[Owasp-leaders] Call for comments: US FedRAMP process

Rex Booth rex.booth at owasp.org
Mon Dec 27 13:46:02 EST 2010


We've had some good comments on this standard thus far, but could use the 
insight of the more technical among us.  Here's a sample of some of the 
issues we'd like to address in our comments to the government:

1) CP-9 Information System Backup: This is going to be a big change 
for the government as they aren't in control of their backups anymore.  
Does OWASP have any expertise?

2) RA-5 Vulnerability Scanning: Most commercial apps are scanning 
much more frequently than quarterly. Do we have best practices we can 
point to?

3) SC-4 Information in Shared Resources: We could use some expertise 
here on how this relates to "multi-tenant" applications.  Does OWASP 
have any advice on a) multi-tenant databases, b) run-time execution on 
the same instance of code, or c) different customers housed on the same 
hardware (virtual or physical)?

On the non-technical side, we also have some good questions:

1) What happens if a cloud provider goes bankrupt? Bankruptcy laws will 
make certain things "discoverable".

2) What happens in a discovery situation where the provider receives a 
court order to look at a server? How is the private data of others protected?

Please consider joining our review team and help OWASP build its brand 
in the US Federal sector!


On 12/15/2010 4:26 PM, Rex Booth wrote:
> All,
> As you may know, the US Federal government is initiating a new 
> certification and accreditation process called FedRAMP.  FedRAMP is a 
> program that will allow cloud-oriented services and applications to 
> undergo the certification and accreditation process (now called 
> Assessment and Authorization) once for the entire Federal government 
> instead of once per agency.  There's a lot of buzz about this among 
> private sector companies and within the agencies.
> OWASP can contribute by reviewing the draft plan which includes 
> details of the process as well as descriptions of the additional 
> controls expected for cloud services.  Comments are due January 17, so 
> this is a relatively tight turn-around.
> I'll be coordinating OWASP's reply to the request for comments.  
> Please let me know if you're interested in participating and I'll 
> include you in the kick-off next week.
> In the meantime, more information on FedRAMP can be found at the 
> following link:
> http://www.cio.gov/pages.cfm/page/Federal-Risk-and-Authorization-Management-Program-FedRAMP 
> Thanks,
> Rex
