Cloud Computing Concerns of the U.S. Government by Michael Erbschloe

IA-8 (3); IDENTIFICATION AND AUTHENTICATION; Identification And Authentication (Non-Organization Users) - Enhancement:
Use Of FICAM-Approved Products

The organization employs only FICAM-approved information system components in
    [Assignment: organization-defined information systems]
to accept third-party credentials.

References: None.

IA-8 (3)
Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

IR-1; INCIDENT RESPONSE; Incident Response Policy And Procedures:

The organization:
a. Develops, documents, and disseminates to
    [Assignment: organization-defined personnel or roles]:
    1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
    1. Incident response policy
    [Assignment: organization-defined frequency]; and
    2. Incident response procedures
    [Assignment: organization-defined frequency].

References: NIST Special Publications 800-12, 800-61, 800-83, 800-100.

IR-1
a. all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO

b. (1) every 5 years
b. (2) annually


Source:
DoD RMF TAG
-------------------

IR-1.b.1 [at least every 3 years]
IR-1.b.2 [at least annually]

Source:
FedRAMP v2
-------------------

IR-2; INCIDENT RESPONSE; Incident Response Training:

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within
    [Assignment: organization-defined time period]
of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency]
thereafter.

References: NIST Special Publications 800-16, 800-50.

IR-2
a. 30 working days

c. Annually

Source:
DoD RMF TAG
-------------------

IR-2b. [at least annually]

Source:
FedRAMP v2
-------------------

IR-3; INCIDENT RESPONSE; Incident Response Testing And Exercises RENAMED: Incident Response Testing:

The organization tests the incident response capability for the information system
    [Assignment: organization-defined frequency]
using
    [Assignment: organization-defined tests]
to determine the incident response effectiveness and documents the results.

References: NIST Special Publications 800-84, 800-115.

IR-3
At least every six months for high availability and at least annually for low/med availability

Tests as defined in the incident response plan

Source:
DoD RMF TAG
-------------------

IR-3. [at least annually]

Source:
FedRAMP v2
-------------------

FedRAMP Additional Requirements and Guidance:
IR-3. Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended).
Requirement: For JAB Authorization, the service provider provides test plans to the Authorizing Official (AO) annually.

Requirement: Test plans are approved and accepted by the Authorizing Official prior to test commencing.

IR-4 (3); INCIDENT RESPONSE; Incident Handling - Enhancement:
Continuity Of Operations

The organization identifies
    [Assignment: organization-defined classes of incidents]
and
    [Assignment: organization-defined actions to take in response to classes of incidents]
to ensure continuation of organizational missions and business functions.

References: None.

IR-4 (3)
Classes of incidents defined in CJCSM 6510.01B, Appendix A, Enclosure B

Actions defined in CJCSM 6510.01B

Source:
DoD RMF TAG
-------------------

IR-4 (7); INCIDENT RESPONSE; Incident Handling - Enhancement:
Insider Threats - Intra-Organization Coordination

The organization coordinates incident handling capability for insider threats across
    [Assignment: organization-defined components or elements of the organization].

References: None.

IR-4 (7)
Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

IR-4 (8); INCIDENT RESPONSE; Incident Handling - Enhancement:
Correlation With External Organizations

The organization coordinates with
    [Assignment: organization-defined external organizations]
to correlate and share
    [Assignment: organization-defined incident information]
to achieve a cross-organization perspective on incident awareness and more effective incident responses.

References: None.

IR-4 (8)
The appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT)

Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

IR-6; INCIDENT RESPONSE; Incident Reporting:

The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within
    [Assignment: organization-defined time period]; and
b. Reports security incident information to
    [Assignment: organization-defined authorities].

References: NIST Special Publication 800-61; Web: WWW.US-CERT.GOV.

IR-6
a. the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance

b. The appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT)

Source:
DoD RMF TAG
-------------------

IR-6a. [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]

Source:
FedRAMP v2
-------------------

FedRAMP Additional Requirements and Guidance:
Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure.

IR-6 (2); INCIDENT RESPONSE; Incident Reporting - Enhancement:
Vulnerabilities Related To Incidents

The organization reports information system vulnerabilities associated with reported security incidents to
    [Assignment: organization-defined personnel or roles].

References: None.

IR-6 (2)
Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

IR-8; INCIDENT RESPONSE; Incident Response Plan:

The organization:
a. Develops an incident response plan that:
    1. Provides the organization with a roadmap for implementing its incident response capability;
    2. Describes the structure and organization of the incident response capability;
    3. Provides a high-level approach for how the incident response capability fits into the overall organization;
    4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
    5. Defines reportable incidents;
    6. Provides metrics for measuring the incident response capability within the organization;
    7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
    8. Is reviewed and approved by
    [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to
    [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan
    [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to
    [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification.

References: NIST Special Publication 800-61.

IR-8
a. at a minimum, the ISSM and ISSO
b. all stakeholders identified in the incident response plan
c. at least annually (incorporating lessons learned from past incidents)
e. all stakeholders identified in the incident response plan, not later than 30 days after the change is made

Source:
DoD RMF TAG
-------------------

IR-8c. [at least annually]


Source:
FedRAMP v2
-------------------

FedRAMP Additional Requirements and Guidance:
IR-8(b) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
IR-8(e) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

IR-9; INCIDENT RESPONSE; Information Spillage Response:

The organization responds to information spills by:
a. Identifying the specific information involved in the information system contamination;
b. Alerting
    [Assignment: organization-defined personnel or roles]
of the information spill using a method of communication not associated with the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently contaminated; and
f. Performing other
    [Assignment: organization-defined actions].

References: None.

IR-9
b. at a minimum, the OCA, the information owner/originator, the ISSM, the activity security manager, and the responsible computer incident response center

f. Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

IR-9 (1); INCIDENT RESPONSE; Information Spillage Response - Enhancement:
Responsible Personnel

The organization assigns
    [Assignment: organization-defined personnel or roles]
with responsibility for responding to information spills.

References: None.

IR-9 (1)
Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

IR-9 (2); INCIDENT RESPONSE; Information Spillage Response - Enhancement:
Training

The organization provides information spillage response training
    [Assignment: organization-defined frequency].

References: None.

IR-9 (2)
Annually

Source:
DoD RMF TAG
-------------------

IR-9 (3); INCIDENT RESPONSE; Information Spillage Response - Enhancement:
Post-Spill Operations

The organization implements
    [Assignment: organization-defined procedures]
to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

References: None.

IR-9 (3)
Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

IR-9 (4); INCIDENT RESPONSE; Information Spillage Response - Enhancement:
Exposure To Unauthorized Personnel

The organization employs
    [Assignment: organization-defined security safeguards]
for personnel exposed to information not within assigned access authorizations.

References: None.

IR-9 (4)
Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

MA-1; MAINTENANCE; System Maintenance Policy And Procedures:

The organization:
a. Develops, documents, and disseminates to
    [Assignment: organization-defined personnel or roles]:
    1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
    1. System maintenance policy
    [Assignment: organization-defined frequency]; and
    2. System maintenance procedures
    [Assignment: organization-defined frequency].

References: NIST Special Publications 800-12, 800-100.

MA-1
a. all stakeholders identified in the maintenance policy

b. (1) every 5 years
b. (2) annually

Source:
DoD RMF TAG
-------------------

MA-1.b.1 [at least every 3 years]
MA-1.b.2 [at least annually]

Source:
FedRAMP v2
-------------------

MA-2; MAINTENANCE; Controlled Maintenance:

The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that
    [Assignment: organization-defined personnel or roles]
explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes
    [Assignment: organization-defined maintenance-related information]
in organizational maintenance records.

References: None.

MA-2
c. Not appropriate for DoD to define for all CSP's infrastructure or service offerings

f. Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

MA-3 (3); MAINTENANCE; Maintenance Tools - Enhancement:
Prevent Unauthorized Removal

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from
    [Assignment: organization-defined personnel or roles]
explicitly authorizing removal of the equipment from the facility.

References: None.

MA-3 (3)
d. Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG
-------------------

MA-3 (3) (d). [the information owner explicitly authorizing removal of the equipment from the facility]

Source:
FedRAMP v2
-------------------

MA-6; MAINTENANCE; Timely Maintenance:

The organization obtains maintenance support and/or spare parts for
    [Assignment: organization-defined information system components]
within
    [Assignment: organization-defined time period]
of failure.

References: None.

MA-6
Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Within 24 hours (Low and Moderate Availability) or immediately upon failure (High Availability)

Source:
DoD RMF TAG
-------------------

MP-1; MEDIA PROTECTION; Media Protection Policy And Procedures:

The organization:
a. Develops, documents, and disseminates to
    [Assignment: organization-defined personnel or roles]:
    1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls;
and
b. Reviews and updates the current:
    1. Media protection policy
    [Assignment: organization-defined frequency]; and
    2. Media protection procedures
    [Assignment: organization-defined frequency].

References: NIST Special Publications 800-12, 800-100.

MP-1
a. all users

b. (1) every 5 years
b. (2) annually

Source:
DoD RMF TAG
-------------------

MP-1.b.1 [at least every 3 years]
MP-1.b.2 [at least annually]

Source:
FedRAMP v2
-------------------

MP-2; MEDIA PROTECTION; Media Access:

The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined personnel or roles].

References: FIPS Publication 199; NIST Special Publication 800-111.

MP-2
All types of digital and/or non-digital media containing information not cleared for public release

Not appropriate for DoD to define for all CSP's infrastructure or service offerings, but types of media must be identified IAW DoD 5200.01-M, CTO 10-133, and CTO 08-001

Source:
DoD RMF TAG
-------------------

MP-3; MEDIA PROTECTION; Media Marking:

The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts
    [Assignment: organization-defined types of information system media]
from marking as long as the media remain within
    [Assignment: organization-defined controlled areas].

References: FIPS Publication 199.

MP-3
b. nothing unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4

b. all areas unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4

Source:
DoD RMF TAG
-------------------

MP-3b. [no removable media types]

Source:
FedRAMP v2
-------------------

FedRAMP Additional Requirements and Guidance:
MP-3b. Guidance: Second parameter not applicable.

MP-4; MEDIA PROTECTION; Media Storage:

The organization:
a. Physically controls and securely stores
    [Assignment: organization-defined types of digital and/or non-digital media]
within
    [Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

References: FIPS Publication 199; NIST Special Publications 800-56, 800-57, 800-11

MP-4
a (1). all digital and non-digital media containing sensitive, controlled, and/or classified information.

a (2). areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media.

Source:
