
introductions to security compliance? #57

Open
afeld opened this issue Jan 9, 2019 · 7 comments

Comments

@afeld
Member

afeld commented Jan 9, 2019

@pburkholder posed a good question:

For FISMA and ATO overviews...any other talks you would recommend in addition to https://youtu.be/-Nc4GXPxpQg?

That video could use an update, but was (as it says) everything I knew at the time. In terms of documentation, I then put what I knew into Before You Ship.

Anyone else know of good introductory materials? Assuming an audience of tech but not government experience, I guess?

cc @brittag @wslack

@pburkholder

@afeld Did you ever get answers to your questions:

That said, this video is pretty concise and easy to follow, but

  • is pretty specific to 18F/GSA
  • has too much on tooling at the end that is out of date
  • should have more on what the various FedRAMP authorizations are and mean (Agency vs. JAB, for example).

@brasky

brasky commented Jan 12, 2019

Everything from 5:00 (the "what" section) to 26:00 (the section where FedRAMP LI SaaS, now FedRAMP Tailored, is mentioned) is good information for anyone who wants to learn about compliance.

Some of your questions have pretty long explanations, and with the NIST website down for the shutdown it's hard to cite all the exact laws.

Q: What is stopping the AO to say yes to everything?
A: Before 2011 (that memorandum) agencies could choose their own controls, but even worse they could manage their own assessments which you can imagine how effective that is. Basically nothing was stopping them. Now there is (slightly) more oversight, see next question.

Q: Does FedRAMP have government authority?
A: FedRAMP does have some authority, but only really through proxy of the OMB. FedRAMP is a program, not an agency, which is why FedRAMP can't issue an ATO, only a P-ATO (provisional), which is really more of a thumbs up than a rubber stamp, except that the OMB and JAB say it's legit; plus the JAB is made up of CIOs from GSA, DoD, and DHS, and if they give you approval most other agencies will just trust it.

The chain of command in a nutshell (without going back too far) goes something like:

  • FISMA 2002 required agencies to develop an agencywide information security program, but was very loose because it was really the first time it had been done (besides for PII) and they didn't want to make a real mess. FISMA 2002 assigned the OMB and NIST to oversee federal information security, so this is the basis for the authority.

  • Then Congress passed GPRA 2010, which required federal agencies to evaluate their effectiveness, essentially under the oversight of the OMB. During this process the OMB found that cybersecurity was a big place for improvement.

  • 2011 the OMB releases the memorandum @pburkholder posted above. This is what kicked off the creation of the FedRAMP program we know and love.

  • The OMB in 2016 put out Circular No. A-130 which required federal agencies to make a security plan, assess it regularly, etc. If you want to see the full chain of command up to that point check out section 9. Authority, although I don't recommend it.

And now we're here today (basically)! Sorry for the wall of text but I haven't actually ever had to type this out so it was kind of fun. In terms of talks, there really is next to no content out there... There's fedramp.gov/training ...

@pburkholder

@brasky That's helpful context. Coincidentally, Aidan's talk was posted 27 July 2016, and A-130 was updated the next day: https://www.federalregister.gov/documents/2016/07/28/2016-17872/revision-of-omb-circular-no-a-130-managing-information-as-a-strategic-resource.

@brasky

brasky commented Jan 22, 2019

This reddit thread just popped up about how to better understand NIST and there was a good comment with a few videos about 800-171 that could be useful.

For anyone diving into the world of Federal government cybersecurity frameworks and compliance, these videos might be helpful. None of this is strictly 800-53, but the 800-171 stuff is pretty useful to understand as well.

4 hours https://youtu.be/6mdVTPk6jlE

8.5 hours https://youtu.be/qk5J4gFysLU

I've found a lot of good resources with webinars like via Brighttalk as well. Might as well start with the free stuff first if you want a starter.

Also, here is a link to a really informative FAQ that NIST published in April of 2018. It’s about 50 pages. The new stuff is highlighted in yellow.

http://www.berenzweiglaw.com/wp-content/uploads/2018/05/Revision-to-Cyber-DFARS-FAQs-7012-etc.-April-2-2018-37165xC5166.pdf

@wslack

wslack commented Mar 21, 2019

@Jkrzy might have ideas?

@afeld
Member Author

afeld commented Apr 30, 2019

Launched a new site for this - see #70.

@its-a-lisa

suggest closing this based on the new site existing
