In a recent article published on NextGov, there was a reference to the comments submitted by the Software & Information Industry Association (SIIA) in response to the public comment release of the Proposed Draft of the FedRAMP requirements. In reviewing the posted comments, it became apparent that the SIIA, and possibly other organizations, may not have the experience implementing FISMA that is needed to adequately understand, at a minimum, the FIPS and NIST Special Publications that guide the FedRAMP process. Therefore, using the publicly submitted SIIA comments below, I will examine each comment that focuses on the Proposed FedRAMP Framework. The aim is to address the challenge the FedRAMP PMO faces in reviewing comments, and in vetting them against proposed changes, given industry's limited familiarity with the specific federal requirements published by NIST, OMB, GSA, DHS and the other agencies that support the implementation of FISMA.
SIIA noted: “FedRAMP should be risk-based, not control-based, factoring in vulnerabilities and impact of assessments to the overall security posture of systems and networks.”
The FedRAMP Draft specifically states in Section 3.4.2:
“This section defines FedRAMP assessment and authorization process for Cloud Service Providers (CSP). It also provides guidelines and procedures for applying the NIST 800-37 R1 Risk Management Framework to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and continuous monitoring. CCS Service Providers should use this process and the noted references prior to initiating/performing the Security Authorization process.”
It should further be noted that most of the implementation of the A&A process has been left to the Cloud Service Provider (CSP). This is consistent with the requirements already levied on Federal Contractor-Owned or Federal Contractor-Operated information systems that the Federal Government uses to store, process, or transmit federal information.
OMB Memorandum M-10-14 (“FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management”) states:
36. Must Government contractors abide by FISMA requirements?
Yes. Also, each agency must ensure their contractors are abiding by FISMA requirements. Section 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.” Section 3544(b) requires each agency to provide information security for the information and “information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” This includes services which are either fully or partially provided, including agency hosted, outsourced, and software-as-a-service (SaaS) solutions.
Additionally, the sponsoring government agency that is part of the JAB should take part in the initial steps of the RMF to ensure the security categorization (RMF Step 1) is appropriate for the type of information intended to be stored, processed, or transmitted in the target information system. Since the CSP is responsible for creating and submitting the authorization package, which includes the System Security Plan, the CSP would likely document the categorization and the rationale for the Confidentiality, Integrity, and Availability (CIA) security objectives that support the overall Security Categorization used in the later steps of the RMF.
SIIA noted: “The proposed controls are, in many cases, overly prescriptive and not sufficiently vendor neutral, nor do they effectively differentiate between the three basic cloud functions (laaS, PaaS, SaaS).”
The FedRAMP Draft specifically identifies in Step 3 (Implement Controls), and in other areas throughout the document, the “FedRAMP control tailoring workbook”, which provides a column labeled “Service Provider Implemented Settings” for CSPs to describe alternate implementations and compensating controls.
The FedRAMP Draft specifically states in FedRAMP Process Steps 4d and 4e: “JAB (consisting of DHS, DOD and GSA) and the Requesting/Sponsoring Agency receive a CSP/FedRAMP briefing on the generic control implementation. JAB and requesting Agency review the Control Tailoring Workbook for compliance and alternate implementations/compensating controls to determine effectiveness and make a risk‐based decision.” This would be the ideal time for a CSP to describe why a control is not applicable to a specific environment, based on the proposed use of NIST SP 800-37, Rev. 1 (Task 2-2 – Security Control Selection) and NIST SP 800-53, Rev. 3 (Section 3.3, Selecting Security Controls – Tailoring the Baseline Security Controls), which states: “After selecting the initial set of baseline security controls from Appendix D [FedRAMP security requirements], the organization [CSP] initiates the tailoring process to appropriately modify and more closely align the controls with the specific conditions within the organization (i.e., conditions specific to the information system or its environment of operation).”
In addition, the FedRAMP System Security Plan Template states in the Section titled “Minimum Security Controls”:
“Select the appropriate minimum security control baseline (low-, moderate) from following FedRAMP Security Controls List, then provide a thorough description of how all the minimum security controls in the applicable baseline are being implemented or planned to be implemented. The description should contain: 1) the security control title; 2) how the security control is being implemented or planned to be implemented; 3) any scoping guidance that has been applied and what type of consideration; 4) indicate, if the security control is a common control, who is responsible for its implementation; and 5) include evidentiary artifacts to support control implementation as necessary.”
SIIA noted: “The proposed technical controls process includes too many approvals by the Joint Authorization Board (JAB), and there is no mechanism for reciprocity for security authorizations between Agencies.”
The FedRAMP Draft specifically states in the Stakeholder Roles and Responsibilities that the CSP should “work with the sponsoring Agency to submit their offering for FedRAMP authorization.” As discussed above, the “A&A process has been left to the Cloud Service Provider (CSP) to implement”, which includes working with the other Agencies that will leverage the FedRAMP Authorization to put the appropriate reciprocity agreements in place. The Proposed FedRAMP process also states in Section 3.6 (“Authorization Leveraging Process”): “the purpose of all of the FedRAMP authorizations is to facilitate the leveraging of these authorizations for use by multiple federal agencies (“Approve once. Use often”). Leveraging such authorizations is employed when a federal agency chooses to accept all of the information in an existing authorization package via FedRAMP.”
Further, NIST SP 800-37, Rev. 1 states in Chapter 1, footnote 11 on page 3:
“Reciprocity is the mutual agreement among participating organizations to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information. Reciprocity is best achieved by promoting the concept of transparency (i.e., making sufficient evidence regarding the security state of an information system available, so that an authorizing official from another organization can use that evidence to make credible, risk-based decisions regarding the operation and use of that system or the information it processes, stores, or transmits).”
The above footnote appears consistent with the FedRAMP leveraging process, in which “the leveraging organization reviews the FedRAMP authorization package as the basis for determining risk to the leveraging organization”.
SIIA noted: “Continuous monitoring, as currently proposed in the Draft, could require security reviews each time that a cloud vendor upgrades its platform.”
The FedRAMP Draft specifically states in Section 2.6 (“Routine System Change Control Process”): “the Change Control Process is instrumental in ensuring the integrity of the cloud computing environment. There are however, changes that are considered to be routine. These changes can be standard maintenance, addition or deletion of users, the application of standard security patches, or other routine activities. While these changes individually may not have much effect on the overall security posture of the system, in aggregate they can create a formidable security issue. To combat this possibility, these routine changes should be documented as part of the CSP’s standard change management process and accounted for via the CSP’s internal continuous monitoring plan. Accordingly, these changes must be documented, at a minimum, within the current SSP of the system within 30 days of implementation.”
As noted above, the CSP establishes an internal continuous monitoring plan, which should allow some flexibility in how it verifies security controls (outside of the annual Continuous Monitoring requirement) so that it detects changes that would affect the broader Cloud offering covered under the FedRAMP authorization. Therefore, routine changes such as a CSP upgrading its Cloud offering “3 times each year” would clearly be routine activities that should follow the CSP’s formal change management process.
The FedRAMP Draft does, however, specifically state in Section 2.6 that major or significant changes [“a change that is likely to affect the security state of an information system”], such as “installing a new operating system, port modification, new hardware platforms, or changes to the security controls should automatically trigger a re-authorization of the system via the FedRAMP process.” The FedRAMP Draft also specifically states: “CSP must perform a self-assessment annually or whenever a significant change occurs. This is necessary if there is to be a continuous awareness of the risk and security posture of the system.” What the FedRAMP Draft does not indicate is which controls the CSP will document in its internal continuous monitoring plan; that plan should be consistent with the required artifact (“Continuous Monitoring Plan (CMP)”) that the CSP must deliver as part of the FedRAMP A&A process.