Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- Subject: Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- From: "Shawn A. Geddis via Fed-talk" <email@hidden>
- Date: Sat, 29 Jun 2019 02:56:23 -0700
> On Jun 14, 2019, at 1:20 PM, Neely, Lee via Fed-talk
> <email@hidden> wrote:
>
> This would need to be an approved cloud service, irrespective of your
> determination to issue an ATO or not, particularly as the process involves
> uploading your code to Apple for analysis/notarization.
>
> As you will be uploading code to Apple, a need to understand information
> protection and disposition is key, irrespective of label.
> Lee
Lee et al.,
Notarizing Your App Before Distribution
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
Give users even more confidence in your software by submitting it to Apple for
notarization.
Overview
Notarization gives users more confidence that the Developer ID-signed software
you distribute has been checked by Apple for malicious components. Notarization
is not App Review. The Apple notary service is an automated system that scans
your software for malicious content, checks for code-signing issues, and
returns the results to you quickly. If there are no issues, the notary service
generates a ticket for you to staple to your software; the notary service also
publishes that ticket online where Gatekeeper can find it.
When the user first installs or runs your software, the presence of a ticket
(either online or attached to the executable) tells Gatekeeper that Apple
notarized the software. Gatekeeper then places descriptive information in the
initial launch dialog to help the user make an informed choice about whether to
launch the app.
Why would this suddenly be interpreted as a "Cloud Service", especially given
the definition noted at https://www.fedramp.gov/about/:
"...any cloud services that hold federal data must be FedRAMP authorized."
____
FedRAMP Tips and Cues
https://www.fedramp.gov/assets/resources/documents/FedRAMP_Tips_and_Cues.pdf
Q: Can a Federal Agency require CSPs to be FedRAMP authorized in a request for
proposal (RFP)?
A: Federal Agencies cannot require CSPs to be FedRAMP authorized as part of
their RFP but can state that a CSP needs to be FedRAMP authorized once federal
data is placed in the system. For more information on contract clauses, please
review the FedRAMP Standard Contractual Clauses.
What Federal Data or User Data would be perceived to be placed in the system?
____
Memorandum: Security Authorization of Information Systems in Cloud Computing
Environments
https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf
"FedRAMP will provide a cost-effective, risk-based approach for the adoption
and use of cloud services by making available to Executive departments and
agencies"
Notarization also has no cost and is a service built into the OS.
____
Can you point to the specific statement or clarification that clearly states
this capability for verifying an executable in an OS is defined as a "Cloud
Service" and would be required to be FedRAMP authorized?
- Shawn
_____________________________
Shawn Geddis
Security and Certifications Engineer
Platform Security / SEAR
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
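Added example, not part of the thread or of Apple's documentation: a small shell check an agency reviewer can run against a Developer ID app to see what the notarization ticket described above actually yields on an endpoint. It assumes macOS 10.14.5 or later with the Xcode command line tools (`codesign`, `spctl`, `xcrun stapler`), and that `spctl` reports the ticket with its usual `source=Notarized Developer ID` line.

```shell
#!/bin/sh
# Added example (not from the thread). Summarises the Gatekeeper verdict and
# ticket state for one app bundle passed as the first argument.

# Map spctl's assessment text (passed in as a string) to a single word:
# rejected | notarized | developer-id | accepted-other | unknown
classify_spctl() {
    case "$1" in
        *rejected*)                         echo "rejected" ;;
        *"source=Notarized Developer ID"*)  echo "notarized" ;;
        *"source=Developer ID"*)            echo "developer-id" ;;
        *accepted*)                         echo "accepted-other" ;;
        *)                                  echo "unknown" ;;
    esac
}

# A stapled ticket validates offline; without one Gatekeeper must reach
# Apple's ticket lookup service at first launch, which matters on isolated hosts.
staple_status() {
    if xcrun stapler validate "$1" >/dev/null 2>&1; then
        echo "stapled"
    else
        echo "not-stapled"
    fi
}

check_app() {
    app="$1"
    # codesign checks the signature chain; spctl applies the Gatekeeper policy,
    # which is where the notarization ticket (online or stapled) is consulted.
    codesign --verify --deep --strict "$app" 2>/dev/null \
        || echo "codesign: signature invalid or missing"
    verdict=$(classify_spctl "$(spctl --assess --type exec -vv "$app" 2>&1)")
    echo "gatekeeper: $verdict"
    echo "ticket: $(staple_status "$app")"
}

# Only run the macOS tools when an app path is supplied.
if [ $# -ge 1 ]; then
    check_app "$1"
fi
```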