An open source approach to FedRAMP

A presentation at Carahsoft FedRAMP Forum in July 2019 in Washington, DC, USA by Shawn Wells

Slide 1


An open source approach to FedRAMP
Shawn Wells, Chief Security Strategist, North America Public Sector
shawn@redhat.com || 443-534-0130

Slide 2


Slide 3


Sample of NIST 800-53 controls, with columns for the FedRAMP High, FedRAMP Moderate and FedRAMP Low baselines:
AC-2: Account Management
….
….
AT-2: Security Awareness Training
AU-8: Time Stamps
CA-7: Continuous Monitoring
CM-10: Software Usage Restrictions
CP-2: Contingency Plan
IA-5: Authenticator Management
IR-8: Incident Response Plan
MA-4: Nonlocal Maintenance

Slide 4


Same table, with further controls added (columns: FedRAMP High, FedRAMP Moderate, FedRAMP Low):
AC-2: Account Management
….
….
AT-2: Security Awareness Training
AU-8: Time Stamps
AU-9: Protection of Audit Information
CA-7: Continuous Monitoring
CM-10: Software Usage Restrictions
CP-2: Contingency Plan
IA-5: Authenticator Management
IA-2(12): Acceptance of PIV Credentials
IR-8: Incident Response Plan
MA-4: Nonlocal Maintenance

Slide 5


Same table, fully built out (columns: FedRAMP High, FedRAMP Moderate, FedRAMP Low):
AC-2: Account Management
AC-8: System Use Notification
AT-2: Security Awareness Training
AU-8: Time Stamps
AU-9: Protection of Audit Information
CA-7: Continuous Monitoring
….
CM-10: Software Usage Restrictions
CM-4: Security Impact Analysis
….
CP-2: Contingency Plan
IA-5: Authenticator Management
IA-2(12): Acceptance of PIV Credentials
IR-8: Incident Response Plan
MA-4: Nonlocal Maintenance

Slide 6


Slide 7


Slide 8


The Government created a control catalog. Could we create a response catalog? Can deployment-specific ATO materials be dynamically generated?

Slide 9


Structured language for ATO responses, created by 18F

Slide 10


Example component entry (one item of a component's "satisfies" list):

    - control_key: AC-14
      standard_key: NIST-800-53
      covered_by: []
      implementation_status: complete
      narrative:
        - text: |
            Regardless of access mechanism, such as the Ansible Tower console,
            unauthenticated users will only be shown the system use notifications
            (as defined in AC-8) and login prompt. This is non-configurable behavior.

Slide 11


Three certification files, each listing the NIST 800-53 controls it requires:

    name: DoD-STIG
    standards:
      NIST-800-53:
        AC-1: {}
        AC-14: {}
        AU-2: {}
        SC-3: {}
        SI-7: {}

    name: FedRAMP-mod
    standards:
      NIST-800-53:
        AC-1: {}
        AC-2: {}
        AT-7: {}
        AU-11: {}
        CA-4: {}

    name: DHS-4300A
    standards:
      NIST-800-53:
        AC-20 (1): {}
        AC-20 (2): {}
        AC-20 (3): {}
        AC-20 (4): {}
        AC-21: {}
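As an added worked example (my own code, not the talk's and not OpenControl tooling), the component shape from slide 10 and the certification shape from slide 11 wired together into the "dynamically generated" step slide 8 asks about: for each certification, report which required controls are covered, partially covered, or missing, and render a plain-text SSP fragment from the narratives. The component and certification data are constructed inline to mirror the slides (real files are YAML and would be loaded with yaml.safe_load); the component name "Ansible Tower", the extra partial AC-1 entry, and the function names are assumptions.

```python
"""Gap report and narrative generation over OpenControl-style data.

Added example: the data below is constructed to mirror slides 10 and 11;
real component.yaml / certification files would be read with yaml.safe_load.
"""
from typing import Dict, List, Tuple

# Constructed component (shape of slide 10). The AC-1 "partial" entry is an
# assumption added to exercise the gap logic.
COMPONENT = {
    "name": "Ansible Tower",
    "satisfies": [
        {
            "control_key": "AC-14", "standard_key": "NIST-800-53",
            "covered_by": [], "implementation_status": "complete",
            "narrative": [{"text": (
                "Regardless of access mechanism, such as the Ansible Tower "
                "console, unauthenticated users will only be shown the system "
                "use notifications (as defined in AC-8) and login prompt. "
                "This is non-configurable behavior.")}],
        },
        {
            "control_key": "AC-1", "standard_key": "NIST-800-53",
            "covered_by": [], "implementation_status": "partial",
            "narrative": [{"text": "Access control policy is documented; "
                                   "procedures are still being written."}],
        },
    ],
}

# Constructed certifications (shape of slide 11).
CERTIFICATIONS = {
    "DoD-STIG": {"standards": {"NIST-800-53": {
        "AC-1": {}, "AC-14": {}, "AU-2": {}, "SC-3": {}, "SI-7": {}}}},
    "FedRAMP-mod": {"standards": {"NIST-800-53": {
        "AC-1": {}, "AC-2": {}, "AT-7": {}, "AU-11": {}, "CA-4": {}}}},
    "DHS-4300A": {"standards": {"NIST-800-53": {
        "AC-20 (1)": {}, "AC-20 (2)": {}, "AC-20 (3)": {}, "AC-20 (4)": {},
        "AC-21": {}}}},
}

# implementation_status values the OpenControl component schema accepts,
# and a rank so the strongest claim wins when several components cover a control.
VALID_STATUS = {"none", "planned", "partial", "complete"}
RANK = {"none": 0, "planned": 1, "partial": 2, "complete": 3}


def index_responses(components: List[dict]) -> Dict[Tuple[str, str], List[Tuple[str, str, str]]]:
    """Map (standard_key, control_key) -> [(component name, status, narrative text)].

    Rejects unknown status values and 'complete' claims with no narrative:
    an empty narrative is an assertion no assessor will accept, so fail here
    instead of generating a hollow SSP section.
    """
    idx: Dict[Tuple[str, str], List[Tuple[str, str, str]]] = {}
    for comp in components:
        for entry in comp.get("satisfies", []):
            status = entry.get("implementation_status", "none")
            if status not in VALID_STATUS:
                raise ValueError(f"{comp['name']} {entry['control_key']}: bad status {status!r}")
            text = " ".join(n.get("text", "").strip() for n in entry.get("narrative", [])).strip()
            if status == "complete" and not text:
                raise ValueError(f"{comp['name']} {entry['control_key']}: complete but no narrative")
            key = (entry["standard_key"], entry["control_key"])
            idx.setdefault(key, []).append((comp["name"], status, text))
    return idx


def gap_report(cert_name: str, components: List[dict],
               certifications: dict = CERTIFICATIONS) -> Dict[str, str]:
    """Best status any component reports for each required control; 'missing' if none."""
    idx = index_responses(components)
    report: Dict[str, str] = {}
    for standard, controls in certifications[cert_name]["standards"].items():
        for control in controls:
            hits = idx.get((standard, control), [])
            report[control] = max((h[1] for h in hits), key=RANK.__getitem__) if hits else "missing"
    return report


def render_ssp(cert_name: str, components: List[dict],
               certifications: dict = CERTIFICATIONS) -> str:
    """Plain-text SSP fragment: one section per control the certification requires."""
    idx = index_responses(components)
    lines = [f"System Security Plan fragment for {cert_name}"]
    for standard, controls in certifications[cert_name]["standards"].items():
        for control in controls:
            lines.append(f"\n{standard} {control}")
            hits = idx.get((standard, control), [])
            if not hits:
                lines.append("  NOT ADDRESSED: no component claims this control")
            for name, status, text in hits:
                lines.append(f"  [{name}] status={status}")
                lines.append(f"  {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    for cert in CERTIFICATIONS:
        rep = gap_report(cert, [COMPONENT])
        missing = sorted(c for c, s in rep.items() if s == "missing")
        print(f"{cert}: {len(rep) - len(missing)}/{len(rep)} required controls referenced; missing: {missing}")
    print(render_ssp("DoD-STIG", [COMPONENT]))
```

The gap report is the part worth automating in a pipeline: run it against every certification a deployment targets and fail the build when a required control is "missing" or when a "complete" claim carries no narrative, so the generated ATO package never silently drifts from the catalog it is meant to answer.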

Slide 12


Slide 13


Slide 14


Slide 15


NIST NATIONAL CHECKLIST PROGRAM
The National Checklist Program (NCP) is the U.S. Government repository of publicly available security checklists that provide detailed low-level guidance on setting the security configuration of system components and applications.
https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0

Slide 16


Slide 17


ComplianceAsCode Project
https://github.com/ComplianceAsCode

Slide 18


INNOVATION DOES NO GOOD IF YOU CAN’T SECURE IT