Cloud Security Authorizations
U.S. federal agencies are mandated by the Federal Information Security Management Act (FISMA) to understand the security risks posed to their infrastructure and to take appropriate actions to mitigate the risks. Federal agencies are increasingly leveraging cloud computing services. Cloud computing offers benefits but also poses cybersecurity risks. OMB requires agencies to use the Federal Risk and Authorization Management Program to authorize their use of cloud services. 1ClickSecurity has worked directly with the FedRAMP PMO to obtain access to sensitive cloud service provider security documentation. We review this documentation to identify weaknesses and risks that exist in cloud infrastructure. We use the Customer Responsibility Matrix to clearly delineate security control responsibilities, i.e. hybrid versus system-specific.
Security Assessment and Authorization (SA&A), formerly Certification and Accreditation (C&A), is the process by which Federal agencies evaluate their information technology infrastructure and document evidence necessary for security assurance accreditation. Working through the SA&A process can be a heavy lift and many agencies require additional resources to meet their SA&A needs. Assessment is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system. The evaluation process compares the current system’s security posture with specific standards. The assessment process ensures that security weaknesses are identified and plans for mitigation strategies are in place. Authorization, on the other hand, is the process of accepting the residual risks associated with the continued operation of a system and granting approval to operate for a specified period of time.
We have developed SA&A packages for 10 cloud-based General Support Systems and Major Applications in accordance with NIST 800-53 R4 and the Risk Management Framework (RMF).