5 tips for CSPs looking to leverage FedRAMP Accelerated
- By Patrick D. Howard
- Jun 27, 2016
Unless you're George Clooney or Denzel Washington, most actors know it's not the photo and bio that will get them the job -- it's stepping on the stage and delivering a great audition. And that takes some preparation.
It might not be much different with FedRAMP Accelerated, the government's newly recast authorization process for cloud service providers (CSPs). After participants voiced concerns, FedRAMP and the General Services Administration announced a restructured and streamlined approval process that will be less protracted, though no less robust.
Previously, the FedRAMP review process was taking nine to 18 months, and much of the effort focused on reviewing iterations of documentation, not systems. FedRAMP Accelerated flips that model by having a third-party assessment organization conduct an initial capabilities assessment at the front end to determine whether the CSP is ready to proceed -- an audition, if you will. The 3PAO will issue a report in a few weeks, and if the FedRAMP Program Management Office gives a thumbs-up based on the findings, the CSP can move forward.
CSPs still need to undergo a full test and prepare a security assessment report to obtain a provisional authority to operate from the Joint Authorization Board, but all told, GSA estimates the approval process will shrink to a total of six months.
The consolidated timeline is good news, and CSPs will know far sooner where they stand. But the new approach also means CSPs need to be ready to put their best foot forward from the outset.
Although the initial pre-qualification isn't a full-blown assessment because it addresses just a subset of all applicable security controls, that doesn't mean it won't be rigorous. In fact, it will go far beyond a document review to identify potential gaps, making it an onramp or a stop sign to moving forward.
Understandably, CSPs already have questions about the new process and how best to prepare. Kratos SecureInfo has been a FedRAMP 3PAO since the program's inception, and from that vantage point, we have observed several areas CSPs typically struggle with or overlook.
1. Vulnerability insight. Scanning tools can only find what they have access to and what they are configured to see. Such tools require credentialed or "authenticated" access to perform the deep and thorough scans necessary for detecting hidden and persistent vulnerabilities in applications, systems and networks or behind firewalls.
Rather than relying on the quick but cursory results of noncredentialed scans or less robust manual testing, CSPs should be experienced with using automated, authenticated tools to achieve near 100 percent "find and fix" remediation so that they are not carrying known vulnerabilities forward.
2. CSP and FedRAMP patch cycles. CSPs concerned about customer experience and the risk of breaking functionality might be accustomed to issuing major updates and patches every six months or so. That schedule, however, does not align with the FedRAMP cycle, which requires that high vulnerabilities be fixed within 30 days and moderate ones within 90 days.
Although no requirement exists yet for low vulnerabilities, FedRAMP officials expect to see measurable progress on closing them. CSPs coming into the program must demonstrate the ability to remediate and patch in alignment with FedRAMP's 30- and 90-day remediation thresholds on an ongoing basis.
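As an added illustration (not from the article or from Kratos SecureInfo's tooling), a small Python check that ages scan findings against the 30- and 90-day windows described above and tracks lows without a deadline; the finding IDs, dates and the report date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# FedRAMP remediation windows cited in the article: high findings fixed within
# 30 days of detection, moderate within 90. Lows have no fixed deadline yet
# but are still tracked so that progress on closing them can be shown.
REMEDIATION_DAYS = {"high": 30, "moderate": 90}

@dataclass
class Finding:
    finding_id: str                 # hypothetical POA&M / scanner identifier
    severity: str                   # "high", "moderate" or "low"
    detected: date                  # date the credentialed scan first reported it
    closed: Optional[date] = None   # None while the finding is still open

def days_open(f: Finding, as_of: date) -> int:
    """Age in days: detection to closure, or to the report date if still open."""
    return ((f.closed or as_of) - f.detected).days

def status(f: Finding, as_of: date) -> str:
    """Classify one finding against the 30/90-day thresholds."""
    limit = REMEDIATION_DAYS.get(f.severity.lower())
    age = days_open(f, as_of)
    if limit is None:               # low severity: no hard deadline
        return "closed" if f.closed else "tracked"
    if f.closed:
        return "closed-on-time" if age <= limit else "closed-late"
    return "open-on-time" if age <= limit else "overdue"

def poam_report(findings, as_of: date) -> dict:
    """Counts per status plus the IDs of findings that breach a window."""
    report = {"counts": {}, "overdue": []}
    for f in findings:
        s = status(f, as_of)
        report["counts"][s] = report["counts"].get(s, 0) + 1
        if s == "overdue":
            report["overdue"].append(f.finding_id)
    return report

# Constructed sample findings (not real scan output) and a constructed report date.
AS_OF = date(2016, 6, 27)
SAMPLE = [
    Finding("H-001", "high", date(2016, 5, 1)),                              # 57 days open
    Finding("H-002", "high", date(2016, 6, 10), closed=date(2016, 6, 20)),   # fixed in 10 days
    Finding("M-001", "moderate", date(2016, 4, 1)),                          # 87 days open
    Finding("M-002", "moderate", date(2016, 2, 1), closed=date(2016, 6, 1)), # 121 days
    Finding("L-001", "low", date(2016, 1, 15)),                              # tracked only
]
```

Running `poam_report(SAMPLE, AS_OF)` flags H-001 as overdue and M-002 as closed late, the two cases a 3PAO would expect to see explained in the POA&M.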
3. An understanding of core controls. On the one hand, multifactor authentication is a core component that is often overlooked and lacking. On the other hand, there's the (costly) misconception that all servers must use it, when it might only be required at the edges or boundaries of the environment.
Other gaps or oversights include the use of mobile apps that do not support multifactor authentication, failure to fully deploy FIPS 140-2 encryption and security benchmarks that are not met or properly documented. CSPs should become familiar with the requirements behind the security controls needed to achieve FedRAMP compliance.
4. Complete system security plans. The SSP is the core document or centerpiece of how the CSP is implementing all its security controls. But SSPs are often documented at a high level without adequate detail. Instead, the SSP should be a stand-alone document that gives FedRAMP officials a full understanding of what the CSP has in place in terms of tools, technologies and services. For example, an SSP should define the security strategy and architecture for how the CSP secures data that is being processed or stored. Without that detail, assessments typically take longer and are more costly.
5. Third-party services. If a CSP relies on an external service for part of its solution, such as a data backup or archive, that service must be authorized under FedRAMP. Any system that handles sensitive government information, such as vulnerability or user data, must undergo the same rigorous testing. Otherwise, it represents a high risk that will be flagged.
Although the CSP is responsible for performing due diligence on its external services, the scope of those audits is often not adequate or complete. If that is the case, the CSP might want to enlist a 3PAO for the assessment.
CSPs coming from the commercial, nongovernment world might find it challenging to overlay FedRAMP's rigorous controls on top of their existing systems. In fact, a CSP might realize late in the process that it needs to replace capabilities embedded in its offering -- a potentially costly and complex re-engineering that wasn't anticipated. To avoid that, CSPs should determine early on whether it's necessary to rely on a third party or whether they can perform such services in-house. Ideally, those considerations should be addressed in the planning stages, when CSPs are designing their solution for federal customers.
The above areas merely represent the most common issues encountered in the FedRAMP checklist. CSPs need to address and document their complete security strategy as part of the initial assessment under FedRAMP Accelerated. The 3PAO will use it to review and understand the CSP's inventory of tools and processes and validate that what's represented is in place. The FedRAMP Program Management Office will then rely on the 3PAO's assessment to determine whether the CSP has the capabilities to warrant going forward.
For CSPs looking to get to prime time, this is the ideal time to plan and prepare so they can nail that audition and move forward under FedRAMP.
Patrick D. Howard served as chief information security officer at the Nuclear Regulatory Commission and the Department of Housing and Urban Development. He is now program manager for CDM at Kratos SecureInfo.