Continuous Monitoring Strategy & Guide
Version 2.0
June 6, 2014

Executive Summary

The OMB memorandum M-10-15, issued on April 21, 2010, moved federal security authorization from a static, point-in-time process to ongoing assessment and authorization throughout the system development life cycle. Consistent with this direction favored by OMB and supported in NIST guidelines, FedRAMP developed an ongoing assessment and authorization program for the purpose of maintaining the authorization of Cloud Service Providers (CSPs).

After a system receives a FedRAMP authorization, its security posture can change over time because of changes to the hardware or software of the cloud service offering, or because new vulnerabilities and exploits are discovered. Ongoing assessment and authorization gives federal agencies that use cloud services a method of detecting changes to the security posture of a system so that they can make risk-based decisions.

This guide describes the FedRAMP strategy that CSPs follow once they have received a FedRAMP Provisional Authorization. CSPs must continuously monitor the cloud service offering to detect changes in the security posture of the system and to enable well-informed, risk-based decision making. This guide instructs CSPs on the FedRAMP strategy for continuously monitoring their systems.

Document Revision History

Date         Page(s)   Description                                                                          Author
06/06/2014             Major revision for SP 800-53 Revision 4. Includes new template and formatting changes.   FedRAMP PMO

Table of Contents

About this document
    Who should use this document?
    How this document is organized
    How to contact us
1. Overview
    1.1. Purpose of This Document
    1.2. Continuous Monitoring Process
2. Continuous Monitoring Roles & Responsibilities
    2.1. Authorizing Official
    2.2. FedRAMP PMO
    2.3. Department of Homeland Security (DHS)
    2.4. Third Party Assessment Organization (3PAO)
3. Continuous Monitoring Process Areas
    3.1. Operational Visibility
    3.2. Change Control
    3.3. Incident Response
Appendix A Control Frequencies
Appendix B Template Monthly Reporting Summary
    JAB P-ATO Continuous Monitoring Analysis

List of Tables
    Table 3-1 Control Selection Criteria
    Table A-1 Summary of Continuous Monitoring Activities & Deliverables

List of Figures
    Figure 1 NIST Special Publication 800-137 Continuous Monitoring Process

ABOUT THIS DOCUMENT

This document has been developed to provide guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. This document is not a FedRAMP template; there is nothing to fill out in this document.

WHO SHOULD USE THIS DOCUMENT?

This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessment Organizations (3PAOs), government contractors working on FedRAMP projects, and government employees working on FedRAMP projects. It may also prove useful for other organizations that are developing a continuous monitoring program.

HOW THIS DOCUMENT IS ORGANIZED

This document is divided into three numbered sections and two appendices.

Section 1    Provides an overview of the continuous monitoring process.
Section 2    Describes roles and responsibilities for stakeholders other than CSPs.
Section 3    Describes how operational visibility, change control and incident response support continuous monitoring.
Appendix A   Describes the security control frequencies.
Appendix B   Provides the template monthly reporting summary (JAB P-ATO continuous monitoring analysis).

HOW TO CONTACT US

Questions about FedRAMP or this document may be directed to . For more information about FedRAMP, visit the website at .

1. Overview

Within the FedRAMP Security Assessment Framework, once an authorization has been granted, the CSP's security posture is monitored according to the assessment and authorization process. Monitoring security controls is part of the overall risk management framework for information security and is a requirement for CSPs to maintain a security authorization that meets the FedRAMP requirements.

Traditionally, this process has been referred to as "Continuous Monitoring", as noted in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. Other NIST documents, such as NIST SP 800-37 Revision 1, refer to "ongoing assessment of security controls". It is important to note that the terms "Continuous Monitoring" and "Ongoing Security Assessment" mean essentially the same thing and should be interpreted as such.

Performing ongoing security assessments determines whether the set of security controls deployed in a cloud information system remains effective in light of new exploits and attacks, and of the planned and unplanned changes that occur in the system and its environment over time. To maintain an authorization that meets the FedRAMP requirements, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering remains acceptable.

Ongoing assessment of security controls results in greater control over the security posture of the CSP system and enables timely risk-management decisions. Security-related information collected through continuous monitoring is used to make recurring updates to the security assessment package. Ongoing due diligence and review of security controls keep the security authorization package current, which allows agencies to make informed risk management decisions as they use cloud services.

1.1. Purpose of This Document

This document is intended to provide CSPs with guidance and instructions on how to implement their continuous monitoring program. Certain deliverables and artifacts related to continuous monitoring that FedRAMP requires from CSPs are discussed in this document.

1.2. Continuous Monitoring Process

The FedRAMP continuous monitoring program is based on the continuous monitoring process described in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. The goal is to provide: (i) operational visibility; (ii) managed change control; and (iii) attendance to incident response duties. For more information on incident response, review the FedRAMP Incident Communications Procedure.

The effectiveness of a CSP's continuous monitoring capability supports ongoing authorization and reauthorization decisions. Security-related information collected during continuous monitoring is used to update the security authorization package. The updated documents provide evidence that the FedRAMP baseline security controls continue to safeguard the system as originally planned.

As defined by the National Institute of Standards and Technology (NIST), the continuous monitoring process includes the following steps:

- Define a continuous monitoring strategy based on risk tolerance that maintains clear visibility into assets and awareness of vulnerabilities and that uses up-to-date threat information.
- Establish measures, metrics, status monitoring, and control assessment frequencies that make the organizational security status known and that detect changes to the information system infrastructure, the environments of operation, and the effectiveness of security controls, in a manner that supports continued operation within acceptable risk tolerances.
- Implement a continuous monitoring program to collect the data required for the defined measures and report on findings; automate collection, analysis and reporting of data where possible.
- Analyze the data gathered and report findings accompanied by recommendations. It may become necessary to collect additional information to clarify or supplement existing monitoring data.
- Respond to assessment findings by deciding to mitigate technical, management and operational vulnerabilities, to accept the risk, or to transfer it to another authority.
- Review and update the monitoring program, revising the continuous monitoring strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities, to further enhance data-driven control of the security of the organization's information infrastructure, and to increase organizational flexibility.

[Figure 1: NIST Special Publication 800-137 Continuous Monitoring Process]

Security control assessments performed periodically validate whether the stated security controls are implemented correctly, are operating as intended, and meet the FedRAMP baseline security controls. Security status reporting provides federal officials with the information necessary to make risk-based decisions and provides assurance to existing customer agencies regarding the security posture of the system.

2. Continuous Monitoring Roles & Responsibilities

2.1. Authorizing Official

Authorizing Officials and their teams ("AOs") serve as the focal point for coordinating continuous monitoring activities for CSPs. CSPs must coordinate with their AOs to send security control artifacts at various points in time. The AOs monitor both the Plan of Action & Milestones (POA&M) and any significant changes and reporting artifacts (such as vulnerability scan reports) associated with the CSP service offering. AOs use this information to make risk-based decisions about ongoing authorization. Agency customers must perform the following tasks in support of CSP continuous monitoring:

- Notify the CSP if the agency becomes aware of an incident that the CSP has not yet reported.
- Provide a primary and a secondary point of contact (POC) for CSPs and US-CERT (the United States Computer Emergency Readiness Team), as described in the agency and CSP Incident Response Plans.
- Notify US-CERT when a CSP reports an incident.
- Work with CSPs to resolve incidents, coordinating with US-CERT if necessary.
- Notify the FedRAMP ISSO (Information System Security Officer) of CSP incident activity.
- Monitor the security controls that are agency responsibilities.

During incident response, both CSPs and leveraging agencies are responsible for coordinating incident handling activities with each other and with US-CERT. This team-based approach to incident handling ensures that all parties are informed and enables incidents to be closed as quickly as possible.

2.2. FedRAMP PMO

The FedRAMP Program Management Office (PMO) acts as the liaison for the Joint Authorization Board (JAB), ensuring that CSPs with a JAB Provisional Authority to Operate (P-ATO) strictly adhere to their established Continuous Monitoring Plan. The JAB and the FedRAMP PMO perform continuous monitoring activities only for those CSPs that hold a JAB P-ATO.

Note (added by the translator, not part of the original guide): the JAB is the primary governance body of the FedRAMP program and is made up of the Chief Information Officers of the Department of Defense, the Department of Homeland Security, and the General Services Administration.

2.3. Department of Homeland Security (DHS)

The FedRAMP Policy Memo released by OMB defines the DHS FedRAMP responsibilities to include:

- Assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity.
- Coordinating cybersecurity operations and incident response and providing appropriate assistance.
- Developing continuous monitoring standards for the ongoing cybersecurity of federal information systems, to include real-time monitoring and continuously verified operating configurations.
- Developing guidance on agency implementation of the Trusted Internet Connection (TIC) program for cloud services.

The FedRAMP PMO works with DHS to incorporate DHS's guidance into the FedRAMP program guidance and documents.

2.4. Third Party Assessment Organization (3PAO)

Third Party Assessment Organizations (3PAOs) are responsible for independently verifying and validating the control implementation and test results for CSPs in the continuous monitoring phase of the FedRAMP process. Specifically, 3PAOs are responsible for:

- Assessing a defined subset of the security controls annually.
- Submitting the assessment report to the ISSO one year after the CSP's authorization date and each year thereafter.
- Performing announced penetration testing.
- Performing annual scans of web applications, databases, and operating systems.
- Assessing changed controls on an ad hoc basis, as requested by the AOs, for any changes the CSP makes to the system.

To be effective in this role, 3PAOs are responsible for ensuring that the chain of custody is maintained for any 3PAO-authored documentation. 3PAOs must also be able to vouch for the veracity and integrity of data provided by the CSP for inclusion in 3PAO-authored documentation. For example:

- If scans are performed by the CSP, the 3PAO must either be on site to observe the CSP performing the scans, or be able to monitor or verify the results of the scans through other means that are documented and approved by the AO.
- Documentation provided to the CSP must be placed in a format that either the CSP cannot alter or that allows the 3PAO to verify the integrity of the document.

3. Continuous Monitoring Process Areas

3.1. Operational Visibility

An important aspect of a CSP's continuous monitoring program is providing evidence that demonstrates the efficacy of that program. After authorization is granted, CSPs and their independent assessors are required to provide evidentiary information to AOs at a minimum monthly, annually, every three years, and as needed. The submission of these deliverables allows AOs to evaluate the risk posture of the CSP's service offering.

Table A-1 notes which deliverables are required as part of continuous monitoring activities. These deliverables include evidence such as monthly vulnerability scans of the CSP's operating systems/infrastructure, databases, and web applications.

As part of the continuous monitoring process, CSPs are required to have a 3PAO perform an annual assessment of a subset of the controls implemented on the system. During the annual assessment, the controls listed in Table A-1 are tested along with additional controls selected by the AO. The AO may vary the total number of controls tested to meet the desired level of effort for testing. The AO selects the additional controls for testing based on the criteria in Table 3-1.

There are additional requirements for testing and con
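Section 2.4 requires that documentation a 3PAO hands to the CSP be in a format the CSP cannot alter or whose integrity the 3PAO can later verify. The following is an added example, written for this page and not part of the FedRAMP guide or any 3PAO's tooling, of one way to meet the second option with the Python standard library alone: the 3PAO digests every artifact into a manifest and seals the manifest with an HMAC key that only the 3PAO holds, so a CSP-side edit to a scan result, or to the manifest itself, is detected when the package comes back. The file names, file contents and key below are constructed for illustration. Because HMAC is symmetric, only the key holder (the 3PAO) can verify; if the AO must verify independently without being able to forge, the same manifest should be covered by a digital signature instead, which this example does not implement.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample 3PAO-authored artifacts (hypothetical names and contents).
ARTIFACTS = {
    "SAR-2014-06.pdf": b"Security Assessment Report (constructed sample bytes)",
    "scan-os-2014-06.csv": b"host,plugin,severity\n10.0.0.5,12345,High\n",
    "scan-web-2014-06.csv": b"url,finding,severity\n/login,XSS,Medium\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts):
    """Map each artifact name to the SHA-256 of its content."""
    return {name: sha256_hex(content) for name, content in sorted(artifacts.items())}


def canonical(manifest):
    # Deterministic encoding: same manifest content always yields the same bytes,
    # so the HMAC does not depend on dict ordering or whitespace.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest, key):
    """HMAC-SHA256 over the canonical manifest, keyed by the 3PAO-held key."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_package(artifacts, manifest, tag, key):
    """Return (manifest_intact, names of altered, missing or unexpected artifacts).

    If the manifest itself fails its HMAC, nothing in it can be trusted, so every
    listed artifact is reported and manifest_intact is False.
    """
    if not hmac.compare_digest(seal_manifest(manifest, key), tag):
        return False, sorted(manifest)
    problems = []
    for name, digest in manifest.items():
        content = artifacts.get(name)
        if content is None or not hmac.compare_digest(sha256_hex(content), digest):
            problems.append(name)
    # Files the CSP added that the 3PAO never sealed are flagged too.
    problems.extend(name for name in artifacts if name not in manifest)
    return True, sorted(problems)


def demo():
    key = secrets.token_bytes(32)  # generated and retained by the 3PAO only
    manifest = build_manifest(ARTIFACTS)
    tag = seal_manifest(manifest, key)

    # Unmodified package verifies cleanly.
    assert verify_package(ARTIFACTS, manifest, tag, key) == (True, [])

    # A finding in the web scan is quietly downgraded: the altered file is named.
    tampered = dict(ARTIFACTS)
    tampered["scan-web-2014-06.csv"] = ARTIFACTS["scan-web-2014-06.csv"].replace(b"Medium", b"Low")
    assert verify_package(tampered, manifest, tag, key) == (True, ["scan-web-2014-06.csv"])

    # The manifest is rebuilt to match the edited file, but without the key the
    # original tag no longer matches, so the whole package is rejected.
    forged = build_manifest(tampered)
    intact, problems = verify_package(tampered, forged, tag, key)
    assert not intact
    return problems


if __name__ == "__main__":
    print("rejected artifacts after forged manifest:", demo())
```

The manifest and tag travel with the package (or are retained by the 3PAO and compared on return); the key never leaves the 3PAO. `hmac.compare_digest` is used for both the tag and the per-file digests so that the comparison time does not leak how much of a value matched.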
