Dispelling Myths About FedRAMP
Delivering cloud solutions to the U.S. government continues to get faster, easier and cheaper
BY ABEL SUSSMAN, CISSP, CCSP, PMP, CRISC
Cloud computing is having a substantial and growing impact on U.S. government agencies’ work to bring efficiency, agility and innovation to citizen services. This trend shows few signs of slowing; the Federal Cloud Computing Strategy, published in 2011 by then U.S. Chief Information Officer Vivek Kundra, estimated the federal cloud computing market to be valued at $20 billion, offering significant opportunity to cloud service providers (CSPs). But to be able to tap into this market, they first must meet specific cybersecurity requirements.
While misconceptions regarding the costs, time and effort needed to meet these requirements have caused many CSPs to shy away from this vast market opportunity, times have changed. In this article, we will review these requirements, how the process has become significantly more efficient and how barriers to entry are less onerous than they once were – providing more opportunity to CSPs than ever before.
The Federal Risk and Authorization Management Program (FedRAMP) drives the convergence of cloud computing, cybersecurity and government technology needs by providing a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. This eliminates the need for agencies to individually conduct security assessments of specific cloud solutions, saving significant time, costs and resources. A successful FedRAMP assessment is required for any cloud service solution before it can operate within the federal space.
FedRAMP is a result of the “cloud first” policy issued in February 2011 by the Office of Management and Budget as part of the Federal Cloud Computing Strategy. The strategy provides guidance for all agencies to adopt cloud technologies across the federal government. You can learn more at www.fedramp.gov.
With FedRAMP in its sixth year, cyber risk management provider Coalfire recently compiled research gained from hundreds of its own FedRAMP assessment and advisory engagements, an industry survey and GSA data, all to understand how participants successfully navigate the process.
Federal cloud market
The rapid growth of the Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) markets led by Amazon Web Services, Microsoft, IBM, Google, Salesforce and others illustrates the ready availability of cloud development and deployment environments. These industry and commercial leaders have all actively participated in the FedRAMP process. Software-as-a-Service (SaaS) solutions continue to gain traction in federal agencies by providing services supporting mission-critical areas.
Many mistakenly believe that FedRAMP compliance is costly and that only large system integrators can afford to go through the process. To the contrary, Coalfire discovered that FedRAMP has a variety of participating CSPs, from the largest cloud companies to many smaller specialist firms. In 2016, more than 40 percent of firms had revenues less than $100 million, and 14 percent had less than $10 million. Regardless of size, if an organization delivers a valuable cloud solution, FedRAMP authorization can be successfully achieved.
One of FedRAMP’s principles is “do once, use many,” and the program allows government agencies to successfully leverage and reciprocate authority to operate (ATO) to eliminate duplicative efforts, inconsistencies and cost inefficiencies in assessing and authorizing cloud solutions. As of April, FedRAMP’s website showed that each of the 15 federal cabinet-level departments and many independent agencies and government-owned corporations now use a wide array of cloud services for mission-critical functions. CSPs across the full spectrum of the technology stack (IaaS, PaaS and SaaS) participate in FedRAMP. Infrastructure providers were early adopters in creating secure environments for value-added services.
The FedRAMP Program Management Office (PMO) is responsible for driving adoption for the cabinet-level departments and nine key independent agencies, including GSA and the Environmental Protection Agency. All organizations under the PMO’s purview have issued ATOs, but adoption in small and medium-sized agencies has lagged. Since agencies do not regularly report their level of participation centrally, it is difficult to identify conclusive findings.
Cybersecurity advice for CSPs
Moving through FedRAMP requires more than just a focus on technology. Many CSPs bringing commercial solutions to the FedRAMP process have needed to make system or organizational modifications to meet the requirements. It’s important to rigorously test systems ahead of the required third-party assessment engagement, but the overall assessment covers far more than the technology itself.
The ideal FedRAMP preparation also addresses governance, allowing an organization to ensure that all areas (including risk management, reporting, testing, training and accountability) receive proper attention. Figure 1 highlights the specific security controls from the National Institute of Standards and Technology Special Publication 800-53 Revision 4 (NIST SP 800-53 R4), “Security and Privacy Controls for Federal Information Systems and Organizations,” that Coalfire has found to cause the most difficulty; the percentage of CSPs that needed to make changes to be compliant; and common approaches to mitigate those issues.
Several FedRAMP requirements have proven to cover areas where CSPs regularly improve as their compliance programs mature. By leveraging these strong practices, CSPs can be confident that processes align with expectations:
- System Security Plan (PL-2): The assembly of a system security plan (SSP) providing an overview of the cloud solution’s security requirements, a description of its controls and the responsibilities of all individuals with access. Documentation efforts will be substantial as the FedRAMP SSP template is more than 300 pages and can exceed 800 pages once completed.
- Access Restrictions for Change (CM-5): Physical and logical access restrictions must be defined, documented and enforced for all changes. Typically this is achieved through a combination of procedures and technology.
- System Development Lifecycle (SA-3): A strong development strategy incorporates information security at every step of a solution’s lifecycle. Tools used for planning, creating, testing and deploying an information system are mature and protect against unauthorized changes, including any development, programming, configuration or operational changes and modifications.
- Information System Monitoring (SI-4): Security information and event management (SIEM) products and services provide real-time analysis of security alerts generated by network hardware and applications. Tools offering packet inspection, firewall, antivirus, integrity monitoring and logging inspection greatly assist with operations assurance.
- Security Awareness (AT-2): Basic security awareness training is required for all users. Content should include specific actions to maintain security and respond to suspected security incidents.
- Incident Reporting (IR-6): Organizations are required to have procedures and processes to identify, manage and report information security incidents. Using the NIST Computer Security Incident Handling Guide as the base policy for incident response helps to meet the criteria for reporting and acting on security incidents on an ongoing basis.
Secure cloud computing is essential for the government to move away from its costly legacy infrastructure, computing operations and applications. FedRAMP has provided the needed cybersecurity structure for government; however, preparing for it presents a real challenge for CSPs.
As FedRAMP continues to mature, you can expect:
- Further reduction of barriers to entry bringing new cloud services
- Growth in authorized Cloud-as-a-Service offerings for the Department of Defense
- Further migrations of agency applications and shared services to cloud solutions, and growing appreciation for new cloud services
- Convergence with federal Internet of Things (IoT) and mobility initiatives
For more insight into the data presented within the article, please see the Coalfire research report, Securing Your Cloud Solutions, at www.coalfire.com/Landing/FedRAMP-Market-Report.
Abel Sussman, CISSP, CCSP, PMP, CRISC, is an (ISC)² member and the director of cyber risk advisory at Coalfire. He can be reached at Abel.Sussman@Coalfire.com