Federal Cloud Computing: The Definitive Guide for Cloud Service Providers PDF

538 Pages·2017·7.37 MB·English
Preview Federal Cloud Computing: The Definitive Guide for Cloud Service Providers

Federal Cloud Computing
The Definitive Guide for Cloud Service Providers
Second Edition

Matthew Metheny
Technical Editor: Waylon Krush

Syngress is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States

Copyright © 2013, 2017 Elsevier Inc. All rights reserved.

Excerpts from Federal Information Processing Standards, Special Publications, and Interagency Reports referenced in this book courtesy of the National Institute of Standards and Technology (NIST).

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

ISBN: 978-0-12-809710-6

For information on all Syngress publications visit our website at https://www.elsevier.com

Publisher: Todd Green
Acquisition Editor: Chris Katsaropoulos
Editorial Project Manager: Anna Valutkevich
Production Project Manager: Priya Kumaraguruparan
Designer: Mark Rogers
Typeset by MPS Limited, Chennai, India

Dedication

This book is dedicated to my beautiful wife and amazing son.

To my dear, loving wife Erin, you make me complete. Thank you for tirelessly standing by my side and supporting me every step of the way. There are many times in one's life where the task may seem too difficult, but having someone like you there as a guiding arm to encourage and to consult has been a blessing. You have always been there when the times were challenging. It is with great honor to share this accomplishment with you. To my wife, with love.

To my dear baby boy Greyson, you are my greatest accomplishment. Your daily smiles inspire me. Although you are too young to read this book, I hope one day to share this with you. To my son, I love you.

Contents

About the Author ... xiii
About the Technical Editor ... xv
Foreword by William Corrington ... xvii
Foreword by Jim Reavis ... xix

CHAPTER 1 Introduction to the federal cloud computing strategy ... 1
  Introduction ... 1
  A Historical View of Federal IT ... 6
    The Early Years and the Mainframe Era ... 7
    Shifting to Minicomputer ... 9
    Decentralization: The Microcomputer ("Personal Computer") ... 10
    Transitioning to Mobility ... 11
    Evolution of Federal IT Policy ... 13
  Cloud Computing: Drivers in Federal IT Transformation ... 23
    Drivers for Adoption ... 25
    Cloud Benefits ... 28
  Decision Framework for Cloud Migration ... 30
    Selecting Services to Move to the Cloud ... 31
    Provisioning Cloud Services Effectively ... 32
    Managing Services Rather Than Assets ... 33
  Summary ... 33
  References ... 33

CHAPTER 2 Cloud computing standards ... 35
  Introduction ... 35
  Standards Development Primer ... 39
  Cloud Computing Standardization Drivers ... 42
    Federal Laws and Policy ... 43
    Adoption Barriers ... 44
  Identifying Standards for Federal Cloud Computing Adoption ... 45
    Standards Development Organizations (SDOs) and Other Community-Driven Organizations ... 48
    Standards Inventory ... 48
  Summary ... 57
  References ... 57

CHAPTER 3 A case for open source ... 59
  Introduction ... 59
  Open Source Software and the Federal Government ... 63
  Open Source Software Adoption Challenges: Acquisition and Security ... 68
    Acquisition Challenges ... 68
    Security Challenges ... 71
  Open Source Software and Federal Cloud Computing ... 72
  Summary ... 75
  References ... 76

CHAPTER 4 Security and privacy in public cloud computing ... 79
  Introduction ... 79
  Security and Privacy in the Context of the Public Cloud ... 81
    Federal Privacy Laws and Policies ... 83
    Privacy Act of 1974 ... 86
  Federal Information Security Modernization Act (FISMA) ... 88
  OMB Memorandum Policies ... 89
  Safeguarding Privacy Information ... 90
    Privacy Controls ... 94
    Data Breaches, Impacts, and Consequences ... 109
  Security and Privacy Issues ... 112
  Summary ... 113
  References ... 113

CHAPTER 5 Applying the NIST risk management framework ... 117
  Introduction to FISMA ... 117
    Purpose ... 117
    Roles and Responsibilities ... 119
  Risk Management Framework Overview ... 125
    The Role of Risk Management ... 126
    The NIST RMF and the System Development Life Cycle ... 128
  NIST RMF Process ... 128
    Information System Categorization ... 131
    Security Controls Selection ... 146
    Security Controls Implementation ... 159
    Security Controls Assessment ... 161
    Information System Authorization ... 166
    Security Controls Monitoring ... 175
  Summary ... 182
  References ... 182

CHAPTER 6 Risk management ... 185
  Introduction to Risk Management ... 185
  Federal Information Security Risk Management Practices ... 188
  Overview of Enterprise-Wide Risk Management ... 191
    Components of the NIST Risk Management Process ... 191
    Multitiered Risk Management ... 195
  NIST Risk Management Process ... 198
    Framing Risk ... 199
    Assessing Risk ... 200
    Responding to Risk ... 202
    Monitoring Risk ... 203
  Comparing the NIST and ISO/IEC Risk Management Processes ... 204
  Summary ... 209
  References ... 209

CHAPTER 7 Comparison of federal and international security certification standards ... 211
  Introduction ... 211
  Overview of Certification and Accreditation ... 212
    Evolution of the Federal C&A Processes ... 214
    Towards a Unified Approach to C&A ... 220
  NIST and ISO/IEC Information Security Standards ... 222
    Boundary and Scope Definition ... 225
    Security Policy ... 226
    Risk Management Strategy (Context) ... 227
    Risk Management Process ... 227
    Security Objectives and Controls ... 228
  Summary ... 236
  References ... 236