FedRAMP Compliance from a Project Manager’s Perspective
So you’ve just found out that your government agency is moving its portfolio to FedRAMP. Now what do you do? If you’re a project manager (PM), the answer can get a bit complicated; getting your organization on the right track to FedRAMP is often a long and arduous process with lots of moving pieces. As a PM myself, I not only drive FedRAMP web and enterprise resource planning (ERP) implementations, but also understand how overwhelming and impactful taking on the challenges of FedRAMP can be for an organization.
In this post, we’ll take a look at FedRAMP from a PM’s perspective in the trenches. We’ll discuss what to expect throughout the process, as well as ways to increase your chances of project success.
The FedRAMP Project Landscape – Expect the Unexpected
If there’s one thing you can expect from the launch of a FedRAMP project, it’s unforeseen technical constraints and challenges. It’s important for you and your team to recognize that there will always be issues the initial plan did not account for and that are outside of your control. Don’t fear these problems; expect them. You won’t know the specifics until you come face-to-face with an issue, but if you have planned for the fact that issues will arise, you’ll have an easier time navigating around them and pressing forward when they do. Many of these surprises can be attributed to the number of bureaucratic layers involved in decision making at the government agency.
Prepare to Change and Rearrange
Technology evolves constantly, and FedRAMP, more slowly, evolves with it. The program is likely to introduce new processes and procedures for agencies over the next several years. Such changes could entail:
- New workflows: change management, user account creation, configuration management
- Added security requirements: vulnerability scans, remediation, Plans of Action and Milestones (POA&Ms), assessments
- New technologies: VPN and multi-factor authentication (MFA), centralized logging, and intrusion detection/prevention (IDS/IPS)
- Operational changes: application patching, server hardening, building to specific baseline configurations
Increase Your Chances of Success
A successful FedRAMP project deployment depends on your team. FedRAMP initiatives require a technical team that proactively identifies problems, develops quick solutions, and overcomes whatever technical or compliance obstacles it will undoubtedly uncover. As a PM, you’ll need to recognize the essential elements of a successful technical team:
- Architects, network engineers, and system administrators (SAs) (Technical)
- FedRAMP compliance expertise and information security (Compliance)
- Documentation, communication, and analysis (Project Management)
All of these players must work together to understand and satisfy the requirements of your clients and of the overall FedRAMP initiative. Building a positive rapport with them is crucial. Earn your team’s trust and loyalty through open communication; this allows for quick decision making when those unforeseen issues pop up.
In my opinion, FedRAMP projects are best served by agile management methods. You can better manage issues, and increase your overall chances of success, by establishing routines within the project. By managing design and engineering efforts incrementally, the team remains highly flexible and can adapt to just about any technical challenge or decision an agency throws at it.
It’s important to send regular updates to the team. Standard agile practice entails communicating issues immediately as they arise, documenting them properly and tracking them through closure, and assembling and disseminating a weekly plan to the team that focuses on the essential project elements for that period. I like to keep it to a single page. I highlight the most critical open issues for their owners, and I attach the full updated plan to that communication for later, more in-depth review.
Planning for FedRAMP as a PM
Use the resources at your disposal
The official FedRAMP website provides a wealth of information and resources. The program has compiled templates, reports, control guides, and training courses that can help prepare you and your team for the project ahead.
Take control of controls
A great way to prepare for FedRAMP is to get your hands on the FedRAMP Security Controls Baseline. This documentation outlines the security controls, enhancements, parameters, requirements, and general guidance referenced throughout the FedRAMP System Security Plan (SSP). Your organization will have to implement the controls derived from the NIST SP 800-53 Revision 4 catalog (current at the time of writing; FedRAMP has since rebaselined on Revision 5, so confirm which revision your authorization will be assessed against), so it’s beneficial to familiarize yourself with them. Along these lines, it’s crucial to know the difference between the impact levels (Low, Moderate, and High), because the baseline grows with each level; if you don’t know the difference, be sure someone on your team does.
Appreciate alphabet soup
As a government program, FedRAMP uses an abundance of abbreviations and acronyms. After a while of using terms such as “A2LA” (American Association for Laboratory Accreditation), “ATO” (Authority to Operate), and “3PAO” (Third Party Assessment Organization), you will definitely know what they refer to, but perhaps not what they stand for. To avoid misunderstandings, consider keeping a list of FedRAMP acronyms and their meanings on your desk; a quick-reference guide narrows the chances of miscommunication and boosts your knowledge of everything FedRAMP.
Finally – Some Easy Hurdles!
There are quite a few things your organization can take care of before initiating a relationship with a FedRAMP service provider that will make the entire process significantly easier. Having certain items ready and in place can help you avoid problems and save time down the road.
Define people and roles
Develop a list of the people on your team who need accounts (e.g., developers, support staff, end users) and the role and access level each one requires. You will also want to identify the members of the change management board. Identifying these resources early in the process will make setting up system accounts quicker when you get to that point.
Pass on or purchase software licenses
Since commercially licensed software (e.g., Microsoft Office, Visio, and commercial MySQL editions) is often necessary for your new FedRAMP environment, your organization will need a strategy for procuring licenses. Whether you buy new licenses or transfer existing ones, you’ll save time by doing so at the beginning of the project.
Provide access to data
If data needs to be migrated, set up a strategy beforehand. The FedRAMP-authorized service provider will need access through your security perimeter (a particularly robust one for government systems), so arrange that access early so it does not hold up the process later. Within this strategy, you’ll also want to determine which data actually has to be migrated and communicate that to the organization you’re working with.
Determine your impact level
Talk with your government agency and determine the impact level its FedRAMP platform requires: Low, Moderate, or High, driven by the FIPS 199 categorization of the data the system will handle. Requirements become stricter with each level, and since the program may revise its architecture guidelines and standards over time, confirm the target level early so the team builds to the right baseline.
Are you Ready?
FedRAMP was designed to make the assessment process more efficient by offering a “do once, use many times” framework. For PMs dealing with FedRAMP, this efficiency comes with “doing many times.” In other words, the more you dive into FedRAMP projects, the more you learn, and the easier your next project will be. You can only truly familiarize yourself with FedRAMP through such hands-on experience, and by doing so you will be better prepared to navigate the FedRAMP trenches. Contact Contegix today to find out how you can leverage FedRAMP compliant services so you can do once, and use many times.