speak to a registered third-party assessment organization (3PAO) and the agency involved.

6. Compile policies, risk assessments, and internal and external security assessments. A major focus of FedRAMP is to help ensure that CSPs have policies and procedures governing the employees who perform IT security responsibilities and processes for performing risk and security assessments. The information in a CSP's policies and assessments will become the basis for its SSP.

7. Map your system inventory and boundaries. Due to the nature of cloud systems, FedRAMP stresses the importance of a CSP's ability to accurately describe its network, hardware and software inventory, and its system boundaries. Although simple for small CSPs, it can be a daunting task for large systems.

8. Map existing controls to FedRAMP requirements and note gaps in your plan. As noted above, CSPs are required to implement controls that satisfy the 298 FedRAMP requirements derived from SP 800-53 Revision 3. FedRAMP.gov provides templates that CSPs are required to populate during this process. Note that not all requirements are applicable to all CSP systems. If a CSP does not have a control in place to satisfy a requirement, the CSP must either implement a control or complete a Plan of Action and Milestones describing how and when it will implement the control. POAMs are subject to FedRAMP PMO or agency approval. The process of mapping, implementing, and documenting controls can take several months depending on the state of the CSP's existing information security control infrastructure. Many CSPs opt to hire consultants to assist with this process.

9. Submit the SSP and supplemental documentation to the PMO or sponsoring agency for review. CSP documentation must be approved before a FedRAMP assessment can begin.

10. Engage a 3PAO to perform the FedRAMP assessment. A registered 3PAO generates a Security Assessment Plan used to test the system's controls. The 3PAO then generates a Security Assessment Report for review and authorization by the FedRAMP PMO or agency.

As you can see, the FedRAMP process requires an extensive investment of time and money, internally and externally. We have really only touched on the initiation and preparedness activities. If you are a CSP wishing to become FedRAMP-compliant, a CSP beginning the FedRAMP process or an agency seeking to buy cloud services, you should begin communicating with one another and a 3PAO as soon as possible. ■

Bryan Graf is the FedRAMP practice manager and technical lead at BrightLine, a FedRAMP-accredited third-party assessment organization.