Federal Risk and Authorization Management Program - FedRAMP
FedRAMP – Lessons Learnt
Pierre Wettergren, CEO CCG Europe AB
www.MeetingSphere.se

Pierre Wettergren, MBCI, CBCI
► ABB: 9 years, various positions within quality and line, subcontract, project, engineering, and improvement management, split 50/50 between ABB Sweden and ABB Switzerland.
► AstraZeneca: 4+ years as Global Head of Business Continuity Management (BCM)
► Since 2007 engaged as expert in ISO Societal Security standards development
► 4C Strategies: 1.5 years – Senior consultant, accountable for the BCM business area and Manager of the Gothenburg office
► 5G Continuity: CEO / Senior Consultant
► 2009: Started my own company
► Clever Collaboration Group: Founding partner / CEO
► 2013 peak year:
► Awarded ”Security Consultant 2013” (www.SecurityAwards.se)
► Recognition: ”Highly Recommended – BCM Consultant of the Year”, BCI Global Awards – the Business Continuity Institute is an international organization with 8000 professional members globally.
► Onsala Floor-ball Club (OIBK): Chairman since 2013
+46 705 498 598, Skype: pwettergren

Agenda steps
► Practical issues
► Login to follow and comment on this presentation: http://korta.nu/scsss
Enter your name and email address. This email address will later receive the report from the complete session. It is also this link we use for the closing workshop.
► MeetingSphere - the tool in brief
► FedRAMP
► what it is, the purpose of FedRAMP
► what value it brings
► for whom it applies and who the players are
► MeetingSphere FedRAMP journey

MeetingSphere – In brief
MeetingSphere is an online meeting productivity tool known as a Group Decision Support System (GDSS), which is designed to:
► Actively engage participants in face-to-face, online or hybrid meetings
► Generate a higher volume of inputs
► Allow people to say what is really on their minds
► Support online team collaboration (synchronous and asynchronous)
► Save time and eliminate unnecessary work, administration, and travel
► Bring accountability and transparency to the decision-making process
► Real work in real time with fully automatic reporting
Deployment choices include:
► On-premises in customer data centers, clouds, and portable servers
► Combinations are very common, e.g. portable servers together with other solutions, depending on demands on security, demands on availability, intranet only, etc.

MeetingSphere makes the information gathering and decision-making process more efficient. (Process diagram; its steps are listed below.)
► Kick off the meeting with a presentation. Utilize the Presentation Tool – or use your Web Conference tool of choice.
► Capture more ideas in a shorter period of time. Sort into themes.
► Move the content of Brainstorm to Discussion for more in-depth collaboration.
► Move content to the Rating Tool. Rate outcomes by single or multiple criteria.
► Assign responsibility for follow-up actions with Action Tracker.
► Generate Session Reports instantly with only a couple of clicks.

MeetingSphere - Customer uses
► Regular team calls and web meetings
► Running hybrid workshops with stakeholders
► Online collaborative document development
► Proposal development
► Key account planning
► Supplier evaluations
► Focus groups
► Audit processes
► Change management programs
► Project requirements gathering
► Risk assessment processes (GAP/HAZID/RA/SWOT/…)
► Business Continuity Management
► Project learning reviews
► Whistleblowing Management (link)

FedRAMP – What it is, what’s the purpose
Federal Risk and Authorization Management Program
► FedRAMP is a program that supports the U.S. government’s objective:
► Enable U.S. federal agencies to use managed service providers that enable cloud computing capabilities.
► The program is designed to comply with the Federal Information Security Management Act (FISMA).
► It builds on applicable US Laws and Regulations
► It builds on US Standards and Guidance
► More info: www.fedramp.gov

FedRAMP Process – CSP perspective
► FedRAMP provides a “streamlined avenue” for US federal agencies to make use of cloud service providers (CSPs)
► The ”independent” assessment is paid for by the CSP.
► The CSP selects the 3rd party assessment organization (3PAO) from a list of accredited 3PAOs.
► FedRAMP provides all actors with checklists, templates, guidance, and requirements.

CSP and authorization model
► Cloud Service Provider
► IaaS – Infrastructure as a Service
► E.g. Amazon Web Services
► PaaS – Platform as a Service
► E.g. MySQL
► SaaS – Software as a Service
► MeetingSphere
► Authorization model: 3PAO and JAB
► 3PAO

FedRAMP – Document hierarchy
Policy Memo, released by OMB - provides the direction and high-level framework for standing up the governmentwide cloud security program.
Baseline Security Controls document is based on the NIST 800-53 Security Control guidelines and includes additional control enhancements to address cloud-system-specific vulnerabilities.
Key Processes are the three main functions that FedRAMP performs during operations.
CONOPS, Concept of Operations, provides an overview of FedRAMP, the Operating Model and Key Processes.
Operating Model for FedRAMP is based on the Policy Memo - identifies the key organizations’ responsibilities for implementing the program and gives a high-level description of the operational roles and responsibilities.
Detailed Templates and Guidelines are documents that provide templates for forms and information required from CSPs or 3PAOs through the FedRAMP process phases, and detailed instructions for each of the process areas.

FedRAMP - Governance

MeetingSphere - shared responsibility model
(Layered diagram; the layers are listed below, top to bottom.)
Customer – responsible for security “in” the MeetingSphere:
► MeetingSphere administration (users, permissions, authentication, data retention)
► Client-side data encryption & data integrity
► Authentication
MeetingSphere – responsible for security “in” the Cloud:
► Platform, Applications, Identity & Access Management
► Operating System, Network & Firewall Configuration
► Server-side encryption (file system and/or data)
► Network: traffic protection (encryption / integrity / identity)
AWS – responsible for security “of” the Cloud:
► AWS Global Infrastructure: Compute, Storage, Database, Networking
► Regions, Availability Zones, Edge Locations

FedRAMP - journey

FedRAMP - Reality check
► It makes life for agencies much easier
► Few BIG 3PAOs
► Very few certifications by smaller 3PAOs
► Huge incentive to “leverage” authorizations of big players (Amazon)
► Compliance as a small SaaS
► Possible at the technical level, leveraging AWS
► Valuable lessons for professionalization
► Hardly doable at the process level (guidelines made for large hierarchical businesses)
► Only US businesses and personnel are certifiable
► This is very much a process to drive business towards the big US players

FedRAMP – the savior from heaven …
► Before
► Today

CCG Reference - Selection

Contact: Pierre.Wettergren@CCGEurope.com
© Copyright 2024