Federal Cloud Computing: The Definitive Guide for Cloud Service Providers

Author: Matthew Metheny

Publisher: Syngress
Year: 2017
Language: English
Pages: 538
Edition: 2
Category: Library


✦ Synopsis


Federal Cloud Computing: The Definitive Guide for Cloud Service Providers, Second Edition offers an in-depth look at topics surrounding federal cloud computing within the federal government, including the Federal Cloud Computing Strategy, Cloud Computing Standards, Security and Privacy, and Security Automation.

You will learn the basics of the NIST risk management framework (RMF) with a specific focus on cloud computing environments, all aspects of the Federal Risk and Authorization Management Program (FedRAMP) process, and steps for cost-effectively implementing the Assessment and Authorization (A&A) process, as well as strategies for implementing Continuous Monitoring, enabling the Cloud Service Provider to address the FedRAMP requirement on an ongoing basis.

This updated edition covers the latest changes to the FedRAMP program, including clarifying guidance on the paths for Cloud Service Providers to achieve FedRAMP compliance, an expanded discussion of the new FedRAMP Security Control baseline, which is based on NIST SP 800-53 Revision 4, and maintaining FedRAMP compliance through Continuous Monitoring. Further, a new chapter has been added on the FedRAMP requirements for Vulnerability Scanning and Penetration Testing.

  • Provides a common understanding of the federal requirements as they apply to cloud computing
  • Offers a targeted and cost-effective approach for applying the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
  • Features both technical and non-technical perspectives of the Federal Assessment and Authorization (A&A) process that speaks across the organization

✦ Table of Contents


Front Cover
Federal Cloud Computing
Copyright Page
Dedication
Contents
About the Author
About the Technical Editor
Foreword by William Corrington
Foreword by Jim Reavis
1 Introduction to the federal cloud computing strategy
Introduction
A Historical View of Federal IT
The Early Years and the Mainframe Era
Shifting to Minicomputer
Decentralization: The Microcomputer (“Personal Computer”)
Transitioning to Mobility
Evolution of Federal IT Policy
Cloud Computing: Drivers in Federal IT Transformation
Drivers for Adoption
Cloud Benefits
Improving efficiency
Improving agility
Improving innovation
Decision Framework for Cloud Migration
Selecting Services to Move to the Cloud
Provisioning Cloud Services Effectively
Managing Services Rather Than Assets
Summary
References
2 Cloud computing standards
Introduction
Standards Development Primer
Cloud Computing Standardization Drivers
Federal Laws and Policy
Trade Agreements Act (TAA)
National Technology Transfer and Advancement Act (NTTAA)
Office of Management and Budget (OMB) Circular A-119
Adoption Barriers
Identifying Standards for Federal Cloud Computing Adoption
Standards Development Organizations (SDOs) and Other Community-Driven Organizations
Standards Inventory
Summary
References
3 A case for open source
Introduction
Open Source Software and the Federal Government
Open Source Software Adoption Challenges: Acquisition and Security
Acquisition Challenges
Security Challenges
Open Source Software and Federal Cloud Computing
Summary
References
4 Security and privacy in public cloud computing
Introduction
Security and Privacy in the Context of the Public Cloud
Federal Privacy Laws and Policies
Privacy Act of 1974
Federal Information Security Modernization Act (FISMA)
OMB Memorandum Policies
Safeguarding Privacy Information
Privacy Controls
Data Breaches, Impacts, and Consequences
Security and Privacy Issues
Summary
References
5 Applying the NIST risk management framework
Introduction to FISMA
Purpose
Roles and Responsibilities
Director of OMB
Secretary of DHS
NIST
Federal Agencies
Head of Agency or Equivalent
Federal Agency Information Security Program
Federal Agency Independent Evaluations and Reporting
Risk Management Framework Overview
The Role of Risk Management
The NIST RMF and the System Development Life Cycle
NIST RMF Process
Information System Categorization
Relationship between the NIST RMF and the Federal Enterprise Architecture
Shared Responsibility and the Chain of Trust
Overview of the Security Categorization Process
Identify Information Types
Select Provisional Impact Values for Each Information Type
Adjust the Information Type’s Provisioning Impact Value and Security Category
Determine the System Security Impact Level
Security Controls Selection
Tailoring the Initial Baseline
Applying Scoping Considerations
Selecting Compensating Security Controls
Assigning Security Control Parameter Values
Supplementing the Tailored Baseline
Documenting the Tailoring and Supplementation Process
Continuous Monitoring Strategy
Allocating Security Controls
Decomposition
Security Controls Implementation
Implementing and Documenting Security Controls
Security Controls Assessment
Assessment Preparation
Security Assessment Plan
Assessing Security Controls
Reporting Assessment Results
Information System Authorization
Corrective Action Planning
Developing a Risk Mitigation Strategy
Documenting POA&Ms
Security Authorization Approaches
Security Authorization Process
Security Controls Monitoring
Determining Security Impact
Ongoing Security Controls Assessments
Key Updates and Status Reporting
Ongoing Risk Determination and Acceptance
Summary
References
6 Risk management
Introduction to Risk Management
Federal Information Security Risk Management Practices
Overview of Enterprise-Wide Risk Management
Components of the NIST Risk Management Process
Risk Framing
Risk Assessment
Risk Response
Risk Monitoring
Multitiered Risk Management
Tier 1 Risk Management Activities
Tier 2 Risk Management Activities
Tier 3 Risk Management Activities
NIST Risk Management Process
Framing Risk
Assessing Risk
Responding to Risk
Monitoring Risk
Comparing the NIST and ISO/IEC Risk Management Processes
Summary
References
7 Comparison of federal and international security certification standards
Introduction
Overview of Certification and Accreditation
Evolution of the Federal C&A Processes
Civilian agencies
Department of Defense (DoD)
Intelligence Community (IC)
Committee on National Security Systems (CNSS)
Towards a Unified Approach to C&A
NIST and ISO/IEC Information Security Standards
Boundary and Scope Definition
Security Policy
Risk Management Strategy (Context)
Risk Management Process
Security Objectives and Controls
Summary
References
8 FedRAMP primer
Introduction to FedRAMP
FedRAMP Overview
FedRAMP Policy Memo
FedRAMP Governance and Stakeholders
Primary Stakeholders
DHS
JAB
FedRAMP PMO
Federal Agencies
FedRAMP Accelerated Process
FedRAMP Security Assessment Framework
FedRAMP Security Assessment Framework Phases
Document Phase
Major Milestone Outputs
Assess Phase
Major Milestone Outputs
Authorize Phase
Major Milestone Output
Leveraging the ATO
Monitor Phase
Operational Visibility
Change Control
Incident Response
Third Party Assessment Organization Program
Summary
References
9 The FedRAMP cloud computing security requirements
Security Control Selection Process
Selecting the Security Control Baseline
Tailoring and Supplementing Security Control Baseline
FedRAMP Cloud Computing Overlay
FedRAMP Cloud Computing Security Requirements
Policy and Procedures
Harmonizing FedRAMP Requirements
Assurance of External Service Providers Compliance
Approaches to Implementing FedRAMP Security Controls
FedRAMP Security Control Requirements
Federal Laws, Executive Orders, Policies, Directives, Regulations, Standards and Guidelines
Federal Laws and Executive Orders
Federal Policies, Directives, and Regulations
Federal Standards
Federal Guidelines and Interagency Reports
Summary
References
10 Security testing: vulnerability assessments and penetration testing
Introduction to Security Testing
Vulnerability Assessment
Penetration Testing
FedRAMP Vulnerability Scan and Penetration Testing Requirements
General
Web Application
Social Engineering
Summary
References
11 Security assessment and authorization: Governance, preparation, and execution
Introduction to the Security Assessment Process
Governance in the Security Assessment
Preparing for the security assessment
Security Assessment Customer Responsibilities
Selecting a Security Assessment Provider
Security Assessment Planning
Security Assessment Provider Responsibilities
Selection of Security Assessment Team Members
Developing the Security Assessment Plan
Identify In-Scope Security Controls
Select Assessment Procedures
Tailor Assessment Procedures
Selecting Assessment Methods and Objects
Selecting Depth and Coverage Attributes
Supplementing Assessment Procedures
Optimize Assessment Procedures
Finalize and Approve Assessment Plan
Executing the Security Assessment Plan
Summary
References
12 Strategies for continuous monitoring
Introduction to Continuous Monitoring
Organizational Governance
CM Strategy
CM Program
The Continuous Monitoring Process
Defining a CM Strategy
Implementing a CM Program
Review and Update CM Strategy and Program
Continuous Monitoring within FedRAMP
Summary
References
13 Continuous monitoring through security automation
Introduction
CM Reference Architectures
Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture
CAESARS Framework Extension Reference Architecture
Subsystems and components
Specifications: Workflows, subsystems, and interfaces
Specification layers
Workflows
Subsystems
Interfaces
Security Automation Standards and Specifications
Security Content Automation Protocol
Cybersecurity Information Exchange Framework
Operational Visibility and Continuous Monitoring
Summary
References
14 A case study for cloud service providers
Case Study Scenario: “Healthcare Exchange”
Applying the Risk Management Framework within FedRAMP
Categorize Information System
Select Security Controls
Defining the boundary
Tailoring and supplementing
Implement and Document Security Controls
Assessing Security Controls
Summary
References
Index
Back Cover
