FedRAMP 3PAO Program – Have we Heard of this Idea Before – (ISC)² Blog

In a packed auditorium in 2006, I recall sitting in the “Red Auditorium” at NIST to participate in a workshop hosted by the Computer Security Division.  The goal of the workshop was to discuss the implementation of Phase II of the FISMA Implementation Project.  At the time, the Phase read like this:
“The second phase of the FISMA Implementation Project focuses on the development of a program for credentialing public and private sector organizations to provide security assessment services. Security assessment services involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The assessments may be part of an information system certification and accreditation effort, in support of continuous monitoring of security controls, or for other types of information system security assessments.
Organizations that participate in the credentialing program need to demonstrate competence in the application of the NIST security standards and guidelines and the information security practices consistent with FISMA and OMB requirements. Developing a network of credentialed organizations with demonstrated competence in the provision of security assessment services will give federal agencies and other customers of security assessment services greater confidence in the acquisition and use of such services.”

Although the focus and characteristics of the program may be different, the idea has many similarities. Following the “NIST FISMA Phase II: Workshop of Credentialing Program for Security Assessment Providers”, NIST published NISTIR 7328, “Security Assessment Provider Requirements and Customer Responsibilities”, a document intended to supplement the workshop that focused, in part, on establishing criteria for Security Assessment Team capabilities. One of the most important criteria for measuring a Security Assessment Provider was the composition of the Assessment Team with regard to Knowledge, Skills, and Abilities (KSAs). The references pointed to the Federal Information Systems Controls Audit Manual (FISCAM), the 1999 version, which was superseded in 2009. FISCAM defined KSAs as follows:
In the above list, the 3PAO program focused an effort on ensuring the Third Party Assessment Provider Organization (3PAO):
Of the requirements detailed in the 3PAO Application (above), one in particular, the selection of the assessment team personnel, was left to the Cloud Service Provider and/or the 3PAO to address through their hiring practices for the Assessment Team. This requirement focused on ensuring the security assessors had the relevant knowledge, skills, and abilities for conducting the given security assessment of the cloud service.

Placing a focus on knowledge, which as we recall from earlier in this article is the “foundation upon which skills and abilities are built”, requires more of an assessor than pure security knowledge; it also requires supplemental knowledge of cloud computing. Previously, I have written two articles on the Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK).
In March 2011, I sent an email to David McClure (Associate Administrator GSA’s Office of Citizen Services and Innovative Technologies) noting a similar need for a program focused on the qualifications of third party assessors.
“In reading an article published in the Government Computer News today ( http://gcn.com/Articles/2011/03/23/FedRAMP-myths-GSA-McClure.aspx?p=1 ), a series of 7 specific areas were noted as being focus areas for government improvement of FedRAMP. Specifically #2 (“More guidance on third-party assessors’ independence”), something I believe should be expanded to address additionally is the qualifications of the independent assessors. Unlike the PCI Council (PCI DSS) Qualified Security Assessor (QSA) designation for approved companies and providers ( https://www.pcisecuritystandards.org/approved_companies_providers/index.php ) that can validate a company’s adherence to PCI DSS, a qualification is needed for a Cloud Security Assessor that understands cloud-specific security risks (e.g., Cloud Security Alliance’s Certificate of Cloud Security Knowledge ( https://cloudsecurityalliance.org/certifyme.html )) and adherence to the FedRAMP requirements such as the application of the NIST 800 series – the RMF and NIST SP 800-53 security controls (e.g., the (ISC)2 Certified Authorization Professional ( https://www.isc2.org/cap/Default.aspx )).
I have specifically highlighted the necessity for criteria to be established for independent assessors on FedRAMP.net ( http://www.fedramp.net/selecting-an-independent-third-party-assessor ) to include some additional credential that would adequately address some measure of knowledge both about security in general and security-specific aspects of cloud computing environments, which would enable reports submitted to the government to be valuable in facilitating a “credible, risk-based decision” as necessary to properly authorize a cloud service to operate under the auspices of the FedRAMP program.”
Here, the knowledge is not necessarily focused on mastering the CCSK exam, but rather on understanding the material so that the knowledge gained provides a foundation for supporting the skills and abilities that many successful auditors/assessors/inspectors already have from working within traditional IT environments. The CCSK provides the 3PAO with the knowledge to support federal agencies in the adoption of secure cloud solutions with confidence. The CSA has developed a partner training (see sources below) that is structured and delivered through a comprehensive training program geared to ensure instructors provide a consistent and high-quality training atmosphere.
1ECG provides classes in the Washington D.C. area. Please visit http://www.cloudsecuritytraining.com/training-schedule to find a class to meet your schedule.

Sources for learning more about the CCSK, CCSK Training, and the CCSK Exam:

Author: wpadmin