Assume that you are the Chief Compliance Officer for Claudius-Cloud, Inc., a cloud service provider. You are currently working on your FedRAMP policies and procedures. The board of directors has asked you to explain the policies and procedures set forth in theFedRAMP System Security Plan (SSP) High Baseline Template.

Actions

In particular, the board has asked you to:

• Explain the purpose of the following four general types of policies and procedures set forth in the FedRAMP System Security Template:
  • Access Control
  • Identification and Authentication
  • Physical Environment and Protection, and
  • Risk Assessment (including in particular Vulnerability Scanning.
• Describe 2 specific policies and procedures from EACH of those four categories listed above (Access Control, Identification and Authentication, Physical Environment and Protection, and Risk Assessment). In describing these8total policies and procedures, you the board has asked you to:
  • Explain how they work
  • Explain why you believe these specific policies and procedures have been included in the FedRAMP required policies and procedures
  • Describe why these policies and procedures are of particular relevance to cloud computing, and
  • Explain why you believe particular policies and procedures have been labeled as they have--i.e., with an "H" (High Baseline Security), "M" (Medium Baseline Security), and "L" (Low Baseline Security). In particular, choose:
    • At least one policy and procedure that is labeled solely with an "(H)" and explain what added level of security is required by this policy/procedure.
    • At least one policy and procedure that is labeled "(L) (M) (H)" and explain why that policy and procedure is so basic that it is required for all 3 types of cloud service security levels.