Feng Gao says
The FedRAMP Readiness Assessment Report was my point of interest.
A FedRAMP Ready designation is required for any CSP pursuing a JAB P-ATO, and is highly recommended before pursuing an Agency ATO. While becoming FedRAMP Ready isn’t a guarantee that a CSO will be authorized, achieving FedRAMP Ready status shows a greater likelihood of success in the authorization process, as the government has a clearer understanding of a CSP’s technical capabilities. Furthermore, a FedRAMP Ready designation is weighted heavily during the FedRAMP Connect evaluation and prioritization process. When planning for the FedRAMP authorization process, Cloud Service Providers should consider that FedRAMP Ready status is valid for one calendar year after designation by the FedRAMP PMO. To achieve the FedRAMP Ready designation, a CSP (Cloud Service Provider) must work with an accredited 3PAO to complete a readiness assessment of its service offering. At the end of the assessment, the 3PAO may deliver a Readiness Assessment Report (RAR) to the PMO if the 3PAO can attest to the CSO’s readiness for the authorization process. RARs are reviewed by the FedRAMP PMO (Program Management Office) within one business week of submission. If there are any issues spotted by the PMO in the review, an in-person meeting is held to discuss the Program Management Office’s comments and what is required in order for the Cloud Service Provider to be deemed FedRAMP Ready.
When the Program Management Office approves a RAR, the CSO will be designated FedRAMP Ready and advertised as such on the FedRAMP Marketplace. In addition to being required to pursue a JAB P-ATO, being advertised as FedRAMP Ready on the Marketplace gives valuable exposure to potential Agency customers who are reviewing CSOs that meet their organizational requirements or mandated obligations.
As a note, CSPs can and should use the Readiness Assessment Report for a self-assessment in order to prepare for FedRAMP and for the Cloud Service Provider’s engagement with a 3PAO. Cloud Service Providers should not expect to be considered FedRAMP Ready the first time they complete a self-assessment or have an assessment performed by a 3PAO. These assessments are also intended to help Cloud Service Providers see any gaps in their current structures or capabilities before starting a FedRAMP assessment. This information helps Cloud Service Providers understand the level of effort needed to secure their systems in accordance with FedRAMP.
Haixin Sun says
One point is that NIST SP 800-145 establishes FedRAMP’s definitions for cloud services that are IaaS, PaaS and SaaS. Software as a Service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. The consumer uses the provider’s applications running on a cloud infrastructure. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage. Common examples include office and communication software, messaging software, payroll processing and accounting software, DBMS software, management software, mobile applications, etc. It is generally low cost, with easy setup, upgrade and deployment. It also has relative advantages in accessibility and scalability. However, privacy of sensitive data is a major concern for cloud services, and performance is not always as good as that of server applications.
Zhu Li says
Characteristics of cloud services include self-provisioning and elasticity; that is, customers can provision services on an on-demand basis and shut them down when no longer necessary. In addition, customers typically subscribe to cloud services, under a monthly billing arrangement, for example, rather than pay for software licenses and supporting server and network infrastructure upfront. In many transactions, this approach makes a cloud-based technology an operational expense, rather than a capital expense. From a management standpoint, cloud-based technology lets organizations access software, storage, compute and other IT infrastructure elements without the burden of maintaining and upgrading them.
The usage of cloud services has become closely associated with common cloud offerings, such as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).
SaaS is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the internet. So, it is easy to use.
Raisa Ahmed says
Good explanation, Haixin. There are three major types of cloud services: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Each cloud service, IaaS, PaaS, and SaaS, is tailored to the business needs of its target audience. SaaS utilizes the internet to deliver applications to its users, which are managed by a third-party vendor. PaaS provides a platform for software creation. The servers and storage are managed by the enterprise or a third-party vendor, while the developers maintain management of the applications they utilize. Lastly, IaaS is basically a virtual data center.
Yuan Liu says
Software as a Service, also known as SaaS or on-demand software, is a way of delivering software applications to the end-user over the internet. SaaS can provide great advantages for most businesses, primarily in costs and flexibility. However, disadvantages of SaaS (such as lack of control) are considerable and should not be ignored.
Penghui Ai says
Numerous cloud service providers are interested in pursuing a FedRAMP authorization for their cloud services. However, cloud service providers frequently have questions about the process and how to begin. The CSP Authorization Playbook is intended to be a comprehensive guide for cloud service providers interested in or pursuing the FedRAMP process. The playbook addresses the end-to-end FedRAMP authorization process, covering everything from creating authorization strategies, the process for gaining authorization from the JAB or Agencies, and the significance of the continuous monitoring activity. The CSP Authorization Playbook will ultimately give cloud service providers a guide that covers the whole FedRAMP authorization lifecycle and shares best practices to achieve successful authorization.
Imran Jordan Kharabsheh says
While at first glance the Cloud Service Provider Authorization Playbook may seem like a daunting and confusing read full of acronyms and federal requirements for operating a cloud service provider, reading it again with a full understanding of the vocabulary used paints a different image. The playbook itself is a step-by-step guide meant to inform and point cloud service providers to resources that help them prepare and acquire the mandatory FedRAMP certification and Authority to Operate. Among the most interesting things that caught my eye reading through the second time around were the nuances between the two different types of FedRAMP authorizations that are possible for cloud service providers, those being Joint Authorization Board (JAB) Authorization and Agency Authorization. While Phases 2 through 4 of both processes to get FedRAMP authorization are extremely similar, the first is what truly sets them apart from each other. Cloud service providers taking the JAB authorization approach apply for authorization and a Provisional Authority to Operate through direct interaction with the Joint Authorization Board and the FedRAMP Program Management Office and assume all responsibility themselves. In comparison, cloud service providers applying through the Agency authorization approach are required to meet all the standards and compliance requirements of the agencies they apply through while at the same time going through the same hoops as those in the JAB process. Although the Agency authorization method is considerably more complex, a significant portion of the risk is shifted onto the agency that is either partnering with or acquiring the cloud service provider.
It is interesting to read for an organization that includes cloud services, and the most interesting thing I found is the continuous monitoring in the agency authorization phase. FedRAMP suggests that a cloud service provider provide monthly continuous monitoring deliverables to the agencies, which include an updated plan of actions and milestones, scan results, system change information/requests as agreed upon between the agency and the CSP, and any others depending on each organization. Meanwhile, FedRAMP also suggests that the vendor host monthly continuous monitoring collaboration calls to gain a better understanding of agency concerns, questions, and updates from the CSP on continuous monitoring status. An annual security assessment from a third-party assessment organization is a must-have for a CSP to ensure the risk posture of the system. I found monitoring is as important as the other parts of the authorization process.
Hi Shuyue,
The continuous monitoring in agency authorization from this reading is definitely interesting. This is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational environment. It enhances the organization’s operational risk profile. Investors, governments, the public and other stakeholders continue to increase their demands for more effective corporate governance and business transparency.
Hi Shuyue, I like your idea about the continuous monitoring in agency authorization phase. There are two types of FedRAMP authorizations: a Provisional Authority to Operate from the Joint Authorization Board and an Agency Authority to Operate. The CSP should review both processes and take into account their system’s impact level, deployment model, stack, and market demand. I also think this is an interesting point.
A system stack is a place in memory for things. It is more organized since it uses the stack data structure. Also, the address of the next allocation is known at all times because of this organization. Allocated items are pushed onto the stack in a particular order and popped off when needed. The system stack is used to store information about subroutines. The stack stores parameters for the function and a return address where the program should pick up when the function is finished. It also reserves a space for a return value to be popped by the system on return.
The system stack generally refers to the layers of services in the data center that are included in the cloud service offering. The CSO must be authorized according to the appropriate FedRAMP baseline, meaning each component (IaaS, PaaS, SaaS) has its own authorization boundary and its own ATO letter.
For example, for a SaaS CSO, an authorized stack would include three system boundaries and ATO letters for each component layer. This lends the SaaS the ability to inherit/leverage security controls from the underlying PaaS/IaaS layers, transferring responsibility for the maintenance of some controls to the CSP providing infrastructure services. When a CSP has its system hosted in a cloud service that is not FedRAMP authorized, the leveraging relationship does not exist. In this situation, a SaaS provider would need to include the underlying infrastructure along with the application and authorize the entire stack.
The playbook starts by introducing what the program management office is responsible for, and I think the importance of the PMO makes it a key role in the FedRAMP authorization process. The PMO is led directly by the organization’s senior executives and regularly reports on the achievement of the organization’s strategic objectives. Therefore, in essence it is a decision-making and planning department of the organization, as well as a supervisory body. There are two functions of the PMO: one is the daily function and the other is the strategic function. It can provide training, guidance and expert advice to the project, act as a cross-project information exchange and communication platform, assist in eliminating conflicts and duplication of effort between projects, optimize resource allocation, and implement and maintain project management processes, standards and methods. The PMO is highly involved in both JAB authorization and Agency authorization and is an important part of the whole authorization process.
Hello,
As I read through your thoughts on what you found most interesting on the Cloud Service Provider Authorization Playbook, I found the conceptual importance of the Program Management Office and their authority in the authorization process became grounded in me. Your detailed explanations of the key roles they play in both the authorization and compliance process when getting and maintaining FedRAMP authorization respectively helped me better understand what I had been reading about, as I initially didn’t grasp the purpose of the document. I also appreciate you providing clear and concise summarization towards the end of your thoughts, breaking down the jargon used in the article itself into more widely understandable terms.
The FedRAMP CSP Authorization Playbook is a brief document to help cloud service providers obtain FedRAMP authorization. Cloud services that hold federal data must be FedRAMP authorized. This document defines three primary players in the process:
– Cloud Service Providers (CSP): CSPs provide secure cloud services to federal agencies. They are responsible for meeting the security requirements, to include documentation and continuous monitoring, outlined by FedRAMP. CSPs contract with Third Party Assessment Organizations for assessment of their services against the FedRAMP requirements.
– Third Party Assessment Organizations (3PAO): 3PAOs provide an initial assessment of the CSP’s compliance to the FedRAMP requirements. They also perform additional assessments over time to ensure continued compliance and maintenance of the security posture of the CSP service.
– Federal Agencies: Federal agencies identify cloud solutions to support their mission and business processes. They are responsible for ensuring that the cloud services they leverage to process, store or transmit government data meet the FedRAMP baseline security controls. They complete the risk review of the cloud service and issue an Agency Authorization to Operate (ATO) for the cloud service.
The CSP can apply a mitigation and request a risk adjustment, which would allow the CSP more time to remediate a vulnerability. The CSP can seek approvals for a false positive (FP) if a vulnerability is not accurate for the CSP’s system. The CSP can seek approvals for operational requirements (OR) if a vulnerability is something that a CSP cannot fix, does not plan to fix, or a fix would break the system.
CSPs should apply all mitigations possible to lower the risk of the vulnerability prior to requesting an OR. As a note, High risks are typically not approved and must have some mitigation in place to be accepted.
If a vulnerability cannot be resolved by a CSP directly but is dependent on another vendor to fix, then the CSP should submit this vulnerability as a vendor dependency (VD). A CSP should check in with the vendor at least once a month so the vulnerability is not considered late. CSPs are required to perform scanning at least monthly, but it is recommended that vendors scan at least weekly. High and Critical findings must be addressed within 30 days of discovery, and Moderate vulnerabilities must be addressed within 90 days.
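Turning the remediation rules in this post into a check, as an added example (not FedRAMP’s or any CSP’s tooling): the script evaluates constructed POA&M entries against the 30/90-day windows, approved FP/OR deviations, the monthly vendor check-in for VDs, and the monthly scan requirement. Reading “once a month” as 30 days, keeping not-yet-approved deviations on the normal clock, and giving Low findings no deadline (the thread states none) are assumptions.

```python
"""POA&M deadline checker for the FedRAMP ConMon rules described above.

Added example, not FedRAMP or CSP code. All finding records are constructed.
Assumptions: "once a month" vendor check-in = 30 days; a requested but not yet
approved FP/OR deviation keeps the normal clock; Low findings get no deadline
because the thread does not state one for them.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows stated in the thread (days from discovery).
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90}
VENDOR_CHECKIN_DAYS = 30    # assumption: "at least once a month"
SCAN_REQUIRED_DAYS = 30     # scanning required at least monthly
SCAN_RECOMMENDED_DAYS = 7   # scanning recommended at least weekly


@dataclass
class Finding:
    finding_id: str
    severity: str                       # critical / high / moderate / low
    discovered: date
    deviation: Optional[str] = None     # None, "FP", "OR" or "VD"
    deviation_approved: bool = False
    mitigations_applied: bool = False   # relevant to OR requests
    last_vendor_checkin: Optional[date] = None  # relevant to VDs


def remediation_deadline(f: Finding) -> Optional[date]:
    """Date by which the finding must be fixed; None when no window is stated."""
    days = REMEDIATION_DAYS.get(f.severity.lower())
    return f.discovered + timedelta(days=days) if days is not None else None


def evaluate_finding(f: Finding, today: date) -> str:
    sev = f.severity.lower()
    # Approved FP or OR: the finding is accepted and no longer on the clock.
    if f.deviation in ("FP", "OR") and f.deviation_approved:
        return f"exempt (approved {f.deviation})"
    # High risks are typically not approved as ORs without mitigation in place.
    if f.deviation == "OR" and sev in ("critical", "high") and not f.mitigations_applied:
        return "or-request-needs-mitigation"
    # Vendor dependency: stays current only while monthly check-ins continue.
    if f.deviation == "VD":
        if f.last_vendor_checkin is None or \
                (today - f.last_vendor_checkin).days > VENDOR_CHECKIN_DAYS:
            return "late (vendor check-in overdue)"
        return "open (vendor dependency, check-in current)"
    deadline = remediation_deadline(f)
    if deadline is None:
        return "open (no deadline stated)"
    if today > deadline:
        return f"late ({(today - deadline).days} days past deadline)"
    return f"open ({(deadline - today).days} days remaining)"


def scan_cadence_status(last_scan: date, today: date) -> str:
    """Monthly scanning is required; weekly is recommended."""
    gap = (today - last_scan).days
    if gap > SCAN_REQUIRED_DAYS:
        return "noncompliant (monthly scan missed)"
    if gap > SCAN_RECOMMENDED_DAYS:
        return "compliant (weekly scan recommended)"
    return "compliant"


def poam_report(findings, today: date) -> dict:
    return {f.finding_id: evaluate_finding(f, today) for f in findings}


# Constructed sample data: an evaluation date and a handful of POA&M entries.
TODAY = date(2024, 3, 1)
LAST_SCAN_STALE = date(2024, 1, 20)   # 41 days ago
LAST_SCAN_RECENT = date(2024, 2, 20)  # 10 days ago
SAMPLE = [
    Finding("V-001", "high", date(2024, 1, 15)),                 # 30-day window missed
    Finding("V-002", "moderate", date(2024, 1, 15)),             # 90-day window still open
    Finding("V-003", "critical", date(2024, 2, 20), deviation="FP", deviation_approved=True),
    Finding("V-004", "high", date(2024, 1, 1), deviation="OR", mitigations_applied=False),
    Finding("V-005", "moderate", date(2023, 11, 1), deviation="VD",
            last_vendor_checkin=date(2024, 2, 10)),
    Finding("V-006", "moderate", date(2023, 11, 1), deviation="VD",
            last_vendor_checkin=date(2024, 1, 10)),
    Finding("V-007", "low", date(2024, 1, 1)),
]

if __name__ == "__main__":
    for fid, status in poam_report(SAMPLE, TODAY).items():
        print(f"{fid}: {status}")
    print("scan cadence:", scan_cadence_status(LAST_SCAN_STALE, TODAY))
```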
The Federal Risk and Authorization Management Program (FedRAMP) ensures that the federal government is able to adopt new and efficient cloud technologies while keeping security a top priority. For companies offering cloud services, being FedRAMP authorized not only offers the chance to serve a large part of the government, but also to increase the cloud service’s security as a whole. What I found particularly striking was the “system stack” concept in FedRAMP authorization, and the ability for one service to leverage security controls from another layer of the stack due to the three system boundaries. However, if a system were not FedRAMP authorized, there is no inherent relationship between SaaS, PaaS, and IaaS components, and further precautions would be needed by the cloud service provider in order to service a platform with appropriate security requirements.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This allows cloud security solutions to be assessed once and that assessment to be used across multiple agencies. FedRAMP is based on NIST SP 800-53, which is the gold standard for security control frameworks.
This document reminds me of the class Security Architecture immediately… The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security for the cloud. I found the deployment model interesting.
CSPs should be able to qualify whether their CSO is government-only or exists as a public cloud. The deployment models are:
- Federal Only Cloud: Only federal government customers are allowed to use these clouds. A federal government-only cloud presents less risk to government customers and is a prioritization criterion for the JAB.
- Government Only Cloud: The cloud holds only government data. Customers can be federal, state, local, tribal, territorial, federally funded research centers (FFRDCs), or lab entities.
- DoD Only Cloud: The cloud holds only DoD data. These clouds are best suited for Agency authorizations, as the JAB is meant for cloud services that have wide applicability.
- Public Cloud: Public cloud deployments support both government and non-government customers. This aligns with the traditional model of cloud computing services, but it poses more of a risk to the federal government.
- Private Cloud: Private cloud deployments intended for single organizations and implemented fully within federal facilities are not subject to the FedRAMP mandate and are the only exception to FedRAMP being mandatory for all federal agencies.
Great comments! Thank you for sharing the different kinds of deployment models: federal-only cloud, government-only cloud, DoD-only cloud, public cloud, and private cloud. By understanding these different deployment models, we can provide a better audit in terms of each model.
The FedRAMP – CSP Authorization Playbook was constructed to help organizations that provide a cloud service offering (CSO) that has federal use or implications. FedRAMP is a certification that allows those systems to be used in that manner. The section that I chose to focus on was towards the middle of the playbook — Section 4.1.4 Phase 4: Continuous Monitoring. As an IS auditor it is imperative to hold periodic manual reviews of our systems and have continuous backup and security reporting done through automation. If pursuing a JAB P-ATO it is imperative to have continuous reviews. Many of the certifying agencies will require this aspect of continuous monitoring. Thus, if a CSO plans to work with the government and comply with FedRAMP standards, this is a MUST!
I appreciate that you emphasized the importance of Continuous Monitoring here. This concept is very important for information security auditors to consider. Continuous monitoring in the cloud consists of two core elements – monitoring and logging virtual machine instances and Vulnerability scanning.
First, security teams need to implement baseline monitoring and logging for virtual machine instances, containers and cloud services in general, including activity within SaaS environments. Baseline monitoring can be accomplished by gathering and processing logs made available via cloud service provider APIs. The second requirement for continuous monitoring in the cloud is scanning within the cloud for vulnerabilities; any scanning tools used in the cloud should integrate with cloud provider APIs.
Security teams need to embrace security automation and orchestration in the cloud for both deployment and production monitoring and alerting, and this will happen more readily as the tools and cloud provider environments mature.
The interesting point I took away from the FedRAMP CSP Authorization Playbook is about determining your authorization strategy. In this part there are three subsections: demand (broad vs. niche), existing or potential agency partners, and impact levels and deployment model. According to the document, CSPs should be able to qualify whether their CSO is government-only or exists as a public cloud. There are five different levels: federal government only cloud, government only cloud, DoD only cloud, public cloud, and private cloud. It is important to understand the cloud environment.
Hi Ryu:
I like the way you approached the topic and I agree. Without a proper understanding of the cloud environment, it would either be wasting money on a public cloud with a high-level authorization strategy, or not having a secure enough authorization strategy for clouds that contain sensitive information. Like we always say, we need to understand the business in order to make IT valuable, and I would say make IT valuable in the most cost-effective way.
FedRAMP’s definitions for cloud services that are IaaS, PaaS, or SaaS. To be honest, this is the part that confused me most. I have trouble understanding the difference or comparison between IaaS, PaaS, and SaaS. I know they are Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service respectively. However, there is an article I found on Google that is helpful for easily differentiating IaaS, PaaS, and SaaS. It lists lots of common examples for each platform type. For example, SaaS is used to build Google Apps, Dropbox, Salesforce, Cisco WebEx, Concur, GoToMeeting; PaaS is used to build AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine, Apache Stratos, OpenShift; and IaaS is used to build DigitalOcean, Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod, Microsoft Azure, Google Compute Engine (GCE). This article also addressed when and how to use each platform type and their advantages and characteristics. I would recommend this article to you all.
Hi, thanks for bringing up these examples. I think IaaS is the company that specializes in providing infrastructure services. Companies can outsource the hardware to these specialist companies, which provide off-site servers, storage and networking hardware. A PaaS is really a platform for software development as a service. SaaS providers build all the network infrastructure, software and hardware operation platforms required by the company’s situation, and are responsible for all the early implementation, later maintenance and a series of services. Enterprises can use the information system through the Internet without buying software and hardware, building machine rooms and recruiting IT personnel.
Hi, thank you for talking about the difference between them with articles and examples. And I agree that no matter which option you choose, migrating to the cloud is the future of business and technology as we know it, and it is necessary to be properly informed.
Cloud computing is an extremely hot topic, yet the concept remains pretty broad. There are three platforms of cloud service— Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Software as a Service (SaaS) hosts an application and makes it available to users through the internet. For example, Netflix. Platform as a Service (PaaS) provides a framework for developers that they can build upon and use to create customized applications. For example, Windows Azure. Infrastructure as a Service (IaaS) offers highly scalable and automated resources. Infrastructure as a Service (IaaS) clients have complete control over the entire infrastructure. For example, Cisco Metapod. The consumer does not manage or control the underlying cloud infrastructure for Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
I agree as well, although cloud computing is the new big “hype”, not many people understand the three types of cloud service and the limitations of each type. Proper identification of the business need and the type of platform that would be the most fitting would help business be able to utilize each platform to its full potential.
I also thought this topic was interesting because it is necessary to migrate information and technology to the cloud. And thank you for differentiating each model with its own specific features and functionalities.
I agree. The different types of platforms are very interesting. Ever since I became aware of the differences, it has been hard to not notice every time I use a different type of cloud service. Personally, I have gotten sick of the people who are still skeptical about cloud services and slowing them down from expanding at their highest potential.
System stack refers to the layers of service in a data center that are included in cloud services. Each component (IaaS, PaaS, SaaS) has its own authorization boundary and its own ATO letter.
The section uses SaaS as an example; it has the “ability to inherit / leverage security controls from the underlying PaaS / IaaS layers, transferring responsibility for the maintenance of some controls to the CSP providing infrastructure services”. But if the CSP has a system that relies on a non-FedRAMP-authorized relationship, it kills the inheritance/leveraging relationship. The SaaS provider would then have to include an infrastructure/platform component in its own authorization boundary with the software. Since the infrastructure/platform components are now built within the confines of the SaaS’s authorization, the CSP is responsible for all components within its system security plan. This authorization covers only the SaaS’s own infrastructure and does not constitute an IaaS authorization.
I also found the system stack to be interesting, especially regarding the concept of leveraging/inheriting security controls from other components. In terms of security, it’s great to have some type of reinforcement when needed; however, I do wonder how it affects the component on which it is dependent for that added security.
The most interesting part for me was Section 3.1: Demand: Broad Vs. Niche
I think it is interesting that your authorization strategy is based on whether you have a broad or niche demand. At first thought, you don’t think that authorization has anything to do with your consumer demand. Security is security, right? My belief was always that your security should be based on the sensitivity of your information and not your market share. All things considered, it makes sense that a CSO with a broad demand is handled by the JAB and niche demands should be handled by agencies. Joint Authorization Boards are made up of diverse leaders from all different industries. Agencies are more fit to handle more specific cases, which would be ideal for niche CSOs.
Feng Gao says
The FedRAMP Readiness Assessment Report was my point interest.
A FedRAMP Ready assignment is required for any CSP seeking after a JAB P-ATO, and is exceedingly prescribed before seeking after an Agency ATO. While getting to be FedRAMP Ready isn’t a certification that a CSO will be approved, accomplishing FedRAMP Ready status shows a more prominent probability of achievement in the Approval process as the legislature has a more clear comprehension of a CSP’s specialized abilities. Furthermore, a FedRAMP Ready assignment is weighted intensely amid the FedRAMP Connect assessment what’s more, prioritization process. When making arrangements for the FedRAMP approval process, Cloud Service Providers ought to consider that FedRAMP Ready status is legitimate for one timetable year after assignment from the FedRAMP PMO. To accomplish the FedRAMP Ready assignment, a CSP (Cloud Service Provider) must cooperate with a licensed 3PAO to finish a preparation appraisal of its administration advertising. At the finish of the appraisal, the 3PAO may convey a Readiness Assessment Report (RAR) to the PMO if the 3PAO can bear witness to the CSO’s availability for the approval process. RARs are looked into by the FedRAMP PMO (Program Management Office) inside one business seven day stretch of accommodation. On the off chance that there are any issues spotted by the PMO in the audit, an in-person meeting is held to talk about the Program Management Office’s remarks and what is required all together for the Cloud Service Providers to be esteemed FedRAMP Ready.
When the Program Management Office favors a RAR, the CSO will be assigned FedRAMP Ready and promoted all things considered on the FedRAMP Marketplace. Notwithstanding being required to seek after a JAB P-ATO, being promoted as FedRAMP Ready on the Marketplace gives important presentation to potential Agency clients who are looking into CSOs that meet their hierarchical necessities or meet obligations required.
As a note, CSPs can and should utilize the Readiness Assessment Report for a self-evaluation so as to get ready for FedRAMP and a Cloud Service Providers commitment with a 3PAO. Cloud Service Providers ought not to hope to be considered FedRAMP Ready the first occasion when they complete a self-appraisal or have an evaluation performed by a 3PAO. These evaluations are additionally expected to help Cloud Service Providers see any holes in their present structures or capacities before starting a FedRAMP evaluation. This data helps Cloud Service Providers comprehend the dimension of exertion important to verify their frameworks as per FedRAMP.
Haixin Sun says
One point is that NIST SP 800-145 establishes FedRAMP’s definitions for cloud services that are IaaS, PaaS and SaaS. Software as a Service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. The consumer uses the provider’s applications running on a cloud infrastructure. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage. The common examples include office and communication software, messaging software, payroll processing and accounting software, DBMS software, management software and mobile applications etc. It is generally low cost with easy set up, easy upgrade and deployment. It also has relative advantages in accessibility and scalability. However, privacy of sensitive data is a major concern for cloud services. And the performance is not always as good as server applications.
Zhu Li says
Characteristics of cloud services include self-provisioning and elasticity; that is, customers can provision services on an on-demand basis and shut them down when no longer necessary. In addition, customers typically subscribe to cloud services, under a monthly billing arrangement, for example, rather than pay for software licenses and supporting server and network infrastructure upfront. In many transactions, this approach makes a cloud-based technology an operational expense, rather than a capital expense. From a management standpoint, cloud-based technology lets organizations access software, storage, compute and other IT infrastructure elements without the burden of maintaining and upgrading them.
The usage of cloud services has become closely associated with common cloud offerings, such as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).
SaaS is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the internet. So, it is easy to use.
Raisa Ahmed says
Good explanation, Haixin. There are three major types of cloud services: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Each cloud service, IaaS, PaaS, and SaaS, is tailored to the business needs of its target audience. SaaS utilizes the internet to deliver applications to its users, which are managed by a third-party vendor. PaaS provides a platform for software creation. The servers and storage are managed by the enterprise or a third-party vendor, while the developers maintain management of the applications they utilize. Lastly, IaaS is basically a virtual data center.
Yuan Liu says
Software as a Service, also known as SaaS or on-demand software, is a way of delivering software applications to the end-user over the internet. SaaS can provide great advantages for most businesses, primarily in costs and flexibility. However, disadvantages of SaaS (such as lack of control) are considerable and should not be ignored.
Penghui Ai says
Numerous cloud service providers are interested in seeking a FedRAMP approval for their cloud services. However, cloud service providers frequently have inquiries on the procedure and how to begin. The CSP Authorization Playbook is intended to be a comprehensive guide for cloud service providers interested in or pursuing the FedRAMP procedure. The playbook addresses the start-to-finish FedRAMP approval process, covering everything from creating authorization strategies, the procedure for gaining approval from the JAB or Agencies, and the significance of the continuous monitoring movement. The CSP Authorization Playbook will eventually give a manual for cloud service providers that covers the whole FedRAMP authorization lifecycle and shares best practices to accomplish effective approval.
Imran Jordan Kharabsheh says
While at first glance, the Cloud Service Provider Authorization Playbook may seem like a daunting and confusing read full of acronyms and federal requirements for operating a cloud service provider, reading again with a full understanding of the vocabulary used paints a different image. The playbook itself is a step-by-step guide meant to inform and point cloud service providers to resources that help them prepare and acquire the mandatory FedRAMP certification and Authority to Operate. Among the most interesting things that caught my eye reading through the second time around were the nuances between the two different types of FedRAMP authorizations that are possible for cloud service providers, those being Joint Authorization Board (JAB) Authorization and Agency Authorization. While Phases 2 through 4 of both processes to get FedRAMP authorization are extremely similar, the first is what truly sets them apart from each other. Cloud service providers trying to take the JAB authorization approach apply for authorization and a Provisional Authority to Operate through direct interaction with the Joint Authorization Board and the FedRAMP Program Management Office and assume all responsibility upon themselves. In comparison, cloud service providers applying through the Agency authorization approach are required to meet all the standards and compliance requirements of the agencies they apply through while at the same time going through the same hoops as those in the JAB Process. Although the Agency authorization method is considerably more complex, a significant portion of the risk is shifted onto the agency that is either partnered with or acquiring the cloud service provider.
Shuyue Ding says
It is interesting to read about an organization offering a cloud service, and the most interesting thing I found is the continuous monitoring in the agency authorization phase. FedRAMP suggests that a cloud service provider provide monthly continuous monitoring deliverables to the agencies, which include an updated plan of actions and milestones, scan results, system change information/requests, as agreed upon between the agency and the CSP, and any others depending on each organization. Meanwhile, FedRAMP also suggests that the vendor host monthly continuous monitoring collaboration calls to gain a better understanding of agency concerns, questions, and updates from the CSP on continuous monitoring status. An annual security assessment from a third-party assessment organization is a must-have for a CSP to ensure the risk posture of the system. I found monitoring is as important as the other authorization processes.
Yuchong Wang says
Hi Shuyue,
The continuous monitoring in agency authorization from this reading is definitely interesting. This is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational environment. It is enhancing the organization’s operational risk profile. Investors, governments, the public and other stakeholders continue to increase their demands for more effective corporate governance and business transparency.
Ryu Takatsuki says
Hi Shuyue, I like your idea about the continuous monitoring in agency authorization phase. There are two types of FedRAMP authorizations: a Provisional Authority to Operate from the Joint Authorization Board and an Agency Authority to Operate. The CSP should review both processes and take into account their system’s impact level, deployment model, stack, and market demand. I also think this is an interesting point.
Zhu Li says
A system stack is a place in memory for things. It is more organized since it uses the stack data structure. Also, the address of the next allocation is known at all times because of this organization. Allocated items are pushed on to the stack in a particular order and popped off when needed. The system stack is used to store information about subroutines. The stack stores parameters for the function and a return address where the program should pick up when the function is finished. It also reserves a space for a return value to be popped by the system on return.
The system stack generally refers to the layers of services in the data center that are included in the cloud service offering. The CSO must be authorized according to the appropriate FedRAMP baseline, meaning each component (IaaS, PaaS, SaaS) has its own authorization boundary and its own ATO letter.
For example, using a SaaS CSO, an authorized stack would include three system boundaries and ATO letters for each component layer. This lends the SaaS the ability to inherit/leverage security controls from the underlying PaaS/IaaS layers, transferring responsibility for the maintenance of some controls to the CSP providing infrastructure services. When a CSP has its system hosted in a non-FedRAMP authorized cloud service, the leveraging relationship does not exist. In this situation, a SaaS provider would need to include the application and authorize the entire stack.
Yuqing Tang says
The playbook starts with introducing what the program management office is responsible for, and I think the importance of the PMO makes it a key role in the FedRAMP authorization process. The PMO is led directly by the organization’s senior executives and regularly reports on the achievement of the organization’s strategic objectives. Therefore, its essence is a decision-making and planning department of the organization, as well as a supervisory body. There are two functions of the PMO, one is the daily function and the other is the strategic function. It can provide training, guidance and expert advice to the project, act as a cross-project information exchange and communication platform, assist in eliminating conflicts and duplication of effort between projects and optimize resource allocation, as well as implement and maintain project management processes, standards and methods. The PMO is highly involved with both JAB authorization and Agency authorization and is an important part of the whole authorization process.
Imran Jordan Kharabsheh says
Hello,
As I read through your thoughts on what you found most interesting on the Cloud Service Provider Authorization Playbook, I found the conceptual importance of the Program Management Office and their authority in the authorization process became grounded in me. Your detailed explanations of the key roles they play in both the authorization and compliance process when getting and maintaining FedRAMP authorization respectively helped me better understand what I had been reading about, as I initially didn’t grasp the purpose of the document. I also appreciate you providing clear and concise summarization towards the end of your thoughts, breaking down the jargon used in the article itself into more widely understandable terms.
Deepa Kuppuswamy says
The FedRAMP CSP Authorization Playbook is a brief document to help cloud service providers obtain FedRAMP authorization. Cloud services that hold federal data must be FedRAMP authorized. This document defines three primary players in the process:
– Cloud Service Providers (CSP): CSPs provide secure cloud services to federal agencies. They are responsible for meeting the security requirements, to include documentation and continuous monitoring, outlined by FedRAMP. CSPs contract with Third Party Assessment Organizations for assessment of their services against the FedRAMP requirements.
– Third Party Assessment Organizations (3PAO): 3PAOs provide an initial assessment of the CSP’s compliance to the FedRAMP requirements. They also perform additional assessments over time to ensure continued compliance and maintenance of the security posture of the CSP service.
– Federal Agencies: Federal agencies identify cloud solutions to support their mission and business processes. They are responsible for ensuring that the cloud services they leverage to process, store or transmit government data meet the FedRAMP baseline security controls. They complete the risk review of the cloud service and issue an Agency Authorization to Operate (ATO) for the cloud service.
Yuan Liu says
The CSP can apply a mitigation and request a risk adjustment, which would allow the CSP more time to remediate a vulnerability. The CSP can seek approvals for a false positive (FP) if a vulnerability is not accurate for the CSP’s system. The CSP can seek approvals for operational requirements (OR) if a vulnerability is something that a CSP cannot fix, does not plan to fix, or a fix would break the system.
CSPs should apply all mitigations possible to lower the risk of the vulnerability prior to requesting an OR. As a note, High risks are typically not approved and must have some mitigation in place to be accepted.
If a vulnerability cannot be resolved by a CSP directly but is dependent on another vendor to fix, then the CSP should submit this vulnerability as a vendor dependency (VD). A CSP should check in with the vendor at least once a month so the vulnerability is not considered late. CSPs are required to perform scanning at least monthly, but it is recommended that vendors scan at least weekly. High and Critical findings must be addressed within 30 days of discovery, and Moderate vulnerabilities must be addressed within 90 days.
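As an added example (not from the playbook or from Yuan Liu’s post), a small Python checker that applies the timelines stated above to a set of constructed scan findings: High/Critical due within 30 days, Moderate within 90, vendor dependencies re-checked at least monthly, and an OR on a High finding needing a mitigation. The field names, status codes and sample findings are assumptions for illustration.

```python
"""Aging check for FedRAMP continuous-monitoring scan findings (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Remediation windows from the discussion above; Low has no stated window.
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90}
VENDOR_CHECKIN_DAYS = 30  # "check in with the vendor at least once a month"


@dataclass
class Finding:
    """One scanner finding as tracked in a POA&M (field names are assumed)."""
    finding_id: str
    severity: str                       # critical | high | moderate | low
    discovered: date
    status: str = "open"                # open | closed | fp | or | vd
    mitigated: bool = False             # compensating mitigation in place
    last_vendor_checkin: Optional[date] = None   # only used for status "vd"


def deadline(f: Finding) -> Optional[date]:
    """Remediation due date counted from discovery; None when no window applies."""
    days = REMEDIATION_DAYS.get(f.severity.lower())
    return f.discovered + timedelta(days=days) if days is not None else None


def evaluate(f: Finding, today: date) -> str:
    """Return 'ok', 'late' or 'needs-mitigation' for one finding."""
    sev = f.severity.lower()
    if f.status in ("closed", "fp"):
        return "ok"                     # remediated, or approved false positive
    if f.status == "or":
        # High risks are typically not approved as OR without a mitigation.
        if sev in ("critical", "high") and not f.mitigated:
            return "needs-mitigation"
        return "ok"
    if f.status == "vd":
        # A vendor dependency stays current only while monthly check-ins continue.
        last = f.last_vendor_checkin or f.discovered
        return "late" if (today - last).days > VENDOR_CHECKIN_DAYS else "ok"
    due = deadline(f)
    return "late" if due is not None and today > due else "ok"


def late_findings(findings: List[Finding], today: date) -> List[str]:
    """IDs of findings that would be flagged in the monthly deliverable."""
    return sorted(f.finding_id for f in findings if evaluate(f, today) != "ok")


# Constructed sample POA&M entries, evaluated as of a fixed date.
AS_OF = date(2019, 4, 1)
SAMPLE_FINDINGS = [
    Finding("F-001", "high", date(2019, 2, 15)),                     # 45 days open
    Finding("F-002", "moderate", date(2019, 2, 15)),                 # within 90 days
    Finding("F-003", "high", date(2019, 1, 20), status="or"),        # OR, unmitigated
    Finding("F-004", "moderate", date(2019, 1, 10), status="vd",
            last_vendor_checkin=date(2019, 3, 20)),                  # checked 12 days ago
    Finding("F-005", "high", date(2019, 1, 10), status="vd",
            last_vendor_checkin=date(2019, 2, 20)),                  # checked 40 days ago
    Finding("F-006", "critical", date(2019, 3, 1), status="fp"),     # approved FP
    Finding("F-007", "low", date(2018, 10, 1)),                      # no stated window
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.finding_id} {f.severity:<9} {f.status:<6} -> {evaluate(f, AS_OF)}")
    print("flag in deliverable:", late_findings(SAMPLE_FINDINGS, AS_OF))
```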
Sarah Puffen says
The Federal Risk and Authorization Management Program (FedRAMP) ensures that the federal government is able to adopt new and efficient cloud technologies while keeping security a top priority. For companies offering cloud services, being FedRAMP authorized not only offers the chance to service a large area of the government, but to increase the cloud service’s security as a whole. What I found particularly striking was the “system stack” concept with FedRAMP authorization, and the ability for one service to leverage security controls from another layer of the stack due to the three system boundaries. However, if a system were not FedRAMP certified, there is not an inherent relationship between SaaS, PaaS, and IaaS components, and further precautions would be needed by the cloud service provider in order to service a platform with appropriate security requirements.
Feng Gao says
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This allows cloud security solutions to be assessed once and that assessment to be used across multiple agencies. FedRAMP is based on NIST SP 800-53, which is the gold standard for security control frameworks.
Yuchong Wang says
This document reminds me of the class Security Architecture immediately… The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security for the cloud. I found the deployment model interesting.
CSPs should be able to qualify whether their CSO is government-only or exists as a public cloud. The deployment models are:
-Federal Only Cloud: Only federal government customers are allowed to use these clouds. A federal government-only cloud presents less risk to government customers and is a prioritization criterion for the JAB.
-Government Only Cloud: The cloud holds only government data. Customers can be federal, state, local, tribal, territorial, federally funded research centers (FFRDCs), or lab entities.
-DoD Only Cloud: The cloud holds only DoD data. These clouds are best suited for Agency authorizations, as the JAB is meant for cloud services that have wide applicability.
-Public Cloud: Public cloud deployments support both government and non-government customers. This aligns with the traditional model of cloud computing services, but it poses more of a risk to the federal government.
-Private Cloud: Private cloud deployments intended for single organizations and implemented fully within federal facilities are not subject to the FedRAMP mandate and are the only exception to FedRAMP being mandatory for all federal agencies.
Penghui Ai says
Hi Yuchong,
Great comments! Thank you for sharing the different kinds of deployment models: federal-only cloud, government-only cloud, DoD-only cloud, public cloud, and private cloud. By understanding these different deployment models, we can provide a better audit in terms of the different models.
Alexander Reichart-Anderson says
The FedRAMP – CSP Authorization Playbook was constructed to help organizations that provide a cloud service offering (CSO) that has federal use or implications. FedRAMP is a certification that allows those systems to be used in that manner. The section that I chose to focus on was towards the middle of the playbook — Section 4.1.4 Phase 4: Continuous Monitoring. As an IS auditor it is imperative to hold periodic reviews of our systems manually and have continuous backup and security reporting done in automation. If pursuing a JAB P-ATO it is imperative to have continuous reviews. Many of the certifying agencies will require this aspect of continuous monitoring. Thus, if a CSO plans to work with the government and comply with FedRAMP standards, this is a MUST!
Deepa Kuppuswamy says
I appreciate that you emphasized the importance of Continuous Monitoring here. This concept is very important for information security auditors to consider. Continuous monitoring in the cloud consists of two core elements – monitoring and logging virtual machine instances, and vulnerability scanning.
First, security teams need to implement baseline monitoring and logging for virtual machine instances, containers and cloud services in general, including activity within SaaS environments. Baseline monitoring can be accomplished by gathering and processing logs made available via cloud service provider APIs. The second requirement for continuous monitoring in the cloud is scanning within the cloud for vulnerabilities; any scanning tools used in the cloud should integrate with cloud provider APIs.
Security teams need to embrace security automation and orchestration in the cloud for both deployment and production monitoring and alerting, and this will happen more readily as the tools and cloud provider environments mature.
Ryu Takatsuki says
The interesting point I took away from the FedRAMP CSP Authorization Playbook is about determining your authorization strategy. In this part there are three subsections: demand (broad vs. niche), existing or potential agency partners, and impact levels and deployment model. According to the document, CSPs should be able to qualify whether their CSO is government-only or exists as a public cloud. There are five different levels: federal government only cloud, government only cloud, DoD only cloud, public cloud, and private cloud. It is important to understand the cloud environment.
Shuyue Ding says
Hi Ryu:
I like the way you approached the topic and I agree. Without a proper understanding of the cloud environment, it would either be wasting money on a high-level authorization strategy for a public cloud, or not having a secure enough authorization strategy for clouds that contain sensitive information. Like we always say, we need to understand the business in order to make IT valuable, and I would say make IT valuable in the most cost-effective way.
Xinye Yang says
FedRAMP’s definitions for cloud services that are IaaS, PaaS, or SaaS. To be honest, this is the part that confused me most. I have trouble understanding the difference or comparison of IaaS, PaaS, SaaS. I know they are Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service respectively. However, there is an article I found on Google that is helpful to easily differentiate IaaS, PaaS, and SaaS. It lists lots of common examples for each platform type. For example, SaaS is used to build Google Apps, Dropbox, Salesforce, Cisco WebEx, Concur, GoToMeeting; PaaS is used to build AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine, Apache Stratos, OpenShift; and IaaS is used to build DigitalOcean, Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod, Microsoft Azure, Google Compute Engine (GCE). This article also addressed when and how to use each platform type and their advantages and characteristics. I would recommend this article to you all.
https://www.bmc.com/blogs/saas-vs-paas-vs-iaas-whats-the-difference-and-how-to-choose/
Yuqing Tang says
Hi, thanks for bringing up these examples. I think IaaS is the company that specializes in providing infrastructure services. Companies can outsource the hardware to these specialist companies, which provide off-site servers, storage and networking hardware. A PaaS is really a platform for software development as a service. SaaS providers build all the network infrastructure, software and hardware operation platforms required by the company’s situation, and are responsible for all the early implementation, late maintenance and a series of services. Enterprises can use the information system through the Internet without buying software and hardware, building machine rooms and recruiting IT personnel.
Haixin Sun says
Hi, thank you for talking about the difference between them with articles and examples. And I agree that no matter which option you choose, migrating to the cloud is the future of business and technology as we know it, and it is necessary to be properly informed.
Raisa Ahmed says
5.1. IaaS vs. PaaS vs. SaaS
Cloud computing is an extremely hot topic, yet the concept remains pretty broad. There are three platforms of cloud service— Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Software as a Service (SaaS) hosts an application and makes it available to users through the internet. For example, Netflix. Platform as a Service (PaaS) provides a framework for developers that they can build upon and use to create customized applications. For example, Windows Azure. Infrastructure as a Service (IaaS) is highly scalable and automated resources. Infrastructure as a Service (IaaS) clients have complete control over the entire infrastructure. For example, Cisco Metapod. The consumer does not manage or control the underlying cloud infrastructure for Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Mei X Wang says
Hi Raisa,
I agree as well, although cloud computing is the new big “hype”, not many people understand the three types of cloud service and the limitations of each type. Proper identification of the business need and the type of platform that would be the most fitting would help businesses utilize each platform to its full potential.
Haixin Sun says
I also thought this topic interesting because it is necessary to migrate information and technology to the cloud. And thank you for differentiating each model with its own specific features and functionalities.
Panayiotis Laskaridis says
Hi Raisa,
I agree. The different types of platforms are very interesting. Ever since I became aware of the differences, it has been hard to not notice every time I use a different type of cloud service. Personally, I have gotten sick of the people who are still skeptical about cloud services and slowing them down from expanding at their highest potential.
Mei X Wang says
5.2: System Stack
System stack refers to the layers of service in a data center that are included in cloud services. Each component (IaaS, PaaS, SaaS) has its own authorization boundary and its own ATO letter.
The section uses the SaaS as an example; it has the “ability to inherit / leverage security controls from the underlying PaaS / IaaS layers, transferring responsibility for the maintenance of some controls to the CSP providing infrastructure services”. But if the CSP has a system that uses a non-FedRAMP authorized relationship, it kills the inheritance/leveraging relationship. The SaaS provider would then have to include an infrastructure/platform component in its own authorization boundary with the software. Since the infrastructure/platform components are now built in the confines of the SaaS’s authority, the CSP is responsible for all components within its system security plan. This authorization is only regarding the SaaS’s own infrastructure but isn’t constituted as an IaaS.
Sarah Puffen says
I also found the system stack to be interesting, especially regarding the concept of leveraging/inheriting security controls from other components. In terms of security, it’s great to have some type of reinforcement when needed; however, I do wonder how it affects the component on which it is dependent for that added security.
Panayiotis Laskaridis says
The most interesting part for me was Section 3.1: Demand: Broad Vs. Niche
I think it is interesting that your authorization strategy is based on whether you have a broad or niche demand. At first thought, you don’t think that authorization has anything to do with your consumer demand. Security is security, right? My belief was always that your security should be based on the sensitivity of your information and not your market share. All things considered, it makes sense that a CSO with a broad demand is handled by JAB and niche demands should be handled by agencies. Joint Authorization Boards are made up of diverse leaders from all different industries. Agencies are more fit to handle more specific cases, which would be ideal for niche CSO’s.