As one of the original accredited Third Party Assessment Organizations (3PAO), Lunarline has been involved with the Federal Risk and Authorization Management Program (FedRAMP) since its inception. Lunarline’s team of cyber security professionals is responsible for providing critical guidance and consulting to cloud service providers (CSP), ranging from CSPs that are just starting to determine their FedRAMP objectives to CSPs that are being formally assessed for compliance.
In January 2016, Meritalk released its “Fix FedRAMP – A Six-Point Plan to Improve FedRAMP” report. The objective of the paper was to convince readers that FedRAMP “…is in need of a major facelift,” and to provide recommendations for program improvements. In addition to the Fix FedRAMP report, at the March 2016 Cloud Computing Caucus Advisory Group event in Washington D.C., the Meritalk representatives insinuated that the FedRAMP program lacked the necessary leadership at the FedRAMP Program Management Office (PMO) for the program to be successful.
Lunarline respects the opinions of Meritalk and appreciates its ability to bring the government and private sector together for meaningful conversations related to FedRAMP. At the same time, because Meritalk is not a cyber security company, 3PAO or information technology (IT) consulting firm, it is imperative that Meritalk’s papers be viewed as editorial opinions. The challenges facing CSPs are real. FedRAMP does have areas that need improvement. However, the FedRAMP PMO has made significant improvements in the FedRAMP process that were not addressed or recognized in the Fix FedRAMP report.
The following are some recommendations relating to Meritalk’s six-point plan for FedRAMP.
Meritalk Recommendation 1: Normalize JAB and Agency ATO
Due to federal laws and policy, there is currently a difference between the Joint Advisory Board (JAB) Provisional Authorization to Operate (P-ATO) process and the agency authorization process. The separate processes are due to the critical role played by each agency under the Federal Information Security Modernization Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130. FISMA and OMB A-130 mandate that agencies must authorize systems that process or handle government information. Reciprocity between agency Directors and Chief Information Officers (CIO) is not mandated, and FedRAMP does not usurp the agency’s responsibility to accept risk. Therefore, given the various categorizations of information processed by each agency, it is reasonable to expect agencies to have different risk acceptance levels.
For example, the Department of Defense (DoD) is a member of the FedRAMP JAB and is responsible for being part of the P-ATO process. At the same time, the DoD has a unique security requirements guide (SRG) that CSPs must address in addition to the baseline FedRAMP security controls. Ultimately, the FedRAMP PMO and JAB are not responsible for reciprocity rules between agencies. The laws regarding risk and compliance are established by Congress and further defined by OMB. Neither FISMA, OMB A-130, nor FedRAMP provides the JAB or FedRAMP PMO with the authority to determine which FedRAMP path is considered the highest standard.
CSPs have created an environment where the FedRAMP JAB Provisional Authorization to Operate (P-ATO) has been used as a marketing differentiator to distinguish the level of security provided by one CSP from another. A search on the web clearly shows that a FedRAMP JAB P-ATO is marketed as the highest level of ATO. CSPs are touting the JAB P-ATO as a “gold standard.” However, as a government risk management program, the FedRAMP Security Assessment Framework (SAF) does not place value on a specific path towards being included in the FedRAMP repository. In addition to the SAF, the current FedRAMP PMO overview presentations and training do not place value on the FedRAMP paths. Therefore, although stated in the Fix FedRAMP report, there is no ability to “upgrade” FedRAMP authorizations.
In the past year, the PMO has published guidance to assist CSPs with successfully navigating the FedRAMP process, which explicitly defines what is considered an acceptable FedRAMP package. The FedRAMP website includes standard operating procedures, checklists and computer-based training — all designed to define the minimum standards required to be considered compliant with FedRAMP. In addition to the PMO guidance, CSPs may work with accredited 3PAOs to assist with navigating the FedRAMP process. Although demanding and very detailed, the standards set forth in the FedRAMP guidance are necessary to ensure consistency across all FedRAMP packages. Whether a package is developed with the JAB, with an agency or through the CSP-supplied path, the PMO is responsible for ensuring each submission meets the same level of detail and quality to be entered into the FedRAMP repository.
To successfully navigate FedRAMP, Lunarline highly recommends that CSPs focus on meeting the standards defined in the FedRAMP Ready program. CSPs should develop an accurate and traceable System Security Plan (SSP), security artifacts, policies and procedures. The standards to meet FedRAMP Ready are high, and each document must comply with the SAF, the FedRAMP SOPs and the checklists. The FedRAMP PMO will not accept packages for any path that are not in compliance with the FedRAMP requirements. Meeting FedRAMP Ready standards will help ensure the CSP’s documentation and control implementation statements are sufficient to complete the 3PAO assessment, and will allow CSPs, 3PAOs and the FedRAMP PMO to focus on assessing risk rather than on security documentation.
CSPs should immediately contact the FedRAMP PMO directly at firstname.lastname@example.org if there are any questions related to the FedRAMP paths or FedRAMP package acceptance criteria.
Meritalk Recommendation 2: Increase Transparency
The cost to become FedRAMP compliant can vary based on the type of CSP being processed through FedRAMP. Since the FedRAMP PMO is not responsible for implementing FedRAMP security controls on behalf of the CSP, or for selecting the 3PAO to conduct the assessment, the PMO does not have the metrics to provide information regarding costs. Although the security controls are identical, each FedRAMP engagement is unique and poses different challenges.
A small Software as a Service (SaaS) hosted on an authorized Infrastructure as a Service (IaaS) is able to inherit a significant number of security controls, and the associated risks, from the IaaS. The SaaS’s FedRAMP package would identify the physical and environmental controls as inherited, and the government officials responsible for accepting risk would review the IaaS’s FedRAMP package in the FedRAMP repository. The cost of this FedRAMP initiative would be significantly different from that of the IaaS.
A large IaaS, with multiple regions, Availability Zones (AZ) and datacenters would incur more costs because the authorization boundary is larger and the government would require assurance that all IaaS components are protected. Additionally, the 3PAO assessment would require travel to the sites to assess the security controls.
Whether for a SaaS or an IaaS, the level of detail required in the FedRAMP package remains the same. However, the costs associated with implementing the controls will differ based on the size, scope and existing security program of the CSP.
As stated above, one of the key cost factors for a CSP is meeting FedRAMP Ready standards. However, FedRAMP Ready does not mean implementing all of the security controls. FedRAMP is a risk management program, and CSPs have the ability to provide alternate implementations of security controls or to establish a plan of action and milestones (POA&M) for security controls that aren’t fully integrated into the system baseline. The determination of how to apply the security controls can have a significant impact on the cost of a CSP’s FedRAMP initiative.
Lunarline recommends CSPs contact an accredited 3PAO to assist in documenting the security controls and provide sufficient evidence for the FedRAMP package to be accepted into the FedRAMP repository. One of the benefits of FedRAMP is the flexibility for a CSP to select its own 3PAO. A list of accredited 3PAOs can be found here.
Meritalk Recommendation 3: Harmonize Standards
Until federal laws outside of FedRAMP are changed, it is virtually impossible for agency officials to accept risk based on certifications from non-federal certification organizations. However, FedRAMP does not prevent CSPs with existing security attestations from re-using that information within their FedRAMP package. The underlying NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is traceable to other security standards. The Cloud Security Alliance provides a control matrix that defines the cross-reference between the standards. Meeting the standards of an industry certification can significantly reduce the time necessary to develop the FedRAMP package. An accredited 3PAO can assist a CSP with developing a FedRAMP package that makes the most efficient use of its existing certifications.
Regarding 3PAO testing, the FedRAMP PMO provides complete transparency for compliance in the form of a concise template for the Security Assessment Plan (SAP) and explicit expectations for compliance within the FedRAMP security assessment test cases. The test cases have been tailored from NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations. CSPs should review the test cases and communicate any questions directly to the 3PAO prior to initiating the FedRAMP assessment.
Meritalk Recommendation 4: Reduce the Cost of Continuous Monitoring
The cost of implementing continuous monitoring is directly related to the size of the CSP and its implementation of the FedRAMP security controls. From collecting audit logs to conducting annual training to integrating a fire suppression system, CSPs must determine the extent to which the system is able to comply with baseline security requirements, establish alternate implementations, or implement safeguards and countermeasures to reduce risk. These costs can be significant, but they are vital to establishing trust between the government and CSPs. FedRAMP holds CSPs accountable for the same level of continuous monitoring expected of systems hosted within government-owned facilities. An accredited 3PAO can provide guidance on how to integrate various processes and tools to potentially reduce the costs associated with continuous monitoring.
The FedRAMP PMO also plays an important role in continuous monitoring. As an objective and neutral party, the PMO reviews FedRAMP continuous monitoring reports for consistency and content without bearing the responsibility for accepting risk. Therefore, shifting responsibility for continuous monitoring to DHS, a member of the JAB, as suggested in the Fix FedRAMP paper, would not significantly improve the process. The members of the JAB should be able to focus on risk acceptance and allow the PMO to track the metrics associated with FedRAMP.
Additionally, in accordance with the FedRAMP Continuous Monitoring guidelines, specific security controls are required to be reported on periodically during the system lifecycle. Each year, CSPs are required to engage a 3PAO for an annual assessment. Finally, the system must be reauthorized every three years. In the time between assessments, the CSP is required to, as mentioned in Fix FedRAMP, “self-accredit” changes to the system under the CSP’s change and configuration management program. Major changes to the system that impact the overall risk must be reported to the FedRAMP PMO and/or the Agency representative. CSPs with questions related to change management should contact the FedRAMP PMO or an accredited 3PAO for assistance.
Meritalk Recommendation 5: Empower Infrastructure Upgrades
Under the current SAF, FedRAMP provides CSPs with the ability to execute “infrastructure upgrades.” The CSP’s upgrade program should be included as part of the CSP’s change and configuration management policies and procedures. NIST SP 800-37 and NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, can provide additional guidance. CSPs should contact the FedRAMP PMO, the Agency representative, or an accredited 3PAO if there are any questions related to infrastructure upgrades.
Additionally, FedRAMP provides exceptional capabilities for IaaS, Platform as a Service (PaaS) and SaaS offerings to inherit and explicitly define risk. A SaaS can easily “ride on” an IaaS by correctly defining the authorization boundary, documenting control responsibility, and explaining the responsibilities of the SaaS, the IaaS and the customer within each control implementation statement in the SSP. CSPs should contact an accredited 3PAO if there are any questions related to the proper method of describing inheritance and documenting control responsibilities.
Meritalk Recommendation 6: Establish a Defense Department Crosswalk
The Fix FedRAMP report’s recommendation to provide a Defense-to-FedRAMP crosswalk can be completed by reviewing Committee on National Security Systems Instruction (CNSSI) No. 1253, Security Categorization and Control Selection for National Security Systems. CNSSI 1253 is the primary source of security controls for DoD information systems and is related to NIST SP 800-53.
For DoD entities still using the security controls within DoD 8500.2, cross-reference information is available on the DoD Knowledge Service.
Lunarline respects and appreciates Meritalk’s FedRAMP initiatives and its objective of improving the overall program, and the Fix FedRAMP report does point out some fundamental flaws within FedRAMP. However, as a 3PAO, Lunarline’s goal is to support the FedRAMP PMO and to ensure that current and future CSPs working towards FedRAMP compliance are provided with the information necessary to be included in the FedRAMP repository. The Fix FedRAMP report lacks the specific details that can improve a CSP’s FedRAMP success. The FedRAMP program has improved significantly in the past year, and many of the points within the report can be addressed under the current SAF.
By no means is the implementation of the baseline FedRAMP security controls easy. CSPs are being asked to provide information that may or may not have been considered in the planning stages of their offerings, and there are definite overhead costs associated with continuous monitoring. CSPs may need to hire additional staff members to monitor systems and purchase security information and event management (SIEM) products for alerting and log review. Each control family within FedRAMP adds costs. However, these are the same costs that were traditionally incurred by the government when information was hosted internally. The same standards are now being applied to CSPs.
The FedRAMP process is not designed to be difficult. Ultimately, FedRAMP requires a CSP to consider specific security controls during development, implement those controls in production, validate their implementation, have an official accept risk for the system, and maintain security while handling government information. FedRAMP is based on NIST special publications that are publicly accessible.