Back in 2011, if you had asked me what cloud computing was, I would have looked at you with a blank look on my face. At the time, I was supporting a Federal client when my boss asked me to assist in applying to become a 3PAO. I had no clue what 3PAO even stood for (it stands for Third-Party Assessment Organization), but I volunteered to support the cause.
The application process consisted of developing a mock System Security Plan (SSP) for a system we made up, preparing a Security Assessment Plan (SAP) that covered our assessment methodology, and then putting together a Security Assessment Report (SAR) that documented all identified weaknesses. Everything was hypothetical. In addition, we had to develop a formal organizational chart, quality manual, and prepare various statements of confidentiality and independence. It was quite a robust application process and unlike anything we had ever proposed previously.
Shortly after submitting our application, the Office of Management and Budget (OMB) released its Federal Risk and Authorization Management Program (FedRAMP) Policy Memo and FedRAMP was born. At the time, I did not comprehend the magnitude of this memo and how much it would affect the Federal marketplace. This was a collaboration among a significant number of government agencies who were striving for a common goal – to bring cloud service offerings to the Federal community in a consistent, repeatable, and secure manner. After eight years and more than 100 unique assessments, I am still amazed by the amount of work it took to set this program in motion.
In May 2012, Coalfire received an announcement that we were one of the first nine accredited 3PAOs (there are currently 36 3PAOs). As a small, relatively unknown security firm, it was an amazing win for us. As soon as we found out, we asked ourselves, “What do we do now?” We figured there would be some time to figure it out, but instead we received our first assessment inquiry 30 minutes after we were notified of our win—30 minutes! That opportunity came fast and to be honest, we’ve never really slowed down since.
Back then, our goal and approach was simple – become the most proficient assessor and focus on first landing the large Infrastructure as a Service (IaaS) providers. In 2012, IaaS providers led the way, as FedRAMP wanted to support their path to authorization so the Platform as a Service (PaaS) and Software as a Service (SaaS) providers could leverage them and take advantage of the inheritance model. By landing as many IaaS provider assessments as possible and delivering high quality work, we could segue into being recommended to perform the PaaS/SaaS assessments.
The very first Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) was awarded to one of Coalfire’s customers – Autonomic Resources. I served as the Project Lead for that effort and vividly remember that JAB briefing. Nowadays, the 3PAO submits a documentation package to OMB Max (the FedRAMP document repository) and it goes through various review cycles in accordance with the JAB review schedule. This review only occurs after the Cloud Service Provider (CSP) is officially accepted into the FedRAMP Connect Program. Back then, these formalities were not in place. Instead, we had a three-hour, in-person briefing in a large GSA conference room. My senior tester and I sat at the apex of the table with 10+ different JAB reviewers on both sides of us (our client was remote). We projected the SAP, SAR, and SSP onto the wall and walked through each document, one by one. Changes were made directly in the documents and questions were answered on the spot. No back-and-forth review was needed. Before the meeting was adjourned, the documents were encrypted and sent back to the head Information System Security Officer (ISSO) (note, OMB Max did not exist back then) and the first P-ATO was issued before the end of 2012. Times were quite different back then!
Autonomic Resources was assessment #1. Now, according to the FedRAMP Marketplace, Coalfire is at #100. Since that time, FedRAMP has significantly strengthened the program as it continues to grow. Some highlights include:
- Modifying the baseline set of security controls to port everyone from NIST SP 800-53 Rev 3 to Rev 4
- Establishing the High security baseline, with IL4 reciprocity, and IL4/5 overlays
- Authorization of OMB Max to serve as the centralized document repository
- Introduction of the FedRAMP Readiness process
- Development of numerous policies, procedures, and guidelines, including the Penetration Testing Guidelines
- Establishing the Low-Impact, Tailored baseline
- Creation of the FedRAMP Connect program to establish JAB prioritization criteria
- Establishing baseline training requirements for CSPs and 3PAOs
- Working with DoD for automatic reciprocity for FedRAMP Moderate and IL2
Moreover, the FedRAMP PMO rolled out the FedRAMP Marketplace as a means for agencies to identify how far along CSPs are in the process. It is also used by CSPs/3PAOs in support of the program to gather requirements information. All these modifications have further strengthened the success of the FedRAMP program and defines what it is today, eight years later.
Matt Goodrich served as the FedRAMP Director from just prior to the OMB Memo being published to the Fall of 2018. He described FedRAMP and Coalfire’s involvement as “…a labor of love by a group of early actors who saw the promise and potential of the program. The Coalfire team has been instrumental in the success of FedRAMP from inception, getting to understand not only Cloud Service Provider technologies, but translating this into the Government’s security language so that Federal agencies could understand and use cloud technologies securely. Coalfire reaching 100 assessments is a reflection of their commitment to cybersecurity and the quality of the independent assessments they complete, with almost every Federal Agency leveraging their work.”
This program has introduced 180 unique cloud service offerings into the Federal Marketplace. These range from large, complex environments to niche offerings. Prior to FedRAMP, there were no means for these offerings to be consistently evaluated for an agency authorization determination. As an example, Amazon Web Services (AWS) GovCloud has 220 unique agency authorizations as of the writing of this blog. Before FedRAMP, that would have meant 220 separate assessments, one for each agency looking to grant an authorization. This is the same for every provider that has a FedRAMP authorization. The ability to leverage one comprehensive security package from an accredited 3PAO or as FedRAMP says, “Do once, use many times” has been the driving force behind the program’s success. This model will continue as the program further matures.
Coalfire will continue to support the FedRAMP PMO and its ongoing efforts to further strengthen the program. Whether we provide feedback on new requirements, template updates, guidance clarifications, or suggest additional ways to automate the authorization process, Coalfire will be there to lend a helping hand as we have in years’ past. We look forward to the future of FedRAMP and the hopeful passing of legislation placing the program into law. Cheers to hitting the next threshold – 200+ FedRAMP authorized providers.
About the Author
Michael Carter is the Vice President for the FedRAMP Assurance Services (FAS) team at Coalfire. Michael is responsible for managing and running daily operations for Coalfire’s FedRAMP Third Party Assessment Organization (3PAO) assessment practice. He is the primary liaison to the FedRAMP Project Management Office (PMO) and has been involved in the FedRAMP program since its initialization in 2012. He successfully led the first Joint Authorization Board (JAB) 3PAO assessment and the first agency sponsored 3PAO assessment. He also led the first authorization granted via the FedRAMP Accelerated program.