聯邦風險與授權管理計劃持續(xù)監(jiān)管策略及指南

1、Con ti nu ous Mon itori ng Strategy & GuideVersio n 2.0June 6, 2014Executive SummarysesysuThe OMB memorandum M-10-15, issued on April 21,2010, changed from static point in time curity authorizatio n processes to Ongoing Assessme nt and Authorizati on throughout the stem developme nt life cycle.

2、Con siste nt with this new direct ion favored by OMB and pported in NIST guideli nes, FedRAMP developed an ongoing assessme nt and authorizati on program for the purpose of maintaining the authorization of Cloud Service Providers (CSP).2(權方(10年4月21日，美國政府管理預算局(OMB發(fā)布了 M-10-15備忘錄，將時間安全授過程中的靜態(tài)點改為貫穿系統(tǒng)開發(fā)生

3、命周期的持續(xù)評估和授權。除了OMB NIST指導針也支持了這個新動向，FedRAM開發(fā)了一套持續(xù)評估和授權程序用以維持云服務商 CSP的授權。syarto系Alter a system receives a FedRAMP authorization, it is probable that the security posture of the stem could cha nge over time due to cha nges in the hardware or software on the cloud service of ering, or also due to the di

4、scovery and provocation of new exploits. Ongoing assessment d authorizati on provides federal age ncies using cloud services a method of detect ing cha nges the security posture of a system for the purpose of making risk-based decisi ons.統(tǒng)獲得FedRAMP授權后，由于云服務產品的硬件或軟件變化，或是因為新漏洞，系 的安全態(tài)勢可能會隨時間發(fā)生變化。持續(xù)評估和授

5、權給使用云服務的聯邦機構提供了 測系統(tǒng)安全態(tài)勢變化的方法，這樣機構就可以做風險導向決策。bamThis guide describes the FedRAMP strategy for CSPs to use once they have received a FedRAMP Provisi onal Authorizati on. CSPs must con ti nu ously mon itor the cloud service offeri ng to detect cha nges in the security posture of the system to en able w

6、ell-i nformed risk- sed decision making. This guide instructs CSPs on the FedRAMP strategy to continuously on itor their systems.FedRAMP策略。為了更清楚地制定風險導向決策, 勢旦云服務商(CPSs)收到FedRAMP的臨時授權，就可以參考本指南描述的CPS必須持續(xù)監(jiān)控檢測系統(tǒng)安全態(tài) 變化的云服務產品。本指南在FedRAM策略方面指導CPS如何持續(xù)監(jiān)控系統(tǒng)。Docume nt Revisio n HistoryDatePage(s)Descripti onAut

7、hor06/06/2014Major revision for SP800-53 Revision 4.In cludes new template and formatt ing cha nges.FedRAMP PMODatePage(s)Descripti onAuthorTable of ContentsList of TablesList of FiguresABOUT THIS DOCUMENTThis document has been developed to provide guidanee on continuous monitoring and ongoing autho

8、rizati on in support of maintaining a security authorizati on that meets the FedRAMP requirements. This document is not a FedRAMP template - there is nothing to fill out in this docume nt.本文檔為FedRAMP要求的維持安全授權所需的持續(xù)監(jiān)控和持續(xù)授權提供指導，本文檔 不是FedRAMP模版一一無需填寫。WHO SHOULD USE THIS DOCUMENT?本文檔的適用對象This docume nt i

9、s inten ded to be used by Cloud Service Providers (CSPs), Third Party Assessor Orga ni zati ons (3PAOs), gover nment con tractors worki ng on FedRAMP projects, and government employees working on FedRAMP projects. This document may also prove useful for other orga ni zati ons that are develop ing a

10、continu ous mon itori ng program.云服務商、第三方評估機構、涉及 FedRAMP項目的政府合約商以及政府雇員可以使用 本文檔，正在開發(fā)持續(xù)監(jiān)管程序的其他組織也可使用。HOW THIS DOCUMENT IS ORGANIZED文檔結構This docume nt is divided into seve n sect ions and one appe ndix.Section 1Provides an overview of the continuous monitoring process.Section 2Describes roles and respo

11、nsibilities for stakeholders other than CSPs.Section 3Describes how operational visibility, change control and incident response support con ti nu ous mon itor ing.Appe ndix ADescribes the security con trol freque ncies.HOW TO CONTACT US 聯系方式Questi ons about FedRAMP or this docume nt may be directed

12、 toFor more in formatio n about FedRAMP, visit the website at.1. OVERVIEW 概述Within the FedRAMP Security Assessme nt Framework, once an authorizati on has bee n gran ted, the CSP' s security posture isorednaccord ing to the assessme nt and authorizati onprocess. Monitoring security controls is pa

13、rt of the overall risk management framework for information security and is a requirement for CSPs to maintain a security authorization that meets the FedRAMP requireme nts.在FedRAMP安全評估框架內，一旦CSP獲得授權，那么就會依據評估和授權過程對 CSP的安全態(tài)勢進行監(jiān)控。監(jiān)視安全控制是整個信息安全風險管理框架的一部分，也是 對CSP的要求，以保持滿足FedRAMP要求的安全授權。Traditio nally, th

14、is process has bee n referred to as“C nti nu ous Mon itori ng ” as no ted in NIST SP 800-137 In formatio n Security Continu ous Mon itori ng for Federal In formatio n Systems and Orga ni zatio ns. Other NIST docume nts such as NIST SP 800-37, Revisi on 1 refer to“ ongoing assessment of security cont

15、ro.s It is impO'rtant to note that both the terms“ Con ti nu ous Mon itori ng” ago in g'Security Assessme nts mean esse ntially the samething and should be in terpreted as such.從傳統(tǒng)意義上來說，這個過程也就是NIST SP 800-137聯邦信息系統(tǒng)及組織的信息安全 持續(xù)監(jiān)管中提到的“持續(xù)監(jiān)管”。其他NIST文檔如NIST SP 800-37修訂版1中提 到了 “安全控制的持續(xù)評估”。重要的是要注意“持

16、續(xù)監(jiān)管”和“持續(xù)安全評估”的意 義在本質上是一樣的，也應理解為相同的事件。Perform ing ongoing security assessme nts determ ines whether the set of deployed security controls in a cloud information system remains effective in light of new exploits and attacks, and planned and unplanned changes that occur in the system and its environmen

17、t over time. To maintain an authorization that meets the FedRAMP requirements, CSPs must monitor their security con trols, assess them on a regular basis, and dem on strate that the security posture of their service offeri ng is continu ously acceptable.實施持續(xù)的安全評估可以確定在云信息系統(tǒng)中已部署的某套安全措施對新的滲透和攻擊、 及在系統(tǒng)和自

18、身環(huán)境中隨時間出現的計劃和非計劃變更是否依然有效。CSP為了維持滿足FedRAMP要求的授權，必須定期監(jiān)視、評估其安全措施、并證明其提供的服務的安 全態(tài)勢持續(xù)滿足要求。Ongoing assessment of security controls results in greater control over the security posture of the CSP system and en ables timely risk-ma nageme nt decisi on s .Security-related in formatio n collected through conti

19、nuous monitoring is used to make recurring updates to the security assessme nt package. Ongoing due dilige nee and review of security con trols en ables the security authorizatio n package to remai n curre nt which allows age ncies to make in formed risk man ageme nt decisi ons as they use cloud ser

20、vices.安全控制措施的持續(xù)評估使CSP系統(tǒng)的安全態(tài)勢得到更強的安全控制，并能及時實施風 險管理決策。持續(xù)監(jiān)管過程中收集到的安全相關信息用于不斷更新安全評估組件。持續(xù) 的嚴格評估和安全措施檢查使安全授權包保持最新，即允許代理在使用云服務時做出有 據可循的風險管理決策。1.1. PURPOSE OF THIS DOCUMENT 本文檔的目的This docume nt is inten ded to provide CSPs with guida nee and in structi ons on how to impleme nt their con ti nu ous mon itori

21、ng program. Certa in deliverables and artifacts related to continuous monitoring that FedRAMP requires from CSP 'as discussed in this document 本文檔目的是為CSP實施持續(xù)監(jiān)管計劃提供指導和說明。某些FedRAMP要求CSP提供的、與持續(xù)監(jiān)管相關的可交付成果和組件會在本文檔中討論。1.2. CONTINUOUS MONITORING PROCESS 持續(xù)監(jiān)管過程The FedRAMP con ti nu ous mon itori ng prog

22、ram is based on the continu ous mon itori ng process described in NIST SP 800-137, I nformation Security Con tin uous Mo nitori ng for Federal In formatio n Systems and Orga ni zation The goal is to provide: (i) operati onal visibility; (ii) man aged cha nge con trol; (iii) and atte ndance to in cid

23、e nt resp onse duties.For more in formatio n on in cide nt resp on se, review the FedRAMPI ncide nt Com mun icatio ns ProcedureFedRAMP持續(xù)監(jiān)管計劃是以NIST SP 800-137聯邦信息系統(tǒng)和組織信息安全的持續(xù)監(jiān) 管中描述的持續(xù)監(jiān)管過程為基礎的。目標是提供：(i)運營可視化；(ii)變更控制管理；(iii)參與事件響應職責。想要獲取更多事件響應的信息，可以參閱FedRAMP的事件通信規(guī)程。The effectiveness of a CSP c'nii

24、nuous monitoring capability supports ongoing authorization and reauthorization decisions. Security-related information collected during continuous mon itori ng is used to make updates to the security authorizati on package.Updated docume nts provide evide nee that FedRAMP baseli ne security con trol

25、s continue to safeguard the system as orig in ally pla nn ed.CSP寺續(xù)監(jiān)管能力的有效性支持持續(xù)授權和再授權決策。持續(xù)監(jiān)管過程中收集到的安全 相關信息用于更新安全授權組件包。更新的文檔為FedRAMP的基線安全控制措施按原計劃持續(xù)保護系統(tǒng)的供證明。As defi ned by the Nati onal In stitute of Stan dards and Tech no logy (NIST), the process for continuous monitoring includes the following initia

26、tives:正如NIST的定義，持續(xù)監(jiān)管的過程包括如下舉措：Define a continu ous mon itori ng strategy based on risk tolera nee that maintains clear visibility into assets and awareness of vulnerabilities and utilizes up-to-date threat in formati on.基于風險承受能力定義持續(xù)監(jiān)管策略，這樣的監(jiān)管策略具有資產可見 性,知悉安全隱患，并能夠利用最新的威脅信息。Establish measures, metrics

27、, and status mon itori ng and con trol assessme nts freque ncies that make known orga ni zati onal security status and detect cha nges to in formatio n system in frastructure and environments of operatio n, and status of security con trol effective ness in a manner that supports con ti nued operati

28、on with in acceptable risk tolerances.建立措施、度量和狀態(tài)監(jiān)控，控制報告組織安全狀態(tài)的評估頻率， 并在可接受的風險承受能力范圍內，以支持持續(xù)運營的方式，檢測信息系統(tǒng)基礎 設施和運營環(huán)境以及安全控制有效性的狀態(tài)變更。Implement a continuous monitoring program to collect the data required for the defi ned measures and report on findin gs; automate collect ion, an alysis and report ing of da

29、ta where possible實施持續(xù)監(jiān)管計劃，收集確定的措施需要的數據，并對發(fā)現作 報告；盡可能將數據收集、分析和報告過程自動化。An alyze the data gathered an dReport findings accompa nied by recomme ndati ons. It may become n ecessary to collect additi onal in formati on to clarify or suppleme nt existi ng mon itori ng data.分析收集到的數據并報告包含建議的發(fā)現。收集額外的信 息以闡明或補充目

30、前的監(jiān)控數據可能是必要的。Resp ond to assessme nt findings by making decisi ons to either mitigate tech ni cal, man ageme nt and operati on al vuln erabilities; or accept the risk; or tran sfer it to ano ther authority .通過制定緩解技術上的、管理上的還是操作上的漏洞決策對評估發(fā)現做 出響應；或者接受風險；或將其轉移給另一個授權方。Review and Update the mon itori ng pr

31、ogram, revis ing the con ti nu ous mon itori ng strategy and maturi ng measureme nt capabilities to in crease visibility into assets and aware ness of vuln erabilities; further enhance data drive n con trol of the security of an orga ni zati on' s in f(biom nfrastructure; and in crease orga ni z

32、ati onal flexibility.檢查和更新監(jiān)控計劃，校正持續(xù)監(jiān)管策略并使度量能力趨于成熟，以增加資產的可見性 和安全隱患意識；更進一步加強組織信息基礎設施的數據驅動控制安全，增加組 織靈活性。Figure 1-NIST Special Publication 800-137 Continuous Monitoring ProcessSecurity con trol assessme nts performed periodically validate whether stated security con trols are impleme nted correctly, ope

33、rati ng as inten ded, and meet FedRAMP baseli ne security con trols. Security status report ing provides federal officials with in formatio n n ecessary to make risk-based decisi ons and provides assura nee to existi ng customer age ncies regard ing the security posture of the system.周期性的執(zhí)行安全控制評估以驗證

34、是否正確地實施規(guī)定的 安全措施，是否按照計劃運行安全措施，以及是否滿足 FedRAMP的基線安全控制。安 全狀態(tài)報告為聯邦機構提供必要的信息以便其制定基于風險的決策，并給當前客戶代理 提供關于系統(tǒng)安全態(tài)勢的保證。2. CONTINUOUS MONITORING ROLES &RESPONSIBILITIES 持續(xù)監(jiān)管角色及責任2.1. AUTHORIZING OFFICIAL 授權機構Authoriz ing Officials and their teams （“ AOs' ） serve as the focal point for coord in atio n ofco

35、n ti nu ous mon itori ng activities for CSPs. CSPs must coord in ate with their AOs to send security control artifacts at various points in time. The AOs monitor both the Plan of Action& Milest ones （POA&M） and any major sig ni fica nt cha nges and report ing artifacts （such as vuln erabilit

36、y scan reports） associated with the CSP service offeri ng. AOs use this in formatio n so that risk-based decisions can be made about ongoing authorization Agency customers must perform the following tasks in support of CSP continuous monitoring:授權機構及其團隊（“AOs在 CSP的持續(xù)監(jiān)管活動的協(xié)調中起關鍵作用。 CSP必須配合 其AOs在各個時間點發(fā)

37、送安全控制組件。AOs對行動計劃和里程碑（POA&）及任何重 大的變更進行監(jiān)控，并對 CSP提供服務的相關組件進行報告（例如漏洞掃描報告）。AOs利用這些信息以便制定出持續(xù)授權的基于風險的決策。代理客戶必須執(zhí)行以下任務 以支持CSP的持續(xù)監(jiān)管：? Notify CSP if the age ncy becomes aware of an in cide nt that a CSP has not yet reported 如果代理發(fā)現CSP還未上報的緊急事件，則通知 CSP? Provide a primary and sec on dary POC for CSPs and US-C

38、ERT as described in age ncy為CSP和美國計算機緊急響應小組（United States Computer EmergencyReadi ness Team）提供以代理描述的主要和次要的 POC（ poi nts of con tact聯系點）? and CSPIn cide nt Resp onse Pla nsCSP應急響應計劃? Notify US-CERT whe n a CSP reports an in cide nt當CSF報告緊急事件時，通知 US-CERT? Work with CSPs to resolve in cide nts; provide

39、 coordi nati on with US-CERT if n ecessary 與CSP-起解決緊急事件；如果有必要的話，配合US-CERT0? Notify FedRAMP ISSO of CSP in cide nt activity通知FedRAMP的ISSO （信息系統(tǒng)安全官）CSPR急事件活動。? Mon itor security con trols that are age ncy resp on sibilities.監(jiān)視代理負責的安全控制措施。During in cide nt resp on se, both CSPs and leverag ing age ncie

40、s are resp on sible for coord in at ing incident handling activities together, and with US-CERT. The team based approach to in cide nt han dli ng en sures that all parties are in formed and en ables in cide nts to be closed asquickly as possible.在應急響應中，CSPs利益相關的代理，以及 US-CERT, 起負責 協(xié)調處理緊急事件?；诰o急事件處理的團

41、隊確保通知所有相關部門，確保盡快解決問題。2.2. FEDRAMP PMOThe FedRAMP Program Ma nageme nt Office (PMO) acts as the liais on for the Joi nt Authorizati on Board for en suri ng that CSPs with a JAB P-ATO strictly adhere to their established Continuous Monitoring Plan. The JAB and FedRAMP PMO only perform Contin uous Mo n

42、itori ng activities for those CSPs that have a JAB P-ATO.FedRAMP計劃管理辦公室作為Joi nt Authorization Board(聯合授權董事會)的聯絡員， 確保擁有 JAB P-ATO ( Joi nt Authorization Board Provisio nal Authorities to Operate)的 CSP嚴格遵守其制定的持續(xù)監(jiān)管計劃。JAB和FedRAMP PMO只為獲得JAB P-ATO的 CSP實施持續(xù)監(jiān)管活動。注：JAB是FedRAMP計劃的主要管理團隊，由國防部、國土安全部以及美國總務管理局的首

43、席信息官組成2.3. DEPARTMENT OF HOMELAND SECURIT Y (DHS) 國土安 全部The FedRAMP Policy Memo released by OMB defi nes the DHS FedRAMP respo nsibilities to include: OM發(fā)布的FedRAMP政策備忘錄定義了 DHSFedRAMP的責任包括：? Assisti ng gover nmen t-wide and age ncy-specific efforts to provide adequate, risk-based and cost-effective c

44、ybersecurity協(xié)助全政府和特定代理努力提供充足的、基于風險的和性價比高的網絡安全。? Coord in at ing cybersecurity operati ons and in cide nt resp onse and providi ng appropriate assista nee協(xié)調網絡安全運營與應急響應并提供適當的幫助? Develop ing con ti nu ous mon itori ng sta ndards for ongoing cybersecurity of Federal in formati on systems to in clude rea

45、l-time mon itori ng and continu ously verified operating configurations為聯邦信息系統(tǒng)的持續(xù)網絡安全開發(fā)持續(xù)監(jiān)管標準，該標準要囊括實時監(jiān)管和持 續(xù)驗證的操作配置? Develop ing guida nee on age ncy impleme ntati on of the Trusted Internet Conn ecti on (TIC) program for cloud services.為云服務開發(fā)可信互聯網連接計劃的代理實施指南The FedRAMP PMO works with DHS to incorpo

46、rate DHS sguidanee into the FedRAMP program guidanee and documents. FedRAMP PMO和 DHS 協(xié)作將 DHS 的指南納入到 FedRAMP計劃指南和文檔中。24 THIRD PART Y ASSESSMENT ORGANIZATION (3PAO) 第 三方評估機構Third Party Assessme nt Orga ni zati ons (3PAO) are resp on sible for in depe nden tly verify ing and validating the control impl

47、ementation and test results for CSPs in the continuous monitoring phase of the FedRAMP process. Specifically, 3PAOs are resp on sible for:在FedRAMP過程中，第三方評估機構負責為CPS蟲立驗證和確認控制措施實施以及測試 結果。第三方評估機構尤其要負責：? Assessing a defined subset of the security controls annually. 安全控制措施確定子集的年度評估? Submitting the assessm

48、ent report to the ISSO one year after thCeSP' sauthorization date and each year thereafter.CSP授權日期之后的一年以及往后的每一年，提交評估報告給ISSO? Performing announced penetration testing. 實施正規(guī)的滲透測試? Perform annual scans of web applications, databases, and operating systems. 每年對web應用、數據庫和操作系統(tǒng)進行掃描? Assessing changed c

49、ontrols on an ad hoc basis as requested by the AOs for any changes made to the system by the CSP.按照AOs （授權機構）的要求，一旦 CPS對系統(tǒng)做出任何變更，隨時對變更的控 制措施進行評估。In order to be effective in this role, 3PAOs are responsible for ensuring that the chain of custody is maintained for any 3PAO authored documentation. 3PAO

50、s must also be able to vouch for the veracity and integrity of data provided by the CSP for inclusion in 3PAO authoreddocumentation. As an example:為了使這一作用更有效，3PAOs負責保證維護3PAOs授權文 檔的監(jiān)管鏈。3PAOs也必須有能力保證CS為3PAO授權文檔提供的數據精確性和完整性。 例如：? If scans are performed by the CSP, the 3PAO must either be on site and ob

51、serve the CSP performing the scans or be able to monitor or verify the results of the scans through other means documented and approved by the AO.如果CS執(zhí)行掃描，3PAO要么必須在現場觀察CS實施掃描，要么能夠通過其他登 記在案并經AO比準的方式進行監(jiān)控或驗證掃描結果。? Documentation provided to the CSP must be placed in a format that either the CSP cannot a

52、lter or that allows the 3PAO to verify the integrity of the document. 提供給CSP勺文檔必須以CS無法更改或允許3PAO驗證文檔完整性的格式放置。3. CONTINUOUS MONITORING PROCESS AREASE 持續(xù)監(jiān) 管過程3.1. OPERATIONAL VISIBILITY 運營可見性An important aspect of a CSP'csontinuous monitoring program is to provide evidence that demonstrates the eff

53、icacy of its program. CSPs and its independent assessors are required to provide evidentiary information to AOs at a minimum of a monthly, annually, every 3 years, and on an as-needed frequency after authorization is granted.The submission of these deliverables allow AOs to evaluate the risk posture

54、 of the CSP' s i snegr. vi ce offerCSP持續(xù)監(jiān)管計劃的一個重要作用就是提供證據證明其計劃的有效性。CSP和其獨立評估人在獲得授權之后，至少以每月、每年、每三年及需要的頻率提供證據信息給AOs。這些交付件的提交能讓AOs評估CSP提供的服務的風險態(tài)勢。Table A-1 notes which deliverables are required as part of continuous monitoring activities. These deliverables in clude provid ing evide nee, such as pr

55、ovid ing mon thly vuln erability sca ns of CSPs operati ng systems/i nfrastructure, databases, and web applicati ons.表A-1所示的是作為持續(xù)監(jiān)管活動的一部分，所要求的交付件。這些交付件包括提供證 據，例如每月提供CSP操作系統(tǒng)/基礎設施、數據庫和web應用的漏洞掃描。As part of the con ti nu ous mon itori ng process CSPs are required to have a 3PAO perform an assessme nt o

56、n an annual basis for a subset of the overall con trols impleme nted on the system. During the annual assessment the controls listed in Table A-1 are tested along with an additional number of controls selected by the AO. The AO has the option to vary the total number of controls tested to meet the d

57、esired level of effort for testing. The AO selects the additional controls for testing based on the following criteria in Table 3-1.作為持續(xù)監(jiān)管過程的一部分，要求CSP有 3PAO每年為其系統(tǒng)中實施的全面控制措施的一個子集實施評估。在每年的評估期間，對表A-1中所列的控制措施連同AO選擇的一些額外控制措施一起進行測試。為了滿足測試要求，AO可以選擇改變要測試的控制措施總數。AO以下面表3-1中的標準為測試選擇附加的控制措施。There are additi ona

58、l requireme nts for testi ng and con trol selecti on for CSPs that are tran siti oning to the FedRAMP 800-53 Revision 4 baseline. For additional guidance to on Revision 4 tran siti on test ing guida nce, review theFedRAMP Revisio n 4 Tran siti on Guide測試的附加要求和CPS的可選控制措施，正在成為 FedRAMP 800-53版本4的基線。對 于版本4的轉變測試指南的額外指南，請參考 FedRAMP Revision 4 Tran sition GuideCriteriaDescripti on1.Con diti on of previous assessme ntAny conditions made by th