Many Salesforce Independent Software Vendors (ISVs) are interested in pursuing FedRAMP to serve federal customers, but have many questions about the process. The four questions below are the ones Coalfire receives most often from these ISV partners; we have provided some basic responses to help build a better understanding of the Salesforce FedRAMP process.
1. What is ‘control inheritance,’ and how does Salesforce’s FedRAMP ATO help us?
Control inheritance identifies the controls that the ISV is not responsible for implementing because they are already satisfied by Salesforce. Because the ISV's application sits on Salesforce, the ISV inherits the management of the Salesforce environment covered by the Salesforce FedRAMP and DISA IL4 accreditations. Applications native to the Salesforce Government Cloud are responsible for implementing fewer controls than a composite application (one that also runs components outside Salesforce). Many native applications on the Salesforce Government Cloud inherit about 60% of the 325 FedRAMP Moderate controls, while composite applications often inherit only about 50%. Many Salesforce Government Cloud ISVs use the platform only to host their code base. In that case, the 40% to 50% of FedRAMP Moderate controls that remain applicable to the ISV's environment are focused primarily on the personnel who manage the proprietary code (for example, proper background checks), on the configuration of the code, and on the management of the code before it enters Salesforce. Note that inherited controls still have to be documented as inherited in the ISV's System Security Plan, and any portion of a control that Salesforce leaves to the customer to configure remains the ISV's responsibility. A well-defined authorization boundary is therefore extremely important, and it is a stringent requirement for any Cloud Service Provider (CSP) pursuing a FedRAMP ATO. For ISVs on the Salesforce Government Cloud, Salesforce provides the Infrastructure as a Service (IaaS) and management layers (operating systems, databases, networking, etc.), and the ISV is responsible for its proprietary code and, for a composite application, for its own infrastructure outside Salesforce.
2. What is the new FedRAMP Tailored program, and why should an ISV consider FedRAMP Tailored?
FedRAMP Tailored is the newest authorization path, created for low-impact Software as a Service (LI-SaaS) offerings. Because it is limited to low-impact SaaS, its baseline is a reduced set of controls compared with the FedRAMP Low and Moderate baselines, which is the main reason an ISV would consider it. It is available to CSPs that can answer 'yes' to all of the questions below:
- Does the service operate in a cloud environment?
- Is the cloud service fully operational?
- Is the cloud service a Software as a Service (SaaS), as defined by NIST SP 800-145, The NIST Definition of Cloud Computing?
- Does the cloud service contain no personally identifiable information (PII), except as needed to provide a login capability (username, password, and email address)?
- Is the cloud service categorized as low impact, as defined by FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems?
- Is the cloud service hosted within a FedRAMP-authorized Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), or is the CSP providing the underlying cloud infrastructure?
3. What is Coalfire’s experience in the Salesforce ecosystem?
Coalfire has performed the Salesforce Government Cloud’s FedRAMP assessments since their initial assessment in 2014. We also performed their DISA IL4 accreditation assessment and briefing activities, as well as assisted them in documenting policies and procedures and their System Security Plan (SSP) for the Government Cloud.
4. What services can Coalfire provide to ISVs seeking a FedRAMP authorization?
Coalfire offers both advisory and assessment services for the FedRAMP authorization process. Our advisory team helps ISVs properly engineer and document their system to meet FedRAMP requirements. Our assessment team works with the ISV to perform the FedRAMP-required testing, which covers source code review, operating system scanning, database scanning, web application scanning, penetration testing, and manual controls testing. The assessment team then produces a final package that incorporates all results into one report, which is used for the authorization briefing. It is important to note that FedRAMP does not allow Coalfire, or any other Third-Party Assessment Organization (3PAO), to perform both the advisory and the assessment work for the same system, because the assessor would then be testing its own company's deliverables.
For more information please contact me at David.Clevenger@coalfire.com.