Post 302478730 by Linux Bot on Wednesday 8th of December 2010 06:30:03 PM
Exploring the FedRAMP Cloud Computing Security Requirements Baseline

The FedRAMP Security Requirements "describes the U.S. Government's proposed Assessment and Authorization (A&A) for U.S. Government Cloud Computing." In chapter 1, the FedRAMP PMO defined the proposed requirements (security controls) for a Low- and Moderate-Impact Cloud Computing environment (although not specifically characterizing any specific applicability to the Cloud Delivery or Service Model). In addition, the FedRAMP (DRAFT) publication draws on the existing NIST standards and guidelines to support the authorization of Cloud Services for the Federal Government. However, the FedRAMP publication limits the scope and tailoring of the control requirements to specifying the control parameters [refer to Section 3.3 within NIST SP 800-53, Rev. 3] and adding some additional Control Requirements and Supplemental Guidance to that which already exists within the Security Control Catalog (refer to NIST SP 800-53, Rev 3 - Appendix F).

In the past, NIST has supplemented NIST SP 800-53 to address "information system that differ significantly from traditional administrative, mission support, and scientific data processing information systems." (Refer to NIST SP 800-53 - Appendix I, which establishes a security control baseline specific to Industrial Control Systems.) Although Cloud Computing is not a new technology, it is a unique capability with unique security challenges.

The FedRAMP Cloud Computing Security Requirements Baseline section within FedRAMP.net (http://www.fedramp.net/Cloud+Computi...ments+Baseline) will focus on exploring the selected security control baseline as part of the "Proposed Security Assessment & Authorization for U.S. Government Cloud Computing (DRAFT)" to:

  • Ensure coverage and applicability within Cloud Computing operating environments and within NIST SP 800-53, Rev. 3;
  • Identify and address Cloud-specific security considerations relevant to the objectives of each security control; and
  • List relevant references to support implementation and assessment.

If you are interested in contributing your input, register at FedRAMP.net.


PIV-TOOL(1)                        OpenSC tools                        PIV-TOOL(1)

NAME
       piv-tool - smart card utility for HSPD-12 PIV cards

SYNOPSIS
       piv-tool [OPTIONS]

DESCRIPTION
       The piv-tool utility can be used from the command line to perform
       miscellaneous smart card operations on a HSPD-12 PIV smart card as
       defined in NIST 800-73-3. It is intended for use with test cards only.
       It can be used to load objects, and generate key pairs, as well as
       send arbitrary APDU commands to a card after having authenticated to
       the card using the card key provided by the card vendor.

OPTIONS
       --serial
              Print the derived card serial number from the CHUID object if
              any. Output is in hex byte format.

       --name, -n
              Print the name of the inserted card (driver).

       --admin argument, -A argument
              Authenticate to the card using a 2DES or 3DES key. An argument
              {A|M}:{ref}:{alg} is required, where A uses "EXTERNAL
              AUTHENTICATION" and M uses "MUTUAL AUTHENTICATION". ref is
              normally 9B, and alg is 03 for 3DES. The key is provided by
              the card vendor, and the environment variable PIV_EXT_AUTH_KEY
              must point to a text file with the key in the format:
              XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

       --genkey argument, -G argument
              Generate a key pair on the card and output the public key. An
              argument {ref}:{alg} is required, where ref is 9A, 9C, 9D or
              9E and alg is 06, 07, 11 or 14 for RSA 1024, RSA 2048, ECC 256
              or ECC 384.

       --object ContainerID, -O ContainerID
              Load an object on to the card. The ContainerID is defined in
              NIST 800-73-n without leading 0x. Example: CHUID object is
              3000.

       --cert ref, -s ref
              Load a certificate on to the card. ref is 9A, 9C, 9D or 9E.

       --compresscert ref, -Z ref
              Load a certificate that has been gzipped on to the card. ref
              is 9A, 9C, 9D or 9E.

       --out file, -o file
              Output file for any operation that produces output.

       --in file, -i file
              Input file for any operation that requires an input file.

       --key-slots-discovery file
              Print properties of the key slots. Needs 'admin'
              authentication.

       --send-apdu apdu, -s apdu
              Sends an arbitrary APDU to the card in the format
              AA:BB:CC:DD:EE:FF... This option may be repeated.

       --reader, -r num
              Use the given reader number. The default is 0, the first
              reader in the system.

       --card-driver driver, -c driver
              Use the given card driver. The default is auto-detected.

       --wait, -w
              Wait for a card to be inserted.

       --verbose, -v
              Causes piv-tool to be more verbose. Specify this flag several
              times to enable debug output in the opensc library.

SEE ALSO
       opensc-tool(1)

opensc                               06/03/2012                        PIV-TOOL(1)
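
As an added example (not part of the man page or the OpenSC project), the shell functions below check the inputs that --admin and --genkey expect before piv-tool is run against a test card. The function names are hypothetical, and the 24-byte key length is an assumption taken from the format line shown for PIV_EXT_AUTH_KEY.

```shell
#!/bin/sh
# Added example, not OpenSC code: pre-flight checks for piv-tool admin
# operations on a test card. All function names here are hypothetical.

# The key file must hold 24 colon-separated hex bytes (assumption: the
# length shown in the man page's format line) and must not be accessible
# to group or other.
check_key_file() {
    [ -f "$1" ] || { echo "key file not found: $1" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] ||
        { echo "key file is accessible to group/other: $1" >&2; return 2; }
    tr -d ' \r\n' < "$1" |
        grep -Eq '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){23}$' ||
        { echo "key file is not 24 hex bytes XX:XX:...: $1" >&2; return 3; }
}

# --admin takes {A|M}:{ref}:{alg}; ref and alg are two hex digits each.
check_admin_arg() {
    printf '%s\n' "$1" | grep -Eq '^[AM]:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}$'
}

# --genkey takes {ref}:{alg}, limited to the key references and
# algorithm codes the man page lists.
check_genkey_arg() {
    case $1 in
        9[ACDE]:06|9[ACDE]:07|9[ACDE]:11|9[ACDE]:14) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate every input, then generate a key pair on the card.
# Usage: piv_genkey KEYFILE ADMIN_ARG GENKEY_ARG OUTFILE
piv_genkey() {
    check_key_file "$1" && check_admin_arg "$2" && check_genkey_arg "$3" ||
        return 1
    PIV_EXT_AUTH_KEY=$1 piv-tool --admin "$2" --genkey "$3" --out "$4"
}
```

For example, `piv_genkey ./card.key M:9B:03 9A:07 9a-pub.pem` reaches piv-tool only when the key file and both arguments pass the checks.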