FedRAMP 203: Turning a Successful Foundation into a Successful Future
Source: www.spacex.com

Before reading: This article assumes you are already familiar with the basic FedRAMP process described at FedRAMP.gov. This article also assumes a small to medium business audience, although large enterprises will also benefit. This is a sequel to my previous FedRAMP article, FedRAMP 202: The Five most Critical Questions to ask Before you get Started. All opinions are as-is with no guarantees.

In my last article, I outlined the five most critical questions to ask before starting a FedRAMP project. I finished by saying that this was a good start but not enough to take you over the finish line. Once you can sufficiently answer each of the five previous questions, you have the foundation necessary to start successful project execution. The next five questions establish what your strategy is, so that you implement FedRAMP in a way that makes your multi-million dollar investment worth it.

Question 6: What agencies are you targeting and what is their risk posture?


The agencies you are targeting are like a customer with specialized needs. In fact, they are exactly a customer with specialized needs.

You need to know these needs and how to address them.

If you are chasing the DOD, DHS, or DoE, the way you handle FedRAMP is going to be very different than if your target customer is the Department of Agriculture. Build your relationship from the beginning. Learn what their needs are and incorporate those needs into the documentation and architecture of the system. This sounds like common sense, but too many companies forget it because they think of FedRAMP as simple compliance, not a strategic partnership with their new customer, the sponsoring agency. If you don’t have an agency willing to sponsor at first, get one in mind, learn about their needs, and design your system accordingly.

Question 7: What is your security culture?


My sincere apologies to all those who are tired of hearing about company culture in business articles. I can’t help it. Culture is the silent killer of an otherwise successful project. If you are already doing business with high security military groups, you might be okay. Otherwise, you need to take stock of your employees’ current attitude toward compliance and security. A starting indicator is measuring compliance with your current security programs. You should also measure the knowledge of people who will be involved in implementation and continuous monitoring. Do they understand the requirements and the underlying need? Part of FedRAMP will be leading a cultural change on the purpose of security and if you are really doing it right, it should have a culture change management plan and a budget attached to it.

Question 8: Can you articulate and document your company’s Concept of Operations?


CONOPS. Concept of Operations. This is a new term to most companies with no past dealings with the federal government. A CONOPS is an understanding of how your system works, including any relevant points an agency should know. Think of it as the central vision of what your system (including people and documents) does. While there is no formally required CONOPS document for authorization, to the FedRAMP PMO and agencies, this is what the entire documentation package represents. Your job is to make sure everyone involved with FedRAMP has the same vision of what the system looks like, how people will interact with it, and what the rules governing its use are. Throughout the project, you will continually update your CONOPS. Getting your team all on one page to understand the big picture is critical to every single phase of FedRAMP as you document the system, tell a cohesive story to auditors, and present your materials to agencies and FedRAMP officials. 

Question 9: How capable is your 360 team?


Remember from question 6 that FedRAMP is much more than compliance. You are making a strategic partnership with an agency and you will need a lot of internal and external players to make this happen.

Do an exercise for me. Write out the names of your headcount that are specifically budgeted to your FedRAMP project. Then list which teams own controls or will be helping to implement controls. Then list whom those controls will affect. This includes both implementation and continuous monitoring phases (you read question 5 from my previous article, right?), so include any user listed in section 9.3 of the SSP. Now list the responsible roles you included in your System Security Plan. Include your C-Level sponsor (remember Question 4). Next list who your consultants are (good consultants will provide you with a list of their entire team during project kick-off), your assessors, the agencies, their contacts, and their decision-makers (and the direct superior of each if you can), and any FedRAMP officials you are in communication with. Ashley Mahan, the FedRAMP Evangelist, needs to be on this list. Finally, list any suppliers providing parts or services to anything within the system boundary.

This is your 360 degree team. Understand the strengths, weaknesses, responsibilities, and action items for each group on your team.

Question 10: What is your tracking and visualization capability throughout the process?


For FedRAMP Moderate, your auditor will be checking 1200-1500 data points and each of these will have project statuses and acceptance criteria at different milestones during the project. My tracking system had around 15,000 possible status combinations before drilling down to the individual requirement level. To complicate matters, your requirements cover the full spectrum of security operations, and likely you have entire sub-projects for new systems and features you are now required to have.

You need a way to visually show your team and your superiors the real status of the project. You also need to show your sponsoring agency during the Documentation phase that you can deliver on your commitments, and show your 3PAO during the Assessment phase that you have delivered. Assess your tools for requirements tracking, visualization, and communication. We used multiple technical and non-technical resources, including a giant 8x20 ft. Kanban board, a war room with story maps, and several wall charts to show various project success data. A member on my team built a particularly innovative software application that combined our requirements traceability document, the SSP requirements, and other internal data sources into a single unified interface. We then released the app throughout the organization, which allowed anyone with the correct permissions, from the CEO down to the front desk assistant, to see important information on any of their given controls.

Tracking and visualization is not just about hitting your cost and schedule targets. Your answer to this question determines the effectiveness of the rest of your efforts. By having the right transparency, you are demonstrating that you have taken the time to define your boundary, gaps, and CONOPS, thought through the process and issues, and tied it to the actual work of your 360 degree team. You will be able to tell a single true story to all stakeholders from project kick-off to your first Authorization.

I started this article series by saying that there is no magic bullet to FedRAMP but there are ways to prepare so that you are ready to mitigate the risks and take advantage of the rewards. By answering these questions, you have the strategic and executive foundation necessary to take your project to success.

More articles by Samuel F.