"Federal Cloud Computing: The Definitive Guide for Cloud Service Providers" offers an in-depth look at cloud computing within the federal government, including the Federal Cloud Computing Strategy, cloud computing standards, security and privacy, and security automation. You will learn the basics of the NIST Risk Management Framework (RMF) with a specific focus on cloud computing environments, all aspects of the Federal Risk and Authorization Management Program (FedRAMP) process, the steps for cost-effectively implementing the Assessment and Authorization (A&A) process, and strategies for implementing continuous monitoring so that a Cloud Service Provider can meet the FedRAMP requirements on an ongoing basis. The text provides a common understanding of the federal requirements as they apply to cloud computing, a targeted and cost-effective approach for applying the National Institute of Standards and Technology (NIST) RMF, and both technical and non-technical perspectives on the federal A&A process that speak across the organization.
About the Author xv
About the Technical Editor xvii
Foreword by William Corrington xix
Foreword by Jim Reavis xxi

Chapter 1 Introduction to the Federal Cloud Computing Strategy 1 (30)
Introduction 1 (4)
A Historical View of Federal IT 5 (1)
The Early Years and the Mainframe Era 5 (2)
Shifting to Minicomputer 7 (1)
Decentralization: The Microcomputer ("Personal Computer") 8 (2)
Transitioning to Mobility 10 (1)
Evolution of Federal IT Policy 11 (8)
Cloud Computing: Drivers in Federal IT Transformation 19 (1)
Drivers for Adoption 20 (3)
Cloud Benefits 23 (2)
Decision Framework for Cloud Migration 25 (1)
Selecting Services to Move to the Cloud 26 (1)
Provisioning Cloud Services Effectively 27 (1)
Managing Services Rather Than Assets 28 (1)
Summary 28 (3)

Chapter 2 Cloud Computing Standards 31 (22)
Introduction 31 (3)
Standards Development Primer 34 (2)
Cloud Computing Standardization Drivers 36 (1)
Federal Laws and Policy 36 (1)
Adoption Barriers 37 (2)
Identifying Standards for Federal Cloud Computing Adoption 39 (1)
Standards Development Organizations (SDOs) and Other Community-Driven Organizations 40 (1)
Standards Inventory 40 (10)
Summary 50 (3)

Chapter 3 A Case for Open Source 53 (18)
Introduction 53 (2)
Open Source and the Federal Government 55 (5)
OSS Adoption Challenges: Acquisition and Security 60 (1)
Acquisition Challenges 61 (1)
Security Challenges 62 (3)
OSS and Federal Cloud Computing 65 (3)
Summary 68 (3)

Chapter 4 Security and Privacy in Public Cloud Computing 71 (32)
Introduction 71 (2)
Security and Privacy in the Context of the Public Cloud 73 (2)
Federal Privacy Laws and Policies 75 (2)
Privacy Act of 1974 77 (2)
E-Government Act of 2002, Federal Information Security Management Act (FISMA) 79 (2)
OMB Memorandum Policies 81 (1)
Safeguarding Privacy Information 82 (2)
Privacy Controls 84 (13)
Data Breaches, Impacts, and Consequences 97 (2)
Security and Privacy Issues 99 (2)
Summary 101 (2)

Chapter 5 Applying the NIST Risk Management Framework 103 (66)
Introduction to FISMA 103 (1)
Purpose 103 (1)
Role and Responsibilities 104 (5)
Risk Management Framework Overview 109 (1)
The Role of Risk Management 110 (1)
The NIST RMF and the System Development Life Cycle 110 (2)
NIST RMF Process 112 (3)
Information System Categorization 115 (14)
Security Control Selection 129 (12)
Security Controls Implementation 141 (2)
Security Controls Assessment 143 (5)
Information System Authorization 148 (9)
Security Controls Monitoring 157 (8)
Summary 165 (4)

Chapter 6 Risk Management 169 (26)
Introduction to Risk Management 169 (3)
Federal Information Security Risk Management Practices 172 (3)
Overview of Enterprise-Wide Risk Management 175 (1)
Components of the NIST Risk Management Process 175 (4)
Multi-Tiered Risk Management 179 (3)
NIST Risk Management Process 182 (1)
Framing Risk 183 (2)
Risk Assessment 185 (1)
Responding to Risk 186 (2)
Monitoring Risk 188 (1)
Comparing the NIST and ISO/IEC Risk Management Processes 189 (4)
Summary 193 (2)

Chapter 7 Comparison of Federal and International Security Certification Standards 195 (22)
Introduction 195 (1)
Overview of Certification and Accreditation 196 (3)
Evolution of the Federal C&A Processes 199 (5)
Towards a Unified Approach to C&A 204 (1)
NIST and ISO/IEC Information Security Standards 205 (1)
Boundary and Scope Definition 206 (3)
Security Policy 209 (1)
Risk Management Strategy (Context) 210 (1)
Risk Management Process 210 (1)
Security Objectives and Controls 211 (4)
Summary 215 (2)

Chapter 8 FedRAMP Primer 217 (24)
Introduction to FedRAMP 217 (2)
FedRAMP Policy Memo 219 (2)
Primary Stakeholders 221 (4)
FedRAMP Concept of Operations 225 (1)
Operational Processes 226 (11)
Third Party Assessment Organization Program 237 (1)
Summary 238 (3)

Chapter 9 The FedRAMP Cloud Computing Security Requirements 241 (88)
Security Control Selection Process 241 (1)
Selecting the Security Control Baseline 242 (1)
Tailoring and Supplementing Security Control Baseline 242 (1)
FedRAMP Cloud Computing Overlay 243 (1)
FedRAMP Cloud Computing Security Requirements 243 (2)
Policy and Procedures 245 (2)
Harmonizing FedRAMP Requirements 247 (2)
Assurance of External Service Providers Compliance 249 (1)
Approaches to Implementing FedRAMP Security Controls 250 (3)
FedRAMP Security Control Requirements 253 (73)
Summary 326 (3)

Chapter 10 Security Assessment and Authorization: Governance, Preparation, and Execution 329 (20)
Introduction to the Security Assessment Process 329 (2)
Governance in the Security Assessment 331 (3)
Preparing for the Security Assessment 334 (2)
Security Assessment Customer Responsibilities 336 (3)
Security Assessment Provider Responsibilities 339 (7)
Executing the Security Assessment Plan 346 (2)
Summary 348 (1)

Chapter 11 Strategies for Continuous Monitoring 349 (26)
Introduction to Continuous Monitoring 349 (2)
Organizational Governance 351 (3)
CM Strategy 354 (2)
CM Program 356 (1)
The Continuous Monitoring Process 356 (1)
Defining a CM Strategy 357 (1)
Implementing a CM Program 358 (5)
Review and Update CM Strategy and Program 363 (1)
Continuous Monitoring within FedRAMP 364 (9)
Summary 373 (2)

Chapter 12 Cost-Effective Compliance Using Security Automation 375 (20)
Introduction 375 (2)
CM Reference Architectures 377 (1)
Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture 378 (1)
CAESARS Framework Extension Reference Architecture 378 (10)
Security Automation Standards and Specifications 388 (1)
Security Content Automation Protocol 389 (1)
Cybersecurity Information Exchange Framework 389 (1)
Operational Visibility and Continuous Monitoring 390 (3)
Summary 393 (2)

Chapter 13 A Case Study for Cloud Service Providers 395 (26)
Case Study Scenario: "Healthcare Exchange" 395 (1)
Applying the Risk Management Framework within FedRAMP 396 (1)
Categorize Information System 396 (16)
Select Security Controls 412 (3)
Implement and Document Security Controls 415 (1)
Assessing Security Controls 415 (4)
Summary 419 (2)

Index 421