
FedRAMP Standard Contract Language

FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal agency’s Office of General Counsel (OGC) to ensure it meets all agency requirements, and then incorporated into the security assessment section of a solicitation. The clauses cover FedRAMP requirements for areas like the security assessment process and related ongoing assessment and authorization. The template also provides basic security requirements identifying Cloud Service Provider responsibilities for privacy and security, protection of government data, personnel background screening, and security deliverables with associated frequencies.

The FedRAMP process discretely identifies some security control implementations as either the consumer's responsibility to implement or as a shared responsibility between provider and consumer.

Consumer responsibility controls are incumbent upon the agency to implement, and agencies are advised to consider these security responsibilities in their program planning. Federal agencies must still make a risk-based decision about whether Federal data may be stored and used in a given information system.

Ultimately, the security clauses are templates; they should be reviewed against mission requirements and tailored if agency policy warrants modification.

Compliance Section

FedRAMP Information Technology Systems Security Requirements:

In his December 8, 2011 memo titled “Security Authorization of Information Systems in Cloud Computing Environments,” the Federal CIO established policy for the protection of Federal information in cloud services under the Federal Risk and Authorization Management Program (FedRAMP). Under the FedRAMP policy, agencies leveraging existing cloud-based services or acquiring cloud-based services (other than private cloud-based services) must initiate an authorization and use the FedRAMP information security and privacy requirements (including security and privacy controls, and controls selected for continuous monitoring) for cloud services to support authorization decisions.

Agencies can leverage cloud services assessed and granted provisional authorization through the FedRAMP process to increase efficiency and ensure security compliance. The following security requirements apply to the services provided in the (contract/task order description).

The Federal agency will determine the security category for the cloud system in accordance with Federal Information Processing Standard 199; then, the contractor1 shall apply the appropriate set of impact baseline controls as required in the FedRAMP Cloud Computing Security Requirements Baseline document to ensure compliance to security standards. The FedRAMP baseline controls are based on NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (as amended), and also include a set of additional controls for use within systems providing cloud services to the federal government.

1 Contractor shall refer to cloud service providers, or contract holders who are providing cloud computing services to the Federal Government through this contract.

The contractor shall maintain a security management continuous monitoring environment that meets or exceeds the requirements in the Reporting and Continuous Monitoring (section xxx of this contract/Task Order) based upon the latest edition of FedRAMP Cloud Computing Security Requirements Baseline and FedRAMP Continuous Monitoring Requirements.

*Additional Text for cloud services implemented or acquired before operation of FedRAMP:

*For all currently implemented cloud services and those services currently in the acquisition process prior to June 5, 2012, Federal agencies are required to submit an authorization package to the FedRAMP PMO (or have the contractor prepare the authorization package and submit the package to the FedRAMP PMO) upon completion. All cloud services currently implemented or those in the acquisition process prior to June 5, 2012 must meet all FedRAMP requirements by June 5, 2014.

FedRAMP Privacy Requirements:

Contractor shall be responsible for the following privacy and security safeguards:

1. To the extent required to carry out the FedRAMP assessment and authorization process and FedRAMP continuous monitoring, to safeguard against threats and hazards to the security, integrity, and confidentiality of any non-public Government data collected and stored by the Contractor, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.

2. If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.

3. The contractor shall also comply with any additional FedRAMP privacy requirements.

4. The Government has the right to perform manual or automated audits, scans, reviews, or other inspections of the vendor’s IT environment being used to provide or facilitate services for the Government. In accordance with the Federal Acquisition Regulation (FAR) clause 52.239-1, the contractor shall be responsible for the following privacy and security safeguards:

(a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government. Exception: Disclosure to a Consumer Agency for purposes of C&A verification.

–  –  –

(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.

If the vendor chooses to run its own automated scans or audits, results from these scans may, at the Government’s discretion, be accepted in lieu of Government-performed vulnerability scans.

In these cases, scanning tools and their configuration shall be approved by the Government. In addition, the results of vendor-conducted scans shall be provided, in full, to the Government.


Sensitive But Unclassified (SBU) information, data, and/or equipment will only be disclosed to authorized personnel on a Need-To-Know basis. The contractor shall ensure that appropriate administrative, technical, and physical safeguards are established so that the security and confidentiality of this information, data, and/or equipment is properly protected. When no longer required, this information, data, and/or equipment will be returned to Government control, destroyed, or held until otherwise directed. Destruction of items shall be accomplished by following NIST Special Publication 800-88, Guidelines for Media Sanitization.

The disposition of all data will be at the written direction of the COR; this may include documents returned to Government control, destroyed, or held as specified until otherwise directed. Items returned to the Government shall be hand carried or sent by certified mail to the COR.


The contractor shall be responsible for properly protecting all information used, gathered, or developed as a result of work under this contract. The contractor shall also protect all Government data, equipment, etc. by treating the information as sensitive. All information about the systems gathered or created under this contract should be considered SBU information. It is anticipated that this information will be gathered, created, and stored within the primary work location. If contractor personnel must remove any information from the primary work area, they should protect it to the same extent they would their proprietary data and/or company trade secrets. Any information that is subject to the Privacy Act will be used in full accordance with all rules of conduct applicable to Privacy Act Information.

The government will retain unrestricted rights to government data. The ordering activity retains ownership of any user-created or user-loaded data and applications hosted on the vendor’s infrastructure, and retains the right to request full copies of these at any time.

The data that is processed and stored by the various applications within the network infrastructure contains financial data as well as personally identifiable information (PII). This data and PII shall be protected against unauthorized access, disclosure or modification, theft, or destruction. The contractor shall ensure that the facilities that house the network infrastructure are physically secure.

The data must be available to the Government upon request within one business day, or within the timeframe otherwise specified, and shall not be used for any purpose other than that specified herein. The contractor shall provide requested data at no additional cost to the government.

No data shall be released by the Contractor without the consent of the Government in writing. All requests for release must be submitted in writing to the COR/CO.


The preparation of the deliverables in this contract will be completed at a Sensitive but Unclassified level.


The preliminary and final deliverables and all associated working papers and other material deemed relevant by the agency that have been generated by the contractor in the performance of this contract, are the property of the U.S. Government and must be submitted to the COTR at the conclusion of the contract. The U.S. Government has unlimited data rights to all deliverables and associated working papers and materials in accordance with FAR 52.227-14.

All documents produced for this project are the property of the U.S. Government and cannot be reproduced, or retained by the contractor. All appropriate project documentation will be given to the agency during and at the end of this contract. The contractor shall not release any information without the written consent of the Contracting Officer.

Personnel working on any of the described tasks may, at Government request, be required to sign formal non-disclosure and/or conflict of interest agreements to guarantee the protection and integrity of Government information and documents.

Disclosure of Information:

Additionally, any information made available to the Contractor by the Government shall be used only for the purpose of carrying out the provisions of this contract and shall not be divulged or made known in any manner to any persons except as may be necessary in the performance of the contract. In performance of this contract, the Contractor assumes responsibility for protection of the confidentiality of Government records and shall ensure that all work performed by its subcontractors shall be under the supervision of the Contractor or the Contractor’s responsible employees. Each officer or employee of the Contractor or any of its subcontractors to whom any Government record may be made available or disclosed shall be notified in writing by the Contractor that information disclosed to such officer or employee can be used only for that purpose and to the extent authorized herein. Further disclosure of any such information, by any means, for a purpose or to an extent unauthorized herein, may subject the offender to criminal sanctions imposed by 18 U.S.C. § 1030.

Security Requirements Section

FedRAMP Security Requirements Overview:

The minimum requirements for low and moderate impact cloud systems are contained within the FedRAMP Cloud Computing Security Requirements Baseline. The contractor and Federal Government Agency share responsibility to ensure compliance with security requirements.

The implementation of a new Federal Government cloud system requires a formal process, known as Assessment and Authorization, which provides guidelines for performing the assessment.

FedRAMP requires cloud service providers to utilize a Third-Party Assessment Organization (3PAO) to perform an assessment of the cloud service provider’s security controls to determine the extent to which security controls are implemented correctly, operate as intended, and produce the desired outcome with respect to meeting security requirements.2 The FedRAMP PMO security staff will be available for consultation during the process. Both the FedRAMP PMO staff and JAB will review the results before issuing a Provisional Authorization decision.

The Government reserves the right to verify the infrastructure and security test results before issuing an Authorization decision.

Federal agencies will be able to leverage the provisional Authorization granted by FedRAMP and any documentation prepared by the contractor to issue their own authority to operate.

The vendor is advised to review the FedRAMP guidance documents (see References below) to determine the level of effort that will be necessary to complete the requirements. All FedRAMP documents and templates are available at http://FedRAMP.gov.

FedRAMP Security Compliance Requirements:

The contractor shall implement the controls contained within the FedRAMP Cloud Computing Security Requirements Baseline and FedRAMP Continuous Monitoring Requirements for low and moderate impact systems (as defined in FIPS 199). These documents define requirements for compliance to meet minimum Federal information security and privacy requirements for both low and moderate impact systems. While the FedRAMP baseline controls are based on NIST Special Publication 800-53, Revision 3.

2 The FedRAMP JAB will not review authorization packages assembled by non-accredited third-party assessors.

Contractors can find the list of FedRAMP-accredited 3PAOs at www.FedRAMP.gov.
