From: FierceGovernmentIT
A concept of operations for the FedRAMP governmentwide assessment and authorization of low- and moderate-impact cloud services released Feb. 7 by the program office shows that the Homeland Security Department will have an active role in continuous monitoring and incident response.
The document (.pdf) assigns DHS multiple responsibilities, including real-time monitoring of security posture reports from cloud service providers. Federal officials say any provider of multi-tenant cloud computing at the low and moderate risk level must go through the FedRAMP process, which grants providers a provisional authorization valid at any federal agency. Provisional authorization doesn’t substitute the need for a local agency official to sign an authorization to operate on the local network, but it should significantly speed up the process since agencies won’t have to reassess provider compliance with baseline security controls, federal officials say.
To ensure ongoing compliance with the baseline, cloud service providers will have to provide agencies with automated security posture data feeds, which must share them with DHS, the concept of operations states.
In addition, DHS, in the form of US-CERT, will have an active role in incident response, the document adds, working with the FedRAMP program office on matters including root cause analysis and recommending remedial actions.
The concept of operations also explains somewhat more what constitutes a “significant change” that could potentially affect a cloud service provider’s provisional authorization. Significant changes don’t include routine changes covered by a configuration management plan, but rather changes that affect “the scope of an approved provisional authorization or impact the authorization boundary.”
Examples include changes to applications that reside on the cloud system, changes to cloud infrastructure, to the risk posture, or in the point of contact to the FedRAMP program office.
For more:
– download the FedRAMP CONOPS, v 1.0 (.pdf)
Leave a Reply