With the final release of the FedRAMP Readiness Assessment Report (RAR) template earlier this month, there is a new assessment process that will greatly impact cloud service providers (CSPs). As part of the FedRAMP Accelerated initiative, CSPs working towards a FedRAMP JAB P-ATO must achieve a FedRAMP-Ready status based on the Readiness Capabilities Assessment performed by an accredited Third-Party Assessment Organization (3PAO).
You read that right. The FedRAMP PMO will no longer engage a CSP to initiate the JAB P-ATO process unless the CSP is considered FedRAMP-Ready.
FedRAMP-Ready is not a gap analysis. The 3PAO only submits the report to FedRAMP if it determines the system is likely to achieve a JAB P-ATO. If the system does not obtain a readiness status on the first attempt, a CSP may have to pay additional assessment expenses if it still wants to continue pursuing a FedRAMP JAB P-ATO. Even then, submission of this report by the 3PAO does not guarantee a FedRAMP-Ready designation nor does it guarantee a FedRAMP Authorization.
The readiness assessment is a big deal!
During a readiness assessment, a CSP will be evaluated on its system’s security capabilities and the organizational processes defined in the RAR. A majority of the questions require yes or no responses on the implementation status of security controls, which leaves little room for partial or qualified answers.
What can CSPs do to ensure that their system is ready prior to an assessment? Implementation of the required security controls and proper documentation of them are crucial. These activities cannot simply be completed within a week either – the process can take months. There must be a live system running in order for the 3PAO to assess readiness. The system must be available for a discovery scan so that the results can be compared against the boundary and data flow diagrams. Documentation, including the SSP, policies, and procedures, must reflect how the security controls are actually implemented, not just their ideal status. This does not mean every control has to be fully implemented. Instead, the controls must be honestly and accurately described. It is the 3PAO’s responsibility to identify discrepancies during assessment interviews.
Below are the top 10 items that CSPs need to be able to address.
10. Provide security awareness training.
Information system users must be trained on security awareness and role-based security responsibilities in order to protect information and avoid system compromises. Security awareness training must be offered regularly and tracked.
9. Provide data center security.
Protecting the data center against unauthorized access and monitoring personnel accessing the data facility can help prevent data from being compromised. A CSP can accomplish this by implementing physical, technical and administrative safeguards for the data center.
8. Develop a Contingency and Disaster Recovery Plan.
Because natural and man-made disasters can occur, a CSP needs to ensure the availability of the system by having a contingency and recovery plan that has been tested at least annually. These documents should include alternative storage and processing facilities and service level agreements (SLAs) with the appropriate providers.
7. Establish system identification, authentication, authorization, and access control.
Information systems contain sensitive data and should only be accessed by authorized users who have the proper credentials and can validate them. Protecting that data requires the use of access control, limiting users to only the amount of access needed for their job. Because privileged accounts have elevated access, additional authentication is mandatory. Multi-factor authentication is required for admin accounts.
6. Implement auditing, alerting, malware detection and incident response capabilities.
The CSP and its system must be able to detect, audit and respond to attacks, disasters and human errors to prevent further damage or future security incidents from occurring. This can be achieved in numerous ways. A CSP is required to employ detection mechanisms that detect and alert on unauthorized or malicious use of the system. Audit data has to be backed up and protected against tampering and unapproved access. There must also be an incident response plan for handling incidents, and the plan must be tested at least annually.
5. Maintain configuration baselines and have a change management process.
Having baselines of the system configuration and an inventory of software, hardware and network components ensures that system configurations can be reverted at any time to mitigate negative system impacts. Automated mechanisms are required to detect any inventory and configuration changes. A configuration management plan that details the configuration process is also mandatory. Additionally, there has to be a change control process that includes a change control board that reviews and assesses the risks associated with change requests.
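The automated detection of inventory and configuration changes described above can be illustrated with a baseline comparison. The following Python is an added example written for this post, not code from Lunarline, FedRAMP or any scanner product; the host names, package versions, ports and configuration contents are constructed sample data. It records a baseline per host (packages, listening ports, and a hash of a configuration file rather than the file itself), then reports hosts that appeared or disappeared and every attribute that changed, so each event can be matched against an approved change request.

```python
import hashlib
from typing import Any, Dict, List, Tuple

# Drift event: (kind, host, attribute path, baseline value, current value).
DriftEvent = Tuple[str, str, str, Any, Any]


def fingerprint(config_text: str) -> str:
    """Hash a configuration file's content so the baseline records what it looked
    like without storing the file itself."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def flatten(record: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested inventory data into dotted attribute paths. Lists (e.g. open
    ports) become sorted tuples so ordering differences are not reported as drift."""
    flat: Dict[str, Any] = {}
    for key, value in record.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        elif isinstance(value, list):
            flat[path] = tuple(sorted(value))
        else:
            flat[path] = value
    return flat


def detect_drift(baseline: Dict[str, Dict[str, Any]],
                 current: Dict[str, Dict[str, Any]]) -> List[DriftEvent]:
    """Compare the current inventory against the approved baseline and return every
    difference: hosts added or removed, attributes added, removed or changed."""
    events: List[DriftEvent] = []
    for host in sorted(set(baseline) - set(current)):
        events.append(("host_removed", host, "", baseline[host], None))
    for host in sorted(set(current) - set(baseline)):
        events.append(("host_added", host, "", None, current[host]))
    for host in sorted(set(baseline) & set(current)):
        old, new = flatten(baseline[host]), flatten(current[host])
        for path in sorted(set(old) | set(new)):
            if path not in new:
                events.append(("attr_removed", host, path, old[path], None))
            elif path not in old:
                events.append(("attr_added", host, path, None, new[path]))
            elif old[path] != new[path]:
                events.append(("attr_changed", host, path, old[path], new[path]))
    return events


# Constructed sample data: host names, versions and file contents are made up.
BASELINE = {
    "web-01": {
        "packages": {"nginx": "1.10.1", "openssl": "1.0.2h"},
        "ports": [443, 22],
        "sshd_config": fingerprint("PermitRootLogin no\nPasswordAuthentication no\n"),
    },
    "db-01": {
        "packages": {"postgresql": "9.5.4"},
        "ports": [22, 5432],
    },
}

CURRENT = {
    "web-01": {
        "packages": {"nginx": "1.10.1", "openssl": "1.0.2j"},  # package updated
        "ports": [22, 443, 8080],                               # new listener appeared
        "sshd_config": fingerprint("PermitRootLogin yes\nPasswordAuthentication no\n"),  # hardening undone
    },
    "web-02": {                                                 # host missing from the baseline
        "packages": {"nginx": "1.10.1"},
        "ports": [22, 443],
    },
    # db-01 is absent: decommissioned or unreachable, either way it needs review.
}


def run_example() -> List[DriftEvent]:
    return detect_drift(BASELINE, CURRENT)


if __name__ == "__main__":
    for kind, host, path, old, new in run_example():
        print(f"{kind:13} {host:7} {path:18} {old!s:.24} -> {new!s:.24}")
```

Every event this produces is either covered by a change request that went through the change control board, or it is unauthorized drift that belongs on the incident and POA&M tracks. A real deployment would collect the baseline and current records from the configuration management tooling rather than from literals, but the comparison logic is the same.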
4. Establish a continuous monitoring program.
Continuous monitoring is vital throughout the entire Risk Management Framework (RMF) process. Systems, technologies, requirements, threats and vulnerabilities are constantly changing. Detection and remediation of any findings that could jeopardize system security is crucial. All hosts, applications, operating systems and databases must be scanned for vulnerabilities, and the findings tracked in a plan of action and milestones (POA&M). New vulnerabilities have to be added to the POA&M, and remediated ones have to be closed.
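The POA&M upkeep described above (add what the scan finds, close what has been remediated) is a reconciliation between the last scan and the tracked items. The following Python is an added example written for this post, not code from Lunarline, FedRAMP or any vulnerability scanner; the asset names, check identifiers and dates are constructed. It also handles the case the sentence above glosses over: a finding that disappears from the results only counts as remediated when the scan actually covered its asset, and a finding that was closed earlier but shows up again is reopened rather than silently ignored.

```python
import copy
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """One weakness on one asset, as a normalised scanner export would report it."""
    asset: str       # host, application, OS instance or database
    check_id: str    # scanner's identifier for the weakness (constructed values below)
    severity: str    # High / Moderate / Low


@dataclass
class PoamItem:
    finding: Finding
    status: str       # "Open" or "Closed"
    detected: str     # ISO date of first detection
    closed: str = ""  # ISO date of the clean scan that verified remediation


def reconcile(poam: List[PoamItem], scan: List[Finding],
              scanned_assets: Set[str], scan_date: str) -> Tuple[List[PoamItem], Dict[str, int]]:
    """Update the POA&M in place from the latest scan and return it with a tally.

    - findings not yet tracked are added as Open
    - open findings no longer reported are Closed, but only if their asset was
      in the scan's coverage; an unreachable host is not evidence of a fix
    - closed findings that reappear are reopened
    """
    seen = set(scan)
    tracked = {item.finding for item in poam}
    counts = {"new": 0, "closed": 0, "reopened": 0, "still_open": 0, "unverified": 0}

    for item in poam:
        f = item.finding
        if f in seen:
            if item.status == "Closed":
                item.status, item.closed = "Open", ""
                counts["reopened"] += 1
            else:
                counts["still_open"] += 1
        elif item.status == "Open":
            if f.asset in scanned_assets:
                item.status, item.closed = "Closed", scan_date
                counts["closed"] += 1
            else:
                counts["unverified"] += 1

    for f in scan:
        if f not in tracked:
            poam.append(PoamItem(f, "Open", scan_date))
            tracked.add(f)
            counts["new"] += 1
    return poam, counts


# Constructed sample POA&M and scan results (names, IDs and dates are made up).
SAMPLE_POAM = [
    PoamItem(Finding("web-01", "CHK-1001", "High"), "Open", "2016-10-01"),
    PoamItem(Finding("web-01", "CHK-1002", "Low"), "Open", "2016-10-01"),
    PoamItem(Finding("db-01", "CHK-2001", "Moderate"), "Open", "2016-10-01"),
    PoamItem(Finding("web-02", "CHK-1003", "Moderate"), "Closed", "2016-09-01", "2016-10-01"),
]
SAMPLE_SCAN = [
    Finding("web-01", "CHK-1001", "High"),      # still present
    Finding("web-02", "CHK-1003", "Moderate"),  # closed last month, back again
    Finding("web-02", "CHK-1004", "High"),      # new this cycle
]
SAMPLE_SCANNED = {"web-01", "web-02"}           # db-01 was not reachable this cycle


def run_example() -> Tuple[List[PoamItem], Dict[str, int]]:
    return reconcile(copy.deepcopy(SAMPLE_POAM), SAMPLE_SCAN, SAMPLE_SCANNED, "2016-11-01")


if __name__ == "__main__":
    poam, counts = run_example()
    print(counts)
    for item in poam:
        print(item.status, item.finding.asset, item.finding.check_id, item.closed or "-")
```

The "unverified" bucket is the one an assessor will ask about: it is the set of open items the CSP cannot claim progress on because the evidence (a clean scan of that asset) does not exist yet, and it should trigger a re-scan rather than a closure.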
3. Clearly define system boundaries and where federal data is located.
A concise system description that explicitly describes the cloud service, along with a detailed system authorization boundary with all components inside/outside the assessment scope, will enable FedRAMP to better evaluate the system. Be sure to include where federal data resides and any shared resources in the diagram(s).
2. Develop and document all policies and procedures.
Policies and procedures reflect a CSP’s security posture and describe how the organization plans to protect the confidentiality, integrity and availability of its information assets. These documents provide employees, contractors and other entities accessing the system with information on how to implement the security controls that the organization selected. Policies and procedures must be kept in a centralized location and be readily accessible to all information system users.
1. Have a detailed system security plan (SSP).
If a CSP has addressed items two through 10, creating an SSP will still require a lot of work, but it will be less difficult because all the necessary information should already be documented. The SSP does not need to be extremely technical. It needs to contain a detailed summary of the system and all required security controls that the CSP has implemented. Information in the SSP must agree with the information provided during the assessment. Inconsistent documentation can hinder and delay the assessment process.
Although the preparation process might be daunting at first for a CSP, the groundwork done prior to the FedRAMP Readiness Capabilities Assessment will pay off later. It will help prevent delays and facilitate the assessment process by eliminating surprises. The FedRAMP website provides the necessary documents and templates to guide CSPs. It is imperative that CSPs review the information provided to ensure they are able to demonstrate these requirements before requesting an assessment.
Need additional assistance getting FedRAMP Ready? Lunarline has extensive experience helping CSPs prepare for FedRAMP assessments. Contact us at FedRAMP@Lunarline.com.