It is worth pointing out that NIST SP 800-145 established FedRAMP’s definition of cloud services, namely IaaS, PaaS and SaaS. Software as a Service (SaaS) is a software licensing and delivery model. In this model, software is licensed by subscription and managed centrally. Consumers use the provider’s applications running on cloud infrastructure. Users do not manage or control the underlying cloud infrastructure, including networks, servers, operating systems, or storage. However, the privacy of sensitive data is a major issue for cloud services, and performance is not always as good as that of server applications.
If an organization includes cloud services, this is interesting, and I find the most interesting thing is the ongoing monitoring of the agency authorization phase. FedRAMP recommends that cloud service providers provide agencies with ongoing monitoring deliverables on a monthly basis, including updated plans of action and milestones, scan results, system change information/requests (as agreed between agencies and CSPs), and any other content that depends on the organization. At the same time, FedRAMP recommends that suppliers conduct monthly continuous monitoring collaboration calls to better understand agency concerns, issues, and CSP updates on continuous monitoring status. Annual security assessments from third-party assessment organizations are necessary for CSPs to ensure system risk posture. I find monitoring as important as the other authorization processes.
The third stage, “authorization process”, is the more interesting part, because I think the transparency and reliability of the authorization process can make customers who use products and services trust this platform more. The authorization process mentioned in this article is very complete. Once the CSP is authorized by FedRAMP, the CSP will be listed in the FedRAMP Marketplace. FedRAMP will make its security package available to the entire federal government, based on the requester’s request and verification, so that agencies can issue their own ATO to use the service. Due to the sensitivity of the material, this information is strictly controlled through the use of an access request form, which must be sent with an appropriate signature from within the federal government. Each form must be approved by FedRAMP before the document can be reviewed.
FedRAMP is a government-wide initiative that provides a standardized approach for security assessment, authorization, and ongoing monitoring of cloud products and services. In FedRAMP compliance, I am interested in the three aspects that electronic security can help with: encryption and key management, access control strategy and privileged users, and security reporting. For example, for access control strategy and privileged users: limit access to encrypted data, allowing only authorized users and applications to decrypt data, while at the same time allowing a privileged user to perform IT operations to view the protected information.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for all cloud products and services. FedRAMP was created by the Joint Authorization Board (JAB) with representatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD).
The purpose of FedRAMP is to:
• Ensure that cloud applications and services used by government agencies have sufficient safeguards.
• Enable efficient and cost-effective procurement of cloud-based information systems and services.
• Eliminate duplication of effort and risk management costs across government agencies.
If you have a Cloud Service Offering (CSO) that is in use by the federal government, you should be thinking about obtaining a FedRAMP authorization. Per an OMB memorandum, cloud services that hold federal data must be FedRAMP authorized.
There are two paths for pursuing a FedRAMP authorization: Joint Authorization Board (JAB) and Agency.
There are different levels of impact. CSPs must correctly align their CSOs to an impact level to pursue the appropriate authorization baseline. For example, it would not be appropriate for CSOs that qualify for LI-SaaS or align with Low Baseline to pursue a JAB P-ATO. Rather, a JAB P-ATO would be better suited for cloud services that are moderate and high impact. CSPs should use the FedRAMP FIPS 199 Categorization Template along with the guidance of NIST Special Publication 800-60 volume 2 Revision 1 to correctly categorize their system based on the types of information processed, stored, and transmitted.
The CSP can apply a mitigation and request a risk adjustment, which would allow the CSP more time to remediate a vulnerability. The CSP can seek approvals for a false positive (FP) if a vulnerability is not accurate for the CSP’s system. The CSP can seek approvals for operational requirements (OR) if a vulnerability is something that a CSP cannot fix, does not plan to fix, or a fix would break the system.
CSPs should apply all mitigations possible to lower the risk of the vulnerability prior to requesting an OR. As a note, High risks are typically not approved and must have some mitigation in place to be accepted.
If a vulnerability cannot be resolved by a CSP directly but is dependent on another vendor to fix, then the CSP should submit this vulnerability as a vendor dependency (VD). A CSP should check in with the vendor at least once a month so the vulnerability is not considered late. CSPs are required to perform scanning at least monthly, but it is recommended that vendors scan at least weekly. High and Critical findings must be addressed within 30 days of discovery, and Moderate vulnerabilities must be addressed within 90 days.
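As an added example (not from the playbook or the original post), a small checker that applies the ConMon timelines quoted above to constructed POA&M entries: High/Critical due within 30 days of discovery, Moderate within 90, vendor dependencies late when the monthly vendor check-in lapses, ORs on High findings flagged when no mitigation is in place, and monthly scanning as the minimum cadence. The Low-severity window, the field names and the sample dates are assumptions.

```python
"""Constructed ConMon/POA&M deadline checker (added example, not FedRAMP tooling).

Applies the remediation timelines quoted in the post. The Low window and
the record layout are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days allowed from discovery to remediation, per severity.
# 30 and 90 come from the page; the Low window is an assumed placeholder.
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}
VENDOR_CHECKIN_DAYS = 30   # VD items: check in with the vendor at least monthly
SCAN_INTERVAL_DAYS = 30    # CSPs must scan at least monthly (weekly recommended)


@dataclass
class Finding:
    fid: str
    severity: str                            # critical | high | moderate | low
    discovered: date
    status: str = "open"                     # open | fp | or | vd | closed
    mitigated: bool = False                  # compensating mitigation applied?
    risk_adjusted_to: Optional[str] = None   # approved risk adjustment, e.g. "moderate"
    last_vendor_checkin: Optional[date] = None


def effective_severity(f: Finding) -> str:
    """An approved risk adjustment lowers the severity used for the deadline."""
    return f.risk_adjusted_to or f.severity


def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=REMEDIATION_DAYS[effective_severity(f)])


def evaluate(f: Finding, today: date) -> dict:
    """Return whether a finding is late and why, following the page's rules."""
    result = {"id": f.fid, "late": False, "flags": []}
    if f.status in ("closed", "fp"):
        return result                        # remediated, or approved false positive
    if f.status == "or":
        # Operational requirement: not tracked as late, but the page notes that
        # High risks are typically not approved without a mitigation in place.
        if effective_severity(f) in ("high", "critical") and not f.mitigated:
            result["flags"].append("or-needs-mitigation")
        return result
    if f.status == "vd":
        # Vendor dependency: late only if the monthly vendor check-in lapsed.
        if f.last_vendor_checkin is None or \
           (today - f.last_vendor_checkin).days > VENDOR_CHECKIN_DAYS:
            result["late"] = True
            result["flags"].append("vendor-checkin-overdue")
        return result
    # Open finding: compare today against the remediation window.
    due = due_date(f)
    result["due"] = due.isoformat()
    if today > due:
        result["late"] = True
        result["flags"].append(f"past-due-by-{(today - due).days}d")
    return result


def scan_cadence_ok(last_scan: date, today: date) -> bool:
    """Monthly scanning is the required minimum."""
    return (today - last_scan).days <= SCAN_INTERVAL_DAYS


def late_ids(findings, today: date) -> list:
    return [r["id"] for r in (evaluate(f, today) for f in findings) if r["late"]]


# Constructed sample POA&M entries for a check run on 2024-03-31.
TODAY = date(2024, 3, 31)
SAMPLE = [
    Finding("F1", "critical", date(2024, 2, 15)),                      # due 03-16: late
    Finding("F2", "moderate", date(2024, 1, 15)),                      # due 04-14: on time
    Finding("F3", "high", date(2024, 1, 5), status="vd",
            last_vendor_checkin=date(2024, 2, 20)),                    # check-in 40 days ago
    Finding("F4", "high", date(2024, 2, 1), status="or"),              # OR without mitigation
    Finding("F5", "high", date(2024, 2, 1), risk_adjusted_to="moderate"),  # due 05-01
    Finding("F6", "low", date(2023, 12, 1), status="fp"),              # approved false positive
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(evaluate(f, TODAY))
    print("late:", late_ids(SAMPLE, TODAY))
    print("scan cadence ok:", scan_cadence_ok(date(2024, 3, 5), TODAY))
```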
FedRAMP recommends that suppliers conduct a continuous monitoring collaboration call once a month to better understand agency concerns, and that CSPs must conduct an annual security assessment from a third-party assessment organization to ensure system risk posture. I always follow FedRAMP; electronic security can help with encryption and key management, access control policies and privileged users, and I am very interested in security reporting.
After reading the article, I was interested in the two types of FedRAMP authorizations available to CSPs: JAB Authorization and Agency Authorization. The former has four stages, which are FedRAMP Readiness Assessment and FedRAMP Connect, Full Security Assessment, Authorization Process and Continuous Monitoring. The latter also has four stages, but the only difference is that the first stage is Partnership Establishment.
There are two paths for pursuing a FedRAMP authorization: Joint Authorization Board (JAB) and Agency. Both authorization paths require a security assessment based on FISMA requirements and NIST 800-53 baselines, and both are explained in greater detail in the following sections. Responsible for providing a unified process for stakeholders, the FedRAMP PMO is a key partner for CSPs researching or seeking a FedRAMP authorization for their CSO.
The level of impact is very important. It is divided into three levels: Low, Moderate and High.
Low impact is most appropriate for CSOs for which the loss of confidentiality, integrity, and availability would result in limited adverse effects on an Agency’s operations, assets, or individuals.
Moderate-impact systems account for nearly 80% of CSP services authorized by FedRAMP, and this level is most suitable for CSOs.
High-impact data usually appears in law enforcement and emergency service systems, financial systems, health systems, and any other system. FedRAMP introduced a high baseline to account for the government’s most sensitive unclassified data in the cloud computing environment, including data related to protecting lives and preventing financial ruin.
The third part, “determining your authorization strategy,” is the more interesting part. Mostly, choosing one path means giving up the other, so it is important to choose the right authorization strategy. First, security objectives should be set, including availability, integrity, and confidentiality. Second, you ought to evaluate the impact levels: low impact level, moderate impact level or high impact level. You must correctly align your CSOs to an impact level to pursue the appropriate authorization baseline. Last, you should be able to qualify whether your CSO is government-only or exists as a public cloud. You should carefully compare the strengths and weaknesses of the different models to find the one that best matches the needs of your organization’s strategic goals.
After reading the essay, I’m kind of interested in the authorization strategy. We should evaluate the below factors to determine the authorization strategy:
1) Demand is a key consideration for CSPs deciding between pursuing a JAB P-ATO, Agency ATO, or both. CSOs with broad demand are more appropriate for a JAB P-ATO and CSOs with niche demand are more appropriate for an Agency ATO.
2) Discuss with existing or potential agency partners to address questions or concerns about the authorization process.
3) It is important that CSPs understand the impact level of their service offering(s) and correlated security categorization when developing an authorization strategy. CSOs are categorized into one of three impact levels: low, moderate, and high; and across three security objectives: confidentiality, integrity, and availability.
4) Deployment model: Federal government only cloud; Government only cloud; Public cloud; Private cloud.
There are three major types of cloud services: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Each component (IaaS, PaaS, SaaS) has its own authorization boundary and its own ATO letter.
SaaS hosts an application and makes it available to users through the internet.
PaaS provides a framework for developers that they can build upon and use to create customized applications.
IaaS provides highly scalable and automated resources. IaaS clients have complete control over the entire infrastructure.
The consumer does not manage or control the underlying cloud infrastructure for Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
From reading the FedRAMP CSP Authorization Playbook, I think the interesting thing in the content is that it describes the tasks the authorization team needs to complete:
Initially, the authorization team should pay more attention to the CSP side, because the FedRAMP PMO did not give any useful suggestions for CSPs.
Moreover, the specific assignments of the authorization team are:
1) Project Management
2) Customer Relationship Management
3) System Architecture and Engineering
4) Technical Writing
5) Communication
Many cloud service providers are interested in seeking FedRAMP approval for their cloud services. There are three types of cloud services: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Each cloud service is tailored to the business needs of its target audience. For example, SaaS uses the Internet to deliver results to users and is managed by third-party providers.
Certainly, suppliers often ask about the relevant process, the costs, and how to start. The CSP Authorization Playbook aims to inform cloud service providers and point out the resources they need in order to obtain FedRAMP authorization and an authority to operate. The CSP authorization process is gradual in nature, including understanding the authorization process, creating an authorization strategy, obtaining authorization from the JAB or an agency, and continuous monitoring. This manual covers the entire FedRAMP authorization life cycle and has gradually become the best standard for sharing and achieving effective authorization.
What interests me is what IaaS, PaaS and SaaS are.
IaaS is Software-as-a-Service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. PaaS is Platform-as-a-Service (PaaS): The capability provided to the consumer is to deploy consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider onto the cloud infrastructure. SaaS is Infrastructure-as-a-Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
Regarding access control policies and privileged users, I am very concerned about security reports, such as for access control policies and privileged users: restrict access to encrypted data, only allowing authorized users and applications to decrypt data, while allowing privileged IT operations personnel to view protected information.
What is the difference between the two FedRAMP authorizations available to CSPs, JAB Authorization and Agency Authorization?
I noticed that if I have a cloud service offering (CSO) that the federal government is using, I should consider obtaining a FedRAMP authorization. According to the OMB memorandum, cloud services storing federal data must be authorized by FedRAMP.
There are two paths for pursuing a FedRAMP authorization: Joint Authorization Board (JAB) and Agency. Both authorization paths require a security assessment based on FISMA requirements and NIST 800-53 baselines, and both are explained in greater detail in the following sections. In making your business decision regarding the type of FedRAMP authorization that is most suitable for your service, it is important to consider your overall strategy for the federal marketplace. If you are brand new to the federal arena, there may be a learning curve associated with the procurement timeline, and you might want to consider partnering with a systems integrator who has experience and a federal customer base. Conversely, if you already have a federal footprint and are looking to expand, a FedRAMP authorization can be a business development driver as it provides cross-government visibility in the FedRAMP Marketplace.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of all cloud products and services. FedRAMP was co-founded by the Joint Authorization Board (JAB) with representatives of the Department of Homeland Security (DHS), the General Services Administration (GSA) and the Department of Defense (DoD). SaaS hosts the application and provides it to the user through the Internet.
In response to the Cloud First Policy (now the Cloud Smart Strategy), the US Office of Management and Budget (OMB) issued the FedRAMP Policy Memorandum (now the Federal Cloud Computing Strategy) to establish the first government-wide security authorization program under the Federal Information Security Modernization Act (FISMA). All US federal agencies and all cloud services must enforce FedRAMP. FedRAMP is important because it can improve:
• Consistency and reliability of cloud solution security, as defined by the National Institute of Standards and Technology (NIST) and FISMA
• Transparency between the U.S. government and cloud providers
• Automated and near-real-time continuous monitoring
• Adoption of secure cloud solutions through reuse of assessments and authorizations
There are two types of FedRAMP authorizations available for CSPs: JAB authorization and Agency authorization.
1. JAB authorization:
Readiness Assessment & FedRAMP Connect
Full Security Assessment
Authorization Process
ConMon
The article details the role of the four stages, the time to go through and the deliverables, etc.
2. Agency authorization
Partnership Establishment
Full Security Assessment
Authorization Process
ConMon
The difference lies in the need to establish a partnership, and there are some obvious differences in other steps.