FedRAMP authorization and the quest for a better process

The FedRAMP authorization challenge

CSPs may pursue two kinds of FedRAMP authorization: a Provisional ATO from the Joint Authorization Board (JAB) -- FedRAMP's main governing body -- and an Agency ATO. The JAB authorization is best for multi-tenant cloud services of broad applicability, while the agency authorization, which is specific to a particular agency, is geared toward niche cloud services, according to FedRAMP.

To obtain FedRAMP authorization, CSPs must commit to using required FedRAMP templates for all of their system security packages. In addition, CSPs' cloud offerings must be subjected to an independent security assessment conducted by a third-party assessment organization before their security assessment package is posted to the FedRAMP secure repository.

Another burden is making sure CSPs' platforms comply with NIST Special Publication 800-53, Revision 4, which underpins the required security and privacy needs of U.S. federal government information and information systems. NIST 800-53 promotes standards federal agencies use to implement the Federal Information Security Management Act (FISMA) and manage other programs designed to protect information.

Brad Schulteis

NIST 800-53 addresses the layers of defense in depth that any public or private organization should ideally be practicing, said Brad Schulteis, director of government solutions at Rackspace, a managed cloud services company based in San Antonio. But NIST 800-53 becomes a vast compliance undertaking when it's applied to commercial offerings.

"The problem is FedRAMP and FISMA are part of large government programs with, in some cases, literal armies of security professionals to throw at the problem," he said. "The requirements are written very prescriptively and government-specific. If you have 325 security controls that you have to implement just for FedRAMP Moderate, then that becomes extremely challenging for smaller commercial organizations with maybe a full-time security professional on staff."

FedRAMP Moderate is one of three FedRAMP standards that reflect the criticality of a given information system.

By comparison, companies that performed a HIPAA review had 18 security controls to implement and took six months to do so in an all-hands-on-deck effort, Schulteis added. He said a CSP will have a much harder time working through 325 different security controls under the FedRAMP program.

"That's just not tenable for a lot of these smaller companies that are building in this cloud economy where they had a great idea, they rapidly deployed a solution in the cloud and gained adoption quickly," Schulteis said. "Their innovative cloud solutions were not thought of from a security mindset from the beginning, and now they are left to try to refactor this into this FedRAMP construct and add 325 controls after the fact. It's very difficult for them to do that."

There are some executives at CSPs that have decided it's just not worth it.

The commitments necessary to work through these requirements are easier for some companies than others, executives have noted. The FedRAMP compliance process is affecting cloud vendors' decisions on pursuing the federal sector.

"There are some executives at CSPs that have decided it's just not worth it," Schulteis said. "They say, 'This is not my target market. I don't have the expertise. I don't have 24/7 security teams on staff to be able to meet these requirements, so I'm just not going to target the federal market.'''

Easing the journey

A number of companies have launched initiatives to help cloud providers with their FedRAMP authorization journeys.

Earlier this year, Rackspace teamed with Telos Corp., a security solutions provider based in Ashburn, Va., to assist ISVs selling SaaS to the federal government. The arrangement combines Rackspace Inheritable Security Controls with Telos' Xacta cyber-risk management tool. The latter offers compliance automation and continuous security monitoring. Companies selling SaaS to federal agencies can use the combined offering to shorten the time required to achieve ATO status, according to Rackspace.

Reducing the time and expense of FedRAMP authorization is also a key component of Quzara LLC's proprietary FedRAMP Readiness Assessment Tool (FRAT). The Reston, Va., consulting firm recently launched the tool, which aims to help SaaS, ISV and technology providers gauge their FedRAMP readiness. FRAT is a web application used to help cloud providers understand their current security capabilities and core FedRAMP requirements.

The top cloud providers are also looking to ease the FedRAMP compliance burden. Micorsoft recently introduced an Azure Blueprint to help cloud providers comply with FedRAMP's Moderate level security controls. And AWS recently launched its Authority to Operate on AWS program to help cloud partners that need assistance with FedRAMP authorization.

Andrew Williams

Another way to assist CSPs is to automate their security posture, noted Andrew Williams, director of program development at Coalfire. CSPs should start automating some of the security processes, configurations and technical aspects of security that they need to manage as part of FedRAMP.

"Automation puts them in a place where there is no human in the loop to potentially cause human error," Williams said. "They also don't have to necessarily add head count every time the standard changes, and it helps their environment be more automatically dynamic. If a cyberattack occurs and systems crash, automatically switching workloads to a standby computer server can be a powerful response that's more efficient than having a big security team of people work on the security problem."

FedRAMP evolution

In the meantime, FedRAMP has evolved and adjustments to the program have streamlined the way CSPs approach the authorization process. FedRAMP Accelerated, launched in 2016, offers CSPs a low-cost way to evaluate whether they are ready, or not, so they can appropriately prioritize investment internally. FedRAMP Connect, introduced in 2017, has streamlined the process further. This effort tasks the FedRAMP Project Management Office, federal CIOs and the Office of Management and Budget with reviewing business cases and selecting CSPs to pursue JAB certifications based on governmentwide demand, applicability for cross-agency use and the security of the offering.

For CSPs that want to pursue government contracts to manage nonmission-critical data in the cloud, the introduction in 2017 of FedRAMP Tailored gives them a chance to win contracts for low-risk cloud offerings that do not handle personally identifiable information (PII).

The Trump administration's Cloud Smart program also seeks to address "the relatively slow pace" of FedRAMP assessment, according to the federal CIO Council. The council cited "a lack of reciprocity across agencies when adopting FedRAMP authorizations," which has led to a duplication of effort. Initiatives to promote common ATO agreements are underway, however.

A bid to boost FedRAMP's focus on PII could also be in the works. Next year, Williams expects FedRAMP to issue a substantial update that incorporates privacy requirements and privacy expectations around personally identifiable data, which was not a critical focus when the FedRAMP program began.

"I expect to see more privacy requirements around personally identifiable information incorporated into FedRAMP in 2020," he said. "Adding application specifications that address personal privacy and [putting] guardrails on how companies implement machine learning algorithms, for example, will add more security than we see today," Williams said.