Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- Subject: Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- From: "Shawn A. Geddis via Fed-talk" <email@hidden>
- Date: Sun, 07 Jul 2019 17:58:04 -0700
Uri,
Appreciate your willingness to share your thoughts on this, it is helpful.
Again, I want people to understand that I am trying to get to the bottom of the
real requirements, rather than all of us guessing or performing our own
interpretation — that can be very dangerous.
I did want to comment on one of your statements as an example of a difference
that may be tripping people up.
> As an example – Enhanced Dictation has no cost and is a service built-in to
> the OS, and we are not allowed to use it. So it’s nicely blocked on all of
> our Macs.
You are speaking about a service used by an end-user and you have stated that
by policy you cannot use it and have blocked it. No problem, makes sense and
you have the tools to block as you noted.
Restating the description of Notarization...
> Overview
> Notarization gives users more confidence that the Developer ID-signed
> software you distribute has been checked by Apple for malicious components.
> Notarization is not App Review.
Users do not send, transfer or provide any data to Apple. The Notarized
Applications are verified and allowed to run on macOS because it can be
attested that they do not contain identifiable malicious components. This is an
extension of what has been taking place with Gatekeeper data within macOS now
for some time.
A “developer” of software signed using a Developer ID and distributed to its
users is temporarily sent to Apple servers and checked for malicious
components. What is provided back to the “developer” is the Notarization for
that App. Notarization is not App Review. The Application is then distributed
by the developer through whatever means necessary to all of its users.
Going back to my previous reference of:
"...a CSP needs to be FedRAMP authorized once federal data is placed in the
system."
What is the perceived “federal data” in this case?
Thanks again Uri.
- Shawn
_____________________________
Shawn Geddis
Security and Certifications Engineer
Platform Security / SEAR
> On Jul 3, 2019, at 1:14 PM, Blumenthal, Uri - 0553 - MITLL <email@hidden>
> wrote:
>
> I confess my ignorance, but it seems to me that to upload to an external (to
> DoD) party (such as Apple) anything from a Federal computer (data, source
> code, binary code, logs, whatever) not explicitly approved for being sent
> there, it would require authorization. The external party would need to prove
> to the appropriate authorities that the data it would receive would be
> properly isolated, properly secured, and properly used. Again, I’ve no clue
> what “properly” means in this context.
>
> I don’t know if it’s FedRAMP authorization that’s required in this case, but
> it seems obvious that one would not be allowed to just send his binaries to
> Apple (or MS, or Google, or whoever).
>
> I can imagine corporations and government agencies telling the “big vendors”:
> “What’s in my enterprise-distributed app is none of your business, you are
> not authorized to peek inside”.
>
> As an example – Enhanced Dictation has no cost and is a service built-in to
> the OS, and we are not allowed to use it. So it’s nicely blocked on all of
> our Macs.
>
> What goes to the Apple-run App Store is a different case, of course – but we
> aren’t talking about that when we say “Distribution”, are we?
>
> From: Fed-talk <fed-talk-bounces+uri=email@hidden> on behalf of
> "Shawn A. Geddis via Fed-talk" <email@hidden>
> Reply-To: Shawn Geddis <email@hidden>
> Date: Wednesday, July 3, 2019 at 3:08 PM
> To: Fed Talk <email@hidden>
> Subject: Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
>
> Any takers or redirects?
>
> - Shawn
> _____________________________
> Shawn Geddis
> Security and Certifications Engineer
> Platform Security / SEAR
>
>
>> On Jun 29, 2019, at 2:56 AM, Shawn A. Geddis via Fed-talk
>> <email@hidden> wrote:
>>
>>> On Jun 14, 2019, at 1:20 PM, Neely, Lee via Fed-talk
>>> <email@hidden> wrote:
>>>
>>> This would need to be an approved cloud service, irrespective of your
>>> determination to issue an ATO or not, particularly as the process involves
>>> uploading your code to Apple for analysis/notarization.
>>>
>>> As you will be uploading code to Apple, a need to understand information
>>> protection and disposition is key, irrespective of label.
>>> Lee
>>
>> Lee et al.,
>>
>>> Notarizing Your App Before Distribution
>>> https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
>>>
>>> Give users even more confidence in your software by submitting it to Apple
>>> for notarization.
>>>
>>> Overview
>>> Notarization gives users more confidence that the Developer ID-signed
>>> software you distribute has been checked by Apple for malicious components.
>>> Notarization is not App Review. The Apple notary service is an automated
>>> system that scans your software for malicious content, checks for
>>> code-signing issues, and returns the results to you quickly. If there are
>>> no issues, the notary service generates a ticket for you to staple to your
>>> software; the notary service also publishes that ticket online where
>>> Gatekeeper can find it.
>>>
>>> When the user first installs or runs your software, the presence of a
>>> ticket (either online or attached to the executable) tells Gatekeeper that
>>> Apple notarized the software. Gatekeeper then places descriptive
>>> information in the initial launch dialog to help the user make an informed
>>> choice about whether to launch the app.
>>
>>
>> Why would this suddenly be interpreted as a "Cloud Service”, especially given
>> the definition noted at FedRAMP.gov/about/ <https://www.fedramp.gov/about/>:
>>
>>> “...any cloud services that hold federal data must be FedRAMP authorized."
>>
>> ____
>>> FedRAMP Tips and Cues
>>> https://www.fedramp.gov/assets/resources/documents/FedRAMP_Tips_and_Cues.pdf
>>>
>>> Q: Can a Federal Agency require CSPs to be FedRAMP authorized in a request
>>> for proposal (RFP)?
>>> A: Federal Agencies cannot require CSPs to be FedRAMP authorized as part of
>>> their RFP but can state that a CSP needs to be FedRAMP authorized once
>>> federal data is placed in the system. For more information on contract
>>> clauses, please review the FedRAMP Standard Contractual Clauses.
>>
>> What Federal Data or User Data would be perceived to be placed in the system?
>>
>> ____
>>
>> Memorandum: Security Authorization of Information Systems in Cloud
>> Computing Environments
>> https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf
>>
>>> "FedRAMP will provide a cost-effective, risk-based approach for the
>>> adoption and use of cloud services by making available to Executive
>>> departments and agencies"
>>
>> Notarization also has no cost and is a service built-in to the OS.
>>
>> ____
>>
>> Can you point to the specific statement or clarification that clearly states
>> this capability for verifying an executable in an OS is defined as a "Cloud
>> Service” and would be required to be FedRAMP authorized?
>>
>>
>> - Shawn
>> _____________________________
>> Shawn Geddis
>> Security and Certifications Engineer
>> Platform Security / SEAR
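The Apple overview quoted in this thread says Gatekeeper decides at first launch whether a notarization ticket exists (stapled or published online). For an administrator who wants to confirm which Developer ID-signed apps on a managed Mac actually carry that attestation, the following Python script is an added example (not from the thread, from Apple, or from any list member). It parses the report printed by `spctl --assess --type execute -vv <path>`; the report layout (a `<path>: accepted|rejected` line followed by `source=...` and `origin=...` lines) is assumed from what recent macOS releases emit, and the sample reports, app paths and the team id `TEAMID0000` are constructed for the example. It runs `spctl` only when the tool is present, so the parser and classifier also work on a non-Mac host fed with saved reports.

```python
"""Classify Developer ID-signed apps by whether Gatekeeper recognises a notarization.

Added example for this thread; not Apple's code and not from any list member.
Assumes the `spctl --assess --type execute -vv` report format described in the
lead-in. Sample reports and the team id TEAMID0000 are constructed.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample reports in the assumed spctl -vv format (not captured output).
SAMPLE_NOTARIZED = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_UNNOTARIZED = (
    "/Applications/Legacy.app: rejected\n"
    "source=Unnotarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_UNSIGNED = (
    "/tmp/build/tool.app: rejected\n"
    "source=no usable signature\n"
)

# First report line: "<path>: accepted" or "<path>: rejected".
_VERDICT_RE = re.compile(r"^(?P<path>.+?): (?P<verdict>accepted|rejected)\b")


@dataclass
class Assessment:
    path: str
    verdict: str             # "accepted" or "rejected"
    source: str              # Gatekeeper's stated reason, e.g. "Notarized Developer ID"
    origin: Optional[str]    # signing identity, when the report includes one

    @property
    def notarized(self) -> bool:
        """True only when Gatekeeper accepted the bundle on the strength of a ticket."""
        return self.verdict == "accepted" and self.source.startswith("Notarized")


def parse_spctl_report(report: str) -> Assessment:
    """Parse one spctl assessment report.

    Raises ValueError when the first line is not a verdict line, so a tool
    error message is never silently recorded as a result.
    """
    lines = [ln.strip() for ln in report.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty spctl report")
    m = _VERDICT_RE.match(lines[0])
    if m is None:
        raise ValueError(f"unrecognised verdict line: {lines[0]!r}")
    fields = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")
        if sep:
            fields[key] = value
    return Assessment(
        path=m.group("path"),
        verdict=m.group("verdict"),
        source=fields.get("source", "unknown"),
        origin=fields.get("origin"),
    )


def assess_with_spctl(path: str) -> Optional[Assessment]:
    """Run spctl on a real bundle; returns None where spctl is absent (non-macOS).

    spctl prints the -vv detail on stderr, so both streams are combined.
    """
    if shutil.which("spctl") is None:
        return None
    proc = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-vv", path],
        capture_output=True, text=True, check=False,
    )
    return parse_spctl_report(proc.stdout + proc.stderr)


def classify_reports(reports: list) -> dict:
    """Map each report's path to 'notarized', 'signed-unnotarized' or 'unsigned'."""
    result = {}
    for report in reports:
        a = parse_spctl_report(report)
        if a.notarized:
            result[a.path] = "notarized"
        elif a.origin is not None:
            result[a.path] = "signed-unnotarized"
        else:
            result[a.path] = "unsigned"
    return result


if __name__ == "__main__":
    samples = [SAMPLE_NOTARIZED, SAMPLE_UNNOTARIZED, SAMPLE_UNSIGNED]
    for app_path, state in classify_reports(samples).items():
        print(f"{app_path}: {state}")
```

The classifier keys on the `source=` line rather than on the verdict alone, because a rejection can stem from either a missing ticket or a missing signature, and the two call for different follow-up: the first is a question for the vendor, the second is an unsigned binary that should not be on the fleet at all.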