
FedRAMP 3PAO Program – Have we Heard of this Idea Before?

In a packed auditorium in 2006, I recall sitting in the “Red Auditorium” at NIST to participate in a workshop hosted by the Computer Security Division. The goal of the workshop was to discuss the implementation of Phase II of the FISMA Implementation Project. At the time, the Phase read like this:

“The second phase of the FISMA Implementation Project focuses on the development of a program for credentialing public and private sector organizations to provide security assessment services. Security assessment services involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The assessments may be part of an information system certification and accreditation effort, in support of continuous monitoring of security controls, or for other types of information system security assessments.

Organizations that participate in the credentialing program need to demonstrate competence in the application of the NIST security standards and guidelines and the information security practices consistent with FISMA and OMB requirements. Developing a network of credentialed organizations with demonstrated competence in the provision of security assessment services will give federal agencies and other customers of security assessment services greater confidence in the acquisition and use of such services.”

Although the focus and characteristics of the program may be different, the idea has many similarities. Following the “NIST FISMA Phase II: Workshop of Credentialing Program for Security Assessment Providers”, NIST published NISTIR 7328, “Security Assessment Provider Requirements and Customer Responsibilities”, a document intended to supplement the workshop that focused, in part, on establishing criteria for Security Assessment Team capabilities. One of the most important criteria for measuring a Security Assessment Provider was the composition of the Assessment Team with regard to Knowledge, Skills, and Abilities (KSAs). The references pointed to the Federal Information Systems Controls Audit Manual (FISCAM), the 1999 version, which was superseded in 2009. FISCAM defined KSAs as follows:

  • Knowledge is the foundation upon which skills and abilities are built. Knowledge is an organized body of information, facts, principles, or procedures which, if applied, makes adequate performance of a job possible.
  • A skill is the proficient manual, verbal, or mental manipulation of people, ideas, or things. A skill is demonstrable and implies a degree of proficiency.
  • An ability is the power to perform a job function while applying or using the essential knowledge. Abilities are evidenced through activities or behaviors required to do a job.

Building on the definitions above, the 3PAO program focused its effort on ensuring that the Third Party Assessment Organization (3PAO):

  • Maintained knowledge, understanding, and competency in the application of the FedRAMP program security assessment standards, guidelines, and requirements;
  • Maintained knowledge, understanding, and competency in the application and assessment of cloud-based information system-related technologies and practices;
  • Maintained knowledge and understanding in the use of supporting NIST publications/programs;
  • Maintained instructions, procedures, methods, worksheets, etc., relevant to the work of security assessment of cloud-based information systems that are consistent with the FedRAMP program requirements and supporting NIST publications/programs;
  • Selected assessment team personnel that collectively have the relevant knowledge, skills, and abilities for conducting the given security assessment;
  • Prepared a security assessment plan for each assessment consistent with the FedRAMP program requirements;
  • Reviewed the assessment plan with the cloud service provider to ensure that the security assessment plan is appropriate for the assessment, and that all necessary cloud provider information, documentation, data, artifacts, personnel, etc., for the security assessment is (or will be) available;
  • Conducted the security assessment, following the security assessment plan;
  • Prepared a security assessment report consistent with the FedRAMP program requirements.

Of the requirements detailed in the 3PAO Application (above), one in particular, the selection of assessment team personnel, was left to the Cloud Service Provider and/or the 3PAO to address through their hiring practices for the Assessment Team. This requirement focused on ensuring that the security assessors had the relevant knowledge, skills, and abilities for conducting the given security assessment of the cloud service.

The focus on knowledge matters because, as noted earlier in this article, knowledge is the “foundation upon which skills and abilities are built”. This specific attribute of an assessor requires more than pure security knowledge; it also requires supplemental knowledge of cloud computing. Previously, I have written two articles on the Cloud Security Alliance, Certification of Cloud Knowledge (CCSK).

In March 2011, I sent an email to David McClure (Associate Administrator GSA’s Office of Citizen Services and Innovative Technologies) noting a similar need for a program focused on the qualifications of third party assessors.

“In reading an article published in the Government Computer News today (http://gcn.com/Articles/2011/03/23/FedRAMP-myths-GSA-McClure.aspx?p=1), a series of 7 specific areas were noted as being focus areas for government improvement of FedRAMP. Specifically #2 (“More guidance on third-party assessors’ independence”), something I believe should be expanded to address additionally is the qualifications of the independent assessors. Unlike the PCI Council (PCI DSS) Qualified Security Assessor (QSA) designation for approved companies and providers (https://www.pcisecuritystandards.org/approved_companies_providers/index.php) that can validate a company’s adherence to PCI DSS, a qualification is needed for a Cloud Security Assessor that understands cloud-specific security risks (e.g., Cloud Security Alliance’s Certificate of Cloud Security Knowledge (https://cloudsecurityalliance.org/certifyme.html)) and adherence to the FedRAMP requirements such as the application of the NIST 800 series – the RMF and NIST SP 800-53 security controls (e.g., the (ISC)2 Certified Authorization Professional (https://www.isc2.org/cap/Default.aspx)).

I have specifically highlighted the necessity for criteria to be established for independent assessors on FedRAMP.net (http://www.fedramp.net/selecting-an-independent-third-party-assessor) to include some additional credential that would adequately address some measure of knowledge both about security in general and security-specific aspects of cloud computing environments, which would enable reports submitted to the government to be valuable in facilitating a “credible, risk-based decision” as necessary to properly authorize a cloud service to operate under the auspices of the FedRAMP program.”

Here, the knowledge is not necessarily focused on mastering the CCSK exam, but rather on understanding the material so that the knowledge gained provides a foundation for the skills and abilities many successful auditors/assessors/inspectors already have from working within traditional IT environments. The CCSK provides the 3PAO with the knowledge to support federal agencies in the adoption of secure cloud solutions with confidence. The CSA has developed partner training (see sources below) that is structured and delivered through a comprehensive training program designed to ensure instructors provide a consistent and high-quality training atmosphere.

1ECG provides classes in the Washington D.C. area. Please visit http://www.cloudsecuritytraining.com/training-schedule to find a class to meet your schedule.

Sources for learning more about the CCSK, CCSK Training, and the CCSK Exam:


2 Comments


Chris Cairns

So if I’m a vendor, submit my 3PAO app and receive approval, why should I care about getting a CCSK? Are CCSKs provisioned at an individual or corporate level?

Matthew Metheny

Good questions.

The 3PAO is an organizational accreditation and in no way measures the full scope of all cloud security issues. More specifically it does not address the knowledge of individual security assessors that will be part of the assessment team conducting an inspection of a cloud service.

The CCSK establishes some basic level of knowledge of an individual about cloud computing and security issues across a number of different domains. Therefore, the CCSK, depending on the source selection process of a Cloud Service Provider (CSP), could be a useful requirement in an RFP to down-select those 3PAOs on the list for bidding on a security assessment service. On the other side, it could also be seen as a useful discriminator for the 3PAO that must sort through applicants that have responded to a job requisition.