The key point I noted in this document (FedRAMP) is that it’s a guide for cloud service providers (CSPs) when conducting risk assessments, security authorizations, and granting an ATO (Authority to Operate). There is a list of controls at every level of the system and steps on how to implement them, plus the CIA triad is a constant in the application of policies and the process of categorization.
Hello,
Glancing through your main takeaway from the assigned reading, I found that what you stated resonates with what I also noticed while reading FedRAMP’s System Security Plan High Baseline Template. As the primary purpose of the template is to create a snapshot of the organization’s current security framework and operations, it’s critical that the controls included in the document adhere to the CIA triad to better secure information systems.
The FedRAMP SSP High Baseline Template provides security control requirements for high-impact cloud systems. All federal agencies are required to use the FedRAMP process to conduct security assessments, responsibilities and authorizations, and continuous monitoring of cloud services. The FedRAMP Program Management Office (PMO) identified some requirements for FedRAMP compliance. To do so, the template provides the framework for the information system environment, system responsibilities, and high baseline controls required for the system. One key point is that it is important to describe the origin of controls to make clear whose responsibility it is to implement, manage and monitor the control.
This FedRAMP System Security Plan (SSP) is a template designed for developing a security plan. It provides the example format and the important data which an SSP should have. In addition, the security control sections are aligned with the controls in NIST SP 800-53, and the level of risk (High, Medium, Low) should be evaluated. One key point which I took is that each control should identify the responsible role, implementation status, and control origination.
The System Security Plan (SSP) specifies the controls to be put in place by Cloud Service Providers (CSPs) on the information systems of their customers and federal agencies. The minimum security control requirements are classified into 17 domains. For every single domain, the controls are further classified into high/medium/low levels of control as per the sensitivity of the information asset to be safeguarded. The important point to note is that while populating the fields in this template, it becomes clear which information system or business process the level of control needs to be implemented for. This gives further clarification on the responsibility for implementing and monitoring these controls, which can be either the customer or the CSP or both.
Hi Akshay,
Yes. With this template, responsibilities will be clearer and everyone will know what to do according to the system security plan.
Good points, Akshay. Also, the information system monitoring plan must include measures and techniques to identify unauthorized use of the information systems, must deploy monitoring devices strategically within the information system to collect essential information, and at ad hoc locations to track specific types of transactions of interest to the organization.
Hi Akshay, I agree with you that FedRAMP specifies the controls to be put in place by Cloud Service Providers (CSPs) on the information systems of their customers and federal agencies. Furthermore, it guides professionals on what controls to deploy for Low, Medium and High security parameters.
The key takeaway I took from this document is that there are minimum security control requirements that must be met. The fact that each security control has a certain level to attain is, I think, good because it keeps the organization accountable for what needs to be improved to help mitigate risk. Following this protocol can also open the eyes of management to other aspects of the organization that they weren’t previously aware of.
Hi Natalie, well done. I agree with your point that this FedRAMP SSP can help administrators focus on what they have not previously focused on.
The key point I want to point out is the included contingency planning for the site. It has a person assigned to each specific role. It has guidelines so that the planning people won’t miss any details, such as that contingency planning activities should be coordinated with incident handling activities. It also gives space for control enhancement so that the contingency plan can be improved over time. It has training and plan testing so that staff can handle it well when a problem occurs. System backup and recovery can also minimize the risk.
Hi, Peiran Liu,
You are right, this template can be used to deal with some unexpected situations; this template is related to BCP and DRP. Employees can follow this template for appropriate actions.
After I browsed through FedRAMP’s System Security Plan High Baseline Template and read through a few of the notes left there by the publishers of the template, I feel like I better understand the requirements and purpose of the high baseline version of the template. While the general idea of the template itself is to create a snapshot of the organization’s current system environment, the system’s designated responsibilities, and the status of the system’s controls, I compared the Moderate Baseline Template to the High Baseline Template and found that it was tailored very differently to address the differences between the magnitude of moderate-impact and high-impact information systems respectively.
Hi Jordan,
I think it’s interesting that you made that observation about the difference between the Moderate Baseline Template and High Baseline Template. I believe this was probably enforced to better measure the difference between the levels.
Best,
Natalie Dorely
The FedRAMP System Security Plan (SSP) High Baseline Template provides a detailed form to identify and define controls. This is a template guide to security planning and can also serve as a guide to control specification requirements. Control is divided into high/medium/low levels. The organization can choose the appropriate control over the protected information assets so as to meet the organization’s risk appetite and minimum acceptable risk requirements.
The FedRAMP SSP High Baseline Template is used for documenting all the security controls of a cloud service provider to a government entity. It is used to identify where security controls are implemented within the system and who is explicitly responsible for them. All of the controls originate from either a system or a business process. The document also uses SP 800-53 and FIPS 199 for controls and risk categorization. Overall, the FedRAMP documentation of a system is an in-depth look at how a system is secured and who is responsible for the controls.
Hello Chris,
Good summary of the FedRAMP SSP template. I agree, the document goes in depth into how an information system can be secured. However, as this is a template, with all the information that is fed into it, it also gives a good idea about the responsibilities associated with securing information systems.
The FedRAMP Template is an excellent System Security Plan (SSP) showing how to implement the NIST framework SP 800-18r1. I found that the Access Control (AC) section in the template uses all of the security controls and enhancements in the same order as they are in SP 800-53,
The FedRAMP System Security Plan template provides the user with a set of baseline questions that describes the security controls implemented within a cloud service provider for a government agency. After skimming through the document, I thought about how it relates to our other NIST readings and how it’s essentially another form of “results documentation” for a risk assessment, but on a much larger scale.
Hi Sarah, yes, the “baseline questions” set forth in the FedRAMP SSP template are a great guideline to ensure compliance. Important questions are asked, such as who is responsible for the systems and who should have access to certain systems. The answers to these questions can then be used for ongoing auditing purposes, which can serve as “another form of results documentation”.
The FedRAMP Template provides a template for a System Security Plan. This document uses the FIPS 199 classification of security and provides appropriate control over the implementation of the security plan for information transferred, processed or stored by the system. The FedRAMP SSP provides guidance on policy and control requirements of information system security measures.
According to the Federal Risk and Authorization Management Program (a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services), information system monitoring is necessary to detect attacks and identify indicators of attacks in accordance with an organization’s defined monitoring objectives. The information system monitoring plan should include measures and techniques to identify unauthorized use of the information systems; must deploy monitoring devices strategically within the information system to collect essential information, and at ad hoc locations to track specific types of transactions of interest to the organization; protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion; and heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, etc.