The Federal government’s cloud-first policy is in full swing. It has been 6 months since the Federal Risk and Authorization Management Program (FedRAMP) was granted initial operating capability to streamline cloud security management and vendor approvals in an effort to strengthen our national IT infrastructure. In short, FedRAMP requires a few things. One, that government agencies identify 3 low- and moderate-impact federal systems that must be moved to commercial cloud environments by 2015 (reduced cost and operating efficiency are the MO here). Two, that independent third party assessment organizations (3PAO) be accredited to assess cloud environments against a known set of standards. And three, that cloud service providers (CSP) begin to be authorized as eligible destinations for those federal systems, with a continuous monitoring program in place to maintain the authorization.
As an accredited FedRAMP 3PAO, Coalfire has some unique insight into the progress of CSPs seeking FedRAMP authorizations. Having gone through a lengthy and in-depth review process ourselves (largely to demonstrate independence and technical competency) to receive the FedRAMP 3PAO accreditation, we can say that no step in the process is taken lightly.
Expect the First P-ATOs by End of 2012
According to the FedRAMP PMO in a recent webinar, as of Oct 25 it had received 60 initiation request applications from CSPs to go through the FedRAMP authorization process. At this point, none of the 60 has received a Provisional ATO, as they all continue to work through their assessments. In addition, the FedRAMP PMO has indicated that it expects to grant the first Provisional ATOs to cloud providers by the end of 2012, so that federal systems can begin migration in 2013.
The Unique Experience of an Assessment for a Federal Agency
Through this process, we find that incumbent service providers in the federal government space understand the procurement process, but don’t quite grasp the unique nature of auditing and assessing cloud environments. In many cases, organizations are adopting cloud technology that differs vastly from their traditional IT environment. As a result, service provider professionals with the technical aptitude needed to audit and assess cloud environments are extremely rare and in high demand. On the flip side, commercial providers tend to understand the unique nature of audit and assessment and are working hard to become more proficient at auditing and assessing cloud environments. Auditing cloud environments, though, is not the only skill set needed to navigate the FedRAMP process successfully. Commercial service providers continue to struggle with the federal approval process and find the overall FedRAMP process cumbersome, requiring a higher, unanticipated level of commitment and investment from the organization.
If you’re familiar with a federal assessment process, you’ll find that FedRAMP meets FISMA legislation and leverages the requirements and standards that form the basis for FISMA assessments (FIPS 199, FIPS 200, NIST SP 800-53 rev 3, etc.), with the addition of more controls and enhancements for low- and moderate-impact systems. What is unique to the FedRAMP assessment is the built-in checkpoints throughout the assessment process. At various points during the assessment, the CSP and 3PAO are required to check in with a selected FedRAMP PMO and ISSO to review milestones and deliverables to date. These deliverables include, but are not limited to, the System Security Plan (SSP), the architecture and system review, the Security Assessment Plan (SAP) and the Security Assessment Report (SAR). Preparing commercial cloud service providers (CSP) to undergo such a highly gated process is a unique challenge, but a warranted one. The nature of the Provisional Authority to Operate (P-ATO) requires this high level of scrutiny for all organizations pursuing FedRAMP.
FedRAMP is Designed to Bring Efficiencies
Unlike the FISMA process, where each government agency grants its own ATO after a successful FISMA assessment of its unique system, FedRAMP leverages a “do once, use many” framework. Under this framework, FedRAMP’s Joint Authorization Board (JAB) grants a Provisional ATO that any agency can leverage, likely reducing costs for both the cloud service providers and the purchasing agencies while building efficiencies into the assessment process. FedRAMP is also raising the bar in terms of assessing cloud environments on an ongoing basis. Not only does the 3PAO perform an annual control assessment of the CSP, it also plays an integral part in the continuous monitoring effort by performing penetration testing and vulnerability scanning of the web applications, operating systems and databases on an ongoing basis. This program is required for the CSP to maintain its Provisional ATO.
Top 10 Common Issues Found During Cloud Assessments
While FedRAMP is still new, 3PAOs and CSPs are learning new lessons along the way. What follows is a summary of some of the lessons learned so far by Coalfire. We have compiled a “Top 10” list of common issues that we continue to come across in cloud assessments. In many cases, CSPs have not yet addressed many of the items below, each identified and mapped to its NIST control, but will need to in order to make it through the program efficiently.
Coalfire believes that the success of the FedRAMP program is critical for a variety of reasons, but primarily to address the growing challenge of managing security in cloud environments and for our national infrastructure.