FedRAMP Privacy Threshold Analysis And Privacy Impact


FedRAMP Privacy Threshold Analysis and Privacy Impact Assessment
Distributed Solutions Inc.
AEON
Version 2.3
January 9, 2018

Prepared by
Organization Name that prepared this document:
Street Address: 12350 Pinecrest Road
Suite/Room/Building: Click here to enter text.
City, State, ZIP: Reston, VA 20191

Prepared for
Organization Name for whom this document was prepared:
Street Address: 888 1st Street, Northeast
Suite/Room/Building: Click here to enter text.
City, State, ZIP: Washington, D.C. 20426

Revision History

Complete 15.4 Attachment 4 – PTA and PIA Revision History in the System Security Plan. Detail specific changes in the table.

Version | Page(s) | Description | Author | Date
1.0 | All | DSI SaaS PIA/PTA | DSI | 2/13/2017
2.0 | All | All sections were reviewed and updated | DSI | 05/18/2017
2.1 | 1 | Change POC title and updated dates on Applicable Laws | DSI | 10/30/2017
2.2 | All | Small updates made throughout | DSI | 11/13/2017
2.3 | All | Removed CUI, Updated the Applicable Laws & Regulation and Added FERC as the agency document is prepared for, updated section 3.11 Assessor and Signatures | DSI |

Table of Contents

1 Privacy Overview and Point of Contact (POC) ... 1
1.1 Applicable Laws and Regulations ... 1
1.2 Applicable Standards and Guidance ... 2
1.3 Personally Identifiable Information (PII) ... 4
2 Privacy Threshold Analysis ... 4
2.1 Qualifying Questions ... 5
2.2 Designation ... 5
3 Privacy Impact Assessment ... 5
3.1 PII Mapping of Components ... 5
3.2 PII in Use ... 6
3.3 Sources of PII and Purpose ... 6
3.4 Access to PII and Sharing ... 7
3.5 PII Safeguards and Liabilities ... 8
3.6 Contracts, Agreements, and Ownership ... 10
3.7 Attributes and Accuracy of the PII ... 11
3.8 Maintenance and Administrative Controls ... 11
3.9 Business Processes and Technology ... 13
3.10 Privacy Policy ... 13
3.11 Assessor and Signatures ... 13
4 Acronyms ... 15

List of Tables

Table 1-1 - System Name Privacy POC ... 1
Table 1-2 Information System Name Laws and Regulations ... 1
Table 1-3 Information System Name Standards and Guidance ... 3
Table 3-1 PII Mapped to Components ... 5

1 PRIVACY OVERVIEW AND POINT OF CONTACT (POC)

The individual listed in Table 1-1 - System Name Privacy POC is identified as the System Name Privacy Officer and POC for privacy at Distributed Solutions Inc.

Table 1-1 - System Name Privacy POC

Name: Ron Falcone
Title: Executive Vice President
CSP / Organization: Distributed Solutions Inc.
Address: 12350 Pinecrest Road, Reston, VA 20191
Phone Number: 703-471-7530
Email Address: privacyofficer@distributedinc.com

1.1 APPLICABLE LAWS AND REGULATIONS

The FedRAMP Laws and Regulations may be found on: www.fedramp.gov Templates. A summary of FedRAMP Laws and Regulations is included in the System Security Plan (SSP) in ATTACHMENT 12 – FedRAMP Laws and Regulations.

Table 1-2 Information System Name Laws and Regulations includes additional laws and regulations specific to AEON. These will include laws and regulations from the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) circulars, Public Law (PL), United States Code (USC), and Homeland Security Presidential Directives (HSPD).

Table 1-2 Information System Name Laws and Regulations

Identification Number | Title | Date | Link
PL 104-231 | Electronic Freedom of Information Act As Amended in 2002 [PL 104-231, 5 USC 552], October 2, 1996 | October 1996 | PL 104-231
5 USC 552a | Title 5 Government Organization and Employees; Chapter 5 Administrative Procedure; Section 552a Records maintained on individuals (Privacy Act of 1974 as amended) | January 2014 | 5 USC 552A
Public Law 100-503 | Computer Matching and Privacy Act of 1998 | October 1998 | 5 USC 522A
PL 107-347 | E-Government Act [includes FISMA Title III] | December 2002 | PL 107-347
FTC | Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices | June 2008 | FTC Sec-5
NARA | 44 U.S.C. Federal Records Act, Chapters 21, 29, 31, 33 (see Public Law 113-187): Ch 21 as of November 26, 2014; Ch 29 as of November 26, 2014; Ch 31 as of October 21, 1976; Ch 33 as of November 16, 2014 | November 2014 | NARA 44 USC
ECFR | Title 36, Code of Federal Regulations, Chapter XII, Subchapter B | March 2017 | e-CFR data
OMB Circular A-130 | Managing Information as a Strategic Resource | 7/1/2016 | OMB A-130
OMB M-10-23 | Guidance for Agency Use of Third-Party Websites | June 2010 | OMB M-10-23
OMB M-99-18 | Privacy Policies on Federal Web Sites | June 1999 | OMB M-99-18
OMB M-17-12 | Preparing and Responding to a Breach of Personally Identifiable Information | January 2017 | OMB M-17-12
OMB M-03-22 | OMB Guidance for Implementing the Privacy Provisions | September 2003 | OMB M-03-22
PL 104-191 | Health Insurance Portability and Accountability Act of 1996 (HIPAA) | August 1996 | PL 104-191
PL 108-447 | Consolidated Appropriations Act of 2005, Section 522 | December 2004 | PL 100-503
PL 113-187 | 44 U.S.C. The Presidential and Federal Records Act Amendments of 2014 showing changes to NARA Statutes found below in Chapters 21, 22, 29, 31, 33, of Title 44 in PDF: Ch 21 as of November 26, 2014; Ch 22 as of November 26, 2014; Ch 29 as of November 26, 2014; Ch 31 as of October 21, 1976; Ch 33 as of November 16, 2014 | December 2014 | PL 113-187

1.2 APPLICABLE STANDARDS AND GUIDANCE

The FedRAMP Standards and Guidance may be found on: www.fedramp.gov Templates. The FedRAMP Standards and Guidance are included in the System Security Plan (SSP) ATTACHMENT 12 – FedRAMP Laws and Regulations. For more information, see the Program Documents Overview section of the FedRAMP website.

Table 1-3 Information System Name Standards and Guidance includes any additional standards and guidance specific to AEON. These will include standards and guidance from Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) Special Publications (SP).

Table 1-3 Information System Name Standards and Guidance

Identification Number | Title | Date | Link
FIPS PUB 140-2 | Security Requirements for Cryptographic Modules | October 2001 | FIPS 140-2
FIPS PUB 199 | Standards for Security Categorization of Federal Information and Information Systems | February 2004 | FIPS 199
FIPS PUB 200 | Minimum Security Requirements for Federal Information and Information Systems | March 2006 | FIPS 200
FIPS PUB 201-2 | Personal Identity Verification (PIV) of Federal Employees and Contractors | August 2013 | FIPS 201-2
NIST SP 800-18 | Guide for Developing Security Plans for Federal Information Systems, Revision 1 | February 2006 | SP 800-18
NIST 800-26 | Security Self-Assessment Guide for Information Technology Systems, April 2013 | Superseded By: FIPS 200, SP 800-53, SP 800-53A | Archived NIST SP
NIST SP 800-27 | Engineering Principles for Information Technology Security Revision A (A Baseline for Achieving Security) | June 2004 | SP 800-27
NIST SP 800-30 | Guide for Conducting Risk Assessments, Revision 1 | September 2012 | SP 800-30
NIST SP 800-34 | Contingency Planning Guide for Federal Information Systems Revision 1 [includes updates as of 11-11-10] | May 2010 | SP 800-34
NIST SP 800-37 | Guide for Applying the Risk Management Framework to Federal Information Systems | June 2014 | SP 800-37
NIST SP 800-39 | Managing Information Security Risk: Organization, Mission, and Information System View | March 2011 | SP 800-39
NIST 800-47 | NIST 800-47, Security Guide for Interconnecting Information Technology Systems | August 2002 | SP 800-47
NIST SP 800-53 | Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4 [Includes updates as of 01-22-2015] | February 2016 | SP 800-53
NIST SP 800-53A | Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, Revision 4 | December 2014 | SP 800-53A
NIST SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories, Revision 1 | August 2008 | SP 800-60
NIST SP 800-61 | Computer Security Incident Handling Guide, Revision 2 | August 2012 | SP 800-61
NIST SP 800-63-2 | Electronic Authentication Guideline: Computer Security, Revision 2 | August 2013 | SP 800-63-2
NIST SP 800-64 | Security Considerations in the System Development Life Cycle, Revision 2 | October 2008 | SP 800-64
NIST SP 800-115 | Technical Guide to Information Security Testing and Assessment | September 2008 | SP 800-115
NIST SP 800-128 | Guide for Security-Focused Configuration Management of Information Systems | August 2011 | SP 800-128
NIST SP 800-137 | Information Security Continuous Monitoring for Federal Information Systems and Organizations | September 2011 | SP 800-137
NIST SP 800-144 | Guidelines on Security and Privacy in Public Cloud Computing | December 2011 | SP 800-144
NIST SP 800-145 | The NIST Definition of Cloud Computing | September 2011 | SP 800-145
FTC | Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress | June 1998 | FTC Privacy Online
NARA 2010-05 | Guidance on Managing Records in Cloud Computing Environments (NARA Bulletin) | September 2010 | NARA 2010-05
FDIC | Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks | June 2004 | FDIC Privacy Risks

1.3 PERSONALLY IDENTIFIABLE INFORMATION (PII)

Personally Identifiable Information (PII) as defined in OMB Memorandum M-07-16 refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Information that could be tied to more than one person (date of birth) is not considered PII unless it is made available with other types of information that together could render both values as PII (for example, date of birth and street address). A non-exhaustive list of examples of types of PII includes:

- Social Security numbers
- Passport numbers
- Driver's license numbers
- Biometric information
- DNA information
- Bank account numbers

PII does not refer to business information or government information that cannot be traced back to an individual person.

2 PRIVACY THRESHOLD ANALYSIS

Distributed Solutions, Inc. (DSI) performs a Privacy Threshold Analysis annually to determine if PII is collected by any of the Information System Name (Information System Abbreviation) components. If PII is discovered, a Privacy Impact Assessment is performed. The Privacy Impact Assessment template used by DSI can be found in Section 3. This section constitutes the Privacy Threshold Analysis and findings.

2.1 QUALIFYING QUESTIONS

1. Does the Interconnection Security Agreement (ISA) collect, maintain, or share PII in any identifiable form? Yes
2. Does the ISA collect, maintain, or share PII information from or about the public? No
3. Has a Privacy Impact Assessment ever been performed for the ISA? No
4. Is there a Privacy Act System of Records Notice (SORN) for this ISA system? No
   If yes; the SORN identifier and name is: Enter SORN ID/Name.

If answers to Questions 1-4 are all "No" then a Privacy Impact Assessment may be omitted. If any of the answers to Questions 1-4 are "Yes" then complete a Privacy Impact Assessment.

2.2 DESIGNATION

Check one.
A Privacy Sensitive System
Not a Privacy Sensitive System (in its current version)

3 PRIVACY IMPACT ASSESSMENT

A Privacy Impact Assessment has not been conducted for the DSI SaaS. This is the first PIA for the DSI SaaS.

3.1 PII MAPPING OF COMPONENTS

AEON consists of Microsoft Structured Query Language (SQL) Server key components. Each component has been analyzed to determine if any elements of that component collect PII. The type of PII collected by AEON and the functions that collect it are recorded in Table 3-1 PII Mapped to Components.

Table 3-1 PII Mapped to Components

Components: SQL Server
Does this function collect or store PII? (Yes/No): Yes (Store)
Type of PII: Vendor Identification Number (TIN), System for Award Management (SAM.gov) username and password
Reason for Collection of PII: FERC: Allows user to make necessary purchases from known vendor(s), associates the vendor information with contract award information
Safeguards: FIPS 140-2 cryptography applied to specific table and table row where such data is encrypted

3.2 PII IN USE

Complete the following questions:

1. What PII (name, social security number, date of birth, address, etc.) is contained in the Distributed Solutions, Inc. (DSI) service offering?

DSI SaaS contains PII; however, the type of PII varies based on the Federal Energy Regulatory Commission (FERC) and the nature of the configuration of the application, which are based on customer requirements. The PII contained in the Automated Acquisition Management Solution (AAMS) is the vendor's EIN, TIN and SAM user name and password. See Table 3-1 above.

2. Can individuals "opt-out" by declining to provide PII or by consenting only to a particular use (e.g., allowing basic use of their personal information, but not sharing with other government agencies)?

Yes / No

Explain the issues and circumstances of being able to opt-out (either for specific data elements or specific uses of the data): If and when the situation arises, DSI leaves this decision to the discretion of FERC.

3.3 SOURCES OF PII AND PURPOSE

3. Does DSI have knowledge of federal agencies that provide PII to the system?

Yes.

4. Has any agency that is providing PII to the system provided a stated purpose for populating the system with PII?

Yes. The purpose is stated in the agency's tailoring of security controls where NIST SP 800-53 Rev. 4 requires an organizational defined setting(s).

5. Does DSI populate the system with PII? If yes, what is the purpose?

No.
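Table 3-1 records that the vendor TIN and SAM.gov credentials are stored in SQL Server with FIPS 140-2 cryptography applied to the specific table and rows, and Section 3.4 adds that encryption and decryption happen at the application level so that SQL and network administrators cannot view the data. The following Go program is an added example of that design and is not DSI's or AEON's code; the VendorRow fields, the column labels, and the use of AES-256-GCM are assumptions.

```go
// Added example, not DSI's or AEON's code: application-level encryption of the
// PII columns in Table 3-1 (vendor TIN, SAM.gov username) so the SQL Server table
// holds only ciphertext and an administrator with direct table access cannot read
// the values. AES-256-GCM stands in for the FIPS 140-2 cryptography the PIA cites;
// row, column and function names are assumptions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

type VendorRow struct {
	VendorID   int
	TINEnc     string // hex(nonce || ciphertext || GCM tag); the table never sees plaintext
	SAMUserEnc string
}

type PIIVault struct{ aead cipher.AEAD } // key lives in the application, never in the database

func NewPIIVault(key []byte) (*PIIVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &PIIVault{aead: aead}, err
}

// aad binds each ciphertext to its row and column: a value copied from another
// row or column fails authentication instead of decrypting as someone else's PII.
func aad(vendorID int, column string) []byte {
	return []byte(fmt.Sprintf("vendor:%d:%s", vendorID, column))
}

func (v *PIIVault) seal(vendorID int, column, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), aad(vendorID, column))
	return hex.EncodeToString(ct), nil
}

func (v *PIIVault) open(vendorID int, column, encHex string) (string, error) {
	raw, err := hex.DecodeString(encHex)
	ns := v.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], aad(vendorID, column))
	return string(pt), err // non-nil on tampering, wrong key, or wrong row/column
}

// StoreVendor is the application write path: PII is encrypted before the INSERT.
func (v *PIIVault) StoreVendor(id int, tin, samUser string) (r VendorRow, err error) {
	r.VendorID = id
	if r.TINEnc, err = v.seal(id, "tin", tin); err == nil {
		r.SAMUserEnc, err = v.seal(id, "sam_user", samUser)
	}
	return r, err
}

// ReadVendor is the application read path used by a FERC-authorized role.
func (v *PIIVault) ReadVendor(r VendorRow) (tin, samUser string, err error) {
	if tin, err = v.open(r.VendorID, "tin", r.TINEnc); err == nil {
		samUser, err = v.open(r.VendorID, "sam_user", r.SAMUserEnc)
	}
	return tin, samUser, err
}

// DBAView is what SELECT * returns to someone with direct table access.
func DBAView(r VendorRow) string {
	return fmt.Sprintf("vendor=%d tin=%s sam_user=%s", r.VendorID, r.TINEnc, r.SAMUserEnc)
}

func main() { // constructed demo key and PII; production keys live in a key manager or HSM
	key := make([]byte, 32)
	rand.Read(key)
	vault, _ := NewPIIVault(key)
	row, _ := vault.StoreVendor(42, "12-3456789", "vendor.poc@example.com")
	fmt.Println("DBA sees:", DBAView(row))
}
```

The row/column binding is what makes "encrypted at the table row" meaningful: a SQL administrator who copies one vendor's ciphertext into another row gets an authentication failure, not a decrypted TIN.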

6. What other third party sources will be providing PII to the system? Explain the PII that will be provided and the purpose for it.

DSI does not have the authority to allow third party sources to provide PII to the system. DSI is unaware whether the customer receives PII from any third-party sources. The information contained in the system is what has been provided directly from the customer. See Table 3-1. AAMS imports the TIN from the SAM, the official United States government system that manages data related to the peripheral acquisition systems.

3.4 ACCESS TO PII AND SHARING

7. What federal agencies have access to the PII, even if they are not the original provider? Who establishes the criteria for what PII can be shared?

None. FERC has not permitted DSI to provide other Federal agencies with access to PII stored in the system.

8. What DSI personnel will have access to the system and the PII (e.g., users, managers, system administrators, developers, contractors, other)? Explain the need for DSI personnel to have access to the PII.

DSI's Application Engineer(s) and SQL Administrator(s) will have access to the system and the PII, and are the staff who will need to configure the solution to capture the necessary PII, set the necessary encryption levels, and test and validate the encryption and/or cryptographic module being used. There are no known contractors or other third parties who have been given direct access to the system and/or the PII captured within the system.

9. How is access to the PII determined? Are criteria, procedures, controls, and responsibilities regarding access documented? Does access require manager approval?

With the exception of DSI's authorized personnel who are required to configure, test, and validate encryption for PII data, the criteria, procedures, controls, and responsibilities regarding access to PII data from the information system are all within the discretion and responsibility of FERC. DSI's SaaS provides role-based security where FERC is responsible for authorizing access to such data. DSI's authorized personnel are those who upon hire and based on related experience have been designated as either Application Engineers, SQL Administrators, and/or Network Engineers. In most cases, such individuals also are cleared and credentialed by agency customers in order to manage and maintain the customer instance. It should be noted, however, that PII data is encrypted and therefore not viewable by network and/or SQL administrators and application engineers, since encryption and decryption happen at the application level.

Access to the AAMS application is governed through our Financial System and Travel Staff (FSTS) Security Administration Standard Operating Procedure, which requires a manager's approval. Specifically, the Acquisition Services Division's Director, or their designee, is responsible for requesting all new access to the AAMS application. These initiators are also considered approving authorities, and the conventional steps associated with granting access to the AAMS application are listed below:

1) The initiator will electronically complete the AAMS User Access Request Form. Each new access request must be accompanied by a Rules of Behavior (ROB) acknowledgement that is signed by the employee.
2) The initiator emails the access request form to FSTS at: CFOsystems@ferc.gov.
3) The employee will be emailed a link to the rules of behavior and must sign it electronically and send it back to FSTS.
4) FSTS checks the request form for completeness, correctness, and appropriateness, works with the initiator to make any necessary changes, and is also responsible for validating that the initiator is the appropriate approving authority (Division Director or designee).
5) FSTS validates that a ROB acknowledgement form has been completed, signed by the new user requesting access, and submitted to FSTS.
6) Once the request package (including the AAMS User Access Request Form, the signed ROB, and any supporting email traffic) is validated, FSTS grants the documented access within the AAMS application.
7) For new users, FSTS sends an email notifying the user of their ID and calls them to relay their password.
8) All security documentation is archived for audit purposes.

10. Do other systems share, transmit, or have access to the PII in the system? If yes, explain the purpose for system to system transmission, access, or sharing.

No.

3.5 PII SAFEGUARDS AND LIABILITIES

11. What controls are in place to prevent the misuse (e.g., browsing) of data by those having access?

DSI's SaaS provides role-based security where users are either authorized and/or prohibited access to PII data depending on role assignments. FERC is solely responsible for granting access to users. Furthermore, each cloud module for FERC adheres to DSI's customized infrastructure where additional security protocols are in place to restrict access and prevent misuse of PII data. Additionally, security is strengthened with the implementation of FIPS 140-2.

12. Who will be responsible for protecting the privacy rights of the individuals whose PII is collected, maintained, or shared on the system? Have policies and/or procedures been established for this responsibility and accountability?

The SaaS/FERC has policies and procedures for proper PII handling. In addition, DSI has its own internal policies and procedures in place for the protection of PII contained within its system.

In addition, FERC is responsible for protecting the privacy rights of the individuals whose PII is collected, maintained, or stored on the system. The Commission has procedures for handling PII and rules of behavior that every employee must adhere to in order to protect the privacy rights of individuals.

13. Does DSI's annual security training include privacy training? Does DSI require contractors to take the training?

Yes. DSI provides security awareness and privacy training to its employees at least annually and upon employment. Should DSI hire any contractors, the contractor(s) will also be subject to such training.

14. Who is responsible for assuring safeguards for the PII?

For the infrastructure and at the security boundaries of the information system, DSI relies on Edge Hosting Commercial Cloud Service as its PaaS partner. The SaaS/FERC, with assistance from DSI, are responsible for providing a PTA and PIA that would determine the level of protection necessary for the type of PII being captured. DSI is responsible at the application level for ensuring that the appropriate encryption and security measures are in place to safeguard the PII. In addition, DSI has its own internal policies and procedures in place for the protection of PII contained within its system.

15. What is the magnitude of harm to the corporation if privacy related data is disclosed, intentionally or unintentionally? Would the reputation of the corporation be affected?

The magnitude of harm or impact would ultimately depend on the nature of the PII data and the threat exploiting the vulnerability that would have caused the initial breach of confidentiality, availability, or integrity of the data. The reputation of the CSP or its customers could potentially be affected if an after-the-fact investigation revealed that either the CSP or the customer did not secure the system properly or sufficiently at the infrastructure/platform levels (IaaS/PaaS) or application level (SaaS/FERC).

16. What is the magnitude of harm to the individuals if privacy related data is disclosed, intentionally or unintentionally?

The magnitude of harm or impact would ultimately depend on the nature of the PII data and the threat exploiting the vulnerability that would have caused the initial breach of confidentiality, availability, or integrity of the data. The reputation of the CSP or its customers could potentially be affected if an after-the-fact investigation revealed that either the CSP or the customer did not secure the system properly or sufficiently at the infrastructure or platform levels (IaaS/PaaS) or application level (SaaS/FERC). The effect or harm to the individual is dependent upon the nature of the PII the agency customers wish to have collected; therefore, agency customers will be required to perform their own privacy assessment to determine the risk and/or harm to individuals based on the PII being collected.

17. What involvement will contractors have with the design and maintenance of the system? Has a contractor confidentiality agreement or a Non-Disclosure Agreement (NDA) been developed for contractors who work on the system?

Contractors will not have any involvement with the design and/or maintenance of the system. DSI maintains all system components. Yes, NDAs have been developed for contractors who may work on the system. For each contractor DSI works with, all such contractors and their employees who are engaged in the project are required to sign NDAs.

18. Is the PII owner advised about what federal agencies or other organizations share or have access to the data?

Yes. DSI in its personnel policies and its engagement contracts with contractors advises PII owners that federal agencies or other organizations may require PII data and that DSI may be required to divulge such information as required. Each PII owner is also advised of the DSI SaaS structure, which segregates, physically and/or logically, one Federal information system from another.

3.6 CONTRACTS, AGREEMENTS, AND OWNERSHIP

19. NIST SP 800-144 states, "Organizations are ultimately accountable for the security and privacy of data held by a cloud provider on their behalf." Is this accountability described in contracts with customers? Why or why not?

Yes, this principle, when applicable, is covered in our contracts on an as-needed basis. As a cloud provider, Distributed Solutions Inc. ("DSI") accepts limited liability in the event DSI fails to deliver its security services as defined in each contract. However, the contract provides that, in the absence of negligence or other improper conduct, the supplying organization is ultimately accountable for the security and privacy of the data supplied by it.

20. Do contracts with customers establish who has ownership rights over data including PII?

Yes; unless otherwise agreed to, any data provided by the customer in its raw form remains the property of the customer.

21. Do contracts with customers require that customers notify DSI if the customer intends to populate the service platform with PII? Why or why not?

DSI requires each customer to disclose if PII will be included in their infrastructure during the pre-sales process. Customer infrastructure requiring PII protection is designed with security protections appropriate to secure PII data. The customer's PII requirements are specified in each customer contract, and the customer is obligated to notify DSI of any changes to the customer's PII requirements.

22. Do DSI contracts with customers establish record retention responsibilities for both the customer and DSI?

Yes, DSI retains financial and contracts records for a period of three (3) years, or such other period of time as determined in a specific Agreement. With respect to client data, DSI follows client directions with respect to the retention or disposal of customer data.

23. Is the degree to which DSI will accept liability for exposure of PII clearly defined in agreements with customers?

Yes, DSI only accepts limited liability for exposure of PII to the extent that DSI breaches the delivery of the security services contracted. However, the contract provides that, in the absence of negligence or other improper conduct, the supplying organization is ultimately accountable for the security and privacy of the data supplied by it.

3.7 ATTRIBUTES AND ACCURACY OF THE PII

24. Is the PII collected verified for accuracy? Why or why not?

This is the responsibility of the SaaS/FERC. The SaaS/FERC relies on the information collected directly from the data subject to be accurate and complete.

25. Is the PII current? How is this determined?

This is the responsibility of the SaaS/FERC. Yes. FERC relies on the information it receives from the individual to be current and on the individual to notify the Commission if information submitted is inaccurate or needs to be updated.

3.8 MAINTENANCE AND ADMINISTRATIVE CONTROLS

26. If the system is operated in more than one site, how is consistent use of the system and PII maintained in all sites? Are the same controls used?

Yes. The PaaS's Disaster Recovery (DR) site will have the same configuration.

27. What are the retention periods of PII for this system? Under what guidelines are the retention periods determined? Who establishes the retention guidelines?

This is primarily the responsibility of the SaaS/FERC in collaboration with DSI. Unless otherwise agreed to, DSI shall retain PII records for a period of three (3) years; however, with respect to client data, DSI follows client directions with respect to the retention or disposal of customer data.

28. What are the procedures for disposition of the PII at the end of the retention period? How long will any reports that contain PII be maintained? How

