A CISO's Perspective - FedRAMP
Andrew Smeaton
Chief Information Security Officer @ Jamf | CISSP, CISA, CISM, CRISC, CCISO, CGEIT
Federal cybersecurity is a challenge for every CISO.
CISOs are uniquely positioned in an organization to tackle multifaceted security challenges. They are primarily responsible for maintaining and improving the overall security posture of an organization. In this journey, they need to get accustomed to different laws, policies, tools, and initiatives and apply various risk management principles to successfully implement cybersecurity programs for their organizations. However, risk management is a continuous endeavor. As the cybersecurity landscape is constantly changing, government-wide security standards change, requiring CISOs to map existing policies to identify gaps and update policies where needed.
One of the significant factors driving change in the cyber industry is cloud computing. Cloud solutions provide tremendous benefits in terms of security, compliance, cost, resource pooling, broad network access, and elasticity. As a result, there has been a dramatic increase in companies offering cloud computing services in the form of SaaS, PaaS, and IaaS. Many of these companies do business with the Federal government. However, the federal government has unique and legally mandated security requirements.
Because cloud adoption comes with unique risks, including but not limited to multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust, there was a need for cloud-specific security standards. In 2011, the U.S. Federal Government developed a standardized set of security controls to ensure cloud service providers and products could adequately protect federal data. The standard is widely known as the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP is a government-wide program that provides a single, standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP was created by the Joint Authorization Board (JAB), which is composed of the Chief Information Officers (CIOs) of the Department of Homeland Security (DHS), General Services Administration (GSA), and Department of Defense (DoD). The day-to-day functions of JAB are administered by the FedRAMP Project Management Office (PMO).
The purpose of FedRAMP is to:
· Ensure that cloud offerings used by federal government agencies have sufficient security controls
· Enable cost-effective procurement of information systems/services
· Expand the use of secure cloud solutions by the federal government
· Standardize the authorization of cloud technologies.
· Build and nurture strong alliances with FedRAMP stakeholders.
To achieve these objectives, FedRAMP requires Cloud Service Providers (CSPs) to have their Cloud Service Offering (CSO) assessed and authorized, and to demonstrate FedRAMP compliance by obtaining a FedRAMP authorization, or FedRAMP Authority to Operate (ATO).
Paths to Authorization
There are two ways to authorize a CSO pursuing FedRAMP: via Agency Sponsorship or via the Joint Authorization Board (JAB). Both authorization paths require a security assessment based on the same NIST 800-53 baseline used for FISMA, but with additional cloud-specific controls and parameters.
· FedRAMP PMO/JAB – The JAB works closely with the FedRAMP PMO to ensure that FedRAMP baseline security controls are incorporated into consistent and repeatable processes for security assessments and authorizations of CSOs. When a cloud service provider makes a business decision to pursue JAB authorization, it submits a business case to the FedRAMP PMO. There is a scoring and selection process, and the FedRAMP PMO selects only twelve CSOs per year for the JAB authorization path. In addition, a CSO must contract for and complete a FedRAMP Readiness Assessment prior to submitting a business case. Once selected for the JAB authorization path, the CSO must go through a full initial FedRAMP assessment. If the security controls meet the baseline, a Provisional Authorization to Operate (P-ATO) is issued. For CSOs that achieve a P-ATO, the JAB also ensures those systems maintain an acceptable risk posture through continuous monitoring. The JAB authorization process is the most stringent on security controls and is the hardest to get through.
· Agency – On the Agency Sponsorship path, a CSP partners with an agency that sponsors the CSO to pursue an Authority to Operate (ATO). On this path, the CSP prepares its environment and full documentation package, contracts a Third Party Assessment Organization (3PAO) to assess the offering, and submits the package to the agency and the FedRAMP PMO. The completed package is reviewed by both the agency and the PMO. In the process, agencies define their specific policies and procedures, in addition to FedRAMP requirements, and are responsible for reviewing CSP-developed security packages. Ultimately, an agency’s Authorizing Official (AO) must accept the risk associated with the use of a cloud system through the issuance of an ATO for that agency. Agencies also conduct continuous monitoring of each authorized system, reviewing the monthly and annual deliverables provided by CSPs.
FedRAMP Requirements
At a high level, for CSPs to achieve FedRAMP compliance, the following requirements should be met:
Documentation
CSPs should complete the FedRAMP documentation, including the FedRAMP System Security Plan (SSP). The SSP describes the security authorization boundary, how the implementation meets the requirements, roles and responsibilities, and the expected behavior of individuals with system access.
Implement Security Controls
CSPs must implement and document security controls/control enhancements (C/CEs) according to the NIST 800-53 controls and the FedRAMP-defined parameters. For each C/CE, the CSP should state what has been implemented and how it has been implemented to meet the compliance requirements. The controls should be implemented and documented in accordance with the system’s FIPS 199 categorization. In general, the FedRAMP requirements and controls span the following domains:
· Access Control
· Awareness and Training
· Audit and Accountability
· Security Assessment and Authorization
· Configuration Management
· Contingency Planning
· Identification and Authentication
· Incident Response
· Maintenance
· Media Protection
· Physical and Environmental Protection
· System Security Planning
· Personnel Security
· Risk Assessment
· System and Services Acquisition
· System and Communications Protection
· System and Information Integrity
Security Assessment
CSPs must have their CSO assessed by a FedRAMP Third Party Assessment Organization (3PAO).
Once the documentation is complete, CSPs should hire an independent third-party auditor to test and audit the information system to verify the effectiveness of the security controls. In the case of a P-ATO from the JAB, a 3PAO performs the test. In the case of an ATO from a federal agency, a non-accredited independent assessor (IA) can be employed.
Risk remediation
The next step is to remediate the findings. After the security assessment, the 3PAO provides a detailed Security Assessment Report (SAR) describing the threats, risks, and vulnerabilities it found. In addition, it will also offer solutions/mitigation measures for the discovered vulnerabilities. CSPs need to remediate all identified vulnerabilities.
Develop a Plan of Action and Milestones (POA&M)
Then, CSPs should develop a POA&M to track and manage system security risks identified in the SAR.
Authorization
The next target for CSPs is to obtain an Agency ATO or a Joint Authorization Board (JAB) Provisional ATO (P-ATO). For this, the entire security package (SSP, Security Assessment Plan (SAP), SAR, and POA&M) must be completed using the FedRAMP-provided templates and submitted together to the Authorizing Official (AO) at the federal agency or to the JAB. After the review, the AO or the JAB will either approve the package or request additional information. When all requirements are met, the ATO or P-ATO is granted.
Continuous monitoring
Finally, CSPs need to implement a Continuous Monitoring (ConMon) program that includes monthly vulnerability, web application, and database scans.
The CSPs are required to maintain a security posture that aligns with FedRAMP and the JAB’s requirements, pursuant to the initial assessment and authorization process. This is achieved through continuous monitoring of the CSP’s system at varying frequencies such as continuous and ongoing, daily, weekly, quarterly, and annually. The goal of continuous monitoring is to provide:
1. operational visibility,
2. managed change control, and
3. attendance to incident response duties, over the life or use of a system.
For leveraging Agencies, the final approval authority for the use of a system is informed by the JAB’s continuous monitoring artifacts and rests with each Agency’s designated AO. However, for systems with JAB P-ATOs, the FedRAMP JAB acts as a centralized PMO for continuous monitoring activities. In this capacity, the JAB:
· Reviews and approves continuous monitoring and security artifacts on a regular basis
· Monitors, suspends, and revokes a system’s P-ATO as appropriate
· Authorizes or denies significant change and deviation requests,
· Reviews incident information to ensure proper handling and closure, and
· Ensures the FedRAMP PMO is providing artifacts to leveraging Agencies in a timely manner.
Finally, FedRAMP compliance is a time-consuming and rigorous process. It can take from 6 to 18 months on average to achieve an ATO. Even after authorization, FedRAMP requires continuous commitment. However, the entire process is worth it, as after authorization there are windows of opportunity for CSPs to expand their offering throughout the federal government.
Comment from: Security and Privacy @ Apple Services Engineering | Ex-Amazon | Tech Mentor/Instructor (3 years ago)
Very well crafted summary. I lead FedRAMP workstreams at AWS and you captured many of the requirements, tenets, and structural aspects of FedRAMP.