5 tips for CSPs looking to leverage FedRAMP Accelerated

Paying attention to these often overlooked capabilities can help cloud service providers speed through GSA's new review process.


Unless you're George Clooney or Denzel Washington, most actors know it's not the photo and bio that will get them the job -- it's stepping on the stage and delivering a great audition. And that takes some preparation.

It might not be much different with FedRAMP Accelerated, the government's newly recast authorization process for cloud service providers (CSPs). After participants voiced concerns, FedRAMP and the General Services Administration announced a restructured and streamlined approval process that will be less protracted, though no less robust.

Previously, the FedRAMP review process was taking nine to 18 months, and much of the effort focused on reviewing iterations of documentation, not systems. FedRAMP Accelerated flips that model by having a third-party assessment organization (3PAO) conduct an initial capabilities assessment at the front end to determine whether the CSP is ready to proceed -- an audition, if you will. The 3PAO will issue a report in a few weeks, and if the FedRAMP Program Management Office gives a thumbs-up based on the findings, the CSP can move forward.

CSPs still need to undergo a full test and prepare a security assessment report to obtain a provisional authority to operate from the Joint Authorization Board, but all told, GSA estimates the approval process will shrink to a total of six months.

The consolidated timeline is good news, and CSPs will know far sooner where they stand. But the new approach also means CSPs need to be ready to put their best foot forward from the outset.

Although the initial pre-qualification isn't a full-blown assessment because it addresses just a subset of all applicable security controls, that doesn't mean it won't be rigorous. In fact, it will go far beyond a document review to identify potential gaps, making it an onramp or a stop sign to moving forward.

Understandably, CSPs already have questions about the new process and how best to prepare. Kratos SecureInfo has been a FedRAMP 3PAO since the program's inception, and from that vantage point, we have observed several areas CSPs typically struggle with or overlook.

1. Vulnerability insight. Scanning tools can only find what they have access to and what they are configured to see. Such tools require credentialed or "authenticated" access to perform the deep and thorough scans necessary for detecting hidden and persistent vulnerabilities in applications, systems and networks or behind firewalls.

Rather than relying on the quick but cursory assessments that noncredentialed scans or less robust manual testing provide, CSPs should be experienced with using automated, authenticated tools to achieve near 100 percent "find and fix" remediation so that they are not carrying known threats forward.

2. CSP and FedRAMP patch cycles. CSPs concerned about customer experience and the risk of breaking functionality might be accustomed to issuing major updates and patches every six months or so. That schedule, however, does not align with the FedRAMP cycle, which requires that high vulnerabilities be fixed within 30 days and moderate ones within 90 days.

Although no requirement exists yet for low vulnerabilities, FedRAMP officials expect to see measurable progress on closing them. CSPs coming into the program must demonstrate the ability to remediate and patch in alignment with FedRAMP's 30- and 90-day remediation thresholds on an ongoing basis.
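The remediation thresholds above are easy to state and easy to lose track of once a scanner is producing hundreds of findings a month. The following script is an added example, not code from the article or from Kratos SecureInfo; it models a small plan-of-action-and-milestones (POA&M) aging check that classifies each finding against the 30-day (high) and 90-day (moderate) thresholds the article cites, treats lows as tracked but without a deadline, and reports what is overdue as of a given date. The finding records, dates and identifiers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Remediation thresholds cited in the article: high within 30 days, moderate
# within 90. The article says no deadline exists yet for lows, so they are
# tracked but never marked overdue.
SLA_DAYS = {"high": 30, "moderate": 90, "low": None}


@dataclass
class Finding:
    finding_id: str
    severity: str                  # "high" | "moderate" | "low"
    first_detected: date           # date the scanner first reported it
    closed: Optional[date] = None  # date remediation was verified, if any


def days_open(f: Finding, as_of: date) -> int:
    """Days between first detection and closure (or `as_of` if still open)."""
    end = f.closed or as_of
    return (end - f.first_detected).days


def days_remaining(f: Finding, as_of: date) -> Optional[int]:
    """Days left before the threshold is breached; None when no threshold applies."""
    limit = SLA_DAYS[f.severity]
    if limit is None:
        return None
    return limit - days_open(f, as_of)


def sla_status(f: Finding, as_of: date) -> str:
    """Classify a finding against its severity's remediation threshold."""
    limit = SLA_DAYS[f.severity]
    if limit is None:
        return "no-sla"           # low: tracked, no hard deadline
    late = days_open(f, as_of) > limit
    if f.closed is not None:
        return "closed-late" if late else "closed-in-sla"
    return "open-overdue" if late else "open-in-sla"


def summarize(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """Count findings per status and list the ids that currently breach a threshold."""
    counts: Dict[str, int] = {}
    overdue: List[str] = []
    for f in findings:
        status = sla_status(f, as_of)
        counts[status] = counts.get(status, 0) + 1
        if status == "open-overdue":
            overdue.append(f.finding_id)
    return {"counts": counts, "overdue": overdue}


# Constructed sample findings (not from any real scan).
AS_OF = date(2016, 6, 1)
SAMPLE_FINDINGS = [
    Finding("F-001", "high", date(2016, 4, 15)),                      # 47 days open
    Finding("F-002", "high", date(2016, 5, 20)),                      # 12 days open
    Finding("F-003", "moderate", date(2016, 2, 1), date(2016, 5, 15)),  # closed after 104 days
    Finding("F-004", "moderate", date(2016, 3, 10)),                  # 83 days open
    Finding("F-005", "low", date(2015, 12, 1)),                       # no threshold
    Finding("F-006", "high", date(2016, 5, 1), date(2016, 5, 20)),    # closed after 19 days
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.severity, sla_status(f, AS_OF), days_remaining(f, AS_OF))
    print(summarize(SAMPLE_FINDINGS, AS_OF))
```

A closed finding that took longer than its threshold is reported as `closed-late` rather than dropped, because a 3PAO will look at the history of remediation, not only the current open list; keeping that state visible is what lets a CSP demonstrate the ongoing 30- and 90-day alignment the program expects.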

3. An understanding of core controls. On the one hand, multifactor authentication is a core component that is often overlooked and lacking. On the other hand, there's the (costly) misconception that all servers must use it, when it might only be required at the edges or boundaries of the environment.

Other gaps or oversights include the use of mobile apps that do not support multifactor authentication, failure to fully deploy FIPS 140-2-validated encryption, and security benchmarks that are not met or properly documented. CSPs should become familiar with the requirements behind the security controls needed to achieve FedRAMP compliance.

4. Complete system security plans. The SSP is the core document or centerpiece of how the CSP is implementing all its security controls. But SSPs are often documented at a high level without adequate detail. Instead, the SSP should be a stand-alone document that gives FedRAMP officials a full understanding of what the CSP has in place in terms of tools, technologies and services. For example, an SSP should define the security strategy and architecture for how the CSP secures data that is being processed or stored. Without that detail, assessments typically take longer and are more costly.

5. Third-party services. If a CSP relies on an external service for part of its solution, such as a data backup or archive, that service must be authorized under FedRAMP. Any system that handles sensitive government information, such as vulnerability or user data, must undergo the same rigorous testing. Otherwise, it represents a high risk that will be flagged.

Although the CSP is responsible for performing due diligence on its external services, the scope of those audits is often not adequate or complete. If that is the case, the CSP might want to enlist a 3PAO for the assessment.

CSPs coming from the commercial, nongovernment world might find it challenging to overlay FedRAMP's rigorous controls on top of their existing systems. In fact, a CSP might realize late in the process that it needs to replace capabilities embedded in its offering -- a potentially costly and complex re-engineering that wasn't anticipated. To avoid that, CSPs should determine early on whether it's necessary to rely on a third party or whether they can perform such services in-house. Ideally, those considerations should be addressed in the planning stages, when CSPs are designing their solution for federal customers.

The above areas merely represent the most common issues encountered in the FedRAMP checklist. CSPs need to address and document their complete security strategy as part of the initial assessment under FedRAMP Accelerated. The 3PAO will use it to review and understand the CSP's inventory of tools and processes and validate that what's represented is in place. The FedRAMP Program Management Office will then rely on the 3PAO's assessment to determine whether the CSP has the capabilities to warrant going forward.

For CSPs looking to get to prime time, this is the ideal time to plan and prepare so they can nail that audition and move forward under FedRAMP.
