A Hitchhiker’s Guide to the Government Cloud
I’ve participated in many webinars about FedRAMP. The attendees often have many questions, as well as, significant concerns about what the federal program means for the future of their organization. From these I’ve learned that there are a lot of people in the industry that want to know more. So, I thought it would be best to put the FAQs in writing.
In this post, I’ll explain why FedRAMP has changed the way the public and private sectors look at security. You’ll learn what FedRAMP is and how it affects your agency, steps to prepare for FedRAMP, ways to identify a FedRAMP-authorized CSP, and how FedRAMP compliance can benefit your organization.
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 as part of the Cloud First policy, a government initiative to encourage agencies to utilize cloud-based alternatives for system infrastructure in consideration of cost, resiliency, resources, and specifically security. FedRAMP is basically an augmentation of the Federal Information Security Management Act (FISMA) of 2002, which established an emphasis by the federal government on information security.
However, the controls inside FISMA are geared towards physical space and servers – not virtualization. FedRAMP picks up that slack by being geared towards mode dependencies and cloud resources while ensuring security and compliance frameworks established by FISMA are met.
Why FedRAMP is Important
FedRAMP is a standardized approach for assessment, authorization, and monitoring of cloud products and services for the government. It has a significant impact on government agencies, cloud service providers (CSPs), contractors, and any service providers offering cloud services to the federal government. These organizations would either need their own FedRAMP Authority to Operate (ATO), or work with a FedRAMP-authorized provider.
From the Government’s Position
FedRAMP is important to the government for several reasons. The government must consider cost efficiencies and models laid out in the Cloud First Policy, the elasticity benefits associated with virtualized services, the automation of secure systems (which removes slow procurement processes), and the benefits of shifting security and compliance responsibilities to the CSP.
Government representatives read the same headlines we do; instances of information security breaches have shed light on an issue that is garnering more and more attention from those in federal positions. They recognize it is imperative to keep ahead of the problem instead of remaining reactive. Believe it or not, the government is moving quickly on the issue of security and has increased spending to approximately $12B annually to mitigate cyber-attacks.
From the CSP’s Position
The federal government is the largest single producer and disseminator of information in the United States. As a result of the Cloud First Policy, FedRAMP was created to govern and ensure sufficient information security in cloud-based offerings for federal agencies.
Being FedRAMP-authorized is a must if you do any business with the government; it adds credibility to your organization, allows you to leverage cloud offerings, and ensures you can bid on government work. When bidding on such work, one of the first questions you’ll be asked is, “Are you FedRAMP-authorized?” … That’s how important FedRAMP is for CSPs.
The FedRAMP Process
Once your organization achieves FedRAMP ATO from an agency, you can reuse a preexisting FedRAMP framework provided by that agency, subsequently either adding or mitigating certain controls. Finding a sponsoring agency to help you through the process may shorten the amount of time it takes you to achieve this ATO. If you do work with a sponsoring agency, it may request that you add more controls to the system at this point.
When putting together your informational package to submit to the FedRAMP Third Party Assessment Organization (3PAO), there are several items you must assess to make sure your offering is not deficient.
- System Inventory
- Information Categorization
- Security Controls
- System Security Plan
- Risk Assessment
- Independent Assessment
- Continuous Monitoring
This package also includes putting together specific system inventory data and documentation on the following:
- Hardware (i.e., servers, network devices)
- Network Diagrams
- Data Flow
Once these elements are assessed, you may engage the 3PAO auditors. There are seven main pieces involved in getting your system up to the FedRAMP level:
- Information Categorization– Only low and moderate impact systems can go through the FedRAMP process. These systems have to be FIPS 199 based (meaning all the data is encrypted). Also, high-impact systems are not yet formalized for FedRAMP.
- Security Controls– For a low impact system there are roughly 120 controls, which are based on NIST 800-53 standards. For a moderate impact system there are roughly 300 controls, also based on NIST 800-53 standards.
- System Security Plan (SSP)– The FedRAMP SSP template is approximately 350 pages. In this document, you’ll describe your cloud service offering, responding to each of the 120/300 controls and include supporting documentation.
- SSP Supporting Documentation– This entails system policies and procedures, a user guide, an e-Authentication worksheet, and a privacy threshold analysis/privacy impact assessment.
- Risk Assessment– This is similar to a FISMA assessment and examines the threats to and vulnerabilities of your system.
- Independent Assessment– This requires the use of roughly 30 3PAO to test the applicable controls in your SSP (e.g., penetration testing of the infrastructure).
- Certification & Authorization– Authorized by a JAB, provisional authority (PA), or sponsoring agency, this is similar to a FISMA certification or accreditation. Once you get an ATO from a sponsoring agency, you can leverage your approved system to service government requests.
At this point in the process, you’ll have to deal with the ever-changing landscape of cloud IT. That means you’ll go through continuous monitoring cycles for your system (this is all documented in your SSP). You will have to perform a full assessment of your control sets in your first round of monitoring. This entails showing evidence for every single device you have in your system. For example, if you have 100 hypervisors and 50 storage nodes behind them, you’ll be generating 150 pieces of evidence for that once control piece. Automation is key, and being able to clearly define how you gather information is crucial to saving your time and sanity.
A good place to start is to follow these steps:
Benefits of Selecting a FedRAMP-Authorized CSP
The benefits of leveraging a FedRAMP-authorized CSP depends on what you need, whether it’s Infrastructure as a Service (IaaS), Software as a Service (SaaS), or Platform as a Service (PaaS), every solutions provider will give you a different FedRAMP-approved offering. The key to success is to look at multiple vendor options to find the dedicated solution you’re looking for.
A FedRAMP-authorized CSP will no doubt, have managed integration and advanced security assessments, but another aspect to consider is whether they provide managed support on the entire hosting environment and on-demand support. If so, that can be a huge benefit of leveraging a FedRAMP-authorized CSP.
A good FedRAMP-authorized provider will also offer high performance technologies – such as OpenStack, OpenShift, or Docker – in a manner that meets the strict government cloud service requirements.
FedRAMP is about security and compliance. It is an unwieldy process and extensive investment of time, money, and resources. The average time to get through the entire process is over one year. The last time I checked, there were at least 200 packages awaiting review/approval, so the process may begin taking longer.
At Contegix, we know what it takes to be FedRAMP-authorized. We’ve been through it and understand that the hard work doesn’t end when you achieve approval. Working with a FedRAMP CSP, your agency can focus on content delivery rather than system administration, cyber-security, and the ever-changing realm of compliance standards. Contegix helps make this in-depth security assessment process as quick and easy as possible.
If you want to do business with the federal government, you have to be FedRAMP authorized. Despite being an onerous process, you have to start somewhere. My hope is that the information I’ve provided here can be that starting point, and get you on the right path to compliance and success.
Contegix can help with the rest of the steps. Contact us today.