
2012.02.26

FedRAMP (a standardized approach to security assessment of cloud services)

 Hello, this is Mitsuhiko Maruyama. The Federal Risk and Authorization Management Program (FedRAMP) is the program the U.S. federal government announced in December 2011 for using cloud services securely.
 FedRAMP is described as a standardized approach to the security assessment of cloud services.

 
■U.S. General Services Administration
FedRAMP

Recent Updates & Releases

FedRAMP Policy Memo (OMB)
3PAO Program Description
FedRAMP Security Controls
FedRAMP Concept of Operations (CONOPS)

・FedRAMP Policy Memo (OMB)
=====
FedRAMP will provide a cost-effective, risk-based approach for the adoption and use of cloud services by making available to Executive departments and agencies:
 ・Standardized security requirements for the authorization and ongoing cybersecurity of cloud services for selected information system impact levels;
 ・A conformity assessment program capable of producing consistent independent, third-party assessments of security controls implemented by CSPs;
 ・Authorization packages of cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from the DHS, DOD, and GSA;
 ・Standardized contract language to help Executive departments and agencies integrate FedRAMP requirements and best practices into acquisition; and
 ・A repository of authorization packages for cloud services that can be leveraged government-wide.
FedRAMP will reduce duplicative efforts, inconsistencies and cost inefficiencies associated with the current security authorization process. FedRAMP establishes a public-private partnership to promote innovation and the advancement of more secure information technologies.
=====

FedRAMP Concept of Operations (CONOPS)
=====
1. About this document
 1.1. Who should use this document?
 1.2. How this document is organized
 1.3. How to contact us
2. FedRAMP Definition and purpose
 2.1. Stakeholders
 2.2. FedRAMP Governance and Roles
3. High Level Operations
 3.1. Phased Approach
 3.2. Priority Queue
 3.3. FedRAMP Program Change
4. How to Use FedRAMP
 4.1. Federal agencies
  4.1.1. Leveraging Authorizations
  4.1.2. Initiating Assessments with FedRAMP
  4.1.3. Implement Continuous Monitoring
  4.1.4. Ensure FedRAMP Requirements Are Met Contractually
 4.2. Cloud Service Providers
 4.3. Third Party Assessment Organizations (3PAO)
5. Third-Party Assessment Organizations
 5.1. Applying for FedRAMP Accreditation
 5.2. 3PAO Accreditation Evaluation
 5.3. Maintaining the Accreditation
 5.4. Transitioning to a Privatized Board
6. Security Assessments
 6.1. Initiating A Request
 6.2. Documenting the Security Controls
 6.3. Performing the Security Testing
 6.4. Finalizing the Security Assessment
7. Leveraging the Provisional Authorization
 7.1. FedRAMP Secure Repository
  7.1.1. CSP Supplied
  7.1.2. Agency ATO
  7.1.3. Agency ATO with Accredited 3PAO
  7.1.4. JAB Provisional Authorization
8. Ongoing Assessment and Authorization (Continuous Monitoring)
 8.1. Operational Visibility
 8.2. Change Control Process
 8.3. Incident Response
9. References
 9.1. Applicable Laws and Regulations
 9.2. Applicable Standards and Guidance
10. Deliverables
11. Acronyms
=====

●TechTarget
・2012.02.09 Aiming to cut the cost of security assessments: how effective is the U.S.-originated cloud security standard "FedRAMP"?
