You and your team are:
- Acting as the CSP (Cloud Service Provider)
- Seeking PA (Preliminary Authorization) for your information system
- Responsible for:
- Developing and documenting the system security architecture for your information system
- Developing a System Security Plan (SSP) for your information system
- Presenting your SSP to an internal senior management review team
To do so,
1. Select a mission-based or service delivery information system your firm will develop and host in the cloud to support one or more client governmental agencies
2. Determine the security categorization of the information and information system your firm will develop, host and support
- Based on your information system’s categorization, select either the High, Moderate, or Low System Security Plan (SSP) template to fill out
- Complete FedRAMP System Security Plan’s Cover Page, Sections 1, 2.1, 2.2, 2.3, 9.1, and 9.3
- Complete FedRAMP System Security Plan’s Attachment 10 – FIPS 199, including Table 15-9 and Attachment 3 Digital Identity Worksheet
The level of detail in your SSP should be one at which you would feel comfortable explaining to a group of high-level business leaders and executives
3.Based on step 2 (above) draft a logical network diagram of the information system architecture and infrastructure needed by your firm to develop and maintain the mission-based or service delivery information system for your government agency clients and document it in Figure 9-1, and Section 9.4. In Section 10.1 add the different types of systems’ users to the logical network diagrams illustrating the flow of data across the system boundary in and out and through the system.
- You may use www.draw.io , Visio, CSET (Cyber Security Evaluation Tool), PowerPoint, or another drawing tool to draw the logical network diagram of the information system infrastructure
- Use appropriate network symbols and annotation in your architectural diagram, include:
- Information System Servers: e.g. Web Server(s), Application Server(s), Database Server(s), File Server(s), …
- Groups of desktop/laptop computers illustrating organized within LANS or VLANS of organizational units
- Strongly consider having 3 parallel cloud-based system environments to support your system: Development System, Test System, and Production System
4.Transform the draft of the logical network diagram of the information system architecture you created in step 3 into a logical security architecture diagram that represents recommendations for technical security infrastructure for the information system
- Use appropriate network symbols and annotation
- Information System Servers: e.g. Web, Application, Database, File, …
- Groups of desktop/laptop computers illustrating organized within LANS of organizational units
- Security zones (i.e. security domain areas) based on security categorizations
- Appropriately placed switches, routers, firewalls, Intrusion Detection System(s) and/or Intrusion Protection Systems.
- Be sure to label all the types of firewalls, IDSs IPS, and annotate to indicate the type of firewall technology and the type of IDS/IPS technology you placed in each location of your diagram
- Identify the system’s boundaries, locations of interconnection(s) to the Internet, and ther information systems and to the Internet
- Identify where and how various user groups including clients and remote staff access your organization various IT system via the Internet and illustrate the data flow between each user group and the information system
5. Document your system and it security architecture and controls in the System Security Plan Step 2 of the assignment:
- Complete FedRAMP System Security Plan’s cover page and Sections 1, 2, 7, 8.1, 8.2, 9.1, 9.2, 9.3, 9.4, 10.1, 11 (use Table 11-1 but do not add IP address and Interface), and select and document one of the technical control families from the Minimum Security Control families in Section 13.
- If the network diagram does not fit into Figure 9-1, section 9.4 or 10.1 and display well, you may also include a copy of your diagrams in a separate PDF file with your hand-in via Canvas.
- Complete FedRAMP System Security Plan’s Attachment 10 – FIPS 199, including Table 2-1
- Make sure that your team’s identity (i.e. replace CSP Name with your Team # and members’ names), and Information System Name, SSP Version and Version Date are listed on the cover page of the SSP document you hand in for your assignment cover page. Note: CSP = Cloud Service Provider.
6. Create and deliver in-class a PowerPoint presentation that introduces the name and purpose your Cloud Based Information System, your systems user’s and how it is used, and the security architecture of the system.
Deliverables: (Hand in your assignment individually via Canvas. Each member of the team should submit an identical copy of the team’s SSP document via your individual Canvas accounts with the following)
- Powerpoint presentation
- System Security Plan
- Logical system security architecture diagrams (System’s logical network diagram with boundaries, interconnections and data flows to/from users and other/supporting systems, and security architecture components)
- Each team not presenting will interview/question the SSP presentation team to help identify and clarify possible weaknesses in the information system’s security architecture being presented.