So your company has decided to do FedRAMP - What does that mean?

The exponential increase in cloud adoption in recent years has led to a dramatic increase in technology companies evolving from software and application companies to Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) providers. The 2011 release of the Cloud First Initiative in the Federal government launched the Federal Risk and Authorization Management Program (FedRAMP). To sell cloud services to the Federal government, FedRAMP requires Cloud Service Providers (CSPs) to have their multi-tenant Cloud Service Offering (CSO) assessed and authorized, and then they must maintain compliance via continuous monitoring and annual assessments.

In many companies, the decision to pursue FedRAMP authorization is made to open up significant revenue streams within the public sector. However, few organizations understand the rigor, effort, and expense involved in attaining and maintaining an authorization. Preparing for FedRAMP assessment and authorization can be extremely challenging if you do not have the right people, processes, and technology in place to meet the rigorous requirements.

People first

It is often said that people are the most valuable resource in a company, and this is certainly true when it comes to FedRAMP. Human resources are among the most challenging aspects to achieving FedRAMP compliance because most organizations are not armed with resources who both understand NIST SP 800-53 controls, and have the experience to interpret the associated FedRAMP parameters to ensure successful implementation. An experienced FedRAMP Third Party Assessment Organization (3PAO) advising throughout the FedRAMP process can often alleviate the burden of interpreting the controls and potentially investing in technology that may not meet the requirements. Some organizations are simply transitioning their offering from an on-premise or single tenant deployment to a multi-tenant cloud service. In this case, there may be a lack of in-house cloud engineering expertise or resources may have competing priorities. This results in an inability to to focus on implementing the tools and technologies necessary to meet FedRAMP requirements. It is at this point that Coalfire is often hired to assist in building out and documenting FedRAMP compliant environments with the necessary automation built in to ease ATO maintenance down the road.

Another challenge often facing global organizations is having non-domestic personnel managing their production environment. While some federal agencies may accept this, many do not allow it. This means a company may have to hire additional domestic personnel to manage its FedRAMP environment.

Lastly, once FedRAMP authorization is initially achieved, the fun of ongoing reauthorization never stops. To ensure requirements are being met on an ongoing basis, FedRAMP requires both continuous monitoring and an annual assessment conducted by a 3PAO. When in-house resources are not available, some organizations outsource to a third party, such as Coalfire, to support the continuous monitoring that must be demonstrated on a monthly basis (vulnerability scanning, Plan of Action and Milestones (POA&M) management, etc.)

Technology

The design and build process of cloud environments is challenging technical work, especially in the worlds of DevOps and Continuous Integration/Continuous Deployment (CI/CD) architectural models. Add in the constant introduction of new technologies like containerization, along with the security requirements of FedRAMP, and the architectural and engineering of cloud environments becomes even more complex and challenging. Most CSPs traditionally sell their service commercially before pursuing business with the federal government and they rely on corporate/enterprise security tools and technologies. In the pursuit of FedRAMP compliance, this approach does not usually work well because it broadens the FedRAMP boundary beyond what Coalfire traditionally recommends. To avoid having to implement FedRAMP requirements across their entire enterprise, organizations frequently have to develop an entirely new management plan dedicated to their federal or regulated customer base. Prior to investing in any technology, it is essential to understand the impacts of certain tools, whether they are FedRAMP compliant if cloud-based, and whether they provide the necessary capabilities required for FedRAMP.

Processes

While having a secure architecture is critical, it is just as important to have consistent, documented processes in place to manage the FedRAMP environment. FedRAMP requires that all CSPs accurately document the people, processes, and technology that make up the CSO being offered to the federal government. This information is captured in the System Security Plan (SSP), the most robust of the required FedRAMP documentation. Next, the company must create policies and procedures for each of the 17 control families, Contingency Plan, Incident Response Plan, Configuration Management Plan and various other required attachments. Beyond just documenting, CSPs must demonstrate that all responsible parties understand and are consistently executing these processes. The CSP will be asked to produce evidence supporting this statement during their 3PAO assessments. While many organizations have policies and procedures implemented in compliance with traditionally commercial compliance standards (SOC, ISO, etc.) these often don’t meet the level of detail required for FedRAMP or they don’t address all the requirements. In that case, a new set of documentation must be developed for the FedRAMP deployment of the CSO. 

For more information on FedRAMP, please visit  this page or contact 3PAO@coalfire.com and a Coalfire expert will be glad to help.