A Guide to FedRAMP (Federal Risk and Authorization Management Program) to minimize cloud security risks for federal agencies.
Cloud computing creates hyperconnected services. The result is improved productivity for enterprises and more flexibility for the workforce. However, these benefits come with certain new risks. Cloud enablement increases the number of attack points available for cybercriminals to exploit.
The types of cloud security threats that enterprises face span the entire spectrum of the cybercriminal armory. These threats lead to malware infections and data exposure, both impacting compliance risks around data protection. A McAfee report into cloud adoption sums up the situation for the average enterprise:
“14 misconfigured IaaS instances running at any given time, resulting in an average of 2,269 misconfiguration incidents per month.”
Cloud computing is a game-changer in government. However, there needs to be a security framework to ensure this architecture is safe. In a September 2018 survey, federal IT managers expressed concerns about security in specific cloud environments. The Federal Risk and Authorization Management Program (FedRAMP) provides the framework for multi-agency cloud security.
A brief overview of FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a federal government-wide approach to cloud security developed alongside NIST, DoD, GSA, and DHS. The program, established in 2011, sets out a standardized process covering security assessment, authorization, and continuous monitoring of cloud products and services. If a cloud service provider (CSP) wishes to sell a commercial cloud service offering (CSO) to a federal agency, it must demonstrate that its cloud offering meets FedRAMP compliance requirements. These requirements cover the confidentiality, availability, and integrity of data.
Two baseline groups that govern FedRAMP:
- Joint Authorization Board (JAB)
- Program Management Office (PMO)
The JAB includes the chief information officers (CIOs) from the Department of Defense, Department of Homeland Security (DHS), and General Services Administration (GSA). It is the primary governance and decision-making body for FedRAMP.
FedRAMP guidance takes an organization through a process to demonstrate and deliver secure cloud services at a level expected by the federal government.
Types of associated entities
FedRAMP is a process that encompasses several stakeholders to achieve compliance. These stakeholders are known as “associated entities.” Each is part of a connected tripartite arrangement to deliver secure cloud services to the federal government.
The three types of stakeholders:
- The federal agency using FedRAMP: Any U.S. federal government agency that wishes to use a commercial cloud service.
- The cloud service provider (CSP) – FedRAMP Security Authorized: The CSP must be authorized through FedRAMP to sell a service to a federal agency.
- Third-Party Assessment Organization (3PAO): A specialist third party with authority to check a CSP's cloud offering for FedRAMP compliance. FedRAMP requires that a 3PAO be accredited through the FedRAMP 3PAO Program.
The CSO must be assessed by a FedRAMP Third Party Assessment Organization known as a 3PAO. The CSO must also obtain the Joint Authorization Board (JAB) Provisional Authority to Operate (ATO).
Achieving FedRAMP compliance
The FedRAMP program employs a subset of the controls in the National Institute of Standards and Technology (NIST) Special Publication 800-53 that are applicable to cloud environments. NIST SP 800-53 cloud computing controls are several years old, well-tested in production environments, and accepted by the industry. The controls are based on the sister publication from NIST, SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach” (RMF).
To allow a federal department to use a cloud service offering, the cloud service provider must have authorization through the FedRAMP Authority to Operate (ATO). To achieve this authorization, a cloud service offering must go through a process that involves several criteria, including the implementation of controls and documentation to prove the authority to operate.
FedRAMP has four main areas that must be adhered to during the process of compliance:
- Document: Covers steps 1-3 of the Risk Management Framework (RMF) and generates the supporting documentation to define the security controls and implementation needs for FedRAMP. This documentation becomes the CSP's System Security Plan (SSP).
- Assess: The 3PAO performs this step using the documentation developed in step 1 above. Typically, a Security Assessment Plan (SAP) is created by the 3PAO.
- Authorize: A 3PAO tests any security controls and creates a Security Assessment Report (SAR) based on a FedRAMP template. The SAR provides details on vulnerabilities, threats, and risks discovered during testing.
- Monitor: A CSP MUST implement continuous monitoring to maintain the security posture of the FedRAMP authorized cloud system. A 3PAO often carries out this monitoring.
Types of data covered and levels of authorization in FedRAMP
The ultimate goal of the FedRAMP compliance process is to provide robust security controls over data. The types of data covered under FedRAMP are Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), sensitive patient medical records, financial data, law enforcement data, export-controlled data, and other forms of CUI.
FedRAMP authorization has a set of baselines that authorize a CSO at low, moderate, or high impact levels:
- Low: Where the loss of data confidentiality, integrity, and availability results in limited adverse effects.
- Moderate: This applies to around 80% of CSPs. Loss of data confidentiality, integrity, and availability would result in serious adverse effects, such that significant operational damage or individual harm would occur.
- High: This level is typically associated with law enforcement and emergency service systems, as well as financial systems and health systems, where a severe or catastrophic adverse effect would take place.
Five benefits of achieving FedRAMP compliance
- FedRAMP offers CSPs an opportunity to sell cloud services to federal agencies as an authorized vendor.
- FedRAMP authorization demonstrates that a CSO offers robust security to a given risk level, to prevent data exposure, leaks, or theft.
- FedRAMP is a standardized approach to security authorization following NIST security requirements. This standardization demonstrates best practices not just for the federal government but across all industries.
- FedRAMP facilitates collaboration across federal government agencies. FedRAMP governance provides a rich source of advice and help in attaining FedRAMP levels of security.
- FedRAMP authorized services have been checked by accredited third parties (3PAOs) and undergo ongoing assessment and continuous monitoring.
When choosing a cloud service provider, check out their FedRAMP status. This status is an excellent indicator of the level of security their cloud services follow. FedRAMP sets high and demonstrable standards for cloud computing security. By using a FedRAMP authorized cloud service, you significantly mitigate the risk of a data breach.