(风险管理)联邦风险与授权管理计划持续监管策略及指南
- 格式:docx
- 大小:477.09 KB
- 文档页数:41
Continuous Monitoring Strategy & Guide v2.0 June 6, 2014
Continuous Monitoring Strategy & Guide
Version 2.0
June 6, 2014
Continuous Monitoring Strategy & Guide v2.0 June 6, 2014
Page 2
Executive Summary
The OMB memorandum M-10-15, issued on April 21, 2010, changed from static point in time
security authorization processes to Ongoing Assessment and Authorization throughout the
system development life cycle. Consistent with this new direction favored by OMB and
supported in NIST guidelines, FedRAMP developed an ongoing assessment and authorization
program for the purpose of maintaining the authorization of Cloud Service Providers (CSP).
2010年4月21日,美国政府管理预算局(OMB)发布了M-10-15备忘录,将时间安全授权过程中的静态点改为贯穿系统开发生命周期的持续评估和授权。除了OMB,NIST指导方针也支持了这个新动向,FedRAMP开发了一套持续评估和授权程序用以维持云服务商(CSP)的授权。
After a system receives a FedRAMP authorization, it is probable that the security posture of the
system could change over time due to changes in the hardware or software on the cloud service
offering, or also due to the discovery and provocation of new exploits. Ongoing assessment and
authorization provides federal agencies using cloud services a method of detecting changes to the
security posture of a system for the purpose of making risk-based decisions.
系统获得FedRAMP授权后,由于云服务产品的硬件或软件变化,或是因为新漏洞,系统的安全态势可能会随时间发生变化。持续评估和授权给使用云服务的联邦机构提供了检测系统安全态势变化的方法,这样机构就可以做风险导向决策。
This guide describes the FedRAMP strategy for CSPs to use once they have received a
FedRAMP Provisional Authorization. CSPs must continuously monitor the cloud service
offering to detect changes in the security posture of the system to enable well-informed risk-based decision making. This guide instructs CSPs on the FedRAMP strategy to continuously
monitor their systems.
一旦云服务商(CPSs)收到FedRAMP的临时授权,就可以参考本指南描述的FedRAMP策略。为了更清楚地制定风险导向决策,CPS必须持续监控检测系统安全态势变化的云服务产品。本指南在FedRAMP策略方面指导CPS如何持续监控系统。
Document Revision History
Date Page(s) Description Author
06/06/2014 Major revision for SP800-53 Revision 4.
Includes new template and formatting changes. FedRAMP PMO Continuous Monitoring Strategy & Guide v2.0 June 6, 2014
Page 3 Date Page(s) Description Author
Continuous Monitoring Strategy & Guide v2.0 June 6, 2014
Page 4
Table of Contents
About this document ....................................................................................................................... 7
Who should use this document? ................................................................................................. 7
How this document is organized ................................................................................................. 7
How to contact us........................................................................................................................ 7
1. Overview ................................................................................................................................. 8
1.1. Purpose of This Document ............................................................................................... 9
1.2. Continuous Monitoring Process ....................................................................................... 9
2. Continuous Monitoring Roles & Responsibilities ................................................................. 11
2.1. Authorizing Official ....................................................................................................... 11
2.2. FedRAMP PMO ............................................................................................................. 12
2.3. Department of homeland security (DHS)....................................................................... 12
2.4. Third Party Assessment Organization (3PAO) .............................................................. 12
3. Continuous Monitoring Process Arease ................................................................................ 14
3.1. Operational Visibility ..................................................................................................... 14
3.2. Change Control .............................................................................................................. 16
3.3. Incident Response .......................................................................................................... 17
Appendix A – Control Frequencies .............................................................................................. 18
Appendix B – Template Monthly Reporting Summary ................................................................ 39
JAB P-ATO Continuous Monitoring Analysis ......................................................................... 39