Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- Subject: Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- From: "Blumenthal, Uri - 0553 - MITLL via Fed-talk" <email@hidden>
- Date: Mon, 08 Jul 2019 18:58:21 +0000
- Thread-topic: [Fed-Talk] [EXTERNAL] ATO for Notarization?
Appreciate your willingness to share your thoughts on this, it is helpful.
Again, I want people to understand that I am trying to get to the bottom of the
real requirements, rather than all of us guessing or performing our own
interpretation — that can be very dangerous.
I see your point, but since up until now I seem to be the only one who even
bothered to attempt to answer, I’ll continue.
The Notarized Applications are verified and allowed to run on macOS because it
can be attested that they do not contain identifiable malicious components.
I’m sure the Federal Government would appreciate if all the 3rd-party apps,
like MS Office, Firefox, and such, would be “Apple-Notarized”. I’m equally sure
that the Federal Government would not appreciate if Apple wanted to forcefully
“notarize” apps developed internally – either in-house, or as a part of
Enterprise development/distribution.
I leave alone how certain one can be about the “can be attested” part.
This is an extension of what has been taking place with gatekeeper data within
macOS now for some time.
A “developer” of software signed using a Developer ID and distributed to its
users is temporarily sent to Apple servers and checked for malicious
components.
How can you disclose something “temporarily”??? ^^^
Do I read this correctly that Apple expects developers to send their apps to
Apple? Do you see where/why the Feds may have a problem with this, assuming the
developer in question is on a Federal payroll, as opposed to just being a
vendor who sells what he already developed…?
What is provided back to the “developer” is the Notarization for that App.
Notarization is not App Review. The Application is then distributed by the
developer through whatever means necessary to all of its users.
I don’t care what it’s named. All I care for is that some code may leave my
machine and travel to a non-approved place.
Going back to my previous reference of:
"...a CSP needs to be FedRAMP authorized once federal data is placed in the
system."
What is the perceived 'federal data’ in this case ?
How about: everything (code, data, documentation, etc.) not explicitly cleared
for Public Release?
P.S. I wonder why others on this list don’t comment on what in their experience
is allowed for upload to a 3rd-party service (Cloud, Google Docs, Dropbox,
Adobe Creative Cloud, etc. etc.). I expect the answer to be “nothing”, but
would love for the participants to explicitly confirm (or deny ;) this.
On Jul 3, 2019, at 1:14 PM, Blumenthal, Uri - 0553 - MITLL <email@hidden>
wrote:
I confess my ignorance, but it seems to me that to upload to an external (to
DoD) party (such as Apple) anything from a Federal computer (data, source code,
binary code, logs, whatever) not explicitly approved for being sent there, it
would require authorization. The external party would need to prove to the
appropriate authorities that the data it would receive would be properly
isolated, properly secured, and properly used. Again, I’ve no clue what
“properly” means in this context.
I don’t know if it’s FedRAMP authorization that’s required in this case, but it
seems obvious that one would not be allowed to just send his binaries to Apple
(or MS, or Google, or whoever).
I can imagine corporations and government agencies telling the “big vendors”:
“What’s in my enterprise-distributed app is none of your business, you are not
authorized to peek inside”.
As an example – Enhanced Dictation has no cost and is a service built into the
OS, and we are not allowed to use it. So it’s nicely blocked on all of our Macs.
What goes to the Apple-run App Store is a different case, of course – but we
aren’t talking about that when we say “Distribution”, are we?
From: Fed-talk <fed-talk-bounces+uri=email@hidden> on behalf of
"Shawn A. Geddis via Fed-talk" <email@hidden>
Reply-To: Shawn Geddis <email@hidden>
Date: Wednesday, July 3, 2019 at 3:08 PM
To: Fed Talk <email@hidden>
Subject: Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
Any takers or redirects ?
- Shawn
_____________________________
Shawn Geddis
Security and Certifications Engineer
Platform Security / SEAR
On Jun 29, 2019, at 2:56 AM, Shawn A. Geddis via Fed-talk
<email@hidden> wrote:
On Jun 14, 2019, at 1:20 PM, Neely, Lee via Fed-talk <email@hidden>
wrote:
This would need to be an approved cloud service, irrespective of your
determination to issue an ATO or not, particularly as the process involves
uploading your code to Apple for analysis/notarization.
As you will be uploading code to Apple, a need to understand information
protection and disposition is key, irrespective of label.
Lee
Lee et al.,
Notarizing Your App Before Distribution
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
Give users even more confidence in your software by submitting it to Apple for
notarization.
Overview
Notarization gives users more confidence that the Developer ID-signed software
you distribute has been checked by Apple for malicious components. Notarization
is not App Review. The Apple notary service is an automated system that scans
your software for malicious content, checks for code-signing issues, and
returns the results to you quickly. If there are no issues, the notary service
generates a ticket for you to staple to your software; the notary service also
publishes that ticket online where Gatekeeper can find it.
When the user first installs or runs your software, the presence of a ticket
(either online or attached to the executable) tells Gatekeeper that Apple
notarized the software. Gatekeeper then places descriptive information in the
initial launch dialog to help the user make an informed choice about whether to
launch the app.
Why would this suddenly be interpreted as a "Cloud Service”, especially given
the definition noted at FedRAMP.gov/about/:
“...any cloud services that hold federal data must be FedRAMP authorized."
____
FedRAMP Tips and Cues
https://www.fedramp.gov/assets/resources/documents/FedRAMP_Tips_and_Cues.pdf
Q: Can a Federal Agency require CSPs to be FedRAMP authorized in a request for
proposal (RFP)?
A: Federal Agencies cannot require CSPs to be FedRAMP authorized as part of
their RFP but can state that a CSP needs to be FedRAMP authorized once federal
data is placed in the system. For more information on contract clauses, please
review the FedRAMP Standard Contractual Clauses.
What Federal Data or User Data would be perceived to be placed in the system ?
____
Memorandum: Security Authorization of Information Systems in Cloud Computing
Environments
https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf
"FedRAMP will provide a cost-effective, risk-based approach for the adoption
and use of cloud services by making available to Executive departments and
agencies"
Notarization also has no cost and is a service built into the OS.
____
Can you point to the specific statement or clarification that clearly states
this capability for verifying an executable in an OS is defined as a "Cloud
Service” and would be required to be FedRAMP authorized?
- Shawn
_____________________________
Shawn Geddis
Security and Certifications Engineer
Platform Security / SEAR
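Added example for this thread (not Apple's tooling and not code from any of the participants): the practical question underneath the exchange is what actually leaves the machine when an app is submitted for notarization. The notary service takes a zip, dmg or pkg of the Developer ID-signed bundle, so the one thing a developer on a Federal payroll can do before the upload step is inventory that archive and refuse to send it if it carries anything beyond the release bundle. The script below works on the zip form, lists every member that would be uploaded, and flags the ones that match an assumed pattern list (source, keys, debug symbols, SCM metadata). The pattern list, the sample bundle and the `MyApp` name are constructed for illustration, not an agency policy.

```python
"""Inventory a notarization submission archive before anything is uploaded.

Added example for this thread; it is not Apple's tooling and not code from any
participant. The notary service accepts a zip, dmg or pkg of the signed bundle;
this script works on the zip form (what `ditto -c -k --keepParent` produces),
lists the members that would leave the machine, and flags the ones an agency
would normally not want to send anywhere. Every pattern below is an assumption
used for illustration, not an agency policy.
"""
import fnmatch
import io
import zipfile
from typing import Dict, Optional

# Assumed categories of material that should not be in a release bundle.
SENSITIVE_PATTERNS = {
    "source": ["*.c", "*.cc", "*.cpp", "*.m", "*.mm", "*.swift", "*.py", "*.go"],
    "secrets": ["*.pem", "*.key", "*.p12", "*.env", "*.mobileprovision"],
    "debug-info": ["*.dSYM/*", "*.map"],
    "scm-metadata": [".git/*", "*/.git/*", "*.orig", "*.rej"],
}


def classify(member: str) -> Optional[str]:
    """Return the category a zip member falls into, or None if it looks benign.

    Patterns are matched against both the full path and the bare file name,
    because some (e.g. "*.dSYM/*") describe a directory and others a file.
    """
    name = member.rsplit("/", 1)[-1]
    for label, patterns in SENSITIVE_PATTERNS.items():
        for pat in patterns:
            if fnmatch.fnmatch(member, pat) or fnmatch.fnmatch(name, pat):
                return label
    return None


def audit_archive(data: bytes) -> Dict[str, object]:
    """Walk the zip bytes; report member count, total size and flagged members."""
    flagged: Dict[str, str] = {}
    members = 0
    total_bytes = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members += 1
            total_bytes += info.file_size
            label = classify(info.filename)
            if label is not None:
                flagged[info.filename] = label
    return {"members": members, "bytes": total_bytes, "flagged": flagged}


def build_sample_app_zip() -> bytes:
    """Constructed stand-in for a zipped .app bundle (not a real application)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MyApp.app/Contents/Info.plist", '<plist version="1.0"/>')
        # Mach-O 64-bit magic followed by filler; stands in for the signed binary.
        zf.writestr("MyApp.app/Contents/MacOS/MyApp", b"\xcf\xfa\xed\xfe" + b"\0" * 64)
        zf.writestr("MyApp.app/Contents/_CodeSignature/CodeResources", "<plist/>")
        # Three things that should never ride along in a release bundle.
        zf.writestr("MyApp.app/Contents/Resources/main.swift", 'print("hello")\n')
        zf.writestr("MyApp.app/Contents/Resources/signing.key", "-----BEGIN PRIVATE KEY-----\n")
        zf.writestr("MyApp.app/Contents/Frameworks/.git/config", "[core]\n")
    return buf.getvalue()


def main() -> int:
    report = audit_archive(build_sample_app_zip())
    print(f"{report['members']} files, {report['bytes']} bytes would be uploaded")
    for member, label in sorted(report["flagged"].items()):
        print(f"  FLAG [{label}] {member}")
    # Non-zero exit so a build script can refuse to run the upload step.
    return 1 if report["flagged"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it in the build pipeline between `ditto` and the upload, and gate the upload on the exit code. It answers only the data-handling question; whether the bundle is correctly signed and, after notarization, whether a ticket is stapled and Gatekeeper accepts it is checked on the Mac with `codesign --verify --deep --strict`, `xcrun stapler validate` and `spctl --assess --type execute`, none of which this script replaces.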