ContinuousMonitoringStrategy&GuideVersion2.0June6,2014ExecutiveSummaryTheOMBmemorandumM-10-15,issuedonApril21,2010,changedfromstaticpointintimesecurityauthorizationprocessestoOngoingAssessmentandAuthorizationthroughoutthesystemdevelopmentlifecycle.ConsistentwiththisnewdirectionfavoredbyOMBandsupportedinNISTguidelines,FedRAMPdevelopedanongoingassessmentandauthorizationprogramforthepurposeofmaintainingtheauthorizationofCloudServiceProviders(CSP).2010年4月21日,美国政府管理预算局(OMB)发布了M-10-15备忘录,将时间安全授权过程中的静态点改为贯穿系统开发生命周期的持续评估和授权。除了OMB,NIST指导方针也支持了这个新动向,FedRAMP开发了一套持续评估和授权程序用以维持云服务商(CSP)的授权。AfterasystemreceivesaFedRAMPauthorization,itisprobablethatthesecuritypostureofthesystemcouldchangeovertimeduetochangesinthehardwareorsoftwareonthecloudserviceoffering,oralsoduetothediscoveryandprovocationofnewexploits.Ongoingassessmentandauthorizationprovidesfederalagenciesusingcloudservicesamethodofdetectingchangestothesecuritypostureofasystemforthepurposeofmakingrisk-baseddecisions.系统获得FedRAMP授权后,由于云服务产品的硬件或软件变化,或是因为新漏洞,系统的安全态势可能会随时间发生变化。持续评估和授权给使用云服务的联邦机构提供了检测系统安全态势变化的方法,这样机构就可以做风险导向决策。ThisguidedescribestheFedRAMPstrategyforCSPstouseoncetheyhavereceivedaFedRAMPProvisionalAuthorization.CSPsmustcontinuouslymonitorthecloudserviceofferingtodetectchangesinthesecuritypostureofthesystemtoenablewell-informedrisk-baseddecisionmaking.ThisguideinstructsCSPsontheFedRAMPstrategytocontinuouslymonitortheirsystems.一旦云服务商(CPSs)收到FedRAMP的临时授权,就可以参考本指南描述的FedRAMP策略。为了更清楚地制定风险导向决策,CPS必须持续监控检测系统安全态势变化的云服务产品。本指南在FedRAMP策略方面指导CPS如何持续监控系统。DocumentRevisionHistoryDatePage(s)DescriptionAuthor06/06/2014MajorrevisionforSP800-53Revision4.Includesnewtemplateandformattingchanges.FedRAMPPMODatePage(s)DescriptionAuthorTableofContentsAboutthisdocument........................................................................................................................7Whoshouldusethisdocument?..................................................................................................7Howthisdocumentisorganized..................................................................................................7Howtocontactus........................................................................................................................71.Overview..................................................................................................................................81.1.PurposeofThisDocument................................................................................................81.2.ContinuousMonitoringProcess........................................................................................82.ContinuousMonitoringRoles&Responsibilities..................................................................102.1.AuthorizingOfficial........................................................................................................102.2.FedRAMPPMO..............................................................................................................102.3.Departmentofhomelandsecurity(DHS)................................
