, , , ,

Selecting a 3PAO with assessors that have the Certificate of Cloud Security Knowledge (CCSK)

The CCSK is NOT meant to be a substitute for other certifications in information security, audit and governance. The CCSK augments other credentialing programs like the CISSP, CAP, CSSLP, etc. However, the CCSK does provide a valuable selector for organizations such as federal agencies, cloud service providers (CSPs), and even cloud customers seeking to evaluate the qualifications of potential assessors such as those included in the U.S. Government’s Federal Risk and Authorization Management Program (FedRAMP) Third Party Assessment Organization (3PAO) program when conducting their own due diligence.

Per FedRAMP Program Management Office (PMO) – FedRAMP.gov FAQ:

  1. What is a 3PAO? A 3PAO is an organization that performs initial and periodic assessment of security and privacy controls deployed in cloud information systems.
  2. When is a 3PAO required? CSPs that go through FedRAMP must use a 3PAO to provide an independent verification and validation of the security implementations required by FedRAMP. FedRAMP provisional authorizations must include an assessment by a FedRAMP accredited 3PAO to ensure a consistent assessment process.

The CCSK is not a guarantee but does offer one source to ensure that the assessor has the essential knowledge of cloud computing and security/risk management “best practices” as be applied within a cloud environment (across all of the different deployment and service models, and derivatives).

The FedRAMP PMO 3PAO limits the application of measurement to a response of six (6) key areas as applied to a SaaS environment within a private, public, hybrid, or community deployment model categorized as Moderate-Impact to determine the technical competence and capability of the 3PAO. The six areas include:

  1. methodology
  2. documentation of 9 controls: (i) account management, (ii) remote access, (iii) auditable events, (iv) configuration settings, (v) information system backup, (vi) incident handling, (vii) vulnerability scanning, (viii) transmission confidentiality, and (viiii) flaw remediation in a sample security plan
  3. development of a security assessment plan (SAP)
  4. documented evidence of a simulated execution of the assessment procedures in the SAP,
  5. a report documenting the output of the execution of the SAP
  6. critical success factors

Although a broad coverage of the application of the NIST standards and guidance, it does not specifically highlight the qualification of the individuals that will be hired by the 3PAO to conduct the assessment on the CSP. This is where the CCSK provides a useful tool for a CSP when selecting a 3PAO for their assessment RFP. By establishing minimum personnel requirements such as the CCSK with other credentials like the CISSP, CAP, CSSLP, etc., the CSP could have some level of assurance that the assessor conducting the assessment has evidence of cloud security knowledge.

As I wrote in my section of FedRAMP.net on selecting an independent third party assessor,

“The criteria of an independent assessor(s) or assessment team within the Cloud should include a mix of skills and proficiencies…”

“…a key criteria that should be included as part of the selection criterion when identifying qualified and “capable” independent assessors or members of an assessment team is certifications that establish a baseline of cloud security knowledge.”[1]

However, the CCSK is not only valuable to CSP, but also the 3PAO. As an important hiring criterion for 3PAOs seeking to find qualified candidates, the CCSK can be used as part of the candidate evaluation/selection criteria in jobs announcements. It is important to note that not all candidates will score the same or achieve the same level of cloud security knowledge when taking the CCSK, but at minimum, the CCSK does establish that a candidate has at least a core understanding of a broad range of topics covering the security of cloud computing environments.

As quoted by Stuart Lisk, Senior Manager, Product Management and Marketing at Hubspan in 2010 when the exam was still in the early stages:

“You might think this is just one more pay-for-play certificate to add to your wall. However, when you further examine what it takes to pass this certification, you quickly realize the CSA has ensured this is no cakewalk.”[2]

[1] http://www.fedramp.net/selecting-an-independent-third-party-assessor
[2] http://www.hubspan.com/cloud-security/cloud-security-test-makes-hubspan-techies-certifiable/

1ECG will be holding classes in the Washington D.C. area starting April 1, 2012. Please visit http://www.cloudsecuritytraining.com/training-schedule to find a class to meet your schedule.

Sources for learning more about the CCSK, CCSK Training, and the CCSK Exam:

Leave a Comment

Leave a comment

Leave a Reply