Continuous Monitoring Strategy & Guide
Version 2.0
June 6, 2014

The OMB memorandum M-10-15, issued on April 21, 2010, changed from static point-in-time security authorization processes to ongoing assessment and authorization throughout the system development life cycle. Consistent with this new direction favored by OMB and supported in NIST guidelines, FedRAMP developed an ongoing assessment and authorization program for the purpose of maintaining the authorization of Cloud Service Providers (CSPs).

After a system receives a FedRAMP authorization, it is probable that the security posture of the system will change over time due to changes in the hardware or software of the cloud service offering, or due to the discovery and use of new exploits. Ongoing assessment and authorization provides federal agencies using cloud services a method of detecting changes to the security posture of a system for the purpose of making risk-based decisions.

This guide describes the FedRAMP strategy for CSPs to use once they have received a FedRAMP Provisional Authorization. CSPs must continuously monitor the cloud service offering to detect changes in the security posture of the system to enable well-informed risk-based decision making. This guide instructs CSPs on the FedRAMP strategy to continuously monitor their systems.

Document Revision History
Date         Page(s)    Description                                                                               Author
06/06/2014              Major revision for SP 800-53 Revision 4. Includes new template and formatting changes.    FedRAMP PMO

Table of Contents
About this document
  Who should use this document?
  How this document is organized
  How to contact us
1. Overview
  1.1. Purpose of This Document
  1.2. Continuous Monitoring Process
2. Continuous Monitoring Roles & Responsibilities
  2.1. Authorizing Official
  2.2. FedRAMP PMO
  2.3. Department of Homeland Security (DHS)
  2.4. Third Party Assessment Organization (3PAO)
3. Continuous Monitoring Process Areas
  3.1. Operational Visibility
  3.2. Change Control
  3.3. Incident Response
Appendix A - Control Frequencies
Appendix B - Template Monthly Reporting Summary
  JAB P-ATO Continuous Monitoring Analysis

List of Tables
Table 3-1 - Control Selection Criteria
Table A-1 - Summary of Continuous Monitoring Activities & Deliverables

List of Figures
Figure 1 - NIST Special Publication 800-137 Continuous Monitoring Process

ABOUT THIS DOCUMENT
This document has been developed to provide guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. This document is not a FedRAMP template; there is nothing to fill out in this document.

WHO SHOULD USE THIS DOCUMENT?
This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessment Organizations (3PAOs), government contractors working on FedRAMP projects, and government employees working on FedRAMP projects. This document may also prove useful for other organizations that are developing a continuous monitoring program.
HOW THIS DOCUMENT IS ORGANIZED
This document is divided into the following sections and appendix.

Section 1: Provides an overview of the continuous monitoring process.
Section 2: Describes roles and responsibilities for stakeholders other than CSPs.
Section 3: Describes how operational visibility, change control and incident response support continuous monitoring.
Appendix A: Describes the security control frequencies.

HOW TO CONTACT US
Questions about FedRAMP or this document may be directed to FedRAMP. For more information about FedRAMP, visit the website at http://www.fedramp.gov.

1. OVERVIEW
Within the FedRAMP Security Assessment Framework, once an authorization has been granted, the CSP's security posture is monitored according to the assessment and authorization process. Monitoring security controls is part of the overall risk management framework for information security and is a requirement for CSPs to maintain a security authorization that meets the FedRAMP requirements.

Traditionally, this process has been referred to as "Continuous Monitoring", as noted in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. Other NIST documents, such as NIST SP 800-37, Revision 1, refer to "ongoing assessment" of security controls. It is important to note that the terms "Continuous Monitoring" and "Ongoing Security Assessments" mean essentially the same thing and should be interpreted as such.

Performing ongoing security assessments determines whether the set of deployed security controls in a cloud information system remains effective in light of new exploits and attacks, and of planned and unplanned changes that occur in the system and its environment over time. To maintain an authorization that meets the FedRAMP requirements, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable.

Ongoing assessment of security controls results in greater control over the security posture of the CSP system and enables timely risk-management decisions. Security-related information collected through continuous monitoring is used to make recurring updates to the security assessment package. Ongoing due diligence and review of security controls enables the security authorization package to remain current, which allows agencies to make informed risk management decisions as they use cloud services.

1.1. PURPOSE OF THIS DOCUMENT
This document is intended to provide CSPs with guidance and instructions on how to implement their continuous monitoring program. Certain deliverables and artifacts related to continuous monitoring that FedRAMP requires from CSPs are discussed in this document.

1.2. CONTINUOUS MONITORING PROCESS
The FedRAMP continuous monitoring program is based on the continuous monitoring process described in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. The goal is to provide: (i) operational visibility; (ii) managed change control; and (iii) attendance to incident response duties. For more information on incident response, review the FedRAMP Incident Communications Procedure.

The effectiveness of a CSP's continuous monitoring capability supports ongoing authorization and reauthorization decisions. Security-related information collected during continuous monitoring is used to make updates to the security authorization package. Updated documents provide evidence that FedRAMP baseline security controls continue to safeguard the system as originally planned.
As defined by the National Institute of Standards and Technology (NIST), the process for continuous monitoring includes the following initiatives:

* Define a continuous monitoring strategy based on risk tolerance that maintains clear visibility into assets and awareness of vulnerabilities and utilizes up-to-date threat information.
* Establish measures, metrics, and status monitoring and control assessment frequencies that make known the organizational security status and detect changes to information system infrastructure and environments of operation, and the status of security control effectiveness, in a manner that supports continued operation within acceptable risk tolerances.
* Implement a continuous monitoring program to collect the data required for the defined measures and report on findings; automate collection, analysis and reporting of data where possible.
* Analyze the data gathered and report findings accompanied by recommendations. It may become necessary to collect additional information to clarify or supplement existing monitoring data.
* Respond to assessment findings by making decisions to either mitigate technical, management and operational vulnerabilities; or accept the risk; or transfer it to another authority.
* Review and update the monitoring program, revising the continuous monitoring strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities; further enhance data-driven control of the security of an organization's information infrastructure; and increase organizational flexibility.

Figure 1 - NIST Special Publication 800-137 Continuous Monitoring Process

Security control assessments performed periodically validate whether stated security controls are implemented correctly, operating as intended, and meet FedRAMP baseline security controls. Security status reporting provides federal officials with the information necessary to make risk-based decisions and provides assurance to existing customer agencies regarding the security posture of the system.

2. CONTINUOUS MONITORING ROLES & RESPONSIBILITIES

2.1. AUTHORIZING OFFICIAL
Authorizing Officials and their teams ("AOs") serve as the focal point for coordination of continuous monitoring activities for CSPs. CSPs must coordinate with their AOs to send security control artifacts at various points in time. The AOs monitor both the Plan of Action & Milestones (POA&M) and any major significant changes and reporting artifacts (such as vulnerability scan reports) associated with the CSP service offering. AOs use this information so that risk-based decisions can be made about ongoing authorization. Agency customers must perform the following tasks in support of CSP continuous monitoring:

* Notify the CSP if the agency becomes aware of an incident that the CSP has not yet reported.
* Provide a primary and secondary POC (point of contact) for CSPs and US-CERT (United States Computer Emergency Readiness Team), as described in agency and CSP Incident Response Plans.
* Notify US-CERT when a CSP reports an incident.
* Work with CSPs to resolve incidents; provide coordination with US-CERT if necessary.
* Notify the FedRAMP ISSO (Information System Security Officer) of CSP incident activity.
* Monitor security controls that are agency responsibilities.

During incident response, both CSPs and leveraging agencies are responsible for coordinating incident handling activities together, and with US-CERT. The team-based approach to incident handling ensures that all parties are informed and enables incidents to be closed as quickly as possible.

2.2. FEDRAMP PMO
The FedRAMP Program Management Office (PMO) acts as the liaison for the Joint Authorization Board (JAB), ensuring that CSPs with a JAB P-ATO (JAB Provisional Authority to Operate) strictly adhere to their established Continuous Monitoring Plan. The JAB and FedRAMP PMO only perform continuous monitoring activities for those CSPs that have a JAB P-ATO.

Note: the JAB is the primary governance body of the FedRAMP program and is composed of the Chief Information Officers of the Department of Defense, the Department of Homeland Security, and the General Services Administration.

2.3. DEPARTMENT OF HOMELAND SECURITY (DHS)
The FedRAMP Policy Memo released by OMB defines the DHS FedRAMP responsibilities to include:
* Assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity.
* Coordinating cybersecurity operations and incident response and providing appropriate assistance.
* Developing continuous monitoring standards for ongoing cybersecurity of Federal information systems, to include real-time monitoring and continuously verified operating configurations.
* Developing guidance on agency implementation of the Trusted Internet Connection (TIC) program for cloud services.

The FedRAMP PMO works with DHS to incorporate DHS's guidance into the FedRAMP program guidance and documents.

2.4. THIRD PARTY ASSESSMENT ORGANIZATION (3PAO)
Third Party Assessment Organizations (3PAOs) are responsible for independently verifying and validating the control implementation and test results for CSPs in the continuous monitoring phase of the FedRAMP process. Specifically, 3PAOs are responsible for:

* Assessing a defined subset of the security controls annually.
* Submitting the assessment report to the ISSO one year after the CSP authorization date and each year thereafter.
* Performing announced penetration testing.
* Performing annual scans of web applications, databases, and operating systems.
* Assessing changed controls on an ad hoc basis, as requested by the AOs, for any changes made to the system by the CSP.
In order to be effective in this role, 3PAOs are responsible for ensuring that the chain of custody is maintained for any 3PAO-authored documentation. 3PAOs must also be able to vouch for the veracity and integrity of data provided by the CSP for inclusion in 3PAO-authored documentation. As an example:

* If scans are performed by the CSP, the 3PAO must either be on site and observe the CSP performing the scans, or be able to monitor or verify the results of the scans through other means documented and approved by the AO.
* Documentation provided to the CSP must be placed in a format that either the CSP cannot alter or that allows the 3PAO to verify the integrity of the document.
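The second bullet above asks for a delivery format that the CSP cannot alter, or whose integrity the 3PAO can verify afterwards. One way to obtain that property for a set of delivered artifacts, shown here as an added illustration rather than code from FedRAMP, the PMO or any 3PAO, is a digest manifest that the assessor authenticates: every artifact is hashed, the list of hashes is MACed under a key only the assessor holds, and the manifest travels with the documents. A CSP can change a file, and can even rewrite the hash in the manifest to match, but cannot produce a valid MAC without the key, so either change is detected. The file names, contents and key below are constructed for the example; the HMAC is an assumption made so that the block runs offline, and a detached digital signature over the same manifest body would give the same tamper evidence without a shared secret.

```python
import hashlib
import hmac
import json

# Constructed sample deliverables (file name -> bytes as delivered).
# Made up for this example; real artifacts would be the scan reports,
# POA&M and assessment documents named in the guide.
ARTIFACTS = {
    "vuln-scan-2014-06.csv": b"host,plugin,severity\n10.0.0.5,12345,high\n",
    "poam-2014-06.csv": b"id,weakness,status\n1,missing patch,open\n",
    "annual-sar.txt": b"Security Assessment Report: AC-2, CM-6 tested.\n",
}

# Assumed: a key held only by the 3PAO. A detached signature over the
# same manifest body would avoid sharing a secret; HMAC keeps the demo
# self-contained.
ASSESSOR_KEY = b"demo-3pao-key-not-for-real-use"


def sha256_hex(data):
    """SHA-256 digest of one artifact, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def _manifest_body(digests):
    """Canonical byte form of the digest list so the MAC is reproducible."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts, key):
    """Digest every artifact, then MAC the digest list with the assessor key."""
    digests = {name: sha256_hex(data) for name, data in artifacts.items()}
    tag = hmac.new(key, _manifest_body(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "hmac": tag}


def verify_manifest(manifest, artifacts, key):
    """Return (ok, problems).

    The manifest MAC is checked first: a party without the key cannot
    re-issue a manifest that matches altered files. Only then are the
    individual artifacts compared against the recorded digests, and
    files that were added or dropped from the delivery are reported too.
    """
    expected = hmac.new(key, _manifest_body(manifest["digests"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest: HMAC mismatch (manifest altered or wrong key)"]
    problems = []
    for name, recorded in manifest["digests"].items():
        if name not in artifacts:
            problems.append(f"{name}: missing from delivery")
        elif not hmac.compare_digest(sha256_hex(artifacts[name]), recorded):
            problems.append(f"{name}: contents changed")
    for name in artifacts:
        if name not in manifest["digests"]:
            problems.append(f"{name}: not covered by manifest")
    return not problems, problems


def check_unaltered():
    """Delivery verified against the manifest the assessor issued."""
    manifest = build_manifest(ARTIFACTS, ASSESSOR_KEY)
    return verify_manifest(manifest, ARTIFACTS, ASSESSOR_KEY)


def check_altered_artifact():
    """A scan finding is downgraded after the manifest was issued."""
    manifest = build_manifest(ARTIFACTS, ASSESSOR_KEY)
    delivered = dict(ARTIFACTS)
    delivered["vuln-scan-2014-06.csv"] = b"host,plugin,severity\n10.0.0.5,12345,low\n"
    return verify_manifest(manifest, delivered, ASSESSOR_KEY)


def check_forged_manifest():
    """The digest entry is rewritten to match the altered file, but the
    forger has no key, so the MAC over the digest list no longer validates."""
    manifest = build_manifest(ARTIFACTS, ASSESSOR_KEY)
    delivered = dict(ARTIFACTS)
    delivered["vuln-scan-2014-06.csv"] = b"host,plugin,severity\n10.0.0.5,12345,low\n"
    forged = {"digests": dict(manifest["digests"]), "hmac": manifest["hmac"]}
    forged["digests"]["vuln-scan-2014-06.csv"] = sha256_hex(delivered["vuln-scan-2014-06.csv"])
    return verify_manifest(forged, delivered, ASSESSOR_KEY)


if __name__ == "__main__":
    for fn in (check_unaltered, check_altered_artifact, check_forged_manifest):
        ok, problems = fn()
        print(f"{fn.__name__}: {'OK' if ok else 'FAIL'} {problems}")
```

This covers only the integrity half of the requirement. The first bullet (observing CSP-run scans, or verifying them through AO-approved means) is a procedural control that no manifest replaces; the manifest simply lets the 3PAO prove later that what it received is what it reported on.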
3. CONTINUOUS MONITORING PROCESS AREAS

3.1. OPERATIONAL VISIBILITY
An important aspect of a CSP's continuous monitoring program is to provide evidence that demonstrates the efficacy of its program. CSPs and their independent assessors are required to provide evidentiary information to AOs at a minimum of a monthly, annual, every 3 years, and as-needed frequency after authorization is granted. The submission of these deliverables allows AOs to evaluate the risk posture of the CSP's service offering.

Table A-1 notes which deliverables are required as part of continuous monitoring activities. These deliverables include providing evidence, such as monthly vulnerability scans of the CSP's operating systems/infrastructure, databases, and web applications.

As part of the continuous monitoring process, CSPs are required to have a 3PAO perform an assessment on an annual basis for a subset of the overall controls implemented on the system. During the annual assessment the controls listed in Table A-1 are tested along with an additional