From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework

Jennifer Gray, Public Sector Compliance Architect
Jim Caggy, Senior DoD Security Architect
In today’s session we will…
- Review DoD Cloud Guidance and Data Impact Levels
- Four Phases of DoD System Accreditation
- Questions
DoD Cloud References

FedRAMP
Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

DoD Cloud Computing Security Requirements Guide (CC SRG)
Outlines the security model by which DoD will leverage cloud computing, along with the security controls and requirements necessary for DoD use of cloud-based solutions (as defined by NIST).

NIST SP 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
A catalog of security and privacy controls for federal information systems. The controls are customizable and are implemented as part of an organization-wide process that manages information security and privacy risk.
DoD Cloud Security Requirements Guide – ATO Process

(Flowchart; recovered labels.) Of the 100’s of Cloud Service Providers (CSP), 30+ are FedRAMP compliant (20+ in process). Providers are a mix of IaaS, PaaS and SaaS; the initial focus is on IaaS. A FedRAMP Authority to Operate is the entry point into the DoD Cloud Security Model (administered via DISA), which adds increasing security and operating requirements at each stage:

- Cloud Service Provider
- FedRAMP Authority to Operate
- CSM ATO Levels 1-2 (Public) – 20+ Provisional Authorizations granted
- CSM ATO Levels 3-5 (Unclass) – 3 Provisional Authorizations granted
- CSM ATO Level 6 (Secret)
- System-specific ATO, signed by the DoD DAA

The DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog.
DoD Cloud Security Model Impact Levels

Impact Level: Description
Level 1: Unclassified publicly releasable information, e.g., recruiting websites.
Level 2: Unclassified publicly releasable information, with access controls, e.g., library systems.
Level 3: Non-National Security System (non-NSS) Controlled Unclassified Information (CUI) – Low confidentiality impact, Moderate integrity impact, e.g., training systems.
Level 4: Non-NSS CUI – Moderate confidentiality impact, Moderate integrity impact, e.g., HR systems.
Level 5: NSS CUI – Moderate confidentiality impact, Moderate integrity impact, e.g., email systems.
Level 6: Classified information up to and including SECRET – Moderate confidentiality impact, Moderate integrity impact, e.g., C2 systems.
Phase 1: Planning

Process: Plan → Document → Assess → Authorize → Monitor (Phase I covers Plan)

- Check DISA catalog of approved CSPs
- Select CSP
- Review AWS compliance documentation
- Review security control inheritance and shared responsibility
- Develop initial architecture
- Categorize system
- Select SRG Impact Level
- Select security controls
Phase 2: Initial Deployment and Documentation

- Request DoD IP space
- Build out base system and test implementation of security controls
- Configure AWS CloudTrail, Config, VPC Flow Logs and CloudWatch
- Document security control implementation
- Document PPSM
- Register in SNAP and coordinate CAP connection
- Coordinate with CNDSP Tier 2
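An offline check of the logging baseline behind the step "Configure AWS CloudTrail, Config, VPC Flow Logs and CloudWatch", written for this page as an added example (not the presenters' or AWS's code). It evaluates evidence in the shape of the AWS CLI describe-trails, get-trail-status, describe-configuration-recorders / describe-configuration-recorder-status, describe-vpcs and describe-flow-logs responses; the sample data is constructed, and the baseline it enforces (a logging multi-region trail with log file validation and CloudWatch Logs delivery, a running Config recorder covering all and global resource types, an ACTIVE flow log capturing ALL traffic on every VPC) is this example's assumption, since the slide only names the services.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    service: str    # "CloudTrail", "Config" or "VPC Flow Logs"
    resource: str   # trail name, recorder name or VPC id ("-" if none applies)
    message: str


def check_cloudtrail(trails, statuses):
    """Require at least one trail that is logging, multi-region, has log file
    validation on and delivers to CloudWatch Logs. `trails` has the shape of
    describe-trails output; `statuses` maps trail name -> get-trail-status."""
    findings = []
    compliant = False
    for t in trails.get("trailList", []):
        name = t["Name"]
        problems = []
        if not statuses.get(name, {}).get("IsLogging"):
            problems.append("trail is not logging")
        if not t.get("IsMultiRegionTrail"):
            problems.append("not multi-region")
        if not t.get("LogFileValidationEnabled"):
            problems.append("log file validation disabled")
        if not t.get("CloudWatchLogsLogGroupArn"):
            problems.append("no CloudWatch Logs delivery")
        if problems:
            findings.append(Finding("CloudTrail", name, "; ".join(problems)))
        else:
            compliant = True
    if not compliant:
        findings.append(Finding("CloudTrail", "-", "no fully compliant trail found"))
    return findings


def check_config(recorders, recorder_status):
    """Require a recorder that is recording and covers all supported resource
    types, including global ones such as IAM (describe-configuration-recorders shape)."""
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return [Finding("Config", "-", "no configuration recorder defined")]
    findings = []
    for r in recs:
        group = r.get("recordingGroup", {})
        problems = []
        if not recorder_status.get(r["name"], {}).get("recording"):
            problems.append("recorder stopped")
        if not group.get("allSupported"):
            problems.append("does not record all supported resource types")
        if not group.get("includeGlobalResourceTypes"):
            problems.append("global resource types excluded")
        if problems:
            findings.append(Finding("Config", r["name"], "; ".join(problems)))
    return findings


def check_flow_logs(vpcs, flow_logs):
    """Every VPC from describe-vpcs needs an ACTIVE flow log (describe-flow-logs)
    that captures ALL traffic, not only ACCEPT or REJECT."""
    covered = {fl["ResourceId"] for fl in flow_logs.get("FlowLogs", [])
               if fl.get("FlowLogStatus") == "ACTIVE" and fl.get("TrafficType") == "ALL"}
    return [Finding("VPC Flow Logs", v["VpcId"], "no ACTIVE flow log capturing ALL traffic")
            for v in vpcs.get("Vpcs", []) if v["VpcId"] not in covered]


def evaluate(evidence):
    """Run the three checks over one evidence bundle; an empty list means pass."""
    return (check_cloudtrail(evidence["trails"], evidence["trail_status"])
            + check_config(evidence["recorders"], evidence["recorder_status"])
            + check_flow_logs(evidence["vpcs"], evidence["flow_logs"]))


# Constructed sample evidence (not real account data): one compliant trail and one
# weak trail, a stopped recorder that skips global types, and two VPCs of which
# only one has a flow log capturing ALL traffic.
SAMPLE_EVIDENCE = {
    "trails": {"trailList": [
        {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
         "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:ct-logs:*"},
        {"Name": "dev-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    ]},
    "trail_status": {"org-trail": {"IsLogging": True}, "dev-trail": {"IsLogging": True}},
    "recorders": {"ConfigurationRecorders": [
        {"name": "default",
         "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}},
    ]},
    "recorder_status": {"default": {"recording": False}},
    "vpcs": {"Vpcs": [{"VpcId": "vpc-0a1b2c3d"}, {"VpcId": "vpc-0e4f5a6b"}]},
    "flow_logs": {"FlowLogs": [
        {"ResourceId": "vpc-0a1b2c3d", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
        {"ResourceId": "vpc-0e4f5a6b", "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
    ]},
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVIDENCE):
        print(f"[{f.service}] {f.resource}: {f.message}")
```

Each finding names the resource and the missing setting, which is the form in which the gap can be carried into the security control implementation documentation and later into a Plan of Action & Milestones.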
Phase 3: Finalize and Accredit Architecture

- Complete architecture build-out and integration requirements
- Lock down system for testing
- Assess system
  ‒ Pentest
  ‒ Vulnerability scan
  ‒ Compliance reviews
- Document findings
- Create Plans of Action & Milestones
- Remediate
- Load security authorization package into eMASS
- Submit final ATO package to your DAA
Phase 4: Continuous Monitoring

- Conduct monthly ACAS scans
- Update HBSS definitions
- Conduct patching (IAVM process)
- Update SSP
- Track and report significant changes to AO
- Perform annual assessment
NIST SP 800-37 Risk Management Framework

(Diagram; recovered labels.) The RMF steps laid over the system development life cycle (SDLC):

RMF steps:
- Categorize the system
- Select controls
- Implement controls
- Assess controls
- Authorize the system
- Monitor controls

SDLC phases: Initiation, Concept Planning, Requirements Analysis, Design, Development, Test, Implementation, Operations & Maintenance, Disposition

SDLC review gates: Project Selection Review, Project Baseline Review, Requirements Review, Preliminary Design Review, Detailed Design Review, Integrated Baseline Review, Implementation Readiness Review, Validation Readiness Review, Operational Readiness Review, Post-Implementation Review, Project Review

Security activities aligned to the gates: Architecture Review, Security Control Assessment, Independent Verification & Validation Assessment, Security Authorization, System Accreditation, Annual Operational Analysis
Questions?

 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 

Recently uploaded (20)

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 

From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework

1. Title slide
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
Jennifer Gray, Public Sector Compliance Architect
Jim Caggy, Senior DoD Security Architect
2. In today's session we will...
- Review DoD Cloud Guidance and Data Impact Levels
- Four Phases of DoD System Accreditation
- Questions
3. DoD Cloud References
FedRAMP: a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
DoD Cloud Computing Security Requirements Guide (CC SRG): outlines the security model by which DoD will leverage cloud computing, along with the security controls and requirements necessary for the DoD to use cloud-based solutions (as defined by NIST).
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations: a catalog of security and privacy controls for federal information systems. The controls are customizable and are implemented as part of an organization-wide process that manages information security and privacy risk.
4. DoD Cloud Security Requirements Guide: ATO Process
The slide is a flow diagram, read left to right with increasing security and operating requirements at each step:
1) Cloud Service Providers (CSPs): hundreds of providers, a mix of IaaS, PaaS and SaaS (initial focus is on IaaS).
2) FedRAMP Authority to Operate: 30+ FedRAMP-compliant CSPs, with 20+ more in process.
3) DoD Cloud Security Model (administered via DISA): a FedRAMP-authorized offering is assessed for a CSM Provisional Authorization at an impact level:
   - CSM ATO Levels 1-2 (Public): 20+ Provisional Authorizations granted
   - CSM ATO Levels 3-5 (Unclassified): 3 Provisional Authorizations granted
   - CSM ATO Level 6 (Secret)
   A DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog.
4) System-specific ATO: granted by a DoD DAA (the slide shows a placeholder approver, "John Doe") for the system built on the authorized offering.
5. DoD Cloud Security Model Impact Levels
Impact Level | Description
Level 1 | Unclassified, publicly releasable information, e.g., recruiting websites.
Level 2 | Unclassified, publicly releasable information with access controls, e.g., library systems.
Level 3 | Non-National Security System (non-NSS) Controlled Unclassified Information (CUI): Low confidentiality impact, Moderate integrity impact, e.g., training systems.
Level 4 | Non-NSS CUI: Moderate confidentiality impact, Moderate integrity impact, e.g., HR systems.
Level 5 | NSS CUI: Moderate confidentiality impact, Moderate integrity impact, e.g., email systems.
Level 6 | Classified information up to and including SECRET: Moderate confidentiality impact, Moderate integrity impact, e.g., C2 systems.
Note: this is the six-level model of the original CC SRG. CC SRG v1r1 (2015) merged Levels 1 and 3 into Levels 2 and 4, so current guidance uses Levels 2, 4, 5 and 6 only; the categorization logic in the rows above is otherwise unchanged.
6. Phase 1: Planning
(Slides 6 through 9 share a process bar, Plan > Document > Assess > Authorize > Monitor, with the current phase highlighted; Phase I covers Plan.)
- Categorize the system
- Select the SRG Impact Level
- Select security controls
- Check the DISA catalog of approved CSPs
- Select a CSP
- Review AWS compliance documentation
- Review security control inheritance and shared responsibility
- Develop the initial architecture
7. Phase 2: Initial Deployment and Documentation
- Request DoD IP space
- Register in SNAP (System/Network Approval Process) and coordinate the CAP (Cloud Access Point) connection
- Build out the base system and test the implementation of security controls
- Configure AWS CloudTrail, AWS Config, VPC Flow Logs and CloudWatch
- Document security control implementation
- Document PPSM (Ports, Protocols and Services Management)
- Coordinate with the CNDSP (Computer Network Defense Service Provider) Tier 2
8. Phase 3: Finalize and Accredit Architecture
- Complete the architecture build-out, integrations and requirements
- Lock down the system for testing
- Assess the system:
  ‒ Pentest
  ‒ Vulnerability scan
  ‒ Compliance reviews
- Document findings
- Remediate
- Create Plans of Action & Milestones (POA&Ms)
- Load the security authorization package into eMASS (Enterprise Mission Assurance Support Service)
- Submit the final ATO package to your DAA
9. Phase 4: Continuous Monitoring
- Conduct monthly ACAS (Assured Compliance Assessment Solution) scans
- Update HBSS (Host Based Security System) definitions
- Conduct patching (IAVM, Information Assurance Vulnerability Management, process)
- Update the SSP (System Security Plan)
- Track and report significant changes to the AO (Authorizing Official)
- Perform the annual assessment
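The four phases hinge on evidence: Phase 2 turns on CloudTrail, AWS Config and VPC Flow Logs, Phase 3 assesses that they are really in place, and Phase 4 has to keep proving it every month. As an added example (not the presenters' or AWS's code) of the kind of check an assessor or ISSO would script for that, the following Python evaluates a snapshot of the account's logging state against a baseline. The input dictionaries mirror the shape of the boto3 responses for describe_trails, get_trail_status (keyed here by trail ARN, which is this example's own convention), describe_configuration_recorders, describe_configuration_recorder_status, describe_vpcs and describe_flow_logs, but every value in the sample is constructed. The baseline rules themselves (a multi-region trail with log file validation and a KMS key, an all-supported Config recorder that is recording, an active ALL-traffic flow log on every VPC) are assumptions chosen for the example, not requirements quoted from the SRG; substitute the control parameters from your own SSP.

```python
"""Baseline check for the AWS logging controls named in Phase 2.

Added example: evaluates snapshots of CloudTrail, AWS Config and VPC Flow Log
state against a baseline. Input dicts mirror the shape of boto3 responses
(describe_trails, get_trail_status, describe_configuration_recorders,
describe_configuration_recorder_status, describe_vpcs, describe_flow_logs);
the sample values below are constructed, not captured from a real account.
"""
from typing import Dict, List


def check_cloudtrail(trails: dict, status_by_arn: Dict[str, dict]) -> List[str]:
    """Require at least one multi-region, validated, KMS-encrypted trail that is logging."""
    findings = []
    compliant = False
    for t in trails.get("trailList", []):
        name, arn = t.get("Name"), t.get("TrailARN")
        problems = []
        if not t.get("IsMultiRegionTrail"):
            problems.append("not multi-region")
        if not t.get("LogFileValidationEnabled"):
            problems.append("log file validation disabled")
        if not t.get("KmsKeyId"):
            problems.append("no KMS key")
        # status_by_arn maps TrailARN -> get_trail_status() response (example convention)
        if not status_by_arn.get(arn, {}).get("IsLogging"):
            problems.append("not logging")
        if problems:
            findings.append(f"CloudTrail {name}: " + ", ".join(problems))
        else:
            compliant = True
    if not compliant:
        findings.append("CloudTrail: no trail satisfies the baseline")
    return findings


def check_config(recorders: dict, statuses: dict) -> List[str]:
    """Require an AWS Config recorder that records all supported resource types and is on."""
    findings = []
    recording = {s["name"]: s.get("recording", False)
                 for s in statuses.get("ConfigurationRecordersStatus", [])}
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["Config: no configuration recorder"]
    for r in recs:
        group = r.get("recordingGroup", {})
        if not group.get("allSupported"):
            findings.append(f"Config {r['name']}: not recording all supported types")
        if not group.get("includeGlobalResourceTypes"):
            findings.append(f"Config {r['name']}: global resource types excluded")
        if not recording.get(r["name"]):
            findings.append(f"Config {r['name']}: recorder is stopped")
    return findings


def check_flow_logs(vpcs: dict, flow_logs: dict) -> List[str]:
    """Require an ACTIVE flow log capturing ALL traffic on every VPC."""
    covered = {f["ResourceId"] for f in flow_logs.get("FlowLogs", [])
               if f.get("FlowLogStatus") == "ACTIVE" and f.get("TrafficType") == "ALL"}
    return [f"VPC {v['VpcId']}: no active ALL-traffic flow log"
            for v in vpcs.get("Vpcs", []) if v["VpcId"] not in covered]


def evaluate(snapshot: dict) -> List[str]:
    """Run every check over one account snapshot and return the list of findings."""
    return (check_cloudtrail(snapshot["trails"], snapshot["trail_status"])
            + check_config(snapshot["recorders"], snapshot["recorder_status"])
            + check_flow_logs(snapshot["vpcs"], snapshot["flow_logs"]))


# Constructed sample: one good trail, one weak trail, Config on, one VPC without an ALL flow log.
ORG_TRAIL = "arn:aws:cloudtrail:us-gov-west-1:111111111111:trail/org-trail"
LEGACY_TRAIL = "arn:aws:cloudtrail:us-gov-west-1:111111111111:trail/legacy"
SAMPLE_SNAPSHOT = {
    "trails": {"trailList": [
        {"Name": "org-trail", "TrailARN": ORG_TRAIL, "IsMultiRegionTrail": True,
         "LogFileValidationEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-gov-west-1:111111111111:key/example"},
        {"Name": "legacy", "TrailARN": LEGACY_TRAIL, "IsMultiRegionTrail": False,
         "LogFileValidationEnabled": False},
    ]},
    "trail_status": {ORG_TRAIL: {"IsLogging": True}, LEGACY_TRAIL: {"IsLogging": True}},
    "recorders": {"ConfigurationRecorders": [
        {"name": "default",
         "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]},
    "recorder_status": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]},
    "vpcs": {"Vpcs": [{"VpcId": "vpc-0a1"}, {"VpcId": "vpc-0b2"}]},
    "flow_logs": {"FlowLogs": [
        {"ResourceId": "vpc-0a1", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
        {"ResourceId": "vpc-0b2", "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
    ]},
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_SNAPSHOT):
        print("FINDING:", finding)
```

Run against the constructed snapshot, the script reports the legacy trail's three gaps and the VPC whose flow log only captures rejected traffic; the compliant org-wide trail keeps the account from failing the CloudTrail check outright. In practice the snapshot would be assembled from live boto3 calls on a schedule (the monthly cadence of Phase 4 is a natural fit) and each finding mapped to the SP 800-53 control it evidences (AU-2, AU-9, AU-12, CM-8 and SI-4 are the usual homes for these four services).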
10. NIST SP 800-37 Risk Management Framework
The slide overlays the six RMF steps on the system development life cycle (SDLC) and the project reviews held in each phase:
RMF steps: Categorize the system > Select controls > Implement controls > Assess controls > Authorize the system > Monitor controls.
SDLC phases: Initiation, Concept, Planning, Requirements Analysis, Design, Development, Test, Implementation, Operations & Maintenance, Disposition.
Project reviews, in SDLC order: Project Selection Review, Project Baseline Review, Architecture Review, Requirements Review, Integrated Baseline Review, Preliminary Design Review, Detailed Design Review, Validation Readiness Review, Implementation Readiness Review, Operational Readiness Review, Post-Implementation Review, Annual Operational Analysis.
Security milestones on the same timeline: Security Control Assessment, Independent Verification & Validation Assessment, System Accreditation, Security Authorization.