Compliance as a Service for Hybrid Cloud-based Systems
The CaaS solution can also be used to certify and authorize hybrid systems of an organization. It is anticipated that this will be predominant model in the early and possibly later stages of Cloud adoption. An example of this setup is given below:
In our example, the SaaS service certification package (PKG3), is incorporated into the System authorization package for the Information System located at the agency. An independent application of the NIST RMF is shown on the agency’s own Information System on the right. As shown in Figure 5, the CaaS solution provides support for multiple Federal and State regulations as well as multiple Information Assurance frameworks from NIST to DIACAP to ISO.
Figure 5: CaaS with a Hybrid System implementation
The initial C&A of a System is the first step in getting the Authority To Operate (ATO), but the on-going Continuous Authorization (CA) is only possible with Continuous Monitoring of all the applicable controls. The Continuous Monitoring requirement has been mandated by the Office of Management and Budget (OMB) and described in NIST SP800-37 Rev.1 as well as NIST SP800-137. Next, we look into the requirements and solution for Continuous Authorization.
The current FISMA law, and the changes it is undergoing, recognizes the interconnected nature of the Internet and agency networks. The OMB is advocating new security reporting requirements that demonstrate compliance, while emphasizing risk based compliance analysis through Continuous Monitoring. These requirements have to be met in the existing systems, as well as new systems being procured by an agency.
The organizations must still maintain formal authorizations and acceptance of risk but may leverage results of continuous monitoring assessments to support the ongoing ATO. The initial ATO and ongoing Continuous Monitoring are required for newly procured systems as well as for continued operation of an existing system. Continuous Monitoring encompasses everything from monitoring changes to the System asset components, Situational Awareness data from assets, to conducting ports and protocol analysis using vulnerability analysis tools and keeping the system related Plan of Action and Milestones (POA&M) updated. It also includes policy monitoring and documentation updates for annual or significant change related re-certifications.
NIST SP 800-37 Rev1 – Risk Management Framework
NIST 800-37 Rev.1 (Chapter 3, P.36) says, “Organizations may choose to eliminate the authorization termination date, if the continuous monitoring program is sufficiently robust to provide the authorizing official with the needed information to conduct ongoing risk determination and risk acceptance activities with regard to the security state of the information system and the ongoing effectiveness of security controls employed within and inherited by the system”.
The Continuous Monitoring of a system requires compliance with three key requirements:
- Change and Configuration Management of Assets
- Monitoring of Security Controls using Automated Tools
- Documentation Updates and Reporting
Change and Configuration Management of Assets
The Configuration Management controls within NIST SP 800-53rev2/3 address the needs of change and configuration management of a system with the goal of enabling and maintaining security while managing the risks on an on-going basis.
Monitoring of Security Controls Using Automated Tools
The objective of monitoring of security controls is to determine if the controls implemented or inherited by the system continue to be effective over time as the system undergoes changes. This encompasses ALL controls and not a subset. The Continuous Monitoring of controls requires monitoring of each control with varying frequencies based on:
- Control volatility – The more volatile controls need to be monitored more frequently
- Organization and system risk tolerance
- Current threat information that might affect the system
The Continuous Monitoring strategy needs to specify the monitoring frequencies along with the reporting frequency and the details required for reporting. As the size and complexity of today’s system increases, it is hard to gather the required details and the frequency desired manually. The process of monitoring and reporting has to be automated using tools that provide situational awareness data in support of:
- Risk based decisions
- Evaluation of ‘on-going’ authorization
- Asset and configuration management to identify changes and their impact on security posture
- Reporting the system security status at any point in time
Some of the technical and operational controls lend themselves to automation much more easily than others. These controls can be evaluated and monitored using vulnerability assessment tools or event management and alerting systems that provide situational data based on logs and Simple Network Management Protocol (SNMP) alerts.
The supplemental guidance for the Continuous Monitoring control (CA-7) from NIST 800-53 Rev.3 states that, “A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the security state of the information system. The implementation of a continuous monitoring program results in ongoing updates to the security plan, the security assessment report, and the plan of action and milestones – the three principal documents in the security authorization package. A rigorous and well executed continuous monitoring program significantly reduces the level of effort required for the reauthorization of the information system. Continuous monitoring activities are scaled in accordance with the impact level of the information system.”
The Situational Awareness data from an asset needs to be mapped to the System that includes this asset in its system definition and the Information Assurance control that may have been affected. This provides data to the system owner and the DAA on evaluating the risk to the Information System. The remediation action may then be documented as a task or a POA&M item.
Documentation Updates and Reporting
The critical documents such as the SSP, SAR or the ST&E report and the POA&M, need to be updated and kept current as per the Continuous Monitoring process. These three key documents and the supporting artifacts are required for any authorizing official to conduct their evaluation of risk, and granting of continued authorization. The POA&M reports are especially critical, as they need to be made available to OMB upon request or at least quarterly.
There is a significant amount of effort involved in keeping these detailed information documents updated and reflect the current state accurately. Just as the asset information becomes potentially stale within twenty-four hours of documentation, the SSP and SAR documents are equally prone to become stale in a short order. An automation tool is the only way to keep these extensive (sometime 200-300 pages) documents updated on an on-going basis.
The SSPs need to reflect changes to the System and its assets based on Change and Configuration Management process as well as any updates to the control implementation, while the SAR/ST&E documents need to reflect the testing and validation of the controls to identify any risks introduced due to these changes. Any new risk identified or an impact on the existing POA&M item needs to be reflected and reported to the authorizing official and OMB.