Continuous Monitoring Strategy & Guide
Version 2.0
June 6, 2014

Executive Summary

The OMB memorandum M-10-15, issued on April 21, 2010, shifted federal security authorization from static, point-in-time processes to ongoing assessment and authorization throughout the system development life cycle. Consistent with this new direction favored by OMB and supported in NIST guidelines, FedRAMP developed an ongoing assessment and authorization program for the purpose of maintaining the authorization of Cloud Service Providers (CSPs).

After a system receives a FedRAMP authorization, its security posture is likely to change over time, whether because the hardware or software of the cloud service offering changes or because new exploits are discovered and used against it. Ongoing assessment and authorization gives federal agencies using cloud services a method of detecting changes to the security posture of a system so that they can make risk-based decisions.

This guide describes the FedRAMP strategy that CSPs are to follow once they have received a FedRAMP Provisional Authorization. CSPs must continuously monitor the cloud service offering to detect changes in the security posture of the system and so enable well-informed, risk-based decision making. This guide instructs CSPs on the FedRAMP strategy for continuously monitoring their systems.

Document Revision History

Date        Page(s)   Description                                                                           Author
06/06/2014            Major revision for SP 800-53 Revision 4. Includes new template and formatting changes.  FedRAMP PMO

Table of Contents

About this document ... 7
Who should use this document? ... 7
How this document is organized ... 7
How to contact us ... 7
1. Overview ... 8
1.1. Purpose of This Document ... 9
1.2. Continuous Monitoring Process ... 9
2. Continuous Monitoring Roles & Responsibilities ... 11
2.1. Authorizing Official ... 11
2.2. FedRAMP PMO ... 12
2.3. Department of Homeland Security (DHS) ... 12
2.4. Third Party Assessment Organization (3PAO) ... 12
3. Continuous Monitoring Process Areas ... 13
3.1. Operational Visibility ... 13
3.2. Change Control ... 15
3.3. Incident Response ... 16
Appendix A – Control Frequencies ... 17
Appendix B – Template Monthly Reporting Summary ... 38
JAB P-ATO Continuous Monitoring Analysis ... 38

List of Tables

Table 3-1 – Control Selection Criteria ... 15
Table A-1 – Summary of Continuous Monitoring Activities & Deliverables ... 37

List of Figures

Figure 1 – NIST Special Publication 800-137 Continuous Monitoring Process ... 10

ABOUT THIS DOCUMENT

This document has been developed to provide guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. This document is not a FedRAMP template; there is nothing to fill out in this document.