
Federal Cloud Computing: The Definitive Guide for Cloud Service Providers (PDF)




DOCUMENT INFORMATION

Structure

  • Front Cover

  • Half Title

  • Title page

  • Copyright

  • Dedication 1

  • Dedication 2

  • Contents

  • About the Author

  • About the Technical Editor

  • Foreword by William Corrington

  • Foreword by Jim Reavis

  • 1 Introduction to the Federal Cloud Computing Strategy

    • Introduction

    • A Historical View of Federal IT

      • The Early Years and the Mainframe Era

      • Shifting to Minicomputer

      • Decentralization: The Microcomputer (“Personal Computer”)

      • Transitioning to Mobility

      • Evolution of Federal IT Policy

    • Cloud Computing: Drivers in Federal IT Transformation

      • Drivers for Adoption

      • Cloud Benefits

        • Improving Efficiency

        • Improving Agility

        • Improving Innovation

    • Decision Framework for Cloud Migration

      • Selecting Services to Move to the Cloud

      • Provisioning Cloud Services Effectively

      • Managing Services Rather Than Assets

    • Summary

    • References

  • 2 Cloud Computing Standards

    • Introduction

    • Standards Development Primer

    • Cloud Computing Standardization Drivers

      • Federal Laws and Policy

        • Trade Agreements Act (TAA)

        • National Technology Transfer and Advancement Act (NTTAA)

        • Office of Management and Budget (OMB) Circular A-119

        • America COMPETES Reauthorization Act of 2010

      • Adoption Barriers

    • Identifying Standards for Federal Cloud Computing Adoption

      • Standards Development Organizations (SDOs) and Other Community-Driven Organizations

      • Standards Inventory

    • Summary

    • References

  • 3 A Case for Open Source

    • Introduction

    • Open Source and the Federal Government

    • OSS Adoption Challenges: Acquisition and Security

      • Acquisition Challenges

      • Security Challenges

    • OSS and Federal Cloud Computing

    • Summary

    • References

  • 4 Security and Privacy in Public Cloud Computing

    • Introduction

    • Security and Privacy in the Context of the Public Cloud

    • Federal Privacy Laws and Policies

      • Privacy Act of 1974

      • E-Government Act of 2002, Federal Information Security Management Act (FISMA)

      • OMB Memorandum Policies

    • Safeguarding Privacy Information

      • Privacy Controls

        • Authority and Purpose (AP)

        • Accountability, Audit, and Risk Management (AR)

        • Data Quality and Integrity (DI)

        • Data Minimization and Retention (DM)

        • Individual Participation and Redress (IP)

        • Security (SE)

        • Transparency (TR)

        • Use Limitation (UL)

      • Data Breaches, Impacts, and Consequences

    • Security and Privacy Issues

    • Summary

    • References

  • 5 Applying the NIST Risk Management Framework

    • Introduction to FISMA

      • Purpose

      • Role and Responsibilities

        • Director of OMB

        • NIST

        • Federal Agencies

          • Head of Agency or Equivalent

          • Federal Agency Information Security Program

          • Federal Agency Independent Evaluations and Reporting

    • Risk Management Framework Overview

      • The NIST RMF and the System Development Life Cycle

    • NIST RMF Process

      • Information System Categorization

        • Relationship Between the NIST RMF and the Federal Enterprise Architecture

        • Shared Responsibility and the Chain of Trust

        • Overview of the Security Categorization Process

          • Identify Information Types

          • Select Provisional Impact Values for Each Information Type

          • Adjust the Information Type’s Provisioning Impact Value and Security Category

          • Determine the System Security Impact Level

      • Security Control Selection

        • Tailoring the Initial Baseline

          • Applying Scoping Considerations

          • Selecting Compensating Security Controls

          • Assigning Security Control Parameter Values

        • Supplementing the Tailored Baseline

        • Documenting the Tailoring and Supplementation Process

        • Continuous Monitoring Strategy

        • Allocating Security Controls

        • Decomposition

      • Security Controls Implementation

        • Implementing and Documenting Security Controls

      • Security Controls Assessment

        • Assessment Preparation

        • Security Assessment Plan

        • Assessing Security Controls

        • Reporting Assessment Results

      • Information System Authorization

        • Corrective Action Planning

          • Developing a Risk Mitigation Strategy

          • Documenting POA&Ms

        • Security Authorization Approaches

        • Security Authorization Process

      • Security Controls Monitoring

        • Determining Security Impact

        • Ongoing Security Controls Assessments

        • Key Updates and Status Reporting

        • Ongoing Risk Determination and Acceptance

    • Summary

    • References

  • 6 Risk Management

    • Introduction to Risk Management

    • Federal Information Security Risk Management Practices

    • Overview of Enterprise-Wide Risk Management

      • Components of the NIST Risk Management Process

        • Risk Framing

        • Risk Assessment

        • Risk Response

        • Risk Monitoring

      • Multi-Tiered Risk Management

        • Tier 1 Risk Management Activities

        • Tier 2 Risk Management Activities

        • Tier 3 Risk Management Activities

    • NIST Risk Management Process

      • Framing Risk

      • Risk Assessment

      • Responding to Risk

      • Monitoring Risk

    • Comparing the NIST and ISO/IEC Risk Management Processes

    • Summary

    • References

  • 7 Comparison of Federal and International Security Certification Standards

    • Introduction

    • Overview of Certification and Accreditation

      • Evolution of the Federal C&A Processes

        • Civilian Agencies

        • Department of Defense (DoD)

        • Intelligence Community (IC)

        • Committee on National Security Systems (CNSS)

      • Towards a Unified Approach to C&A

    • NIST and ISO/IEC Information Security Standards

      • Boundary and Scope Definition

      • Security Policy

      • Risk Management Strategy (Context)

      • Risk Management Process

      • Security Objectives and Controls

    • Summary

    • References

  • 8 FedRAMP Primer

    • Introduction to FedRAMP

    • FedRAMP Policy Memo

      • Primary Stakeholders

        • DHS

        • JAB

        • FedRAMP PMO

        • Federal Agencies

    • FedRAMP Concept of Operations

      • Operational Processes

        • Security Assessment Process

          • Initiating a Request

          • Documenting the Security Controls

          • Performing the Security Assessment

          • Finalizing the Security Assessment

        • Leveraging the ATO

        • Continuous Monitoring

          • Operational Visibility

          • Change Control

          • Incident Response

    • Third Party Assessment Organization Program

    • Summary

    • References

  • 9 The FedRAMP Cloud Computing Security Requirements

    • Security Control Selection Process

      • Selecting the Security Control Baseline

      • Tailoring and Supplementing Security Control Baseline

      • FedRAMP Cloud Computing Overlay

    • FedRAMP Cloud Computing Security Requirements

      • Policy and Procedures

      • Harmonizing FedRAMP Requirements

      • Assurance of External Service Providers Compliance

      • Approaches to Implementing FedRAMP Security Controls

      • FedRAMP Security Control Requirements

        • Awareness and Training (AT)

        • Audit and Accountability (AU)

        • Security Assessment and Authorization (CA)

        • Configuration Management (CM)

        • Contingency Planning (CP)

        • Identification and Authentication (IA)

        • Incident Response (IR)

        • Maintenance (MA)

        • Media Protection (MP)

        • Physical and Environmental Protection (PE)

        • Planning (PL)

        • Personnel Security (PS)

        • Risk Assessment (RA)

        • System and Services Acquisition (SA)

        • System and Communications Protection (SC)

        • System and Information Integrity (SI)

    • Summary

    • References

  • 10 Security Assessment and Authorization: Governance, Preparation, and Execution

    • Introduction to the Security Assessment Process

    • Governance in the Security Assessment

    • Preparing for the Security Assessment

      • Security Assessment Customer Responsibilities

        • Selecting a Security Assessment Provider

        • Security Assessment Planning

      • Security Assessment Provider Responsibilities

        • Selection of Security Assessment Team Members

        • Developing the Security Assessment Plan (SAP)

          • Identify In-Scope Security Controls

          • Select Assessment Procedures

          • Tailor Assessment Procedures

            • Selecting Assessment Methods and Objects

            • Selecting Depth and Coverage Attributes

          • Supplementing Assessment Procedures

          • Optimize Assessment Procedures

          • Finalize and Approve Assessment Plan

    • Executing the Security Assessment Plan

    • Summary

    • References

  • 11 Strategies for Continuous Monitoring

    • Introduction to Continuous Monitoring

      • Organizational Governance

      • CM Strategy

      • CM Program

    • The Continuous Monitoring Process

      • Defining a CM Strategy

      • Implementing a CM Program

      • Review and Update CM Strategy and Program

    • Continuous Monitoring within FedRAMP

    • Summary

    • References

  • 12 Cost-Effective Compliance Using Security Automation

    • Introduction

    • CM Reference Architectures

      • Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture

      • CAESARS Framework Extension Reference Architecture

        • Subsystems and Components

        • Specifications: Workflows, Subsystems, and Interfaces

          • Specification Layers

          • Workflows

          • Subsystems

          • Interfaces

    • Security Automation Standards and Specifications

      • Security Content Automation Protocol

      • Cybersecurity Information Exchange Framework

    • Operational Visibility and Continuous Monitoring

    • Summary

    • References

  • 13 A Case Study for Cloud Service Providers

    • Case Study Scenario: “Healthcare Exchange”

    • Applying the Risk Management Framework within FedRAMP

      • Categorize Information System

        • Select Security Controls

          • Defining the Boundary

          • Tailoring and Supplementing

        • Implement and Document Security Controls

        • Assessing Security Controls

        • Summary

    • References

  • Index
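The four steps listed under "Overview of the Security Categorization Process" in Chapter 5 (identify information types, select provisional impact values, adjust them, determine the system impact level) are the FIPS 199 / SP 800-60 high-water-mark procedure. The following is an added example written for this page, not code from the book or from NIST; the information types, impact values and adjustment rationales are constructed to resemble the Chapter 13 "Healthcare Exchange" scenario, not taken from SP 800-60 Volume II. It enforces the two FIPS 199 rules practitioners most often get wrong: "not applicable" is allowed only for confidentiality of an individual information type, and never at the system level, where every objective is at least LOW.

```python
"""Security categorization in the FIPS 199 / NIST SP 800-60 style.

Four steps: identify information types, select provisional impact values per
security objective, adjust them (with a documented rationale), and determine
the system security impact level with the high-water mark.

The information types and impact values below are constructed for this
example; they are not taken from NIST SP 800-60 Volume II.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # "not applicable": FIPS 199 permits this only for confidentiality
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    """One information type with provisional impact values (step 2) and
    optional adjustments (step 3), each adjustment carrying its rationale."""
    name: str
    provisional: dict                                  # objective -> Impact
    adjustments: dict = field(default_factory=dict)    # objective -> (Impact, rationale)

    def adjusted(self) -> dict:
        """Apply adjustments; refuse undocumented ones so the decision stays auditable."""
        for obj in OBJECTIVES:
            if obj not in self.provisional:
                raise ValueError(f"{self.name}: missing provisional value for {obj}")
        values = {obj: Impact(self.provisional[obj]) for obj in OBJECTIVES}
        for obj, (impact, rationale) in self.adjustments.items():
            if obj not in OBJECTIVES:
                raise ValueError(f"{self.name}: unknown security objective {obj!r}")
            if not rationale or not rationale.strip():
                raise ValueError(f"{self.name}: adjustment of {obj} has no documented rationale")
            values[obj] = Impact(impact)
        # NA is allowed only for confidentiality (public information).
        for obj in ("integrity", "availability"):
            if values[obj] == Impact.NA:
                raise ValueError(f"{self.name}: {obj} cannot be 'not applicable'")
        return values


def categorize_system(info_types: list) -> dict:
    """Step 4: per-objective high-water mark across all information types.

    FIPS 199 does not allow NA at the system level: the system's own processing
    functions must be protected, so every objective is at least LOW. The overall
    impact level (used to pick the SP 800-53 baseline) is the highest objective."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    system = {obj: Impact.NA for obj in OBJECTIVES}
    for info_type in info_types:
        for obj, impact in info_type.adjusted().items():
            system[obj] = max(system[obj], impact)
    for obj in OBJECTIVES:
        system[obj] = max(system[obj], Impact.LOW)
    overall = max(system.values())
    sc = ", ".join(f"({obj}, {system[obj].name})" for obj in OBJECTIVES)
    return {**system, "system": overall, "sc_string": "SC = {" + sc + "}"}


def categorization_error(info_types: list):
    """Return the validation error message for a bad categorization, or None."""
    try:
        categorize_system(info_types)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed inputs modelled loosely on the book's "Healthcare Exchange" scenario.
ENROLLMENT_RECORDS = InfoType(
    "Patient enrollment records (PII/PHI)",
    {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    adjustments={"availability": (Impact.MODERATE,
                                  "open-enrollment deadlines: an outage blocks coverage decisions")},
)
PUBLIC_CATALOG = InfoType(
    "Public plan catalog",
    {"confidentiality": Impact.NA, "integrity": Impact.LOW, "availability": Impact.LOW},
)
AUDIT_LOGS = InfoType(
    "Audit logs",
    {"confidentiality": Impact.LOW, "integrity": Impact.MODERATE, "availability": Impact.LOW},
)
HEALTHCARE_EXCHANGE_TYPES = [ENROLLMENT_RECORDS, PUBLIC_CATALOG, AUDIT_LOGS]


if __name__ == "__main__":
    result = categorize_system(HEALTHCARE_EXCHANGE_TYPES)
    print(result["sc_string"], "-> system impact level:", result["system"].name)
```

Note the effect of the documented adjustment: the provisional availability impact for enrollment records is LOW, but the adjustment raises it to MODERATE, and that single change lifts the whole system to MODERATE availability. That is why step 3 must be recorded with its rationale; an assessor reviewing the System Security Plan needs to see why the provisional SP 800-60 value was overridden.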

Content

Federal Cloud Computing
The Definitive Guide for Cloud Service Providers

Matthew Metheny

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier

Acquiring Editor: Chris Katsaropoulos
Development Editor: Meagan White
Project Manager: Mohanambal Natarajan
Designer: Joanne Blank

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2013 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Metheny, Matthew
  Federal cloud computing : the definitive guide for cloud service providers / Matthew Metheny.—First edition.
  pages cm
  Summary: "In recent years 'cloud computing' has emerged as a model for providing IT infrastructure, resources and services that has the potential to drive significant value to organizations through increased IT efficiency, agility and innovation. However, Federal agencies who were early adopters of cloud computing have learned that there are many challenges and risks that must be addressed in order to realize these benefits."—Provided by publisher.
  Includes bibliographical references and index.
  ISBN 978-1-59749-737-4 (pbk.)
  1. Cloud computing—Security measures. 2. Web services—Government policy. I. Title.
  QA76.585.M48 2012
  004.67'82—dc23
  2012030642

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

Printed in the United States of America
13 14 15 16 17  10 9 8 7 6 5 4 3 2 1

For information on all Syngress publications visit our website at www.syngress.com

Excerpts from Federal Information Processing Standards, Special Publications, and Interagency Reports referenced in this book are courtesy of the National Institute of Standards and Technology.

This book is dedicated to my wonderful wife. Her support in giving me the opportunity to write this book cannot be expressed in simple words. For her continuous patience, encouragement, and for those times of sacrifice. For her inspiration and incredible love for reading and editing, even when the subject matter may not have been of interest to her.

To my dear, loving wife Erin. Thank you for tirelessly standing by my side and supporting me every step of the way. There are many times in one's life where the task may seem too difficult, but having someone like you there as a guiding arm to encourage and to consult has been a blessing. You have always been there when the times were challenging. It is with great honor to share this accomplishment with you.

To my wife, with love.

In memory of Ron Knode

Ron was a gift that left an impression of a smile, kind words, encouragement, and a unique way to make one think and see in a different perspective. I feel extremely honored to have had the opportunity to know and be mentored by Ron. Ron, you have left an impression on many that will never be forgotten.

Contents

About the Author  xv
About the Technical Editor  xvii
Foreword by William Corrington  xix
Foreword by Jim Reavis  xxi

CHAPTER 1  Introduction to the Federal Cloud Computing Strategy
  Introduction
  A Historical View of Federal IT
    The Early Years and the Mainframe Era
    Shifting to Minicomputer
    Decentralization: The Microcomputer ("Personal Computer")
    Transitioning to Mobility  10
    Evolution of Federal IT Policy  11
  Cloud Computing: Drivers in Federal IT Transformation  19
    Drivers for Adoption  20
    Cloud Benefits  23
  Decision Framework for Cloud Migration  25
    Selecting Services to Move to the Cloud  26
    Provisioning Cloud Services Effectively  27
    Managing Services Rather Than Assets  28
  Summary  28

CHAPTER 2  Cloud Computing Standards  31
  Introduction  31
  Standards Development Primer  34
  Cloud Computing Standardization Drivers  36
    Federal Laws and Policy  36
    Adoption Barriers  37
  Identifying Standards for Federal Cloud Computing Adoption  39
    Standards Development Organizations (SDOs) and Other Community-Driven Organizations  40
    Standards Inventory  40
  Summary  50

Index

Conceptual reference architecture, 74
Concurrent session control, 258
Confidentiality, 83–84
Configuration change control, 272–273
Configuration Management (CM), 271–276
  access restrictions for change, 273
  baseline configuration, 272
  configuration change control, 272–273
  management plan, 275–276
  settings, 273–274
  information system component inventory, 275
  least functionality, 274–275
  policy and procedures, 271–272
  program, 356
    implementation, 358–363
    updating, 363–364
  reference architecture, 377–378
    automation, CM activities, 379
    CAESARS, 378
    CAESARS FE, 378–382
    specification layers, 384–388
    subsystems and components, 382–383
  security impact analysis, 273
  strategy, 354–356
    definition, 357–358
    updating, 363–364
Configuration Management Plan (CMP), 275–276, 368–372
Conformity assessment, 34
CONOPS See Concept of Operations
Consensus Assessment Initiative Questionnaire (CAIQ), 392
Content management system (CMS), 59
Content subsystem, 384
Contingency Planning (CP), 276–281
  alternate processing site, 278–279
  alternate storage site, 278
  contingency training, 277–278
  information system recovery and reconstitution, 281
  policy and procedures, 276–277
  telecommunications services, 280–281
  testing and exercises, 278
Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS), 140–141, 362, 378
Continuous monitoring (CM), 160, 235, 271, 349–350, 356–357, 375
  change control, 236
  within FedRAMP, 364
  foundational elements, 350–351
  incident response, 236
  integration of, 357
  operational visibility, 235–236
  organization-wide view of, 352
  organizational governance, 351
    CM process, 351
    federal agencies, 353–354
    metrics, 352–353
    organization-wide view of, 351–352
  process, 356–357
    CM strategy and program updating, 363
    program implementation, 358
    strategy definition, 357–358
  program, 356
    review and update, 363–364
  program implementation, 358
    CAESARS, 362
    coordination, 363
    frequency determination, 359–360
    ISSO, 359
    metrics, 359
    organization-wide view, 352
    performance metrics, 360–361
    policies and procedures, 363
    security automation, 362–363
    security-related information, 363
  strategic and programmatic activities, 356–357
  strategy, 354–356
    definition, 357–358
    review and update, 363–364
Continuous Monitoring Working Group (CMWG), 359
Control Implementation Summary (CIS), 228, 245, 413
Control Tailoring Workbook (CTW), 228, 253, 414
COTS software See Commercial off the shelf software
Council Information Security and Identity Management Committee (ISIMC), 359
CP See Contingency Planning
Creating Opportunities to Meaningfully Promote Excellence in Technology, Education, and Science Act (COMPETES Act), 37
Cross-cutting security and privacy, 74
Cross-domain solutions (CDS), 203
Cryptographic
  key establishment and management, 316–317
  module authentication, 285–286
CS&C See Cybersecurity and Communications
CSA See Cloud Security Alliance
CSC See Computer Security Center
CSP See Cloud Service Provider
CSRDC See Cyber Security Research and Development Center
CTP See Cloud Trust Protocol
CTW See Control Tailoring Workbook
Cyber Security Research and Development Center (CSRDC), 64
Cyber threats, 203
CyberScope, 390–392
Cybersecurity and Communications (CS&C), 221–223
Cybersecurity Information Exchange (CYBEX), 389–390
CYBEX See Cybersecurity Information Exchange

D
Data aggregation subsystem, 384
Data Minimization and Retention (DM), 91
  data retention and disposal, 91–92
  of PII, 91–92
Data Quality and Integrity (DI), 90
  data integrity, 90
  data integrity board, 90
  data quality, 90
DCI See Director of Central Intelligence
DCID See Director of Central Intelligence Directives
Defense Information Assurance Certification and Accreditation Process (DIACAP), 201
Defense-wide Information Security Program (DISSP), 201
Department of Defense (DoD), 58, 204
  CSC, 201
  DIACAP, 201
  DISSP, 201
Department of Homeland Security (DHS), 64, 378
  CS&C, 221–223
  limitations, 223
  NPPD, 221–223
  OMB, federal agencies requirement, 80
  OMB Memorandum, 223
  roles and responsibilities, 223
Department of the Navy (DON), 59
Developer configuration management, 311–312
Developer security testing, 312
DHS See Department of Homeland Security
DI See Data Quality and Integrity
DIACAP See Defense Information Assurance Certification and Accreditation Process; DoD Information Assurance Security Certification and Accreditation Process
Digital Government Strategy, 60, 65–67, 68
Director of Central Intelligence Directives (DCID), 202
Director of Central Intelligence (DCI), 202
DISSP See Defense-wide Information Security Program
DM See Data Minimization and Retention
DoD See Department of Defense
DoD Information Assurance Security Certification and Accreditation Process (DIACAP), 64
DON See Department of the Navy
Due diligence process, 71

E
E-Government Act of 2002 See Federal Information Security Management Act (FISMA)
EHR See Electronic Health Record
Electronic Health Record (EHR), 54
Elements of transparency (EoT), 392
Enterprise Risk Management (ERM), 170–171
Enterprise-wide risk management, 175 See also Configuration Management (CM); Federal Risk and Authorization Management Program (FedRAMP)
  components, 175–177
  multi-tiered integration, 179
  multi-tiered risk management, 179–180
    tier 1, 180
    tier 2, 181
    tier 3, 181–182
  risk
    assessment, 177–178
    framing, 176
    monitoring, 179
    response, 178
EoT See Elements of transparency
ERM See Enterprise Risk Management
Exchange reference architecture framework, 409–410
External information systems, 262

F
Fair Information Practice (FIP), 75–77
FAQ See Frequently asked question
FAR See Federal Acquisition Regulation
FDCCI See Federal Data Center Consolidation Initiative
FE See Framework Extension; CAESARS Framework Extension (CAESARS FE)
FEA See Federal Enterprise Architecture
FEA Program Management Office (FEAPMO), 126
FEA-SPP See Federal Enterprise Architecture Security and Privacy Profile
FEAPMO See FEA Program Management Office
Federal Acquisition Regulation (FAR), 250
Federal Agency, 10, 26–27, 39–40, 365–368, 395
  agility improvement, 25
  challenges, CIO, 11–18
  Cloud First policy, 2–3
  current IT portfolio evaluation, 26–27
  decision framework, for cloud migration, 26
  efficiency improvement, 25
  empowerment, 1–2
  independent evaluations and reporting, 109–110
  information security program, 109
  innovation improvement, 25
  managing SLAs, 27
  in mobile computing devices, 10
  OSS, 54
  shift to cloud services, 3–4
  standards development, 37–38
  uses in IT resources, 20–23
Federal Cloud Computing Initiative, 217–218
Federal Cloud Computing Strategy See Cloud Strategy
Federal Data Center Consolidation Initiative (FDCCI), 20–22, 65–67
Federal Enterprise Architecture (FEA), 119–120, 399–408
  relationship with NIST RMF, 119–120
Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP), 73
Federal Information Processing Standards (FIPS), 248–249, 253
Federal Information Security Management Act (FISMA), 79–80, 103
  codified CM, 350
  federal agencies, 80, 107, 226
    Head of Agency, 108
    independent evaluations and reporting, 109–110
    information security program, 109
  federal agency obligation through, 75
  implementation, 223
  NIST, 106–107
  OMB Director, 105–106
  purpose, 103–104
  requirements, 220–221, 245, 353–354
  roles and responsibilities, 103–104
  US-CERT, 80
Federal IT policy evolution, 5, 11
  Brooks Act, 11–18
  comparison, federal government, acquisition activity, 6–7
  IT policy framework, 18
  legislation timeline, 12
  mainframe computing,
  mainframe inventory grew,
  microcomputer comparison, cumulative IT budget, GSA, return on investment,
  modern computing, 5–6
  policy timeline, 13
  portfolio,
  shifting to minicomputer, 7–8
  transitioning to mobility, 10–11
  UNIVAC,
Federal Network Security (FNS), 378
Federal policies See also Federal Agency
  FIP, 75–77
  FIPS 199 impact level, 81
  FISMA, 79–80, 75
    federal agencies, 80
    US-CERT, 80
  OMB memorandum policies
    information types, 81–82
    PII, 81
  PII, 76–77
  Privacy Act of 1974, 77–78
    FIPPs, internationally recognized, 78
    issuances, 79
    OFR, 79
    requirements, 78–79
    SORN, 78–79
  security considerations, 75
  US Federal Privacy Laws, 76, 75
Federal Privacy Laws
  FIP, 75–77
  FIPS 199 impact level, 81
  FISMA, 79–80, 75
    federal agencies, 80
    US-CERT, 80
  key security considerations, 75
  OMB memorandum policies
    information types, 81–82
    PII, 81
  PII, 76–77
  Privacy Act of 1974, 77–78
    FIPPs, internationally recognized, 78
    OFR, 79
    Privacy Act issuances, 79
    Privacy Act requirements, 78–79
    SORN, 78–79
  US Federal Privacy Laws, 76, 75
Federal Risk and Authorization Management Program (FedRAMP), 73, 84, 241
  change control process, 368–372
  cloud computing overlay, 243
  cloud computing security requirements, 243–244
    external service provider compliance assurance, 249
    harmonizing FedRAMP requirements, 247–248
    policy and procedures, 245
    security control implementation, approaches to, 250–251
    security control requirements, 253–263
  CONOPS, 225
    operational processes, 226–237
  continuous monitoring, 367
    activities, 366
    deliverables, 369–372
    roles and responsibilities, 365
  CSP, 364–365
  deliverables, 229
  FedRAMP Policy Memo, 247–248
  goal, 218
  incident response, 373
  ongoing assessment and authorization process, 390
  operational visibility, 368
  PMO, 218–219, 364–365
  policy memo, 219
  primary stakeholders, 221–225
  process area, 229, 225
  program, 241
  real-time operational feeds, 365
  requirements, 340
  RMF, 329–396
  security authorization process, 368
  security control baselines, 241
  security documents, 365
  security control selection process, 241
    cloud computing overlay, 243
    security control baseline, selecting, 242
    security control baseline, supplementing, 242–243
    security control baseline, tailoring, 242–243
  stakeholders, 333
  3PAO program, 237
  three-tiered approach, 365–368
Federal security certification standards
  C&A, 196
    civilian agencies, 199
    CNSS, 202–204
    DoD, 201
    IC, 202
    process evolution, 199
    unified approach to, 203
  federal agencies, 195
  federal government, 195–196
  NIST and ISO/IEC information security standards, 203
    boundary and scope, 204–205
    risk management strategy, 206–209
    security objectives and controls, 210
    security policy, 205–206
Federal Segment Architectures (FSA), 399–408
Federal Tax Information (FTI), 395–396
FedRAMP See Federal Risk and Authorization Management Program
FedRAMP PMO See FedRAMP Program Management Office
FedRAMP Program Management Office (FedRAMP PMO), 333
FIP See Fair Information Practice
FIPS See Federal Information Processing Standards
Fire protection, 298–299
FISMA See Federal Information Security Management Act
FNS See Federal Network Security
Framework Extension (FE), 378 See also CAESARS Framework Extension (CAESARS FE)
Frequently asked question (FAQ), 61–62
FSA See Federal Segment Architectures
FTI See Federal Tax Information

G
GAO See General Accounting Office
General Accounting Office (GAO),
General Public License (GPL), 57–58
General Services Administration (GSA), 8, 11
GIG See Global Information Grid
GISRA See Government Information Security Reform Act of 2000
Global Information Grid (GIG), 201
GNU See GNU's Not Unix
GNU's Not Unix (GNU), 57–58
Governance, Risk Management and Compliance (GRC), 411
  Stack, 390–392
Governance in security assessment, 331–332
  results, 332–334
  roles, 332
Government Information Security Reform Act (GISRA) of 2000, 103
GPL See General Public License
GPRA Modernization Act (GPRAMA) of 2010, 25
  performance assessment, 353–354
GPRAMA See GPRA Modernization Act of 2010
GRC See Governance, Risk Management and Compliance
GSA See General Services Administration

H
Health, Education, and Welfare (HW) Advisory Committee on Automated Personal Data Systems
  protection of information, 75–76
Health Insurance Portability and Accountability Act of 1996 (HIPAA), 412–413
Healthcare exchange, 395–396
HIPAA See Health Insurance Portability and Accountability Act of 1996
Homeland Open Security Technology (HOST), 64
HOST See Homeland Open Security Technology
HW See Health, Education, and Welfare

I
IA See Identification and Authentication
IaaS See Infrastructure as a Service
IC See Intelligence Community
ICD See Intelligence Community Directive
Identification and Authentication (IA), 282–283
  authenticator feedback, 285
  authenticator management, 283–285
  cryptographic module authentication, 285–286
  device, 283
  identifier management, 283
  policy and procedures, 281–286
In-scope security control identification, 341–342
Incident Response (IR), 286–289, 373
  incident handling, 287
  incident monitoring, 287–288
  incident reporting, 288
  incident response assistance, 288–289
  incident response plan, 289
  incident response testing and exercises, 287
  incident response training, 286–287
  policy and procedures, 286
Individual Participation and Redress (IP), 92–94
Information flow enforcement, 256
Information security, 82–83
Information security continuous monitoring (ISCM), 130–134, 159–160
Information system
  component inventory, 275
  connections, 269–270
  recovery and reconstitution, 281
Information System Security Officer (ISSO), 359
Information technology (IT), 1, 59, 122, 350–351
Information Technology Management Reform Act (ITMRA) of 1996, 11–18
Infrastructure as a Service (IaaS), 395
Integrity, 83–84
Intelligence Community (IC), 196, 223
  C&A processes, 204
  DCID, 202
  ODNI, 202
Intelligence Community Directive (ICD), 202
Interagency Committee on Standards Policy (ISCP), 237
International Organization for Standardization (ISO), 34
International Organization for Standards / International Electrotechnical Commission (ISO/IEC), 189, 203
International Telecommunication Union (ITU), 41, 389–390
  ITU Study Group 17
    common vulnerabilities and exposures, 46–48
    common vulnerability scoring system, 46–48
    cybersecurity information exchange (CYBEX), overview of, 46–48
    IdM in cloud computing, requirement of, 49
IP See Individual Participation and Redress
IR See Incident Response
ISCM See Information security continuous monitoring
ISCP See Interagency Committee on Standards Policy
ISIMC See Council Information Security and Identity Management Committee
ISO See International Organization for Standardization
ISO/IEC See International Organization for Standards / International Electrotechnical Commission
ISO/IEC information security standards, 203
  boundary and scope, 204–205
  explicit requirements, 209–210
  relationship with NIST, 208
  risk management process, 206–209
  risk management strategy, 206
    and risk management program mapping, 207
  risk response, options comparison for, 211
  security objectives and controls
    AC control family, 210–211
    AC-1 access control policy and procedures, 212
    ISO/IEC control objectives and controls mapping, 212
    selection process, 210
    SSP and SOA requirement comparison, 213–214
    System Security Plan, 212
  security policy, 205–206
ISSO See Information System Security Officer
IT See Information technology
ITMRA See Information Technology Management Reform Act of 1996
ITU See International Telecommunication Union

J
Joint Authorization Board (JAB), 238, 219, 241, 333
Joint Task Force Transformation Initiative (JTFTI)
  and CNSS, 202–204
  goals of, 203
  NIST SP 800-37 Revision 1, 200

L
Labor laws and employees, 76
Language, SCAP Specification Category, 390
Legislative frameworks, US Federal Privacy Laws, 76
Leveraging, ATO, 234–235
Liability and regulations, 19
License Management, 382

M
MA See System Maintenance
MAC See Mandatory access control
Maintenance tools, 290–291
Mandatory access control (MAC), 57–58
Media Protection (MP), 292–295
  media access, 292–293
  media markings, 293
  media sanitization, 294–295
  media storage, 293–294
  media transport, 294
  policy and procedures, 292
Memorandum of Agreement (MOA), 224
Memorandum of Understanding (MOU), 224
Microcomputer, comparison, cumulative IT budget, GSA, return on investment,
MOA See Memorandum of Agreement
Mobile code, 318
Modern computing, 5–6
MOU See Memorandum of Understanding
MP See Media Protection
Multi-tiered integration, 179
Multi-tiered risk management, 179–180
  bi-directional, 180
  tier 1, 180
  tier 2, 181
  tier 3, 181–182

N
National Aeronautics and Space Administration (NASA), 59
National Bureau of Standards (NBS), 171–172, 199
National Computer Security Center (NCSC), 201
National Cyber Security Division (NCSD), 221–223
National Information Assurance Certification and Accreditation Process (NIACAP), 64, 202–204
National Information Assurance Partnership (NIAP), 64
National Institute of Standards and Technology (NIST), 33, 74 See also NIST risk management framework (NIST RMF); Federal Risk and Authorization Management Program (FedRAMP)
  Cloud Computing Program, 32–33
  CM, 350
  deployment models, 33
  ISCP, 237
  risk management
    acceptance of residual risk, 191–192
    communication of responsibilities, 192–193
    harmonization efforts, 190
    methodologies, 189
    monitoring, 192–193
    practices, 189
    process comparison with ISO/IEC, 192
    risk framing, 189–190
    risk response and option selection, 191–192
    standards and guidelines, 190
    supporting risk determination activities, 191
    supporting risk identification activities, 191
  security control families, 210
  SP 800-53 catalog, 203, 241
National Protection and Programs Directorate (NPPD), 221–223
National Science Foundation (NSF), 37
National Security Agency (NSA), 57–58, 201
National security system (NSS), 105–106, 223
National Technology Transfer and Advancement Act (NTTAA) of 1995, 37
NBS See National Bureau of Standards
NCSC See National Computer Security Center
NCSD See National Cyber Security Division
NIACAP See National Information Assurance Certification and Accreditation Process
NIAP See National Information Assurance Partnership
NIST See National Institute of Standards and Technology
NIST information security standards, 203
  boundary and scope, 204–205
  explicit requirements, 209–210
  NIST SP 800-53, 203
  options comparison for risk response, 211
  relationship with ISO/IEC, 208
  risk management process, 206–209
  risk management strategy, 206
    and risk management program mapping, 207
  security objectives and controls
    AC control family,
210–211 AC-1 access control policy and procedures, 212 NIST control objectives and controls mapping, 212 selection process, 210 SSP and SOA requirements comparison, 213–214 System Security Plan, 212 security policy, 205–206 NIST risk management framework (NIST RMF), 110, 114 chain of trust, 120–122 information and information system categorization, 116– 117 process, 116–117 relationship with FEA, 119–120 enterprise asset mapping, 118 FEA-security and privacy profile framework, 118 role, 112 SDLC, 110–112 security consideration, 115, 113 security requirements, 115–116 security categorization process, 117–118 adjustments, 127–129 application of, 119 goal, 122 information support, 122–124 information type identification, 124–126 provisional impact value selection, 126–127 requirements, 122 system security impact level, 129–141, 128 shared responsibility,120–122 tiered risk management approach, 111 NIST RMF See NIST risk management framework Non-local maintenance, 291–292 NPPD See National Protection and Programs Directorate NSA See National Security Agency NSF See National Science Foundation NSS See National security system NTTAA See National Technology Transfer and Advancement Act of 1995 O O&M phase See Operations and maintenance phase OCSIT See Office of Citizens Services and Innovative Technologies ODNI See Office of Director of National Intelligence OECD See Organization for Economic Cooperation and Development Office of Citizens Services and Innovative Technologies (OCSIT), 223–224 Office of Director of National Intelligence (ODNI), 202 Office of Federal Register (OFR), 79 Office of Management and Budget (OMB), 18, 71–72 Circular A-119, 37 Circular A-130, 200, 350 memorandum policies information types, 81–82 PII, 81 Office of Technology Plus (OTP), OFR See Office of Federal Register OMB See Office of Management and Budget Open Government Directive, 59 Open source and federal government Index acquisition challenges, 61 federal laws and regulations, 61– 62 key 
license criteria, 61–62 policy framework, 61, 63 US Government OSS FAQs, 61–62, 64 advantages, 56–57 Bazaar model, 56–57 challenges, 56–57 Digital Government Strategy, 60 MITRE report, 58, 58–59 Open Government Directive, 59 PITAC report, 56–57 security challenges, 62–64 SELinux project, 57–58 US government OSS policy framework,55–56 Open Source Definition (OSD), 58 Open Source Electronic Health Record Agent (OSEHRA), 54 Open Source Initiative (OSI), 58 Open source software (OSS), 53 and cloud computing, 65 Digital Government Strategy, 65–68 FDCCI, 65–67 federal agencies, 54 modernization projects, 55 Operational expenditures (OPEX), 23 Operational processes, CONOPS, 226 continuous monitoring, 235 change control, 236 incident response, 236 operational visibility, 235–236 FedRAMP process areas, 227, 229 leveraging ATO, 234–235 security assessment process, 228 documenting controls, 230 finalizing, 233 performing, 232 request initiating, 228 Operational visibility, 368 compliance, 390–392 and continuous monitoring, 390, 391 GRC Stack components, 392–393 Operations and maintenance phase (O&M phase), 157 OPEX See Operational expenditures Organization for Economic Cooperation and Development (OECD), 75–76 Organizational governance, 351 CM process, 351 federal agencies, 353–354 metrics, 352–353 organization-wide view of, 351–352 OSD See Open Source Definition OSEHRA See Open Source Electronic Health Record Agent OSI See Open Source Initiative OSS See Open source software OTP See Office of Technology Plus P PaaS See Platform as a Service PDCA See Plan-Do-Check-Act PE See Physical and Environmental Protection Performance Reference Model (PRM), 120 Personal computer See Microcomputer Personal Health Information (PHI), 395–396 Personally identifiable information (PII), 76–77, 395–396 DM of, 91– 92 in federal policies, 76–77 in Federal Privacy Laws, 76–77 information types, 81–82 Personnel Security (PS), 302–304 access agreements, 304 personnel sanctions, 304 personnel 
screening, 302–303 personnel termination, 303 personnel transfer, 303–304 policy and procedures, 302 position categorization, 302 third-party personnel security, 304 PHI See Personal Health Information Physical access control, 296–297 Physical and Environmental Protection (PE), 295–300 access control for output devices, 297 for transmission medium, 297 access records, 298 alternate work site, 300 delivery and removal, 299–300 emergency services lighting, 298 power, 298 shutoff, 298 fire protection, 298–299 location of information system components, 300 monitoring physical access, 297 physical access authorizations, 296 control, 296–297 policy and procedures, 295–296 power equipment and power cabling, 298 temperature and humidity controls, 299 431 432 Index visitor control, 297–298 water damage protection, 299 PIA See Privacy Impact Assessment PII See Personally identifiable information PITAC See President’s Information Technology Advisory Committee PL See Security planning Plan of action and milestone (POA&M), 150, 415 documenting, 151 risk mitigation strategy, 151 Plan-Do-Check-Act (PDCA), 204–205 Platform as a Service (PaaS), 395 PMO See Program Management Office POA&M See Plan of action and milestone Policy memo, 219 document hierarchy, 220 FISMA, 220–221 primary stakeholders, 221 DHS, 221–223 federal agencies, 224–225 JAB, 223–224 PMO, 224 Power equipment and cabling, 298 Presentation/reporting subsystem, 383 President’s Information Technology Advisory Committee (PITAC), 56–57 Primary stakeholders, 221 DHS cybersecurity-related responsibilities, 223 cybersecurity-related roles, 223 NCSD, 221–223 NPPD, 221–223 federal agencies, 224–225 FedRAMP PMO, 224 JAB, 223–224 OCSIT, 223–224 roles and interaction, 222 SLA, 224 PRISMA See Program Review for Information Security Management Assistance Privacy, 75 Privacy control families, 85 accountability, audit, and risk management, 86–90 authority and purpose, 86 data minimization and retention, 91–92 data quality and 
integrity, 90–91 individual participation and redress, 92–94 security, 94–95 transparency, 95–96 use limitation, 96–97 Privacy Impact Assessment (PIA), 73, 146, 301 PRM See Performance Reference Model Program Management Office (PMO), 27, 244–245, 249–250, 364 Program Review for Information Security Management Assistance (PRISMA), 124 PS See Personnel Security Public cloud computing, 71 See also Cloud computing CSP, 71–72 FEA-SPP, 73 Federal Privacy Laws and policies, 75 FISMA, 79–80 OMB memorandum policies, 81 Privacy Act of 1974, 77–78 Federal Privacy policies, 75 public cloud service, 72–73 safeguarding privacy information, 82–83 data breaches, impacts and consequences, 97–98 privacy controls, 84 security and privacy conceptual reference model, 74 cross-cutting security and privacy, 74 key security considerations, 75 of NIST, 74 security and privacy issues, 100 CSP actions, 100 federal agency, 99–100 using situational analysis techniques, 99–100 Public key infrastructure certificates, 317–318 Publicly accessible content, 262–263 R RA See Risk assessment Real-time operational feeds, 365 Remote access, 259–260 Return on investment (ROI), 9, 65–67 Risk assessment (RA), 177–178, 185, 304–307 activities, 185 components of, 187 information security-related risks, 185 inputs, 185 NIST, 186 outputs, 185 policy and procedures, 304–305 risk assessment methodology, 186 security categorization, 305 strategy, 186 vulnerability scanning, 306–307 Risk framing, 176, 183, 184 activities, 183 risk framework, 183–184 Index risk methodologies, 183–184 Risk management, 169–170 activities, 180 tier 1, 180 tier 2, 181 tier 3, 181–182 enterprise-wide risk management, 175–176 multi-tiered risk management, 179–182 risk assessment, 177–178 risk framing, 176 risk monitoring, 179 risk response, 178, 186–188 ERM, 170–171 federal information security risk management practices C&A, 172 chronology of, 173–174 NBS, 171–172 NIST and ISO/IEC risk management process comparison, 189 practices, 189 
strategy, 206 top-down approach, 171 Risk Management Framework (RMF), 64 boundary, 413 cloud service provider role, 408 CSP, 396–399 to FedRAMP, 329, 396 IaaS information types, 399– 400 key data types, 410–411 mission-based information types, 399–408 NIST, 110, 169–170 PaaS information types, 399– 400 potential information types, 411 resource management information types, 402– 403, 399–408 security control selection process, 412 laws, 412–413 required standards, 412–413 guidance, 412–413 service delivery support information types, 399–408 supplementing, 414 tailoring, 414 Risk management process, 182, 206–209 risk assessment, 185 activities, 185 components of, 187 information security-related risks, 185 inputs, 185 outputs, 185 NIST, 186 strategy, 186 risk framing, 183–184 activities, 183 risk framework, 183–184 risk methodologies, 183–184 risk monitoring, 188–189 activities, 188 inputs, 188 outputs, 188 risk response, 186–188 activities, 187 inputs, 187 outputs, 187 tiered application of, 183 Risk monitoring, 179, 188–189 activities, 188 inputs, 188 outputs, 188 program, 192–193 Risk treatment See Risk response RMF See Risk Management Framework ROI See Return on investment S S&T See Science and Technology SA See System and Services Acquisition SABI See Secret and Below Interoperability Safeguarding privacy information accountability, 98 confidentiality, 83–84 consequences, 98 data breaches, 97–98 data security breaches, 99 FIPPs and safeguards relationship, 83 internationally accepted framework, 84 privacy and security, 82–83 privacy control families, 85 privacy controls, 84 SAISO See Senior Agency Information Security Officer SAJACC See Standards Acceleration to Jumpstart Adoption of Cloud Computing SAP See Security assessment plan SAR See Security Assessment Report SC See System and Communications Protection SCAP See Secure Content Automation Protocol SCI See Secret/Sensitive Compartmented Information Science and Technology (S&T), 64 SCO See Standards 
Coordination Office SDLC See System development life cycle; Systemdevelopment lifecycle 433 434 Index SDOs See Standards development organizations SE See Security SecDef See Secretary of Defense Secret and Below Interoperability (SABI), 203 Secret/Sensitive Compartmented Information (SCI), 203 Secretary of Defense (SecDef), 105 Secure Content Automation Protocol (SCAP), 140–141, 389 Security (SE), 94 authority to collect, 94 privacy incident response, 94 Security assessment, 228, 329, 269 execution, 346–348 goal, 329–330 governance in, 331–332 results, 332–334 roles, 332 key areas, 331 NIST RMF and FedRAMP, 229–231 preparation, 334–346 request initiating, 228–230 security assessment finalization, 233–234 security assessment performance, 232–233 security controls documentation, 230–232 Security Assessment and Authorization (CA), 268–271 continuous monitoring, 271 information system connections, 269–270 plan of action and milestones, 270 policy and procedures, 268–269 security assessments, 269 security authorization, 270–271 Security assessment plan (SAP), 336 assessment procedure, 342–344 assessment cases, 344 sample, 343 selection, 342 development, 340–341 execution, 346–348 in-scope security control identification, 341–342 Security assessment preparation, 334–335 customer responsibilities, 336 planning, 338 artifacts, 338–339 personnel, 339 post-assessment activities, 334–336 pre-assessment activities, 334–336 provider, 336–337 responsibilities, 339–346 Security assessment provider responsibilities, 339–340 developing SAP, 340–341 assessment procedures selection, 342–343 scope security controls, 341–342 team members selection, 340 Security Assessment Report (SAR), 148, 330–331, 334–336, 415 Security attributes, 259 Security authorization process, 153, 270–271, 368 See also Security categorization process cloud service provider role in, 398 decisions, 155–156 key updates, 163–165 monitoring, 158–160 O&M phase,157–159 ongoing risk determination and acceptance, 165 
ongoing security controls assessments, 162 package, 153–154 risk determination, 154–155 security impact analysis, 160–162 status reporting,163–165 Security automation, 375 CM, 375–376 automating CM activities, 376–377 reference architectures, 377–388 CYBEX, 389–390 SCAP, 389–390 standards and specifications, 388–389 Security awareness, 263, 264 Security categorization process, 117–118, 121 activities, 133–135 adjustments, 127–129 application of, 119 assessment, 146 plan, 147 preparation, 147, 145 result, 148 security controls, 147–148 step activities, 146, 144 authorization, 149 BRM, 123, 126–127 business architecture, 123–124 continuous monitoring planning, 140–141 boundary, 139,141–142 decomposition, 142–143 E-Government Task Force, 124 goal, 122 implementation, 141,143–144 information security level,121–122 information support, 122–124 information type identification, 124 business architecture, 123 business reference model, 123 Index FEAPMO, 126 federal government’s dependency, 127 NIST RMF step activities,130–134 POA&M, 150 documenting, 151 risk mitigation strategy, 151 provisional impact levels, 125–129 activities,126–127 adjustments, 129 provisional impact value selection for information type, 127–129 potential impact levels, 125, 128 security characterization, 124 requirements, 122 security control selection, 130–134 security controls, 144–146 security impact level, 129 system security impact level, 128–141 tailored baseline, 138 compensation, 136–137, 155 cyber preparedness, 137–138 organization-defined parameters, 137 scoping, 136 tailoring process of, 135–136 and supplementation, 137–140 Security control See also System and Communications Protection (SC) assessment, 415 baseline selection, 242 selection process, 241 FedRAMP cloud computing overlay, 243 program, 241 security control baseline selection, 242 supplementing security control baseline, 243 tailoring process, 242–243 Security control baseline, supplementing, 243 Security control implementation, 
FedRAMP See also Cloud computing security requirements, FedRAMP cloud security reference model, 252 CSPs, 251 in development process, 251 FIPS, 253 gap analysis exercise, 253 security control selection process, 250–251 Security control requirements, FedRAMP, 253–263 See also Cloud computing security requirements, FedRAMP AT, 263–264 access control for mobile devices, 261–262 policy and procedures, 254 access enforcement, 255–256 account management, 254–255 actions without identification and authentication, 258–259 AU, 264–268 CM, 271–276 concurrent session control, 258 CP, 276–281 external information systems, 262 IA, 281–286 information flow enforcement, 256 IR, 286–289 least privilege, 256–257 MA, 289–292 MP, 292–295 PE, 295–300 planning, 300–302 PS, 302–304 publicly accessible content, 262–263 remote access, 259–260 risk assessment, 304–307 SA, 307–312 SC, 312–320 security assessment and authorization, 268–271 security attributes, 259 separation of duties, 256 session lock, 258 SI, 320–326 system use notification, 257–258 unsuccessful login attempts, 257 wireless access, 260–261 Security documents, 365 Security Enhanced Linux project (SELinux project), 57–58 Security impact analysis, 273 Security Operations Center (SOC), 236 Security planning (PL), 300–301 policy and procedures, 300–301 privacy impact assessment, 301 rules of behavior, 301 security-related activity planning, 301 system security plan, 301 Security training, 263–264 Security-related activity planning, 301 SELinux project See Security Enhanced Linux project Senior Agency Information Security Officer (SAISO), 108, 105 Service level agreement (SLA), 27–28, 120, 182, 224, 249–250 435 436 Index Session authenticity, 319 Session lock, 258 SI See System and information integrity Single problem statement, 217–218 SLA See Service level agreement SOC See Security Operations Center SORN See Systems of Records Notice SP See Special Publication Special Publication (SP), 200, 241 SSP See System Security Plan 
Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC), 36 Standards Coordination Office (SCO), 37 Standards development organizations (SDOs), 34 Standards identification for federal cloud computing adoption NIST conceptual reference model,39–40 SDOs and community-drive organizations, 40–41 standards cloud computing-related, 40–41,49 Internet-related, 40–46 US federal government and internationalrelated standards, 40–48 Strengths, Weaknesses, Opportunities, and Threats (SWOT), 99–100 Supply chain protection, 312 SWOT See Strengths, Weaknesses, Opportunities, and Threats System and Communications Protection (SC), 312–320 application partitioning, 313 architecture and provisioning, 319 authoritative source, 318–319 boundary protection, 313–315 caching resolver, 319 collaborative computing devices, 317 cryptographic key establishment and management, 316–317 using cryptography, 317 denial of service protection, 313 information in shared resources, 313 information system partitioning, 320 mobile code, 318 network disconnect, 316 policy and procedures, 312–313 information protection, at rest, 319–320 public access protections, 317 public key infrastructure certificates, 317–318 resource priority, 313 session authenticity, 319 transmission confidentiality, 315–316 transmission integrity, 315 trusted path, 316 virtualization techniques, 320 voice over Internet protocol, 318 System and information integrity (SI), 320–325 error handling, 325 flaw remediation, 321 information input restrictions, 325 information input verification, 325 information output handling and retention, 325 information system monitoring, 322–324 malicious code protection, 321–322 policy and procedures, 320–321 security alerts, advisories, and directives, 324 security functionality verification, 324 software and information integrity, 324 spam protection, 324–325 System and Services Acquisition (SA), 307–312 acquisitions, 308–310 allocation of resources, 308 developer configuration 
management, 311–312 developer security testing, 312 external information system services, 311 information system documentation, 310 life cycle support, 308 policy and procedures, 307–308 security engineering principles, 311 software usage restrictions, 310–311 supply chain protection, 312 user-installed software, 311 System development life cycle (SDLC), 110–112, 329, 350 System Maintenance (MA), 289–292 controlled maintenance, 290 maintenance personnel, 292 maintenance tools, 290–291 non-local maintenance, 291–292 policy and procedures, 289–290 timely maintenance, 292 System Security Plan (SSP), 244–245, 301, 341– 342, 415–418 System-development lifecycle (SDLC), 181–182 Systems of Records Notice (SORN), 78–79 T TAA See Trade Agreements Act Tailor assessment procedures, 344 selecting assessment methods and objects, 345 selecting depth and coverage attributes, 345 finalization, 346 optimization, 346 supplementation, 345 Tailoring process, 135–136, 242–243 Index Task manager subsystem, 383 TCSEC See Trusted Computer System Evaluation Criteria Telecommunications services, 280–281 Temperature and humidity controls, 299 Third Party Assessment Organization program (3PAO program), 219, 223, 238, 390, 415 ISCP, 237 JAB, 237–238 NIST, 237 Third-party personnel security, 304 Three-tiered approach, 365–368 TIC See Trusted Internet Connection Time stamps, 266–267 Top-down approach, 171 TR See Transparency Trade Agreements Act (TAA), 36–37 Transmission confidentiality, 315–316 Transmission integrity, 315 Transparency (TR), 95–96 Trusted Computer System Evaluation Criteria (TCSEC), 202 Trusted Internet Connection (TIC), 223 UNIVersal Automatic Computer (UNIVAC), US Computer Emergency Readiness Team (US-CERT), 80 US-CERT See United States Computer Emergency Readiness Team; US Computer Emergency Readiness Team Use Limitation (UL), 96–97 U X UCDMO See Unified Cross Domain Management Office UL See Use Limitation Unified Cross Domain Management Office (UCDMO), 203 United States 
Computer Emergency Readiness Team (US-CERT), 236, 373 UNIVAC See UNIVersal Automatic Computer V VA See Veterans Affair Veterans Affair (VA), 54 Virtualization techniques, 320 Visitor control, 297–298 Voice over Internet protocol, 318 Vulnerability scanning, 306–307 W Water damage protection, 299 Web Services Definition Language (WSDL), 387–388 Wireless access, 260–261 WSDL See Web Services Definition Language XCCDF, 389 XML Path Language (XPath), 42–46 XML Signature Syntax and Processing (XMLSig), 42–46 XMLSig See XML Signature Syntax and Processing XPath See XML Path Language 437 This page is intentionally left blank .. .Federal Cloud Computing This page is intentionally left blank Federal Cloud Computing The Definitive Guide for Cloud Service Providers Matthew Metheny AMSTERDAM... Metheny, Matthew   Federal cloud computing : the definitive guide for cloud service providers / Matthew Metheny—First edition   pages cm   Summary: “In recent years cloud computing has emerged... adopt cloud computing without a sound understanding of its potential and risks could prove a devastating setback This book, Federal Cloud Computing: The Definitive Guide for Cloud Service Providers

Posted: 21/03/2019, 09:02
