An open source approach to FedRAMP
A presentation at Carahsoft FedRAMP Forum in in Washington, DC, USA by Shawn Wells
An open source approach to FedRAMP Shawn Wells Chief Security Strategist, North America Public Sector shawn@redhat.com || 443-534-0130
AC-2: Account Management FedRAMP High. FedRAMP Moderate. FedRAMP Low. …. …. AT-2: Security Awareness Training AU-8: Time Stamps CA-7: Plan of Action & Milestones CM-10: Software Usage Restrictions CP-2: Contingency Plan IA-5: Authenticator Management IR-8: Incident Response Plan MA-4: Nonlocal Maintenance
AC-2: Account Management FedRAMP High. FedRAMP Moderate. FedRAMP Low. …. …. AT-2: Security Awareness Training AU-8: Time Stamps AU-9: Protection of Audit Information CA-7: Plan of Action & Milestones CM-10: Software Usage Restrictions CP-2: Contingency Plan IA-5: Authenticator Management IA-2(12): Acceptance of PIV Credentials IR-8: Incident Response Plan MA-4: Nonlocal Maintenance 4
FedRAMP High. FedRAMP Moderate. FedRAMP Low. AC-2: Account Management AC-8: System Use Notification AT-2: Security Awareness Training AU-8: Time Stamps AU-9: Protection of Audit Information CA-7: Plan of Action & Milestones …. CM-10: Software Usage Restrictions CM-4: Security Impact Analysis …. CP-2: Contingency Plan IA-5: Authenticator Management IA-2(12): Acceptance of PIV Credentials IR-8: Incident Response Plan MA-4: Nonlocal Maintenance 5
CONFIDENTIAL Designator The Government created a control catalog. Could we create a response catalog? Can deployment specific ATO materials be dynamically generated?
Structured language for ATO responses, created by 18F
- control_key: AC-14 standard_key: NIST-800-53 covered_by: [] implementation_status: complete narrative: - text: | ‘Regardless of access mechanism, such as the Ansible Tower console, unauthenticated users will only be shown the system use notifications (as defined in AC-8) and login prompt. This is non-configurable behavior.’
name: DoD-STIG name: FedRAMP-mod name: DHS-4300A standards: standards: standards: NIST-800-53: NIST-800-53: NIST-800-53: AC-1: {} AC-1: {} AC-20 (1): {} AC-14: {} AC-2: {} AC-20 (2): {} AU-2: {} AT-7: {} AC-20 (3): {} SC-3: {} AU-11: {} AC-20 (4): {} SI-7: {} CA-4: {} AC-21: {}
NIST NATIONAL CHECKLIST PROGRAM The National Checklist Program (NCP) is the U.S. Government repository of publicly available security checklists, that provide detailed low level guidance, on setting the security configuration of system components and applications https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0
ComplianceAsCode Project https://github.com/ComplianceAsCode
INNOVATION DOES NO GOOD IF YOU CAN’T SECURE IT
Recent news headlines include how GSA took their ATO process from 6 months to 30 days, the Navy’s “Compile to Combat in 24 hours” capability, or how ORock achieved FedRAMP Moderate in three months.
These rapid ATO success stories sharply contrast to opinions that FedRAMP, FISMA, and broader initiatives like Controlled Unclassified Information (CUI) slow down innovation.
Via NIST 800-53 the U.S. Government created a security control catalog. Could a <i>response catalog be created, sharing prepopulated answers for common technologies like operating systems and container platforms? If we could create a control response catalog, could deployment-specific ATO materials be dynamically generated?
This talk steps through a joint industry/government initiative called OpenControl, which in partnership with GSA and NIST, is working to automate much of the ATO process.
Conference slides also available at https://www.carahsoft.com/download_file/view_inline/44716.
for free. You
can too.
