This interactive session is designed to deliver deeper insights into the Federal Risk and Authorization Management Program (FedRAMP), a U.S. Federal Government-wide initiative intended to provide “a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services” to be used in support of Federal agency operations. The speakers will update attendees on current FedRAMP progress and ongoing initiatives, as well as a detailed review of the recently received provisional approval to operate (P-ATO) granted to Akamai Technologies. The Akamai approach is distinct among the others approved to date by FedRAMP—as it authorizes core cloud services to operate using Akamai’s highly distributed commercial network. While others are focused on government-only cloud environments, Akamai can offer government-wide accreditation and assurance to the defense and civilian agencies it serves. Plan to attend this session to build on your understanding of FedRAMP and the expanding cloud computing options available to agency professionals—regardless of mission or location. See the full Edge Presentation: http://www.akamai.com/html/custconf/edgetv-forum.html#session-fedramp Panelists Include: Matthew Goodrich, Matt Mitchell, Christine Schweickert The Akamai Edge Conference is a gathering of the industry revolutionaries who are committed to creating leading edge experiences, realizing the full potential of what is possible in a Faster Forward World. From customer innovation stories, industry panels, technical labs, partner and government forums to Web security and developers' tracks, there’s something for everyone at Edge 2013. Learn more at http://www.akamai.com/edge
Federal Risk and Authorization Management Program (FedRAMP)
Moderator: Fran Trentley, Akamai
Vera Ashworth, US Federal, CGI
Christine Schweickert, Akamai
Matt Mitchell, Knowledge Consulting Group
Why FedRAMP?
Problem:
• A duplicative, inconsistent, time consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.
Solution: FedRAMP
• Uniform risk management approach
• Standard set of approved, minimum security controls (FISMA Low and Moderate Impact)
• Consistent assessment process
• Provisional ATO
FedRAMP Policy Framework
• eGov Act of 2002 includes the Federal Information Security Management Act (FISMA): Congress passes FISMA as part of the 2002 eGov Act.
• OMB A-130; NIST SP 800-37, 800-137, 800-53: OMB A-130 provides policy, the NIST Special Publications provide the risk management framework.
• FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing a common cloud computing baseline supporting risk-based decisions.
• Agency ATO: Agencies leverage the FedRAMP process; heads of agencies understand and accept risk and grant ATOs.
FedRAMP Authorizations
Mandatory Federal Requirement
• OMB Policy Memo – December 2011.
• Mandates FedRAMP compliance for all cloud services used by the Federal government.
Granting Authorizations
• Federal agencies are required by FISMA to individually grant an ATO.
• Federal agencies must ensure all cloud providers they use meet the FedRAMP requirements.
Authorizations that meet the FedRAMP requirements:
• Address the FedRAMP baseline controls
• Use the mandatory FedRAMP templates
• Are listed within the FedRAMP repository
• Have an ATO letter on file with FedRAMP PMO
©2013 AKAMAI | FASTER FORWARDTM
JAB FedRAMP Governance Model: Focus on Security and Transparency
• In October 2010, the White House launched the Federal Risk and Authorization Management Program (FedRAMP℠)
  • Provides a framework for a standard and secure approach to Assessing and Authorizing (A&A) cloud computing services and products
  • Allows joint authorizations and continuous security monitoring services for Government/Private cloud computing systems intended for multi-agency use
CGI Proprietary Information
Only 1 Path to ATO is JAB Granted & Requires Continuous Monitoring, Future FedRAMP Compliance
Higher Level of Review (lower risk for Government)
Total Cost of Ownership: Who Pays Over Time?
Look beyond compute cost comparisons to know what you are signing up for in the long term
Akamai FedRAMP
Service Name: Akamai Content Delivery Network (Akamai CDN)
Service Model: Infrastructure as a Service (IaaS)
Deployment Model: Public Cloud
Impact Level: Moderate
Authorization Date: August 22, 2013 (JAB Provisional Authorization)
Package ID: F1206061353
3PAO: Knowledge Consulting Group, Inc. (KCG) (FedRAMP Accredited)
Contact Information: Christine Schweickert
Akamai was awarded a JAB P-ATO on August 26, 2013 under FedRAMP assessment package number F1206061353.
Akamai C&A documentation can be found in the FedRAMP repository. Our Government customers should plan on leveraging the FedRAMP repository to view our SSP and associated documentation. This link shows the process: http://www.gsa.gov/portal/content/133763.
The Akamai FedRAMP accreditation boundary includes:
• the HTTP (Content Delivery) Edge Servers
• the HTTPS (Secure Content Delivery) Edge servers
• NetStorage
• HD Streaming
• Global Traffic Management (GTM) System
• Enhanced DNS Service with DNSSEC
• the Luna Control Center Portal
• Additionally, the Akamai NOCC, Akamai Domain Name Servers, and the Akamai internal systems: KMI, Authgate, and AMS.
Matt Mitchell: Director, Risk Advisory Services
Contact: [email protected]
• One of the largest pure cyber security services companies
• Over 260 information security professionals
• Expertise in each of the major domains of cybersecurity:
  • Governance & Risk Management
  • Compliance
  • Operations
  • Cyber attack simulation and exploitation
• Supporting over 15 agencies along with leading private sector clients:
  • Hi-tech
  • Financial services
  • Cloud providers
  • Power and energy
• Leads KCG's FedRAMP services practice
• 15 years of public and private security experience
• Currently supporting leading cloud providers:
  • Develop and execute cloud security and compliance management strategies
  • Implement security, compliance, and risk management programs
  • Implement security governance and workforce transformation programs
  • Build and manage rationalized compliance control frameworks:
    • FedRAMP, NIST, PCI DSS, SOC2, SOX, HIPAA, ISO, BITS