Federal Risk and Authorization
  Management Program
  (FedRAMP)

Developing Your System Security Plan


November 28, 2012
Today’s Webinar

FedRAMP is a government-wide program that provides
a standardized approach to security assessment,
authorization, and continuous monitoring for cloud
services.

The goal of this webinar is to review the System
Security Plan (SSP) and provide the information
and guidelines that you need to accurately
document the FedRAMP controls and assemble
a strong SSP that will meet FedRAMP review
requirements.



                                                     2
System Security Plan (SSP) Overview

• Detailed description of Control Implementation,
  based on NIST SP 800-53, r3

• Global view of how the system is structured

• Identifies personnel in the organization that are
  responsible for system security

• Delineates control responsibility between the
  customer and the vendor

• The SSP is the key document to moving the
  FedRAMP assessment process forward

• Putting together a well-documented SSP can
  save a lot of time in moving through the process




                                                      3
Why Such a Long Document?

             • SSP template is 352 pages long

             • A long template is required to ensure
               that the system and the implementation
               of controls are properly documented

             • The effort to produce a well-documented
               SSP leads to a smooth process



                                                  4
SSP Document Organization

1. System Information and
   Scope
   Section 1 – Section 12




                                     5
SSP Document Organization

2. Description of Control
   Implementation
   Section 13




                                      6
SSP Document Organization

3. Appendix of Supporting
   Documents
   Section 14




                                     7
Describe Your System

Sections 1 – 11 contain the
description of your system.
• Section 1 – Basic
  System Info
  – System Name
  – Unique Identifier




                           8
Section 2 – Information System Categorization

• Overall System
  Categorization
• CSP Data Information
  Types




                                                    9
Section 2 – Information System Categorization

• Security Objective
  Categorization (High
  Water Mark)
• Select Security Baseline
  based on Impact Level




                                                    10
Section 2 – Information System Categorization

• FIPS Guidance on NIST
  CSRC Website




                                                    11
Section 2 – Selecting E-Authentication Level

• E-Authentication Determination




                                                        12
Section 2 – Selecting E-Authentication Level

• OMB Memo M-04-04, E-Authentication Guidance for Federal Agencies




                                                                    13
Section 3 – System Owner

• System Owner
  Contact




                             14
Section 5 – Designated Contacts

• Technical and
  Management POC




                                     15
Section 6 – Security Responsibility

• Information System
  Security Contact
• PMO will provide
  FedRAMP ISSO info




                                         16
Section 7 – Operational Status

• List the operational
  state of the system




                                     17
Section 8 – Information System Type

• List cloud service
  model




                                           18
Section 8 – Information System Type

• Is the cloud service
  built on top of
  another cloud system
  with a FedRAMP
  Provisional ATO?




                                         19
Section 9 – General System Description

• The general System Description section contains some of the most
  important parts of the SSP in terms of defining the roles of the system’s
  users, defining the system boundary, and describing the system
  architecture
• What is the purpose of the system?
   – Why was it built? What problem does it solve? What solution does it
      provide?
• Types of Users
   – Defined by what privileges the user is authorized to use
   – Is the user internal or external?
   – Examples of roles include systems administrators, database
      administrators, release engineers, and customers
   – List other roles that have the ability to configure components that may
      affect services (web server administrators, network administrators,
      and firewall administrators)

                                                                               20
Describing System Boundaries

[Diagram: System Boundary. Inside the boundary: network components, the
network architecture, and two protection boundaries. Ports, protocols and
services cross the boundary to the Internet and to a different system that
sits outside the boundary.]

•    Understand which IT assets fit within the boundary.
•    Interconnections: indicate and label interconnections to other systems
•    Make sure your boundary is consistent with hardware & software inventory
•    Make sure your diagrams are consistent with boundary descriptions

                                                                                                   21
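The consistency checks listed on this slide, as an added example that is not part of the FedRAMP slides: it cross-checks a boundary diagram, the hardware/software inventory, the ports/protocols/services (PPS) inventory and the labelled interconnections, and reports every mismatch a reviewer would flag. All asset names, addresses, ports and labels are constructed sample data.

```python
"""Added example (not from the FedRAMP slides): cross-checks the artefacts
slide 21 says must agree -- the boundary diagram, the hardware/software
inventory, the ports/protocols/services (PPS) inventory, and the labelled
interconnections -- and returns every inconsistency a reviewer would flag.
All asset names, addresses and ports below are constructed sample data."""

# Components drawn inside the authorization boundary on the diagram (constructed)
DIAGRAM_COMPONENTS = {"firewall", "load-balancer", "jump-box", "web-server",
                      "database", "backup-servers"}

# Hardware/software inventory (constructed); 'backup-servers' was left out and
# 'storage-server' was never drawn, which are the mismatches the check reports
INVENTORY = [
    {"name": "firewall", "ip": "10.0.0.1"},
    {"name": "load-balancer", "ip": "10.0.0.2"},
    {"name": "jump-box", "ip": "10.0.0.3"},
    {"name": "web-server", "ip": "10.0.2.10"},
    {"name": "database", "ip": "10.0.1.20"},
    {"name": "storage-server", "ip": "10.0.1.30"},
]

# Ports, protocols and services inventory (constructed); one row names a host
# that exists nowhere else in the package
PPS = [
    {"host": "web-server", "protocol": "TCP", "port": 443, "service": "HTTPS"},
    {"host": "jump-box", "protocol": "TCP", "port": 22, "service": "SSH"},
    {"host": "db-replica", "protocol": "TCP", "port": 5432, "service": "PostgreSQL"},
]

# Interconnections to other systems (constructed); each must be labelled and
# must point at a system that is outside the boundary
INTERCONNECTIONS = [
    {"label": "ISA-01", "external_system": "corporate-dns"},
    {"label": "", "external_system": "customer-saml-idp"},
    {"label": "ISA-03", "external_system": "database"},
]


def check_boundary_consistency(diagram, inventory, pps, interconnections):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    inventory_names = {asset["name"] for asset in inventory}

    # Boundary vs. inventory: every drawn component is inventoried and vice versa
    for name in sorted(inventory_names - diagram):
        findings.append(f"inventory asset '{name}' is not shown inside the boundary diagram")
    for name in sorted(diagram - inventory_names):
        findings.append(f"diagram component '{name}' is missing from the hardware/software inventory")

    # PPS vs. inventory: a listening service must belong to a known asset
    for row in pps:
        if row["host"] not in inventory_names:
            findings.append(f"PPS entry {row['protocol']}/{row['port']} ({row['service']}) "
                            f"references unknown host '{row['host']}'")

    # Interconnections: labelled, and targeting a system outside the boundary
    for ic in interconnections:
        if not ic["label"]:
            findings.append(f"interconnection to '{ic['external_system']}' has no label")
        if ic["external_system"] in diagram:
            findings.append(f"interconnection '{ic['label']}' targets '{ic['external_system']}', "
                            f"which is drawn inside the boundary, so it is not an interconnection")
    return findings


if __name__ == "__main__":
    for finding in check_boundary_consistency(DIAGRAM_COMPONENTS, INVENTORY, PPS, INTERCONNECTIONS):
        print("FINDING:", finding)
```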
Describing the Network Architecture

[Diagram: example network architecture of a cloud service provider. The
Cloud Service Provider Network (primary datacenter) contains a firewall
(10.x.x.x), load balancer (10.x.x.x), jump box (10.x.x.x), routers (10.x.1.x
and 10.x.2.x), a switch (10.x.2.x), a web server (10.x.2.x), virtualized
servers (10.x.2.x), a database (10.x.1.x), a storage server (10.x.1.x) and
operational services such as authentication and messaging (10.x.x.x).
Technical support (10.x.x.x) connects over VPN/SSL; an alternate datacenter
with backup servers (10.x.3.x) is reached over the WAN; customers and mobile
users (192.x.x.x) reach the service over the Internet. The authorization
boundary is drawn around the CSP network and both datacenters.]

                                                                                                                                                      22
Section 10 – System Environment

• System Inventories
  – Hardware




                                     23
Section 10 – System Environment

• System Inventories
  – Software




                                     24
Section 10 – System Environment

• System Inventories
  – Network




                                     25
Section 10 – System Environment

• System Inventories
  – Ports, Protocols and
    Services




                                     26
Data Flow Diagram




(Source: FISMA Center)

                                        27
Describing Security Controls in the SSP
• Security control and enhancement requirement.
• Security controls and enhancements require
  security control summary information.
• NOTE: The “-1” controls (e.g. AC-1, SC-1, etc.)
  describe policies and procedures.
• Some have multiple parameters and additional
  FedRAMP requirements.
• All requirements (Part a – Part e) must have a
  response describing how the control is
  implemented.
Control Summary Definition
Responsible Role: the CSP should indicate what staff
role within their organization is responsible for
maintaining and implementing that particular
security control. Examples of the types of role
names may differ from CSP to CSP but could include
role names such as:
       System Administrator
       Database Administrator
       Network Operations Analyst
       Network Engineer
       Configuration Management Team Lead
       IT Director
       Firewall Engineer

                                                        28
Control Origination Definitions

Service Provider Corporate
  Definition: A control that originates from the CSP corporate network.
  Example: DNS from the corporate network provides address resolution
  services for the information system and the service offering.

Service Provider System Specific
  Definition: A control specific to a particular system at the CSP; the
  control is not part of the standard corporate controls.
  Example: A unique host-based intrusion detection system (HIDS) is
  available on the service offering platform but is not available on the
  corporate network.

Service Provider Hybrid
  Definition: A control that makes use of both corporate controls and
  additional controls that are specific to a particular system at the CSP.
  Example: There are scans of the corporate network infrastructure; scans
  of databases and web-based applications are system specific.

Configured by Customer
  Definition: A control where the customer needs to apply a configuration
  in order to meet the control requirement.
  Example: User profiles, policy/audit configurations, enabling/disabling
  key switches (e.g., enable/disable HTTP or HTTPS), and entering an IP
  range specific to their organization are configurable by the customer.

Provided by Customer
  Definition: A control where the customer needs to provide additional
  hardware or software in order to meet the control requirement.
  Example: The customer provides a SAML SSO solution to implement
  two-factor authentication.

Shared
  Definition: A control that is managed and implemented partially by the
  CSP and partially by the customer.
  Example: Security awareness training must be conducted by both the CSP
  and the customer.

                                                                                                                                 29
Quick Tips: Easy Mistakes to Avoid

• Submitting an SSP without a Hardware or Software
  Inventory
• Incorrect references to supporting documents or
  guidelines
• Presenting non-applicable controls as implemented
• Not reviewing information pulled from other
  documents or sources
• Single sentence responses without details




                                                      30
Modifying the SSP

• You can modify the SSP to make it
  easier to describe your system
   • Add new sections
   • Do not remove required sections

• Make sure to provide sensitivity
  markings on the cover page and
  footer
   • Change to match company
      designation
   • Place markings in other sections
      as needed


                                        31
Supporting Documentation

User Guide

Describes how leveraging
agencies use the system




                                 32
Supporting Documentation

Rules of Behavior

Defines the rules that describe
the system user's
responsibilities and expected
behavior with regard to
information and information
system usage and access.




                                   34
Supporting Documentation

IT Contingency Plan

This document is used to define
and test interim measures to
recover information system
services after a disruption. The
ability to prove that system data
can be routinely backed up and
restored within agency specified
parameters is necessary to limit
the effects of any disaster and
the subsequent recovery efforts.


                                    35
Supporting Documentation

Configuration Management
Plan

This plan describes how
changes to the system are
managed and tracked. The
Configuration Management
Plan should be consistent with
NIST SP 800-128.




                                 36
Supporting Documentation


Incident Response Plan

This plan documents how
incidents are detected, reported,
and escalated and should include
timeframes, points of contact,
and how incidents are handled
and remediated. The Incident
Response Plan should be
consistent with NIST Special
Publication 800-61.



                                    37
Supporting Documentation

Privacy Threshold Analysis
This questionnaire is used to
help determine if a Privacy
Impact Assessment is required.

Privacy Impact Assessment
This document assesses what
Personally Identifiable
Information (PII) is captured and
if it is being properly
safeguarded. This deliverable is
not always necessary.


                                    38
What Makes a Good SSP

Key Areas of Focus for Documentation
     • Completeness
     • Compliance with FedRAMP policy and consistency with other package documents
     • Delivery of supporting documentation
     • Documentation is adequately referenced, e.g. policy, SOPs, Rules of Behavior,
       common control catalogs, waivers, exceptions, etc.

Content should address four (4) criteria:
    1. What
    2. Who
    3. When
    4. How

The proper level of detail for responses should be:
    • Unambiguous
    • Specific
    • Complete
    • Comprehensive
    • Make sure the response is sufficient in length to properly answer the question
                                                                                          39
How to Document References


References To Other Documents Must:
• Be relevant to the control requirement
• Be up to date…not from 4 years ago
• Refer to a real document, not something that
  doesn’t exist

• References Must Include:
   • Full document title
   • Publication date
   • Version number

                                                 40
CM-6: Poor Response


Security settings of information technology products
used with the XX system are set to the most restrictive
mode consistent with information system operational
requirements. From NIST Special Publication 800-70,
guidance was received on necessary configuration
settings for information technology products.




                                                          41
CM-6: Good Response

A. All servers, databases, and workstations are configured according to the Center for
   Internet Security (Level 1) guidelines.
B. Configuration settings are implemented and updated weekly by the System
   Administrator.
C. No system component is exempt from compliance with CIS Level 1 settings
D. Team X monitors and controls changes to configuration settings by using ZZZ
   monitoring system. Any and all changes must go through the official change request
   process.

More information may be found in the Configuration Management Plan.

(1) CSP XYZ uses COTS Product AutoBlitz, Version 1.3 to manage, apply, and verify
configuration settings. The nightly AutoBlitz report identifies and detects configuration
changes made in the last 24 hours, including authorized and unauthorized changes.
(3) Upon detection of an unauthorized change or setting, a notice is automatically sent
to the CSP XYZ SOC to report and track the incident.



                                                                                            42
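What the "good response" above describes, as an added example that is not part of the FedRAMP slides and is not any vendor's product: settings are verified against a baseline, a 24-hour report separates authorized changes (covered by an approved change request) from unauthorized ones, and a SOC notice is produced for each unauthorized change. Baseline keys, hosts, tickets and timestamps are constructed sample data; the change older than the report window is the case the baseline verification, not the nightly report, catches.

```python
"""Added example (not from the FedRAMP slides, and not any vendor's product):
a minimal implementation of what the CM-6 "good response" describes --
verifying settings against a baseline, producing a 24-hour change report
that separates authorized from unauthorized changes (CM-6 (1) and (3)), and
emitting a SOC notice for each unauthorized change.  The baseline keys,
hosts, tickets and timestamps are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical hardened baseline; names are CIS-Level-1-like, values constructed
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "http.enabled": "no",
}


@dataclass
class SettingChange:
    host: str
    setting: str
    old: str
    new: str
    at: datetime


@dataclass
class ChangeRequest:
    """An approved change request: the only thing that makes a change authorized."""
    ticket: str
    host: str
    setting: str
    new: str
    approved_from: datetime
    approved_until: datetime


def verify_baseline(observed):
    """Return (setting, expected, actual) for every deviation from BASELINE."""
    return [(key, want, observed.get(key))
            for key, want in BASELINE.items() if observed.get(key) != want]


def is_authorized(change, requests):
    """A change is authorized only if a CR matches host, setting, new value and window."""
    return any(cr.host == change.host and cr.setting == change.setting
               and cr.new == change.new
               and cr.approved_from <= change.at <= cr.approved_until
               for cr in requests)


def nightly_report(changes, requests, now):
    """Classify every change from the last 24 hours and build SOC notices."""
    window_start = now - timedelta(hours=24)
    recent = [c for c in changes if window_start <= c.at <= now]
    authorized = [c for c in recent if is_authorized(c, requests)]
    unauthorized = [c for c in recent if not is_authorized(c, requests)]
    notices = [f"SOC NOTICE: unauthorized change on {c.host}: {c.setting} "
               f"{c.old!r} -> {c.new!r} at {c.at.isoformat()}" for c in unauthorized]
    return {"authorized": authorized, "unauthorized": unauthorized, "notices": notices}


# Constructed sample data: the report runs at 02:00 UTC
NOW = datetime(2012, 11, 29, 2, 0, tzinfo=timezone.utc)
SAMPLE_REQUESTS = [
    ChangeRequest("CR-1042", "db01", "audit.enabled", "yes",
                  NOW - timedelta(hours=12), NOW - timedelta(hours=8)),
]
SAMPLE_CHANGES = [
    # covered by CR-1042 -> authorized
    SettingChange("db01", "audit.enabled", "no", "yes", NOW - timedelta(hours=10)),
    # no change request -> unauthorized, SOC notice
    SettingChange("web01", "sshd.PasswordAuthentication", "no", "yes", NOW - timedelta(hours=3)),
    # older than 24 hours: not in tonight's report, but verify_baseline still flags the host
    SettingChange("web02", "sshd.PermitRootLogin", "no", "yes", NOW - timedelta(hours=30)),
]
SAMPLE_OBSERVED_WEB01 = {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
                         "audit.enabled": "yes", "http.enabled": "no"}

if __name__ == "__main__":
    print("baseline deviations on web01:", verify_baseline(SAMPLE_OBSERVED_WEB01))
    report = nightly_report(SAMPLE_CHANGES, SAMPLE_REQUESTS, NOW)
    print(f"{len(report['authorized'])} authorized, {len(report['unauthorized'])} unauthorized")
    for line in report["notices"]:
        print(line)
```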
Resources: Guide to Understanding FedRAMP




                                            43
In Summary…

• Three main parts of the SSP
• Avoid easy mistakes by paying attention to details

• Structure your response
    • Who, What, When, How
    • Be consistent throughout the document
    • Provide the right details in your answer

• Read the Guide to Understanding FedRAMP
   • Review the Prep Checklist


                                                       44
Question and Answer Session

For more information, please contact us or
visit us at any of the following websites:
http://FedRAMP.gov
http://gsa.gov/FedRAMP
Email: info@fedramp.gov
Twitter: @FederalCloud

More Related Content

PDF
IIJmio meeting 19 IIJ フルMVNO徹底解説
PDF
FedRAMP 3PAO Training
PPTX
今さら聞けない人のためのGit超入門 GitLab 14対応版
PPTX
VPP事始め
PDF
EVPN & VXLAN for Cloud Builders
PDF
【SRX】JUNOS ハンズオントレーニング資料 SRXシリーズ サービス ゲートウェイ コース
PDF
Introduction to OpenCL (Japanese, OpenCLの基礎)
PDF
Docker infiniband
IIJmio meeting 19 IIJ フルMVNO徹底解説
FedRAMP 3PAO Training
今さら聞けない人のためのGit超入門 GitLab 14対応版
VPP事始め
EVPN & VXLAN for Cloud Builders
【SRX】JUNOS ハンズオントレーニング資料 SRXシリーズ サービス ゲートウェイ コース
Introduction to OpenCL (Japanese, OpenCLの基礎)
Docker infiniband

What's hot (20)

PPTX
Cisco Modeling Labs (CML)を使ってネットワークを学ぼう!(DevNet編)
PPTX
Spring tools4
PDF
Oracle Cloud Infrastructure:2023年5月度サービス・アップデート
PDF
TCAMのしくみ
PPTX
OpenAI FineTuning を試してみる
PDF
Chapter 2 Configure a Network Operating System
PPTX
PPTX
Wiresharkの解析プラグインを作る ssmjp 201409
PDF
【EX/QFX】JUNOS ハンズオントレーニング資料 EX/QFX シリーズ サービス ゲートウェイ コース
PPTX
nftables: the Next Generation Firewall in Linux
PDF
시스코 wIPS 소개자료
PDF
大規模オンプレミス環境はGitOpsの夢を見るか(CI/CD Conference 2021 by CloudNative Days 発表資料)
PDF
IIJmio meeting 31 音声通信の世界
PDF
1891件以上のカーネルの不具合修正に貢献した再現用プログラムを自動生成するsyzkallerのテスト自動化技術(NTT Tech Conference ...
PDF
第7回勉強会 ネットワークの基礎
PPTX
CCNA 1 Routing and Switching v5.0 Chapter 1
PDF
ネットワークエンジニアはどこでウデマエをみがくのか?
PDF
FCスイッチゾーニング設定ガイド
PDF
[Cloud OnAir] GCP で誰でも始められる HPC 2019年5月9日 放送
Cisco Modeling Labs (CML)を使ってネットワークを学ぼう!(DevNet編)
Spring tools4
Oracle Cloud Infrastructure:2023年5月度サービス・アップデート
TCAMのしくみ
OpenAI FineTuning を試してみる
Chapter 2 Configure a Network Operating System
Wiresharkの解析プラグインを作る ssmjp 201409
【EX/QFX】JUNOS ハンズオントレーニング資料 EX/QFX シリーズ サービス ゲートウェイ コース
nftables: the Next Generation Firewall in Linux
시스코 wIPS 소개자료
大規模オンプレミス環境はGitOpsの夢を見るか(CI/CD Conference 2021 by CloudNative Days 発表資料)
IIJmio meeting 31 音声通信の世界
1891件以上のカーネルの不具合修正に貢献した再現用プログラムを自動生成するsyzkallerのテスト自動化技術(NTT Tech Conference ...
第7回勉強会 ネットワークの基礎
CCNA 1 Routing and Switching v5.0 Chapter 1
ネットワークエンジニアはどこでウデマエをみがくのか?
FCスイッチゾーニング設定ガイド
[Cloud OnAir] GCP で誰でも始められる HPC 2019年5月9日 放送
Ad

Viewers also liked (20)

PDF
FedRAMP CSP SSP Training
PDF
Getting started on fed ramp sec auth for csp
PDF
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
PDF
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
PDF
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
PDF
Guide to understanding_fed_ramp_042213
DOCX
Control Implementation Summary (CIS) Template
DOCX
Wave 1 Implementation Summary
PPT
Information security as an ongoing effort
PDF
Estimating Development Security Maturity in About an Hour
PDF
DevSecOps in Baby Steps
PDF
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
PPTX
A Closer Look on C&C Panels
PDF
Conops v1.1 07162012_508
PPTX
Azure gov march 15th
PDF
Fed ramp agency_implementation_webinar
PPT
Material best practices in network security using ethical hacking
DOCX
E authentication template 050212
PPT
Fisma FedRAMP Drupal
PPT
Network security & information security maintainence modified
FedRAMP CSP SSP Training
Getting started on fed ramp sec auth for csp
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
Guide to understanding_fed_ramp_042213
Control Implementation Summary (CIS) Template
Wave 1 Implementation Summary
Information security as an ongoing effort
Estimating Development Security Maturity in About an Hour
DevSecOps in Baby Steps
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel
A Closer Look on C&C Panels
Conops v1.1 07162012_508
Azure gov march 15th
Fed ramp agency_implementation_webinar
Material best practices in network security using ethical hacking
E authentication template 050212
Fisma FedRAMP Drupal
Network security & information security maintainence modified
Ad

Similar to Fedramp developing-system-security-plan-slides (20)

PPTX
Clavister security for virtualized environment
PPSX
3 Telecom+Network Part2
PDF
Guard Era Corp Brochure 2008
PDF
Mach Technology
PDF
Layer 7 & Burton Group: New Cloud Security Model Requirements
PDF
Integrating network virtualization security in OpenStack Deployments.pdf
PDF
RunningQuantumOnQuantumAtNicira.pdf
PDF
Lecture03 H
PDF
Panel Discussion: Small Steps for USGv6 a giant leap for Internet-kind? with ...
PDF
Forecast 2012 Panel: Security POC NAB, Terremark, Trapezoid
PDF
The NGN Carrier Ethernet System: Technologies, Architecture and Deployment Mo...
PDF
Michael De Leo Global IPv6 Summit México 2009
PPTX
Denial of Service in Software Defined Netoworks
PDF
PDF
Building reliable systems from unreliable components
PDF
Presentación Data Center Cablevisión Day 2010
PDF
DirectAccess
PPTX
OpenStack Quantum Network Service
PPTX
Cloud Computing Best Practices
PPTX
From Physical to Virtual to Cloud
Clavister security for virtualized environment
3 Telecom+Network Part2
Guard Era Corp Brochure 2008
Mach Technology
Layer 7 & Burton Group: New Cloud Security Model Requirements
Integrating network virtualization security in OpenStack Deployments.pdf
RunningQuantumOnQuantumAtNicira.pdf
Lecture03 H
Panel Discussion: Small Steps for USGv6 a giant leap for Internet-kind? with ...
Forecast 2012 Panel: Security POC NAB, Terremark, Trapezoid
The NGN Carrier Ethernet System: Technologies, Architecture and Deployment Mo...
Michael De Leo Global IPv6 Summit México 2009
Denial of Service in Software Defined Netoworks
Building reliable systems from unreliable components
Presentación Data Center Cablevisión Day 2010
DirectAccess
OpenStack Quantum Network Service
Cloud Computing Best Practices
From Physical to Virtual to Cloud

More from Tuan Phan (12)

PDF
TrustedAgent GRC for Vulnerability Management
PDF
TrustedAgent GRC for Public Sector
PDF
TrustedAgent and Defense Industrial Base (DIB)
PDF
TrustedAgent FedRAMP Security Authorization
PDF
Nist cybersecurity framework isc2 quantico
PDF
Introduction to NIST Cybersecurity Framework
PDF
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
PDF
Building an Effective GRC Process with TrustedAgent GRC
PDF
Key Points of FISMA Reforms of 2013
PDF
Guide to understanding_fed_ramp_032513
PDF
Continuous monitoring strategy_guide_072712
PPTX
Completing fedramp-security-authorization-process
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Public Sector
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent FedRAMP Security Authorization
Nist cybersecurity framework isc2 quantico
Introduction to NIST Cybersecurity Framework
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
Building an Effective GRC Process with TrustedAgent GRC
Key Points of FISMA Reforms of 2013
Guide to understanding_fed_ramp_032513
Continuous monitoring strategy_guide_072712
Completing fedramp-security-authorization-process

Fedramp developing-system-security-plan-slides

  • 1. Federal Risk and Authorization Management Program (FedRAMP) Developing Your System Security Plan November 28, 2012
  • 2. Today’s Webinar FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services.  The goal of this webinar is review the System Security Plan (SSP) and provide the information and guidelines that you need to accurately document the FedRAMP controls and assemble a strong SSP that will meet FedRAMP review requirements. 2
  • 3. System Security Plan (SSP) Overview • Detailed description of Control Implementation, based on NIST SP 800-53, r3 • Global view of how the system is structured • Identifies personnel in the organization that are responsible for system security • Delineates control responsibility between the customer or vendor • The SSP is the key document to moving the FedRAMP assessment process forward • Putting together a well documented SSP can save a lot of time in moving through the process 3
  • 4. Why Such a Long Document? • SSP template is 352 pages long • Long template required to assure the system and implementation of controls are properly documented • Effort to produce a well documented SSP leads to a smooth process 4
  • 5. SSP Document Organization 1. System Information and Scope Section 1 – Section 12 5
  • 6. SSP Document Organization 2. Description of Control Implementation Section 13 6
  • 7. SSP Document Organization 3. Appendix of Supporting Documents Section 14 7
  • 8. Describe Your System Sections 1 – 11 Contain Description of your System • Section 1 – Basic System Info • System Name • Unique Identifier 8
  • 9. Section 2 – Information System Categorization • Overall System Categorization • CSP Data Information Types 9
  • 10. Section 2 – Information System Categorization • Security Objective Categorization (High Water Mark) • Select Security Baseline based on Impact Level 10
  • 11. Section 2 – Information System Categorization • FIPS Guidance on NIST CSRC Website 11
  • 12. Section 2 – Selecting E-Authentication Level • E-Authentication Determination 12
  • 13. Section 2 – Selecting E-Authentication Level • OMB Memo M-04-04, EAuthentication Guidance for Federal Agencies 13
  • 14. Section 3 -System Owner • System Owner Contact 14
  • 15. Section 5 – Designated Contacts • Technical and Management POC 15
  • 16. Section 6 – Security Responsibility • Information System Security Contact • PMO will provide FedRAMP ISSO info 16
  • 17. Section 7– Operational Status • List the operational state of the system 17
  • 18. Section 8 – Information System Type • List cloud service model 18
  • 19. Section 8 –Information System Type • Is the cloud service built on top of another cloud system with a FedRAMP Provisional ATO? 19
  • 20. Section 9 – General System Description • The general System Description section contains some of the most important parts of the SSP in terms of defining the roles of the system’s users, defining the system boundary, and describing the system architecture • What is the purpose of the system? – Why was it built? What problem does it solve? What solution does it provide? • Types of Users – Defined by what privileges the user is authorized to use – Is the user internal or external – Examples of roles include systems administrators, database administrators, release engineers, and customers – List other roles that have the ability to configure components that may affect services (web server administrators, network administrators, and firewall administrators) 20
  • 21. Describing System Boundaries System Boundary Internet Network Components Protection Boundary Ports, Protocols and Services Network Architecture Outside the System Boundary Protection Boundary Different System Outside the Boundary • Understand which IT assets fit within the boundary. • Interconnections: indicate and label interconnections to other systems • Make sure your boundary is consistent with hardware & software inventory • Make sure your diagrams are consistent with boundary descriptions 21
  • 22. Describing the Network Architecture Primary Datacenter Internet Cloud Service Provider Network Technical Support VPN SSL 10.x.x.x Customer Firewall Mobile user 192.x.x.x 10.x.x.x 192.x.x.x WAN Support Load Balancer 10.x.x.x Jump Box Router 10.x.x.x 10.x.2.x Operational Services (Authentication, Switch Messaging, etc.) Alternate Router 10.x.2.x 10.x.x.x 10.x.1.x Datacenter Backup servers 10.x.3.x Web Server Storage Server 10.x.2.x Authorization 10.x.1.x Database Virtualized Servers 10.x.1.x 10.x.2.x Boundary 22
  • 23. Section 10 – System Environment • System Inventories – Hardware 23
  • 24. Section 10 – System Environment • System Inventories – Software 24
  • 25. Section 10 – System Environment • System Inventories – Network 25
  • 26. Section 10 – System Environment • System Inventories – Port, Protocols and Services 26
  • 27. Data Flow Diagram (Source: FISMA Center) 27
  • 28. Describing Security Controls in the SSP • Security Control and enhancement requirement. • Security control and enhancements require security control summary information. • NOTE: The “-1” controls (e.g. AC-1, SC-1 etc.) describe Policies and Procedures. • Some have multiple parameters and additional FedRAMP requirements • All requirements (Part a – Part e) must have a response concerning implementations for the control. Control Summary Definition Responsible Role: the CSP should indicate what staff role within their organization is responsible for maintaining and implementing that particular security control. Examples of the types of role names may differ from CSP to CSP but could include role names such as: System Administrator Database Administrator Network Operations Analyst Network Engineer Configuration Management Team Lead IT Director Firewall Engineer 28
• 29. Control Origination Definitions

Service Provider Corporate
  Definition: A control that originates from the CSP corporate network.
  Example: DNS from the corporate network provides address resolution services for the information system and the service offering.

Service Provider System Specific
  Definition: A control specific to a particular system at the CSP; the control is not part of the standard corporate controls.
  Example: A unique host-based intrusion detection system (HIDS) is available on the service offering platform but is not available on the corporate network.

Service Provider Hybrid
  Definition: A control that makes use of both corporate controls and additional controls that are specific to a particular system at the CSP.
  Example: There are scans of the corporate network infrastructure; scans of databases and web-based applications are system specific.

Configured by Customer
  Definition: A control where the customer needs to apply a configuration in order to meet the control requirement.
  Example: User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable HTTP or HTTPS) and entering an IP range specific to their organization are configurable by the customer.

Provided by Customer
  Definition: A control where the customer needs to provide additional hardware or software in order to meet the control requirement.
  Example: The customer provides a SAML SSO solution to implement two-factor authentication.

Shared
  Definition: A control that is managed and implemented partially by the CSP and partially by the customer.
  Example: Security awareness training must be conducted by both the CSP and the customer.
• 30. Quick Tips: Easy Mistakes to Avoid
• Submitting an SSP without a hardware or software inventory
• Incorrect references to supporting documents or guidelines
• Presenting non-applicable controls as implemented
• Not reviewing information pulled from other documents or sources
• Single-sentence responses without details
• 31. Modifying the SSP
• You can modify the SSP to make it easier to describe your system
• Add new sections
• Do not remove required sections
• Make sure to provide sensitivity markings on the cover page and footer
• Change the markings to match your company's designation
• Place markings in other sections as needed
• 32. Supporting Documentation
User Guide: Describes how leveraging agencies use the system.
• 34. Supporting Documentation
Rules of Behavior: Defines the rules that describe the system users' responsibilities and expected behavior with regard to information and information system usage and access.
• 35. Supporting Documentation
IT Contingency Plan: This document is used to define and test interim measures to recover information system services after a disruption. The ability to prove that system data can be routinely backed up and restored within agency-specified parameters is necessary to limit the effects of any disaster and the subsequent recovery efforts.
• 36. Supporting Documentation
Configuration Management Plan: This plan describes how changes to the system are managed and tracked. The Configuration Management Plan should be consistent with NIST SP 800-128.
• 37. Supporting Documentation
Incident Response Plan: This plan documents how incidents are detected, reported, and escalated, and should include timeframes, points of contact, and how incidents are handled and remediated. The Incident Response Plan should be consistent with NIST Special Publication 800-61.
• 38. Supporting Documentation
Privacy Threshold Analysis: This questionnaire is used to help determine if a Privacy Impact Assessment is required.
Privacy Impact Assessment: This document assesses what Personally Identifiable Information (PII) is captured and whether it is being properly safeguarded. This deliverable is not always necessary.
• 39. What Makes a Good SSP
Key areas of focus for documentation:
• Completeness
• Compliance with FedRAMP policy and consistency with other package documents
• Delivery of supporting documentation
• Documentation is adequately referenced, e.g. policy, SOPs, Rules of Behavior, common control catalogs, waivers, exceptions, etc.
Content should address four (4) criteria:
1. What
2. Who
3. When
4. How
The proper level of detail for responses is:
• Unambiguous
• Specific
• Complete
• Comprehensive
• Make sure the response is sufficient in length to properly answer the question
• 40. How to Document References
References to other documents must:
• Be relevant to the control requirement
• Be up to date, not from 4 years ago
• Refer to a real document, not something that doesn't exist
References must include:
• Full document title
• Publication date
• Version number
• 41. CM-6: Poor Response
Security settings of information technology products used with the XX system are set to the most restrictive mode consistent with information system operational requirements. From NIST Special Publication 800-70, guidance was received on necessary configuration settings for information technology products.
• 42. CM-6: Good Response
A. All servers, databases, and workstations are configured according to the Center for Internet Security (Level 1) guidelines.
B. Configuration settings are implemented and updated weekly by the System Administrator.
C. No system component is exempt from compliance with CIS Level 1 settings.
D. Team X monitors and controls changes to configuration settings by using the ZZZ monitoring system. Any and all changes must go through the official change request process. More information may be found in the Configuration Management Plan.
Enhancement (1): CSP XYZ uses COTS product AutoBlitz, Version 1.3, to manage, apply, and verify configuration settings. The nightly AutoBlitz report identifies and detects configuration changes made in the last 24 hours, including authorized and unauthorized changes.
Enhancement (3): Upon detection of an unauthorized change or setting, a notice is automatically sent to the CSP XYZ SOC to report and track the incident.
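What separates the good response from the poor one is that every sentence names a concrete mechanism a reviewer could test: a baseline, a detection cadence, a definition of "authorized", and a hand-off to the SOC. As an added example that is not the webinar's or any CSP's code, the logic below implements that nightly report in miniature: observed settings are diffed against a hardening baseline, and every change seen in the last 24 hours is classified as authorized only if an approved change request matches its host, setting and new value and the approval window covers the time the change was observed. The baseline keys, the change-request format, the hosts and all timestamps are constructed, not taken from any CIS benchmark or product.

```python
"""Nightly configuration-change report in the spirit of the CM-6 good
response: compare observed settings against a hardening baseline, and classify
changes seen in the last 24 hours as authorized (matched by an approved change
request) or unauthorized (to be reported to the SOC).

Added example, not the webinar's or any CSP's code. The baseline keys, the
change-request format, the hosts and all timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ChangeRequest:
    ticket: str
    host: str
    setting: str
    new_value: str
    approved_from: datetime
    approved_until: datetime


@dataclass(frozen=True)
class ObservedChange:
    host: str
    setting: str
    old_value: str
    new_value: str
    observed_at: datetime


NOW = datetime(2012, 11, 28, 6, 0, tzinfo=timezone.utc)  # constructed report time

# Constructed baseline: a few CIS-style settings and the value each must have.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sysctl.net.ipv4.ip_forward": "0",
    "auditd.max_log_file_action": "keep_logs",
}

# Constructed approved change requests from the change control process.
CHANGE_REQUESTS = [
    ChangeRequest("CR-1042", "web-01", "sysctl.net.core.somaxconn", "4096",
                  NOW - timedelta(hours=8), NOW + timedelta(hours=16)),
    ChangeRequest("CR-1050", "backup-01", "auditd.max_log_file_action", "rotate",
                  NOW - timedelta(days=3), NOW - timedelta(hours=2)),  # window already closed
]

# Constructed change events reported by the configuration management tool.
OBSERVED_CHANGES = [
    ObservedChange("web-01", "sysctl.net.core.somaxconn", "128", "4096", NOW - timedelta(hours=3)),
    ObservedChange("db-01", "sshd.PermitRootLogin", "no", "yes", NOW - timedelta(hours=5)),
    ObservedChange("backup-01", "auditd.max_log_file_action", "keep_logs", "rotate", NOW - timedelta(hours=1)),
    ObservedChange("web-01", "sshd.PasswordAuthentication", "no", "yes", NOW - timedelta(hours=40)),
]

# Constructed current settings as read from each host.
OBSERVED_SETTINGS = {
    "web-01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
               "sysctl.net.ipv4.ip_forward": "0", "auditd.max_log_file_action": "keep_logs"},
    "db-01": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
              "sysctl.net.ipv4.ip_forward": "0", "auditd.max_log_file_action": "keep_logs"},
}


def diff_against_baseline(baseline, observed):
    """Return {setting: (required, observed)} for every baseline violation."""
    return {k: (v, observed.get(k)) for k, v in baseline.items() if observed.get(k) != v}


def classify_changes(changes, change_requests, now, window=timedelta(hours=24)):
    """Split changes observed within `window` of `now` into authorized and
    unauthorized. A change is authorized only if an approved request matches
    its host, setting and new value and the approval window covers the time
    the change was observed; an expired or unrelated request does not count."""
    authorized, unauthorized = [], []
    for c in changes:
        if now - c.observed_at > window:
            continue  # older than the reporting window; the baseline diff still catches drift
        match = next((r for r in change_requests
                      if r.host == c.host and r.setting == c.setting
                      and r.new_value == c.new_value
                      and r.approved_from <= c.observed_at <= r.approved_until), None)
        if match:
            authorized.append((c, match.ticket))
        else:
            unauthorized.append((c, None))
    return authorized, unauthorized


def soc_notices(unauthorized):
    """One notice line per unauthorized change, for the SOC ticket queue."""
    return [f"{c.observed_at.isoformat()} {c.host} {c.setting}: "
            f"{c.old_value!r} -> {c.new_value!r} (no approved change request)"
            for c, _ in unauthorized]


if __name__ == "__main__":
    authorized, unauthorized = classify_changes(OBSERVED_CHANGES, CHANGE_REQUESTS, NOW)
    for c, ticket in authorized:
        print(f"AUTHORIZED   {c.host} {c.setting} -> {c.new_value} ({ticket})")
    for line in soc_notices(unauthorized):
        print(f"UNAUTHORIZED {line}")
    for host, settings in OBSERVED_SETTINGS.items():
        for setting, (required, actual) in diff_against_baseline(BASELINE, settings).items():
            print(f"DRIFT        {host} {setting}: required {required!r}, found {actual!r}")
```

Two edge cases are deliberate: the backup-01 change has a matching change request whose approval window has already closed, so it is still unauthorized; and the web-01 password-authentication change is older than the 24-hour window, so the nightly classification skips it, which is exactly why the response pairs change detection (enhancement 3) with a standing baseline verification (enhancement 1) rather than relying on either alone.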
• 43. Resources: Guide to Understanding FedRAMP
• 44. In Summary…
• Three main parts of the SSP
• Avoid easy mistakes by paying attention to details
• Structure your response: Who, What, When, How
• Be consistent throughout the document
• Provide the right details in your answer
• Read the Guide to Understanding FedRAMP
• Review the Prep Checklist
• 45. Question and Answer Session
For more information, please contact us or visit us at any of the following websites:
http://FedRAMP.gov
http://gsa.gov/FedRAMP
Email: info@fedramp.gov
Twitter: @FederalCloud