You and your team are:
- Acting as the CSP (Cloud Service Provider)
- Seeking PA (Preliminary Authorization) for your information system
- Responsible for:
- Developing and documenting the system security architecture for your information system
- Developing a System Security Plan (SSP) for your information system
- Presenting your SSP to an internal senior management review team
To do so,
1. Select a mission-based or service delivery information system your firm will develop and host in the cloud to support one or more client governmental agencies
2. Determine the security categorization of the information and information system your firm will develop, host and support
and NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
- Based on your information system’s categorization, select either the High, Moderate, or Low System Security Plan (SSP) template to fill out
- Complete FedRAMP System Security Plan’s Cover Page, Sections 1, 2.1, 2.2, 2.3, 9.1, and 9.3
- Complete FedRAMP System Security Plan’s Attachment 10 – FIPS 199, including Table 15-9 and Attachment 3 Digital Identity Worksheet
The level of detail in your SSP should be one at which you would feel comfortable explaining it to a group of high-level business leaders and executives
3. Based on step 2 (above), draft a logical network diagram of the information system architecture and infrastructure needed by your firm to develop and maintain the mission-based or service delivery information system for your government agency clients and document it in the:
- Boundary diagram of Section 9.2 in Figure 9-1 (with boundaries superposed to enable visualization of the data flows interconnecting systems),
- Network Architecture diagram of Section 9.4 in Figure 9-2.
- Data Flow diagram(s) of Section 10.1 in Figure 10-1, depicting the different types of system users and illustrating the flow of data between users across the Internet, in and out of the system boundary, and through the logical model of the system.
- You may use https://app.diagrams.net, Visio, CSET (Cyber Security Evaluation Tool), PowerPoint, or another drawing tool to draw the logical network diagram of the information system infrastructure
- Use appropriate network symbols and annotation in your architectural diagram, include:
- Information System Servers: e.g. Web Server(s), Application Server(s), Database Server(s), File Server(s), …
- Groups of desktop/laptop computers organized within LANs or VLANs of organizational units
- Strongly consider having 3 parallel cloud-based system environments to support your system: Development System, Test System, and Production System
4. Transform the draft of the logical network diagram of the information system architecture you created in step 3 into a high-level logical security architecture diagram that represents recommendations for technical security infrastructure for the information system
- Use appropriate network symbols and annotation
- Information System Servers: e.g. Web, Application, Database, File, …
- Groups of desktop/laptop computers organized within LANs of organizational units
- Security zones (i.e. security domain areas) based on security categorizations
- Appropriately placed switches, routers, firewalls, Intrusion Detection System(s) and/or Intrusion Protection Systems.
- Be sure to label all the firewalls, IDSs, and IPSs, and annotate the diagram to indicate the type of firewall technology and the type of IDS/IPS technology you placed in each location
- Identify the system’s boundaries and the locations of interconnection(s) to the Internet and to other information systems
- Identify where and how various user groups, including clients and remote staff, access your organization's various IT systems via the Internet, and illustrate the data flow between each user group and the information system
5. Document your system and its security architecture and controls in the System Security Plan
- Complete FedRAMP System Security Plan’s cover page, Sections 1, 2, 7, 8.1, 8.2, 9.1, 9.2, 9.3, 9.4, 10.1, 11 (use Table 11-1 but do not include Columns 1, 3, or 7; only include the External Organizations’ Names in column 2, Connectivity Security of column 4, Data Direction of column 5, and Information being Transmitted of column 6), and select and document one of the technical control families from the Minimum Security Control families in Section 13.
- If the network diagram does not fit into Figure 9-1, Section 9.4, or 10.1 and display well, you may also include a copy of your diagrams in a separate PDF file with your hand-in via Canvas.
- Complete FedRAMP System Security Plan’s Attachment 10 – FIPS 199, including Table 2-1
- Make sure that your team’s identity (i.e. replace CSP Name with your Team # and members’ names), Information System Name, SSP Version, and Version Date are listed on the cover page of the SSP document you hand in for your assignment. Note: CSP = Cloud Service Provider.
- Also, complete the following attachments in FedRAMP System Security Plan’s Section 15:
- Attachment 3 Digital Identity Worksheet
- Attachment 4 PTA/PIA
- For Attachment 6 Information System Contingency Plan – only provide a GANTT chart for the plan (include a schedule of tasks with labor estimates in person-hours) for completing Attachment 6, which is an Information System Contingency Plan (ISCP) based on the FedRAMP ISCP Template
- Attachment 10 FIPS 199
6. Create and deliver in class a PowerPoint presentation that introduces the name and purpose of your Cloud Based Information System, your system’s users and how it is used, and the security architecture of the system.
Deliverables: (Hand in your assignment individually via Canvas. Each member of the team should submit identical copies of the following documents in PDF format, with your names on the files and in the documents, via your individual Canvas.)
- PowerPoint presentation
- System Security Plan (with completed sections and attachments as detailed above)
- Logical system security architecture diagrams (System’s logical network diagram with boundaries, interconnections and data flows to/from users and other/supporting systems, and security architecture components)
- 360 Degree Review – On a single page, list the members of your team including yourself and briefly describe each team member’s contribution to developing and delivering the deliverables
- Each team not presenting will interview/question the SSP presentation team to help identify and clarify possible weaknesses in the information system’s security architecture being presented.