An open source approach to FedRAMP
Shawn Wells, Chief Security Strategist, North America Public Sector
shawn@redhat.com || 443-534-0130

Slide: FedRAMP High, Moderate and Low baselines mapped against NIST 800-53 controls, including:
  • AC-2: Account Management
  • AC-8: System Use Notification
  • AT-2: Security Awareness Training
  • AU-8: Time Stamps
  • AU-9: Protection of Audit Information
  • CA-7: Plan of Action & Milestones
  • …
  • CM-10: Software Usage Restrictions
  • CM-4: Security Impact Analysis
  • …
  • CP-2: Contingency Plan
  • IA-5: Authenticator Management
  • IA-2(12): Acceptance of PIV Credentials
  • IR-8: Incident Response Plan
  • MA-4: Nonlocal Maintenance

The Government created a control catalog. Could we create a response catalog? Can deployment-specific ATO materials be dynamically generated?

Structured language for ATO responses, created by 18F

  - control_key: AC-14
    standard_key: NIST-800-53
    covered_by: []
    implementation_status: complete
    narrative:
      - text: |
          Regardless of access mechanism, such as the Ansible Tower console,
          unauthenticated users will only be shown the system use notifications
          (as defined in AC-8) and login prompt. This is non-configurable behavior.

Per-framework control lists (DoD-STIG, FedRAMP-mod, DHS-4300A), each keyed to NIST-800-53:

  name: DoD-STIG
  standards:
    NIST-800-53:
      AC-1: {}
      AC-14: {}
      AU-2: {}
      SC-3: {}
      SI-7: {}

  name: FedRAMP-mod
  standards:
    NIST-800-53:
      AC-1: {}
      AC-2: {}
      AT-7: {}
      AU-11: {}
      CA-4: {}

  name: DHS-4300A
  standards:
    NIST-800-53:
      AC-20 (1): {}
      AC-20 (2): {}
      AC-20 (3): {}
      AC-20 (4): {}
      AC-21: {}
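How a "response catalog" answers the "control catalog": the component narratives above (control_key, standard_key, implementation_status, narrative) are joined to a framework's control list, and any required control without a complete, narrated implementation falls out as a POA&M item. Added example, not code from the slides or from 18F; the in-memory dicts stand in for parsed YAML, and the "satisfies" wrapper, component names and narrative text are assumed/constructed.

```python
# Added example (not from the slides): cross-reference component narratives
# against a framework's required controls and report what still needs a POA&M.
# Dicts are constructed stand-ins for yaml.safe_load output; the "satisfies"
# wrapper and component names are assumed rather than taken from the slides.

CERTIFICATION = {"name": "FedRAMP-mod", "standards": {"NIST-800-53": {
    "AC-1": {}, "AC-2": {}, "AT-7": {}, "AU-11": {}, "CA-4": {}}}}

COMPONENTS = [
    {"name": "Ansible Tower", "satisfies": [
        {"control_key": "AC-2", "standard_key": "NIST-800-53",
         "implementation_status": "complete",
         "narrative": [{"text": "Accounts are created and disabled via Tower RBAC."}]},
        {"control_key": "AT-7", "standard_key": "NIST-800-53",
         "implementation_status": "planned", "narrative": []}]},
    {"name": "RHEL 7", "satisfies": [
        {"control_key": "AC-1", "standard_key": "NIST-800-53",
         "implementation_status": "complete",
         "narrative": [{"text": "Access control policy is documented in the SSP."}]}]},
]


def coverage_report(certification, components):
    """Map each required control to {'status', 'narratives'}: complete when a
    component is complete AND wrote a narrative, partial when only claimed, gap."""
    report = {}
    for standard, controls in certification["standards"].items():
        for control in controls:
            entry = {"status": "gap", "narratives": []}
            for comp in components:
                for sat in comp.get("satisfies", []):
                    if (sat["standard_key"], sat["control_key"]) != (standard, control):
                        continue
                    texts = [n["text"] for n in sat.get("narrative", [])]
                    entry["narratives"] += [f"{comp['name']}: {t}" for t in texts]
                    if sat.get("implementation_status") == "complete" and texts:
                        entry["status"] = "complete"   # a complete claim wins
                    elif entry["status"] != "complete":
                        entry["status"] = "partial"
            report[control] = entry
    return report


def poam_items(report):
    """Controls the catalog cannot yet answer: input for the Plan of Action &
    Milestones rather than for the generated SSP narrative."""
    return sorted(c for c, e in report.items() if e["status"] != "complete")
```

Swapping CERTIFICATION for the DoD-STIG or DHS-4300A list reuses the same component catalog, which is the point of keeping responses separate from frameworks.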

NIST NATIONAL CHECKLIST PROGRAM
The National Checklist Program (NCP) is the U.S. Government repository of publicly available security checklists that provide detailed, low-level guidance on setting the security configuration of system components and applications. https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0

ComplianceAsCode Project https://github.com/ComplianceAsCode

INNOVATION DOES NO GOOD IF YOU CAN’T SECURE IT