
Guide to Understanding FedRAMP

Version dated March 4, 2013

Executive Summary

This document provides helpful hints and guidance to make it easier to understand FedRAMP's requirements. Its primary purpose is to act as an aid for Cloud Service Providers (CSPs) and Third-Party Assessment Organizations (3PAOs) to get through the security assessment process quickly. The information in this document is consistent with the program described on the FedRAMP website. The FedRAMP program supports the government's mandate that all federal information systems comply with the Federal Information Security Management Act of 2002 (FISMA).

Applicable Laws and Regulations (excerpt):

Protection of Sensitive Agency Information [OMB M-06-16]
Records Management by Federal Agencies [44 USC 31]
Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended]
Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]



Document Revision History

Date        Page(s)     Description                                          Author
6/6/2012    All         Version                                              FedRAMP Office
10/15/2012  pp. 38-39   Added sections on PE-2, PE-3, PE-4                   FedRAMP Office
10/26/2012  p. 36       Table number revised                                 FedRAMP Office
10/26/2012  p. 46       Table number revised                                 FedRAMP Office
10/26/2012  p. 49       Table number revised                                 FedRAMP Office
11/14/2012  p. 20       Added a section; all sections past it renumbered     FedRAMP Office
11/14/2012  p. 13       Revised                                              FedRAMP Office
11/14/2012  p. 33       Revised                                              FedRAMP Office
02/04/13    p. 40       Added new sections                                   FedRAMP Office
03/04/13    p. 14       Revised to change 3PAO scans to annual               FedRAMP Office
03/04/13    p. 18       Removed requirement for CTW                          FedRAMP Office
03/04/13    p. 13       Updated Figure 2-1                                   FedRAMP Office
03/04/13    p. 38       Added new section                                    FedRAMP Office

Table of Contents

About this document .. 9
Who should use this document? .. 9
How this document is organized .. 9
Conventions used in this document .. 9
How to contact us .. 10
1. FedRAMP .. 11
Applicable Laws and Regulations .. 11
Applicable Standards and Guidance .. 11
FedRAMP governance .. 12
Overview of The FedRAMP Process .. 12
2. Guidelines For Third-Party Assessment Organizations .. 13
Security Assessment Plan (SAP) Template .. 14
Security Test Procedure Workbooks .. 14
Security Assessment Report (SAR) Template .. 14
Running Scans .. 14
3. Guidelines For Cloud Service Providers .. 15
Before You Begin .. 15
Initiating the .. 16
After Acceptance Into The FedRAMP Program .. 16
FIPS 199 Template .. 17
e-Authentication Template .. 17
Privacy Threshold Analysis & Privacy Impact Assessment .. 18
CTW Template .. 18
CIS Template .. 18
User Guide .. 20
Components, Boundaries, and Architecture .. 20
Describing Information System Components (in SSP) .. 20
Use Cases .. 21
Case 1: Simple .. 22
Case 2: Simple .. 22
Case 3: Simple SaaS .. 23
Case 4: One Provider, Just SaaS .. 23
Case 5: Two Cloud Providers, IaaS and .. 24
Case 6: Three Cloud Providers, IaaS, PaaS, and SaaS .. 25
Case 7: Two Cloud IaaS Providers .. 26
Case 8: Two Cloud IaaS Providers and a PaaS Provider .. 26
Case 9: Three Cloud Providers, One IaaS and Two PaaS .. 27
Discussing Virtualization .. 28
Discussing Boundaries (in SSP) .. 29
Discussing Live Migrations .. 31
Discussing Storage Components .. 32
Addressing the Data Flow Diagram (in SSP) .. 33
Describing the Security Controls in the SSP (13 in SSP) .. 34
Security Control Summary Information .. 36
Security Control AC-7 .. 38
Security Control IA-5(3) .. 38
Security Control PE-2(a)(b)(c) .. 39
Security Control PE-3(a)(b)(c)(d)(e)(f)(g) .. 39
Security Control PE-4 .. 39
Security Control PE-5 .. 40
Security Control PE-6(a)(b)(c) .. 40
Security Control PE-6(1) .. 40
Security Control PE-13(1)(2)(3) .. 41
Security Control PL (4) .. 41
Security Control SA-11(1) .. 42
Security Control SC-7(1) .. 42
Security Control .. 44
IT Contingency Plan (CP-2) .. 45
Business Impact Analysis (BIA) .. 45
Configuration Management Plan (CM-9) .. 45
Incident Response Plan (IR-8) .. 48
Security Control IR-2 .. 50
Security Control IR-3 .. 50
Security Control IR-4 .. 50
Security Control IR-4(1) .. 51
Security Control IR-5 .. 51
Security Control IR-6 .. 52
Security Control IR-6(1) .. 53
Security Control IR-7 .. 53
Security Control IR-7(1) .. 53
Security Control IR-7(2) .. 54
POA&M .. 54
4. Instructions for CSPs on Maintaining the Authorization .. 54
Ongoing Assessment and Continuous Monitoring .. 54
5. General Documentation Information for CSP .. 55
Formatting and Section Numbers .. 55
Sensitivity Markings .. 55
Items That Are Not Applicable .. 55

List of Tables

Table 3-1. Preparation .. 15
Table 3-2. Information Types for IaaS Providers .. 17
Table 3-3. Example of Security Control Summary Information .. 36
Table 3-5. Configuration Management Controls .. 45
Table 3-6. Configuration Management Nomenclature .. 46
Table 3-7. Incident Response Controls .. 48
Table 3-8. Agency Points of Contact to Report Incidents .. 52

List of Figures

Figure 2-1. FedRAMP Process .. 13
Figure 3-1. Screenshot from CTW .. Error! Bookmark not defined.
Figure 3-2. Select the Implementation Status in the CIS .. 19
Figure 3-3. Select the Control Origination Responsibility .. 19
Figure 3-4. Example of Components Described by .. 21
Figure 3-5. Example of Components Described by Function .. 21
Figure 3-6. One IaaS Provider .. 22
Figure 3-7. One Provider for IaaS and PaaS .. 23
Figure 3-8. One Provider, IaaS, PaaS, and SaaS .. 23
Figure 3-9. One Provider, Just SaaS .. 24
Figure 3-10. Two Providers, One IaaS and One PaaS .. 25
Figure 3-11. Three Providers, One IaaS, One PaaS, and One .. 25
Figure 3-12. Two IaaS Providers .. 26
Figure 3-13. Two IaaS and One PaaS Provider .. 27
Figure 3-14. Three Providers, One IaaS and Two .. 28
Figure 3-15. Security Controls Fitting .. 30
Figure 3-16. Security Control Gap .. 30
Figure 3-17. Example of Storage Array Illustration .. 33
Figure 3-18. Data Flow Diagram Example .. 34
Figure 3-19. Access Control for System Components .. 35
Figure 3-20. Two Access Control Mechanisms .. 35
Figure 3-21. TIC Compliant Architecture .. 43

ABOUT THIS DOCUMENT

This document has been developed to provide guidance on how to participate in and understand the FedRAMP program.

WHO SHOULD USE THIS DOCUMENT?

This document is intended to be used by cloud service providers (CSPs), 3PAOs, government contractors working on FedRAMP projects, government employees working on FedRAMP projects, and any outside organizations that want to make use of the FedRAMP assessment process.