1. Federal Risk and Authorization Management Program (FedRAMP)
3PAO Training
May 31, 2012
2. Training Schedule
9 am: Welcome, Katie Lewin
9:15 am: 3PAO Maintaining Accreditation, NIST
9:40 am: Overview of 3PAO Role, Matt Goodrich
10:10 am: Q&A on Process and 3PAO Program
10:25 am: 15 Minute Break (Hand Out SAP)
10:40 am: Developing the SAP, Kevin Dulany
11:40 am: Q&A on Developing the SAP
12:00 noon: Lunch (Hand out SAR)
12:45 pm: Developing the SAR, Laura Taylor
1:45 pm: On-Going Assessments, Matt Goodrich
2:00 pm: Final Q&A
3. What is FedRAMP?
FedRAMP is a government-wide program that provides
a standardized approach to security assessment,
authorization, and continuous monitoring for cloud
products and services.
This approach uses a “do once, use
many times” framework that will save
cost, time, and staff required to
conduct redundant agency security
assessments.
4. Policy on Security Authorization of Information
Systems in Cloud Computing Environments
December 8, 2011 OMB Policy Memo
The Office of Citizen Services and Innovative
Technology (OCSIT), within the General Services
Administration (GSA), is responsible for managing
FedRAMP, to provide a unified and government-
wide risk management framework that addresses
these problems.
5. FedRAMP’s Purpose
Problem:
• A duplicative, inconsistent, time
consuming, costly, and inefficient
cloud security risk management
approach with little incentive to
leverage existing Authorizations to
Operate (ATOs) among agencies.
Solution: FedRAMP
• Uniform risk management approach
• Standard set of approved, minimum
security controls (FISMA Low and
Moderate Impact)
• Consistent assessment process
• Provisional Authorization
7. FedRAMP Goals
The goals of FedRAMP are to:
1. Accelerate the adoption of cloud solutions through reuse of
assessments and authorizations
2. Increase confidence in security of cloud solutions
3. Achieve consistent security authorizations using a baseline
set of agreed upon standards and accredited independent
third party assessment organizations
4. Ensure consistent application of existing security practices
5. Increase confidence in security assessments
6. Increase automation and near real-time data for continuous
monitoring
8. FedRAMP Phases and Timeline
A phased evolution towards sustainable operations allows for the management of risks,
capture of lessons learned, and incremental rollout of capabilities

Pre-Launch Activities (FY12): FedRAMP finalizes requirements and documentation in
preparation for launch
Key Activities
• Publish FedRAMP Requirements (Security Controls, Templates, Guidance)
• Publish FedRAMP Compliance Guidance for Agencies
• Accredit 3PAOs
• Establish Priority Queue
Outcomes
• Initial List of Accredited 3PAOs
• Launch FedRAMP into Initial Operating Capabilities (IOC Launch: June 6, 2012)

Initial Operational Capabilities (IOC) (FY12): Launch IOC with limited scope and Cloud
Service Providers (CSPs)
Key Activities
• Authorize CSPs
• Update CONOPS, Continuous Monitoring Requirements and CSP Guidance
Outcomes
• Initial CSP Authorizations
• Established Performance Benchmark
• Define Business Model

Full Operations (FY13): Execute full operational capabilities with manual processes
Key Activities
• Conduct Assessments & Authorizations
• Identify Scale Operations to Authorize More CSPs
Outcomes
• Multiple CSP Authorizations
• Measure Benchmarks
• Self-Sustaining Funding Model Covering Operations

Sustaining Operations (Q2 FY14): Move to full implementation with on-demand scalability
Key Activities
• Implement Electronic Authorization Repository
• Scale to Steady State Operations
Outcomes
• Authorizations Scale by Demand
• Implement Business Model
• Privatized Accreditation Board

Across IOC, Full Operations and Sustaining Operations: Gather Feedback and Incorporate
Lessons Learned
9. FedRAMP and the Security Assessment and
Authorization Process
FedRAMP:
• Maintains Security Baseline including Controls &
Continuous Monitoring Requirements
• Maintains Assessment Criteria
• Maintains Active Inventory of Approved Systems

1. Assessment (Consistency and Quality): Independent Assessment
• Before granting a provisional authorization, Cloud Service Provider systems must be
assessed by an approved, Independent Third Party Assessment Organization
• Independent Assessors to be retained from FedRAMP approved list of 3PAOs

2. Provisional Authorization (Trustworthy & Re-useable): Grant Provisional Authorization
• Joint Authorization Board reviews assessment packages and grants provisional
authorizations
• Agencies issue ATOs using a risk-based framework
• Authorizations: 1. Provisional ATO, Joint Authorization Board; 2. ATO, Individual Agencies

3. Ongoing A&A (Continuous Monitoring) (Near Real-Time Assurance): Continuous Review of Risk
• Oversight of the Cloud Service Provider’s ongoing assessment and authorization
activities with a focus on automation and near real-time data feeds
• Ongoing A&A activities will be coordinated through: 1. DHS, CyberScope Data Feeds;
2. DHS, US-CERT Incident Response and Threat Notifications; 3. FedRAMP PMO, POA&Ms
11. FedRAMP Third Party Assessment Organization
(3PAO) Conformity Assessment Process
FedRAMP requires CSPs to use Third Party Assessment Organizations (3PAOs) to
independently validate and verify that they meet FedRAMP security requirements.
FedRAMP worked with NIST to develop a conformity assessment process to qualify 3PAOs.
This conformity assessment process will qualify 3PAOs according to two requirements:
(1) Independence and quality management in accordance with ISO standards; and
(2) Technical competence through FISMA knowledge testing.
Benefits of leveraging a formal 3PAO approval process:
• Creates consistency in performing security assessments among 3PAOs in
accordance with FISMA and NIST standards
• Ensures 3PAO independence from Cloud Service Providers in accordance with
international standards
• Establishes an approved list of 3PAOs for CSPs and agencies to choose from when
satisfying FedRAMP requirements.
12. Quality System & ISO/IEC 17020:1998
• The Quality System is a living system
• Use your Quality System going forward
• Specific ISO/IEC 17020:1998 Topics
– Independence
– Training
– SMEs and Sub-contractors
– Relationship of your Quality System and FedRAMP processes
– Internal audit and management reviews
16. Relationship of 3PAOs and CSPs
• FedRAMP does not make introductions
• CSPs might interview multiple 3PAOs
• 3PAOs must manage their own relationship with CSPs
• 3PAO must not have assisted the CSP in implementing the controls it will assess
• Both parties should allow for contract modifications
• Anticipate questions similar to the following:
– Can you provide past performance information?
– How many FTEs will be required?
– Do you have the right scanner licenses?
– How long will the process take?
– What is the pricing and what does it include?
17. FedRAMP CONOPS: Security Assessment Process
1.0 Security Assessment
  1.1 Initiate Request
  1.2 Document Security Controls
  1.3 Perform Security Testing
  1.4 Finalize Security Assessment
2.0 Leverage ATO
3.0 Ongoing A&A
Security Assessment Process aligns with NIST SP 800-37, R1
18. FedRAMP CONOPS: Security Assessment Process
Initiate Request (Step 1.1 of 1.0 Security Assessment)
  1.1.1 Document Services Boundary and Assets
  1.1.2 Identify Impact Level
  1.1.3 Tailor Controls
  1.1.4 Define Control Implementations
First step in the security assessment process
• Introduction and management of assessment process/timeframes
• Begin defining control responsibility
• Identify any alternate implementations of controls
19. CSP Designates a 3PAO
Initiate Request (Step 1.1)
• Formal notification to FedRAMP of 3PAO selection
• FedRAMP Director assigns an ISSO to the CSP
• 3PAO will need to communicate with the CSP’s ISSO
• CSPs must allow 3PAOs to communicate with ISSO
• Any questions or gotchas should go through the ISSO
20. FedRAMP CONOPS: Security Assessment Process
Document Security Controls (Step 1.2 of 1.0 Security Assessment)
  1.2.1 Document System Security Plan (SSP)
Document the System Security Plan (SSP)
• Address how the CSP implements each FedRAMP security control
• Control responsibility
• What solution is being used for the control?
• How does the solution meet the control requirement?
21. CSP’s Preparation Before Testing
Document Security Controls (Step 1.2)
• Submits the following documents to ISSO:
– System Security Plan
– IT Contingency Plan
– Configuration Management Plan
– Incident Response Plan
– eAuthentication Template
– PTA / PIA Template
– Rules of Behavior
• All documents approved by JAB prior to testing
22. FedRAMP CONOPS: Security Assessment Process
Perform Security Testing (Step 1.3 of 1.0 Security Assessment)
  1.3.1 Develop Testing Plan
  1.3.2 Audit Control Implementations
  1.3.3 Perform Vulnerability / Penetration Testing
  1.3.4 Develop Plan of Action & Milestones (POAM)
Test SSP: begin work with 3PAO
• Assess against the SSP with NIST SP 800-53A test cases
• 3PAO audits assessment and results
• 3PAO generates security assessment report
23. Test Planning Process and Kick-off Meeting
Perform Security Testing (Step 1.3)
• CSP designates 3PAO
• ISSO schedules kick-off meeting with 3PAO & CSP
• Don’t start testing until SAP has been approved
• 3PAO provides CSP Draft copy of SAP with scope
• Discussion of scope & testing process in kick-off meeting
• Inform CSP what IP address the scans will come from
• Provide timeframe for delivery of results
• Post meeting: revise & update SAP and send to CSP
for review, then ISSO sends to JAB for approval
24. FedRAMP CONOPS: Security Assessment Process
Finalize Security Assessment (Step 1.4 of 1.0 Security Assessment)
  1.4.1 Compile all Updated and Final Documentation
  1.4.2 Answer Questions
  1.4.3 Accept and Document Risk Assessment Findings & Make Updates to POAM
  1.4.4 Accept Provisional Authorization
Compile Completed Authorization Package
• Review all documentation
• Review risk posture of CSP system
• Grant / deny provisional authorization
25. FedRAMP Concept of Operations – Overview
(Swimlanes: Cloud Service Provider | FedRAMP | Govt. Agency)

1.0 Security Assessment
1.1 Initiate Request
  CSP: Request Form
  FedRAMP: Logs and Queues Request
  Agency: Sponsor CSP for FedRAMP (agencies may sponsor a CSP)
1.2 Document Security Controls
  CSP: System Security Plan (SSP)
  FedRAMP: Notifies Start of Process; Tailor Controls; Approves or Provides Feedback on SSP
  Agency: Agency may request to add controls or specific implementation criteria
1.3 Perform Security Testing
  CSP: 3PAO Audit / Testing
  FedRAMP: Security Assessment Results (SAR); Approves or Provides Feedback on SAR
1.4 Finalize Security Assessment
  CSP: Security Package
  FedRAMP: Reviews Security Package; Grants Governmentwide Provisional Authorization

2.0 Leverage ATO
2.1 Review of Provisional Authorization and Security Package
  FedRAMP: FedRAMP Data Repository
  Agency: Assesses Impact and Negotiates Contract with CSP
2.2 Grant Agency-Level ATO
  Agency: Grants Agency Specific ATO

3.0 Ongoing Authorization
3.1 Operational Visibility (Continuous Monitoring)
  CSP: Updates Artifacts / Self Attestation
  FedRAMP: Decision on Ongoing Authorization / Update Repository
  Agency: Ensure POAM / Updates meet Agency ATO requirements
3.2 Change Control
  CSP: Notifications
  FedRAMP: Reviews Change Notifications
  Agency: Receives Info on Changes
3.3 Incident Response
  CSP: Report Incidents
  FedRAMP: Tracks Incident; Coordinate w/US-CERT
28. How to Scope the System for Testing
• Review all CSP documents thoroughly
• Determine what databases need to be tested
• Determine the web applications that need testing
• Determine the manual tests that you will perform
• Where will you need to travel to? Datacenters?
• Determine what automated tools you will use
• Determine how many IP addresses slated for testing
– For large implementations, you need to be able to justify the
subset of IP addresses that you selected for testing.
29. Justify the Scope
• If you have 100 or fewer IP addresses, test them all
• Larger implementations: justify the IP addresses that are
slated for testing
– Why did you pick these IP addresses?
– Are they a representative subset of all addresses?
– Are they listed in the inventory?
• Web applications: must test all of them
• Databases: must test all of them
• Role testing: did you test all roles for unauthorized
privilege escalation? If you do not plan on testing all,
include a justification statement on what roles you will test
30. Scanning Considerations
• Scans must be fully authenticated
• Do you have the right scanner licenses?
• Discuss with CSP how your scanners will access their
system
– Do scanner appliances need to be installed?
– Do scanners need to be installed on specific VLANs?
– Can you use virtual scanners?
– Do ports on firewalls need to be opened?
– Do you have fully privileged accounts?
– How many IP addresses need to be scanned?
31. SSP Review: Check Control Origination Information
• In the SSP, each security control includes a table
called Security Control Summary Information.
Security control enhancements also require
security control summary information.
• Defines whose responsibility each control is and
notes if there is a shared responsibility. Check
to see if these make sense.
• Responsible Role: In the field described as
Responsible Role, the CSP should indicate what
staff role within their organization is
responsible for maintaining and implementing
that particular security control. Examples of the
types of role names may differ from CSP to CSP
but could include role names such as:
System Administrator
Database Administrator
Network Operations Analyst
Network Engineer
IT Director
Firewall Engineer
32. Data Center Inspections
• Verify address/location of data centers
• Plan to verify that data center is using the same
controls described in the System Security Plan
• Review PE controls in SSP before going on site
• Do you have a copy of ASHRAE Thermal Guidelines
for Data Processing Environments?
• Avoid multiple visits to the same data center -- get it
right the first time
• Email data center manager with any follow-up
questions
33. Assumptions & Methodology
• Assumptions listed are samples - 3PAO should edit
list of assumptions to indicate the actual
assumptions
• Methodology is written and prescribed; however,
you can add items to the methodology if you feel
it is necessary
34. Types of Security Testing
• Review documentation
– Does it make sense?
– Is anything missing?
– Are all components named?
– Is the network diagram accurate?
– Is the data flow diagram accurate?
– Double-check description of boundaries and read the section
on boundaries in Guide to Understanding FedRAMP
• Security Test Cases
• Tests performed using automated tools
• Tests performed using manual methods
35. Schedule
P. 18 in SAP
• Review draft schedule with CSP before submitting the
SAP to the ISSO
• Leave enough time for documentation review – need
to make sure everything is accurate
• Include data center inspections in the Perform Testing
timeframe
• Make sure there is a common understanding of when
scans will run
• Issue Resolution Meeting: Review Draft SAR with CSP
prior to submitting to ISSO
36. Rules of Engagement
• Modify Rules of Engagement as necessary
• Review rules with CSP
• Negotiate rules with CSP
• Both parties must agree to the rules and sign them
• Make sure general counsel of both parties has an
opportunity to review rules
• Update Limitation of Liability as necessary
37. Testing Issues
• If anything in the System Security Plan (or any other
document) is found to be incorrect, communicate
this to the ISSO and advise the CSP on what
corrections to make
• CSP will need to submit updated document to ISSO
• Suspend testing until ISSO confirms back to 3PAO
and CSP that revised document has been accepted
• If you become aware of the fact that the CSP
boundary is not accurate, suspend testing,
communicate to ISSO, and advise CSP on what
corrections to make
41. Testing Integrity & Completeness
• FedRAMP ISSOs will be reviewing all test results
• It is in your interest (and the interest of the CSP) to
avoid having to do multiple revisions of documents
• ISSOs will open all scan reports and see if reports
match what was approved in the SAP and inventory
• IP address and URLs of tests results will be checked
against SSP Inventory and information in SAP
• All high and medium scan findings should be
discussed in the SAR and ISSOs will check for that
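The ISSO checks described on slide 41 (scan-report IP addresses matched against the SSP inventory and the approved SAP, every High and Medium finding discussed in the SAR) and the scope rules on slide 29 (100 or fewer addresses means test them all; anything left out of a larger scope needs a justification) can be pre-run by the 3PAO before the package goes to the ISSO. The following Python script is an added example written for this page; it is not FedRAMP tooling or any scanner vendor's code. The inventory, the SAP scope, the CSV-style scan export format and all addresses are constructed for illustration, and the field names are assumptions.

```python
"""Pre-submission check: do scan results match the SSP inventory and SAP scope?

Added example for this training material, not FedRAMP tooling. All data below is
constructed: the inventory, SAP scope and scan-report format are assumptions.
"""
import ipaddress
from collections import Counter

# Constructed SSP inventory (hypothetical hosts in documentation address space).
SSP_INVENTORY = {
    "192.0.2.10": "web-01",
    "192.0.2.11": "web-02",
    "192.0.2.20": "db-01",
    "192.0.2.21": "db-02",
    "192.0.2.30": "app-01",
}

# Constructed SAP scope: the addresses the approved SAP says will be scanned.
SAP_SCOPE = {"192.0.2.10", "192.0.2.11", "192.0.2.20", "192.0.2.21"}

# Constructed scan export, one finding per line: host,plugin,severity,title
SCAN_REPORT = """\
192.0.2.10,10001,High,Outdated OpenSSL
192.0.2.10,10002,Medium,TLS 1.0 enabled
192.0.2.11,10002,Medium,TLS 1.0 enabled
192.0.2.20,10003,Low,Service banner disclosure
192.0.2.40,10004,High,Default credentials
"""

FULL_SCAN_THRESHOLD = 100  # slide 29: 100 or fewer addresses, test them all


def parse_scan_report(text):
    """Parse the constructed CSV export; rejects malformed host fields early."""
    findings = []
    for line in text.strip().splitlines():
        host, plugin, severity, title = line.split(",", 3)
        ipaddress.ip_address(host)  # raises ValueError on a non-address host
        findings.append({"host": host, "plugin": plugin,
                         "severity": severity, "title": title})
    return findings


def check_coverage(findings, inventory, scope):
    """Compare what was actually scanned with the inventory and approved scope."""
    scanned = {f["host"] for f in findings}
    inventoried = set(inventory)
    return {
        # Scanned but not in the SSP inventory: inventory or boundary is wrong.
        "not_in_inventory": sorted(scanned - inventoried),
        # Scanned without SAP approval (the ISSO will reject the report).
        "outside_sap_scope": sorted(scanned - scope),
        # Approved in the SAP but no results delivered.
        "scope_not_scanned": sorted(scope - scanned),
        # Inventory hosts left out of scope; these need a justification
        # statement unless the inventory is small enough that all must be tested.
        "inventory_not_in_scope": sorted(inventoried - scope),
        "full_scan_required": len(inventoried) <= FULL_SCAN_THRESHOLD,
    }


def sar_discussion_required(findings):
    """Every High and Medium finding must be discussed in the SAR (slide 41)."""
    return [f for f in findings if f["severity"] in ("High", "Medium")]


def severity_counts(findings):
    """Tabulate findings by severity, as the SAR summary needs."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    findings = parse_scan_report(SCAN_REPORT)
    report = check_coverage(findings, SSP_INVENTORY, SAP_SCOPE)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("severity counts:", severity_counts(findings))
    for f in sar_discussion_required(findings):
        print(f"discuss in SAR: {f['host']} {f['severity']} {f['title']}")
```

On the constructed data the script flags 192.0.2.40 (scanned, but in neither the inventory nor the SAP), db-02 (approved but never scanned) and app-01 (in a five-host inventory but left out of scope, which the 100-address rule does not allow), and lists the four High/Medium findings the SAR must discuss. Run it against the real scan exports before the Issue Resolution Meeting so these are fixed in the draft rather than in an ISSO revision cycle.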
42. Security Assessment Report (SAR)
• Serves as the primary document that the JAB will review
to make risk-based decision on whether or not to issue
Provisional Authorization
• Review a Draft SAR with the CSP before creating the Final
• ISSO / JAB reviews SAR and POA&M
– Approval of JAB required
– Will provide feedback and ask for revisions if not approved
– Feedback may require reassessing some controls
43. Scope and System Overview
• If you used any other documents (or files) than those
listed on p.13, attach these documents to Appendix H.
Possibilities include:
– Configuration Guides
– Procedures
– Files reviewed for secure configurations (e.g. /etc/.rhosts )
– Technical or design specifications
• Make sure the System Description and Purpose match
the description and purpose listed in the System
Security Plan
44. Assessment Methodology
• Perform Tests
• Identify Vulnerabilities
• Identify Threats That Exploit the Vulnerabilities
• Analyze Risks & Determine Risk Exposure
• Advise and Offer Guidance on Corrective Actions
• Document Your Results
Likelihood x Impact = Risk Exposure
45. Interconnection Risks
• Review the interconnection table in the SSP
• Discuss this table with the CSP when reviewing it
• Make sure there is a common understanding of what
these connections are used for
• Is there any risk that third-party connections could be
hostile? Describe these risks in the SAR
• Are more ports and services than necessary being used?
• Did you find any other interconnections that are not
listed in this table? Where are they going to?
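The last two questions on slide 45 (more ports and services than necessary; interconnections that are not in the SSP table) can be answered mechanically from the CSP's firewall or flow logs rather than from interviews alone. The following Python script is an added example written for this page, not FedRAMP's or any vendor's code. The authorization boundary, the interconnection table, the log line format and all addresses are constructed assumptions in documentation address space.

```python
"""Compare observed outbound flows with the SSP interconnection table.

Added example for this training material, not FedRAMP tooling. The boundary,
interconnection table, log format and addresses are constructed assumptions.
"""
import ipaddress

# Constructed CSP authorization boundary (documentation address range).
BOUNDARY = ipaddress.ip_network("192.0.2.0/24")

# Constructed SSP interconnection table: remote network, port, stated purpose.
SSP_INTERCONNECTIONS = [
    {"remote": "198.51.100.0/24", "port": 443, "purpose": "Identity provider (SAML)"},
    {"remote": "203.0.113.5/32", "port": 22, "purpose": "Off-site backup replication"},
]

# Constructed firewall log, one line per flow: action src dst dport proto
FIREWALL_LOG = """\
ALLOW 192.0.2.10 198.51.100.7 443 tcp
ALLOW 192.0.2.20 203.0.113.5 22 tcp
ALLOW 192.0.2.20 203.0.113.5 3306 tcp
ALLOW 192.0.2.30 192.0.2.10 8080 tcp
DENY 192.0.2.11 203.0.113.77 23 tcp
ALLOW 192.0.2.11 203.0.113.77 25 tcp
"""


def parse_firewall_log(text):
    """Keep only permitted flows; denied traffic is not an interconnection."""
    flows = []
    for line in text.strip().splitlines():
        action, src, dst, dport, proto = line.split()
        if action != "ALLOW":
            continue
        flows.append({"src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "dport": int(dport), "proto": proto})
    return flows


def review_interconnections(flows, table, boundary=BOUNDARY):
    """Classify each flow that leaves the boundary against the SSP table.

    documented:        remote network and port both appear in the table
    undocumented_port: remote is a listed partner but the port is not listed
                       (more ports/services than necessary?)
    undocumented_peer: remote is not in the table at all (where is it going?)
    """
    known = [(ipaddress.ip_network(e["remote"]), e["port"], e["purpose"])
             for e in table]
    result = {"documented": [], "undocumented_port": [], "undocumented_peer": []}
    seen = set()
    for f in flows:
        if f["dst"] in boundary:
            continue  # traffic inside the boundary is not an interconnection
        key = (str(f["dst"]), f["dport"])
        if key in seen:
            continue  # report each remote:port pair once
        seen.add(key)
        peer_entries = [k for k in known if f["dst"] in k[0]]
        if any(port == f["dport"] for _, port, _ in peer_entries):
            result["documented"].append(key)
        elif peer_entries:
            result["undocumented_port"].append(key)
        else:
            result["undocumented_peer"].append(key)
    return result


if __name__ == "__main__":
    review = review_interconnections(parse_firewall_log(FIREWALL_LOG),
                                     SSP_INTERCONNECTIONS)
    for category, entries in review.items():
        for dst, port in entries:
            print(f"{category:18} {dst}:{port}")
```

On the constructed log the two table entries are confirmed, the backup partner is also reached on port 3306 (an undocumented service to a documented partner) and 203.0.113.77:25 is an interconnection the SSP does not list at all. Both of the latter belong in the SAR with a risk description; the CSP either documents them or closes them.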
46. Appending the Test Results
• Append test cases results to Appendix B
• Append infrastructure scans to Appendix C
• Append database scans to Appendix D
• Append web application scans to Appendix E
• Append other test results using any other automated
tools to Appendix F
• Append manual test results to Appendix G
• Anticipate that all tests results will be reviewed by ISSO
47. Provisional Authorization Recommendation
• Tabulate the number of system risks
• Make sure each listed risk has accompanying
guidance on how to mitigate the risk
• Render a professional opinion on the security of the
system
– What are the most important things to know regarding the
security of the system?
– What areas had particularly strong security controls and why?
– What areas had particularly weak security controls and why?
– Are the security weaknesses fixable?
• CSP will leverage SAR to create POA&M
48. Finalize Security Assessment
• CSP Submits Supplier’s Declaration of Conformity (SDOC);
verification and attestation to the truth and accuracy of
the implemented security controls as detailed in the
security assessment package
• CSP provides complete package of all updated security
assessment artifacts
• JAB response may require reassessment of some controls
• If JAB accepts risk, the CSP is granted a Provisional
Authorization
• Provisional Authorizations are leveraged by agencies to
issue their own ATO
50. Ongoing Authorization (Continuous Monitoring)
3.0 Ongoing Assessment and Authorization (Continuous Monitoring)
(Swimlanes: Cloud Service Provider (CSP) | FedRAMP | Govt. Agency)
3.1 Operational Visibility
  CSP: Annual Self-Attestation
  FedRAMP: Analyze. Make risk based decision to maintain Provisional Authorization. Notify Agency
  Agency: Ensure CSP risk posture meets agency ATO requirements
3.2 Change Control
  CSP: System Changes
  FedRAMP: Obtains Change Reports / POA&M Updates. Review changes and POA&M. Decision to maintain Provisional Authorization. Notify Agency
  Agency: Ensure POA&M / updates meet ATO requirements
3.3 Incident Response
  CSP: Incident Response Handling
  FedRAMP: Tracks Incident Notifications
  Agency: Responds to Incidents & Coordinates with US-CERT
51. 3PAO Role in Operational Visibility
• CSPs maintain Provisional Authorization by providing
evidence on an ongoing basis that the controls they
have implemented remain effective
• 3PAOs perform quarterly scans (evidence)
• 3PAOs test subset of security controls annually (or
when there is a significant change to the system)
• 3PAOs provide guidance to CSPs on mitigating
vulnerabilities
• 3PAO results used as evidence to support CSP
Self-Attestation indicating controls implemented as
required
52. CSP & JAB Role in Operational Visibility
• CSP submits updated artifacts to FedRAMP and
updates POA&M
• Artifacts are listed in Self-Attestation template
• JAB reviews evidence and makes a risk-based
decision for continuing Provisional Authorization
• Leveraging agencies use the evidence to make
agency ATO decision
53. Change Control
• See Section 3.12 in Guide to Understanding FedRAMP
• CSPs will have to notify ISSO if a major change occurs
• 3PAO will have to test controls that have changed
– Change in authentication or access control implementation
– Change in storage implementation
– Change in COTS product implemented to another product
– Adding more IP addresses to inventory
– Implementing a new code release
– Change in backup mechanisms and process
– Change of IaaS provider (if you are a PaaS or SaaS provider)
– Adding new interconnections to outside service providers
– Change of alternate (or compensating) control
54. Incident Response
• 3PAOs do not typically play a prescribed role in
incident response
• However, if CSP requests 3PAO assistance in
performing incident handling on an active incident,
3PAO may assist CSP in eradicating intruder from the
system
• All 3PAO assistance to CSP during an incident must
be logged on Incident Response Form
• Incident Response Form should include names, times,
and dates of all incident handling
57. Data Center PE-1 (Policies & Procedures)
Before you start inspection, record contact information
for manager/person giving you the tour. Record the
names of every person you interview.
• Ask data center manager if he/she knows what the
data center security policies and procedures say
• Ask him/her to show you a copy
• Find out if staff in data center are aware of these
policies and procedures
58. Data Center PE-2 (Access Authorizations)
• Can CSP provide a list of who has access?
• Who authorizes access to data center?
• Are there different authorization levels? (e.g. chillers,
electrical substation room, UPS/battery room,
generators)
• Who issues and gives out access credentials (e.g.
keycards) to employees?
• Is the data center authorization process
documented?
59. Data Center PE-3 (Access Control)
• Is there a two-factor access control device to get into
data center?
• Examples are card reader with a PIN pad or a card
reader with a biometric capability (many data
centers use hand scanners for access control)
• Record make/model of access devices
• If PINs or passwords are used, do they meet the
password change requirement frequency?
• Are cages/racks locked?
• Access control on electrical substation room, battery
room, chillers, generators?
60. Data Center PE-4 (Access for Transmission Medium)
• Ask to see wiring closets and patch panels
– Do they have locks?
– Who has access?
• Are there exposed telecomm jacks that are not locked?
• Where does telecomm circuit/Internet connectivity
enter the data center?
• Check cables and wires
– Are they below the floor?
– Are they in inaccessible (locked) ceiling trays?
61. Data Center PE-5 (Access Control for Output Devices)
• Who can access monitors, printers, fax machines and
any other output devices (audio) in the datacenter
• Ask what systems can print to data center printers?
• Are printers/monitors password protected? (There
might be good reasons why such controls are not
required, check SSP)
• Look for surveillance cameras. Are surveillance
camera pointing at the printers and monitors?
• Ask what kind of cameras they are using and how
long recorded media is kept for
62. Data Center PE-6 (Monitoring Physical Access)
• Are there cameras pointed at data center entrances?
• Are there guards? Are they armed?
• Are there bollards near the data center building entrance?
• Ask what kind of cameras they are using and how
long recorded media is kept for
• Ask who has access to recorded media and find out
where it is stored
• Ask who maintains camera system
63. Data Center PE-7 ( Visitor Control)
• Receptionist or guard at front desk needs to check
IDs of all visitors and record this information into a
visitor log book or an online log file
• Do guards grant visitor passes for all visitors?
• Do visitors have to sign anything? (e.g. book or
electronic pad)
• Do they take a photo of visitors?
• Do they ask for government issued identification of
visitors?
• Are all visitors, including vendors performing
maintenance escorted?
64. Data Center PE-8 (Access Records)
• Ask to see visitor log books. If visitor logs are
recorded online, ask to see electronic records
• Does cardkey pin/pad, hand geometry scanner, or
whatever device is used at entrances record log files?
Ask to see a sample log for a failed access attempt
into datacenter
• Ask to see log file that shows record of authorized
employee access
65. Data Center PE-9 (Power Equipment)
• Electrical substation should be in a locked room
• Are there circuit breakers in place to protect against
voltage overload?
• Are circuit breakers in a locked substation room?
• Is access to generators and UPS controlled?
• Are there at least two different circuits that provide
electricity to the data center for redundancy?
• How is access to battery room/UPS controlled? How
is access to generators controlled?
66. Data Center PE-10 (Emergency Shutoff)
• There needs to be an emergency power off (EPO)
button in the data center
• It should be located near the exit and should be
behind a clear plastic safety cover to prevent
unintended pushes
• Is there one at each exit?
67. Data Center PE-11 (Emergency Power)
• Ask to see UPS/battery room and generators. Ask who
services the UPS/battery room and how often.
• Ask how often generators are tested (newer generators
are usually programmed to perform automated testing).
Ask what kind of fuel the generators hold (usually diesel or
natural gas). If not using natural gas, ask how many
gallons of fuel the generators hold. Ask what
companies service the generators. If there are fuel
deliveries, find out how often they occur.
• How many seconds/minutes can the data center run off of
UPS before the generators kick in?
68. Data Center PE-12 (Emergency Lighting)
• Data center should have emergency lighting that
automatically activates in the event of a power
outage
• Look for the lights and ask who maintains them and
how often they are tested
• Emergency lighting should also be in operations
center, stairwells and at all emergency exits and
evacuation routes
69. Data Center PE-13 (Fire Protection)
• Is fire suppression (and detection) in place?
• Is a sprinkler system used or inert gas (e.g. Inergen) used?
If gas is used, ask to see gas tanks, who services tanks?
• If a sprinkler system is used ask if it is wet pipe, dry pipe,
pre-action, or deluge
• Ask who services the sprinklers or gas system. Is it monitored
24 x 7 x 365 by an outside service, and does it alert the local fire
authority if activated?
• Is fire inspection performed by the local fire marshal annually
or whenever local building codes require it? Ask to see
the inspection certificate
• Ask if chillers are controlled by the fire suppression system
70. Data Center PE-14 (Temp & Humidity Controls)
• Note make/vendor of AC system (usually Liebert) --
ask how many tons it is
• How is access to air conditioners/HVAC controlled?
Do AC systems have PIN pad or key?
• Ask what temperature and humidity controls are set
for and compare these numbers to what is noted in
the System Security Plan. ASHRAE recommends 65-
77 F (dry bulb) for temp and 40-55% for relative
humidity
• Ask about humidity control alarms: are alerts sent if
relative humidity goes either under 40% or over 55%?
Who receives the alerts?
71. Data Center PE-15 (Water Damage Protection)
• Ensure that water sensors are put in strategic locations
(usually under floor tiles, often near chillers)
• Ask to have a floor tile removed so you can see a water
sensor
• Ask where water sensor alarms are sent to
• Are there master water shut-off valves? Where?
72. Data Center PE-16 (Delivery and Removal)
• Is there a way to monitor entering and exiting of the facility,
data center, and NOC (e.g. surveillance cameras)?
• Where is the video archived (either on site or by a
managed service provider)?
• How long is video archived for?
• Who has access to camera video?
• Is a property removal pass required?
73. Data Center PE-17 (Alternate Work Site)
• Need to have designated alternate work sites –
where are they? (e.g. government facilities, homes)
• Need to have controls, policies, procedures, and
Rules of Behavior in place for alternate work sites –
what are they?
• Examples of controls for alternate work sites:
– VPNs
– Two-factor authentication
– Home User Procedures Guide
– Laptops configured with full disk encryption
74. Data Center PE-18 (Location of System Components)
• Is data center on a fault line?
• Is data center in a location prone to hurricanes?
• Is the data center near a river or in a flood zone?
• Is data center along a coastline? (recall Japanese Tsunami)
• Are there exterior windows on the data center?
• Is there an exterior sign to the building that is visible
from the roads?
• Is data center in an area prone to electrical outages?
• Take a picture of the outside of the facility (if you can)