Federal Risk and Authorization Management Program (FedRAMP): Continuous Monitoring Strategy & Guide (bilingual English/Chinese copy; the original English text is kept below, with the translator's own additions rendered in English)

Continuous Monitoring Strategy & Guide
Version 2.0
June 6, 2014

EXECUTIVE SUMMARY

The OMB memorandum M-10-15, issued on April 21, 2010, changed from static point-in-time security authorization processes to Ongoing Assessment and Authorization throughout the system development life cycle. Consistent with this new direction favored by OMB and supported in NIST guidelines, FedRAMP developed an ongoing assessment and authorization program for the purpose of maintaining the authorization of Cloud Service Providers (CSPs).

After a system receives a FedRAMP authorization, it is probable that the security posture of the system could change over time due to changes in the hardware or software on the cloud service offering, or also due to the discovery and provocation of new exploits. Ongoing assessment and authorization provides federal agencies using cloud services a method of detecting changes to the security posture of a system for the purpose of making risk-based decisions.

This guide describes the FedRAMP strategy for CSPs to use once they have received a FedRAMP Provisional Authorization. CSPs must continuously monitor the cloud service offering to detect changes in the security posture of the system to enable well-informed risk-based decision making. This guide instructs CSPs on the FedRAMP strategy to continuously monitor their systems.

DOCUMENT REVISION HISTORY

Date        Page(s)   Description                                                                        Author
06/06/2014  (all)     Major revision for SP 800-53 Revision 4. Includes new template and formatting changes.  FedRAMP PMO

TABLE OF CONTENTS (page numbers omitted in this copy)

About this document
    Who should use this document?
    How this document is organized
    How to contact us
1. Overview
    1.1. Purpose of This Document
    1.2. Continuous Monitoring Process
2. Continuous Monitoring Roles & Responsibilities
    2.1. Authorizing Official
    2.2. FedRAMP PMO
    2.3. Department of Homeland Security (DHS)
    2.4. Third Party Assessment Organization (3PAO)
3. Continuous Monitoring Process Areas
    3.1. Operational Visibility
    3.2. Change Control
    3.3. Incident Response
Appendix A  Control Frequencies
Appendix B  Template Monthly Reporting Summary
    JAB P-ATO Continuous Monitoring Analysis

List of Tables
    Table 3-1  Control Selection Criteria
    Table A-1  Summary of Continuous Monitoring Activities & Deliverables

List of Figures
    Figure 1  NIST Special Publication 800-137 Continuous Monitoring Process

ABOUT THIS DOCUMENT

This document has been developed to provide guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. This document is not a FedRAMP template; there is nothing to fill out in this document.

WHO SHOULD USE THIS DOCUMENT?

This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessor Organizations (3PAOs), government contractors working on FedRAMP projects, and government employees working on FedRAMP projects. This document may also prove useful for other organizations that are developing a continuous monitoring program.

HOW THIS DOCUMENT IS ORGANIZED

This document is divided into seven sections and one appendix.

Section 1    Provides an overview of the continuous monitoring process.
Section 2    Describes roles and responsibilities for stakeholders other than CSPs.
Section 3    Describes how operational visibility, change control and incident response support continuous monitoring.
Appendix A   Describes the security control frequencies.

HOW TO CONTACT US

Questions about FedRAMP or this document may be directed to info@fedramp.gov. For more information about FedRAMP, visit the website at http://www.fedramp.gov.

1. OVERVIEW

Within the FedRAMP Security Assessment Framework, once an authorization has been granted, the CSP's security posture is monitored according to the assessment and authorization process. Monitoring security controls is part of the overall risk management framework for information security and is a requirement for CSPs to maintain a security authorization that meets the FedRAMP requirements.

Traditionally, this process has been referred to as "Continuous Monitoring" as noted in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. Other NIST documents such as NIST SP 800-37, Revision 1 refer to "ongoing assessment of security controls". It is important to note that both the terms "Continuous Monitoring" and "Ongoing Security Assessments" mean essentially the same thing and should be interpreted as such.

Performing ongoing security assessments determines whether the set of deployed security controls in a cloud information system remains effective in light of new exploits and attacks, and planned and unplanned changes that occur in the system and its environment over time. To maintain an authorization that meets the FedRAMP requirements, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable.

Ongoing assessment of security controls results in greater control over the security posture of the CSP system and enables timely risk-management decisions. Security-related information collected through continuous monitoring is used to make recurring updates to the security assessment package. Ongoing due diligence and review of security controls enables the security authorization package to remain current, which allows agencies to make informed risk management decisions as they use cloud services.

1.1. Purpose of This Document

This document is intended to provide CSPs with guidance and instructions on how to implement their continuous monitoring program. Certain deliverables and artifacts related to continuous monitoring that FedRAMP requires from CSPs are discussed in this document.

1.2. Continuous Monitoring Process

The FedRAMP continuous monitoring program is based on the continuous monitoring process described in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. The goal is to provide: (i) operational visibility; (ii) managed change control; and (iii) attendance to incident response duties. For more information on incident response, review the FedRAMP Incident Communications Procedure.

The effectiveness of a CSP's continuous monitoring capability supports ongoing authorization and reauthorization decisions. Security-related information collected during continuous monitoring is used to make updates to the security authorization package. Updated documents provide evidence that FedRAMP baseline security controls continue to safeguard the system as originally planned.

As defined by the National Institute of Standards and Technology (NIST), the process for continuous monitoring includes the following initiatives:

- Define a continuous monitoring strategy based on risk tolerance that maintains clear visibility into assets and awareness of vulnerabilities and utilizes up-to-date threat information.
- Establish measures, metrics, and status monitoring and control assessment frequencies that make known organizational security status and detect changes to information system infrastructure and environments of operation, and status of security control effectiveness in a manner that supports continued operation within acceptable risk tolerances.
- Implement a continuous monitoring program to collect the data required for the defined measures and report on findings; automate collection, analysis and reporting of data where possible.
- Analyze the data gathered and report findings accompanied by recommendations. It may become necessary to collect additional information to clarify or supplement existing monitoring data.
- Respond to assessment findings by making decisions to either mitigate technical, management and operational vulnerabilities; or accept the risk; or transfer it to another authority.
- Review and update the monitoring program, revising the continuous monitoring strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities; further enhance data-driven control of the security of an organization's information infrastructure; and increase organizational flexibility.

[Figure 1: NIST Special Publication 800-137 Continuous Monitoring Process]

Security control assessments performed periodically validate whether stated security controls are implemented correctly, operating as intended, and meet FedRAMP baseline security controls. Security status reporting provides federal officials with information necessary to make risk-based decisions and provides assurance to existing customer agencies regarding the security posture of the system.

2. CONTINUOUS MONITORING ROLES & RESPONSIBILITIES

2.1. Authorizing Official

Authorizing Officials and their teams ("AOs") serve as the focal point for coordination of continuous monitoring activities for CSPs. CSPs must coordinate with their AOs to send security control artifacts at various points in time. The AOs monitor both the Plan of Action & Milestones (POA&M) and any major significant changes and reporting artifacts (such as vulnerability scan reports) associated with the CSP service offering. AOs use this information so that risk-based decisions can be made about ongoing authorization.

Agency customers must perform the following tasks in support of CSP continuous monitoring:

- Notify the CSP if the agency becomes aware of an incident that the CSP has not yet reported.
- Provide a primary and secondary POC (point of contact) for CSPs and US-CERT (United States Computer Emergency Readiness Team) as described in agency and CSP Incident Response Plans.
- Notify US-CERT when a CSP reports an incident.
- Work with CSPs to resolve incidents; provide coordination with US-CERT if necessary.
- Notify the FedRAMP ISSO (Information System Security Officer) of CSP incident activity.
- Monitor security controls that are agency responsibilities.

During incident response, both CSPs and leveraging agencies are responsible for coordinating incident handling activities together, and with US-CERT. The team-based approach to incident handling ensures that all parties are informed and enables incidents to be closed as quickly as possible.

2.2. FedRAMP PMO

The FedRAMP Program Management Office (PMO) acts as the liaison for the Joint Authorization Board for ensuring that CSPs with a JAB P-ATO (Joint Authorization Board Provisional Authority to Operate) strictly adhere to their established Continuous Monitoring Plan. The JAB and FedRAMP PMO only perform Continuous Monitoring activities for those CSPs that have a JAB P-ATO.

Translator's note: the JAB is the primary governing body of the FedRAMP program, composed of the Chief Information Officers of the Department of Defense, the Department of Homeland Security, and the General Services Administration.

2.3. Department of Homeland Security (DHS)

The FedRAMP Policy Memo released by OMB defines the DHS FedRAMP responsibilities to include:

- Assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity.
- Coordinating cybersecurity operations and incident response and providing appropriate assistance.
- Developing continuous monitoring standards for ongoing cybersecurity of Federal information systems to include real-time monitoring and continuously verified operating configurations.
- Developing guidance on agency implementation of the Trusted Internet Connection (TIC) program for cloud services.

The FedRAMP PMO works with DHS to incorporate DHS's guidance into the FedRAMP program guidance and documents.

2.4. Third Party Assessment Organization (3PAO)

Third Party Assessment Organizations (3PAOs) are responsible for independently verifying and validating the control implementation and test results for CSPs in the continuous monitoring phase of the FedRAMP process. Specifically, 3PAOs are responsible for:

- Assessing a defined subset of the security controls annually.
- Submitting the assessment report to the ISSO one year a
