Success with Compliance – FedRAMP, GovCloud, and Staying Sane

September 1, 2025

Marija: Good morning everybody, good day and thank you for coming, welcome. Today we would like to talk about compliance and how to be successful with compliance, specifically FedRAMP and GovCloud. They are very complex, very big subjects and we want to address them from the point of view of why would you even do this, why would you go FedRAMP, what does that even mean from an overall business perspective. We want to go a little bit into some of the complications and what to watch out for when it comes to the compliance itself, and then from there lead on into some of the infrastructure – what is important with respect to the infrastructure, what to be aware of and what to just kind of start keeping an eye out for.

Speakers:

  • Marija – Webinar Host
  • Ajay Chandhok – CEO of Stratus Cyber
  • Reed Rising – Security Guru and Practitioner from Stratus Cyber
  • Josh Grant – Senior Solutions Architect from SMS

So we are well represented with business, compliance and tech today.

What is FedRAMP?

Marija: Ajay, I would love to go ahead and kind of kick things off with you to get started and my very first question is can you please define for us what is FedRAMP?

Ajay: FedRAMP is the Federal Risk and Authorization Management Program. It’s a government-wide program that provides a standard approach to security assessment, authorization and continuous monitoring (also referred to as ConMon) for cloud products and services. It’s basically there to ensure that cloud service providers (CSPs) meet the necessary security requirements to protect Federal data and information systems, and it really is an enabler for sales to the federal government.

Key Strategic Considerations for FedRAMP

Marija: Thank you, so that’s the definition of it. What are some key strategic considerations people should take into account when thinking about FedRAMP or going FedRAMP?

Ajay: The US government is probably the largest customer of products, cloud likely as well. Federal sales can be extremely lucrative for vendors. Some key strategic considerations to think about when you want to go through FedRAMP and also sell to the federal government:

Existing Federal Clients

Does your company or your product have existing Federal clients? We’ve seen a lot of successful companies already have self-hosted versions that are being run by agencies, meaning they have Federal paying customers for their products. That market need is there which tells you that FedRAMP will likely be successful for you. Instead of a vendor using their on-prem product they can use their SaaS hosted solution.

Agency Relationships

Do you have existing relationships with agencies that would be willing to sponsor your authorization? That’s often a big blocker for CSPs – getting an agency to sponsor you. Having those established relationships and willingness to sponsor is definitely very necessary.

There are a lot of changes with how authorization happens upcoming with the JAB going away (the Joint Authorization Board) and moving to program authorization, but there’s no official guidance out yet on that.

Starting from the Beginning

If you’re really just starting out with federal sales on your roadmap, it might really be beneficial to even start with FedRAMP from the get-go. Build to those requirements, build to that architecture. You don’t necessarily have to go through the entire process but that way you’re maintaining a single environment and are really starting with a good security foundation, not designing or architecting yourself out of it.

Business Challenges of Implementing FedRAMP

Marija: With that said, you know especially the risks of architecting yourself out from the future there, what are some challenges when it comes to implementing FedRAMP, particularly from a business perspective?

The Expertise Problem

Ajay: Some of the key challenges are companies trying to tackle FedRAMP themselves – unless you have personnel that are intimately familiar with FedRAMP, the controls, the guidance, the kind of changing landscape, it’s really difficult to be equipped and stay equipped to tackle FedRAMP. That results in delays, overspending.

Real Example: The $300M Company

Ajay: We worked with a $300 million plus company that tried to go about this alone. They had the in-house technical expertise, they have the business acumen, but they still went way over budget and way over time – way more than a million dollars over budget and delayed by over a year. Because of those delays they got caught in the transition from R4 to R5 as well. We were able to come in and rebuild their environment from scratch within 6 months.

What Success Requires

Ajay: This highlights the need to stay on top of FedRAMP guidance but also be experts – technical experts in FedRAMP and also business experts ensuring that you’re able to help organizations align strategically with executives, managers, technical engineers. Having realistic expectations about the process and being able to communicate that to stakeholders so that there is alignment across all parties.

Really understanding the end-to-end process, being able to plan your resources effectively – budget, timelines – and understand that audits are never perfect. There’s always going to be fixes that need to happen and there’s a human that’s an auditor so lots of stuff is open to interpretation and really navigating all of that as well as ongoing resource planning for annual audits, continuous monitoring, staying on top of all the FedRAMP updates.

Best Approach

Ajay: Working with a solution provider with proven FedRAMP experience is probably the best way to go about it. Even extremely large companies need support. Businesses are focused on their solutions and verticals and FedRAMP in itself, FedRAMP consulting is an industry and vertical in itself so it’s really best to leave that expertise up to those industry experts.

Critical Compliance Requirements

Marija: Thank you AJ. I would like to pivot now a little bit more to the specifics of FedRAMP when it comes to the compliance and Reed I would love to ask you what are some of the critical things that you have to get right for FedRAMP?

The Scope Challenge

Reed: That’s a great question. The scope of FedRAMP is just so large. Depending on whether you’re opting for a FedRAMP Moderate authorization or FedRAMP High authorization, you’re looking at over 300, over 400 FedRAMP controls that you need to comply with. Even outside of those hundreds of controls that are defined within the FedRAMP baseline, you also have to consider the amount of documentation that they have out there – guidances, white papers.

Federal Mandates and Showstoppers

Reed: In one document there are six Federal mandates described that you have to comply with or else it’s a showstopper and your authorization is done for.

FIPS Encryption: One of those showstoppers is FIPS encryption – encryption being a very high encryption standard that you must comply with if you are offering a SaaS application to the government.

PIV/CAC Cards: You have to ensure that your application users can use PIV or CAC cards (those government ID cards that federal employees have) to authenticate to your application.

Service Dependencies: What services are you using in your environment? For example if you’re using a cloud ticketing platform for change management for tickets, that SaaS service also needs to be FedRAMP authorized or that’s a showstopper. It cascades all the way down.

White Papers and Requirements

Reed: It cascades all the way down to things like white papers which aren’t exactly explicitly defined. For example a couple years ago FedRAMP released a white paper about subnetting and network segmentation. It wasn’t exactly the most clearly defined document, a bit ambiguous, and it was only recently understood that bastion hosts are a requirement to access your environment. We’ve seen a situation where a company in the middle of an audit came to that realization and then had to really backtrack and rearchitect.

Vulnerability Management

Reed: FedRAMP requires you to remediate vulnerabilities that are present in your environment within certain time frames. For high vulnerabilities you have to fix them within 30 days, for moderate 90 days etc. If you are consistently overdue with those vulnerabilities, that’s also a showstopper.

What is Continuous Monitoring (ConMon)?

Reed: ConMon stands for continuous monitoring. What exactly are you monitoring continuously? It’s your environment. The scope that falls under that includes your infrastructure – that would be your virtual machines, your databases, your containers if you are using containerized applications. It also includes your web application.

Components of ConMon

Vulnerability Scanning and Management: Reed: You’re monitoring those systems for vulnerabilities, tracking those vulnerabilities across their life cycle. In the case of false positives or risk acceptances that your CSP would need to make, there is a FedRAMP process as well for that called deviation requests.

System Hardening: Reed: The infrastructure, your servers, your containers, your databases need to be hardened according to specific benchmarks such as DISA STIG or CIS level two. You also have to monitor those systems to ensure that they remain compliant against those benchmarks.

Inventory: Reed: Keeping track, basically a live updated report, of what exists in your environment. In cases where your environment is more dynamic and modern – say you’re using containerized applications, you have autoscaling groups – your environment, the systems that exist in your environment, are going to be changing on a day-to-day basis. Staying on top of your inventory and making sure it’s accurate is another piece of it.

The Monthly Process

Reed: Really, ConMon – you’re taking all of these pieces (the vulnerability scanning, the inventory tracking, the compliance hardening) and you’re taking those artifacts, putting them into a single ConMon package which you deliver to your sponsoring agency once a month. It’s with your sponsoring agency that you also meet with once a month to discuss that ConMon package. There’s a lot going on there, it’s an ongoing operation and a decent amount of operational overhead.

Technical and Operational Challenges

ConMon Operations

Reed: We do see that CSPs, companies who try to take on ConMon on their own without prior experience or really familiarity with those processes, that can be a real pain point for them.

General Operational Requirements

Reed: There are also general operational requirements for FedRAMP – things like regular user access reviews, your review of your ports, protocols and services, the network access control within your environment. Things of that nature really kind of just add up to increase that operational overhead. If you don’t already have solutions in place to tackle these operational requirements in a really streamlined way (because there are ways you can automate this, but if you’re not familiar with it) then it just becomes very tedious and eats up a lot of time.

System Hardening Challenges

Reed: STIG stands for the Security Technical and Implementation Guide. It’s a benchmark that’s essentially provided by the DoD DISA. This benchmark is pretty secure. Another challenge we find is when companies are trying to “STIGify” or harden their systems to that STIG benchmark, they find that they harden it too much and it breaks their application.

Infrastructure Design Considerations

Shared Responsibility Model

Josh: There’s a lot of additional factors when you’re architecting infrastructure in a high compliant environment. One is the idea of offloading your compliance requirements. Every cloud service provider or CSP has some version of a shared responsibility model. Here’s a really basic example: your cloud service provider is responsible for making sure the physical access to the machines that are storing your data and running your applications is secure. They make sure that no one that shouldn’t have access to those machines have access to them, the physical hardware.

That extends well beyond the physical security layer; that extends in some cases to the operating system running on a virtual machine. When you are architecting infrastructure for a high compliant environment you may make a different choice than if you were in a high compliance environment. You may choose a platform as a service offering solely so you don’t have to worry about the operating system, you don’t have to worry about the STIG hardening of it or the updates of it. There are teams of teams at these cloud service providers for whom that’s their entire job.

Operating System Considerations

Reed: Say your company does have an operational requirement to self-host their infrastructure, their virtual machines – you do have to also be careful of the operating systems that you use. Not all operating systems support FIPS validated encryption modules, cryptographic modules. There’s a very specific encryption module that is required. For example Windows Server 2022 very recently in the past two months only became FIPS validated, but prior to two months ago that was not an approved operating system to use with your environment as far as FedRAMP goes.

Alignment with Best Practices

Reed: There’s still a decent amount of alignment between best practices that would apply to building secure commercial enterprise environments and ones that are FedRAMP compliant. Things like, if we’re talking an AWS Cloud architecture, having a multi-account structure that implements the principle of least privilege, division of duties, the higher level concept of hardening your systems – those all exist within FedRAMP. You just have to tweak it just so it complies with FedRAMP.

You certainly can still have a CI/CD pipeline into your environment so you have good DevSecOps, DevOps practice that is optimized, it’s just tweaking it so that it fits within that FedRAMP compliance.

Enterprise Cloud Environment Challenges

Scale Challenges

Josh: When I start putting on my enterprise architect hat I really think about scale, and in this case not horizontal or vertical scaling of your workloads but the scale of your teams. How many teams of developers do you have? How many teams of infrastructure engineers do you have? You’re likely to have those teams solving the same problems and those solutions are likely to be a little bit different from each other. When you are at that type of scale you’re always going to have some inefficiency.

When you’re at that scale and you are operating in a high compliant environment that inefficiency is multiplied. Now not only did you have teams of engineers solving the same problems but the fact that they came up with different answers to those problems and those answers all need to be compliant and now another team needs to modify or validate the compliance of those solutions – you greatly increase the inefficiency.

Strategy: Parallel Solutions

Josh: If you have an existing solution, if you have a commercial offering and you’re looking at getting FedRAMP authorization, it’s extremely unlikely that you accidentally developed an architecture and application that are compliant out of the gate. The question comes up of do I modify my existing solution to be compliant or do I develop a parallel solution that’s compliant?

With the developer hat on your immediate thought is probably DRY – don’t repeat yourself. Why operate two environments? Why have two different architectures? Why run these things in parallel? That’s very inefficient. The problem is the additional requirements of operating in a high compliant environment can really hamstring the commercial operations. When you want to adapt to market changes, when you want to introduce new features, new third-party integrations, new dependencies in the commercial environment but you can’t because you operate one environment, you have all these compliance requirements, you have these hoops to jump through, you’re really hamstringing yourself.

What I would say is if you have an existing solution I would expect and anticipate to run a parallel compliance solution alongside of that and likely take your original architecture and modify it and make it compliant and run it in parallel. That’s not to say that there are two completely different code bases with no overlap, with no shared libraries, no shared anything – that’s not entirely true – but I would caution against the idea that you’re going to just do everything in one environment.

Containerization Considerations

Josh: Containerization is really about packaging your application with the operating system, libraries and internal dependencies that it needs to run. When you do that you get a lot of benefits:

Scalability: I can run multiple copies of my application quickly. I’m not spinning up a whole virtual machine, I’m just launching a new application somewhere.

Portability: It’s not entirely true in all cases but for the most part you can run the same container image anywhere. You could run on-prem, you could run in the cloud, you could run across two different hyperscalers.

Efficiency: If we compare containers to virtual machines, every virtual machine that you spin up has this overhead of the operating system kernel and a lot of libraries and a lot of things that aren’t actually needed by your application. When you containerize your application you remove a lot of that. That container image ideally only has the dependencies that your application needs to run.

Security: We’re reducing our surface area by only having the dependencies that our application actually needs versus a lot of tooling for operations or for development.

Rich Ecosystem: There’s a very rich ecosystem around containerization – scanning tools, other security tools, immutability tools, signing tools, supply chain protection tools. It’s very robust, there are lots of options and there’s a lot of material out there to learn how to operate a nice DevSecOps environment kind of based around containerization.

DevSecOps Practices

Josh: DevSecOps is really about shifting security left. What that is opposed to kind of the older ways – you have a development team, they create these applications, they throw them over the wall as you probably heard before and then a security team tacks on security. It’s almost the perimeter model where they say okay now let’s secure this application that was built without security in mind. We can shift security to the left and start doing scanning, doing monitoring all of that as early as possible.

How do you develop a mature practice of that? I would start by looking at the OWASP which is the Open Worldwide Application Security Project DevSecOps maturity model. You can find that just through Google. It’s kind of complex but they have a nice little tool to help you navigate it. Really assess where you’re at, see where you’re at, see what some of the next steps are. Don’t try to go from zero to 100 quickly. Zero to 100 is probably zero to failure. Look through there, find what is that next step, what is that next bit of incremental improvement you can make, follow through with that, then do a retrospective. Say what worked, what didn’t work. Start with low-risk changes. Just like if you’ve looked into zero trust implementation guidance out there, start with some testing services, start with something that’s not mission critical and make those changes, learn your lessons and then build up from there.

Solution Options

Range of Solutions

Ajay: The solutions kind of range from “hey build it yourself, start from scratch, architect everything” to taking solutions that are “here’s a bunch of building blocks and assemble those building blocks” all the way up to fully managed service. There’s various providers and solutions along the way that do things a little bit differently.

You have the option to go into someone else’s authorization boundary which means you’re tied to them but that’s the least amount of overhead – you just put your application into their authorization boundary. That limits the amount of control you have over things as well.

You have the option of having a landing zone where someone deploys you a full architecture right along with some of the tooling and configuration already there. Really the level of effort decreases as you go from the build-it-yourself-from-scratch option up to the fully managed offering. There are various flavors along there too when you go to fully managed – like do you want someone to just handle continuous monitoring for you, which is a huge overhead? Manage the audits for you? And even manage the entire infrastructure and change management process? You can kind of pick and choose what you want out of those offerings.

Build It Yourself Considerations

Josh: On that continuum, all the way to the left – you own everything, you design everything, you build everything, you have the maximum flexibility to tailor everything to your needs. The one thing that I’ll say is this is very complex. Earlier I mentioned teams of teams at cloud service providers who do this stuff – this is not a one-man show, this is definitely a team of experienced engineers to build this out to meet your needs.

You should really ask yourself is this differentiating? If you choose that you build this yourself, do you actually need it? Do you need the flexibility that is offered by owning the entire stack basically? If you don’t need it, is it differentiating? Does this help you improve and deliver more value to your customers? Because it is not an insignificant undertaking.

Recommended Approach

Reed: If you’re considering which option to go with, whether it be tackling it by yourself or going with a fully managed service where they do your landing zone and they manage the ongoing operations of that, in my experience I’ve seen success with the latter – deferring all of that to the experts, the building of the compliant architecture, having the experts perform the ongoing operations whether it be ConMon, documentation etc. That’s where I’ve seen companies get successful FedRAMP authorizations.

How SMS and Stratus Cyber Address These Challenges

Ajay: We’re experienced in building and managing FedRAMP environments. We’ve really seen what works when it comes to architecture design choices, running continuous monitoring, and also when it comes to security and compliance but also keeping production applications up and running in an enterprise environment. As a result of all of our experience and battle-tested audits, sitting in audits and things like that, we’ve gone back and invested a lot of time and resources into developing a highly streamlined solution.

Our solution really is a multi-cloud architectural landing zone that is owned by the customer. We come in essentially using infrastructure as code, build out all of the architecture, networking, identity, security capabilities and also provide that white-glove managed service. You do have the option to use that or not, but we come build your architecture and we completely run it for you as well so you always have that human touch on what’s going on.

Another thing that we’ve seen not necessarily related to FedRAMP is also FinOps. Large enterprises they are like “hey let’s deploy this architecture and have oversized EC2 instances and just resources running wild here and there.” As you get more and more mature in building and running enterprise environments, cost actually starts becoming very important. That’s something we tackle in parallel with the security and compliance. The more we can be efficient with your architectures and cheaper, the happier everyone is.

What the Landing Zone Includes

Reed: The landing zone would include the networking of that architecture. It’s a multi-cloud architecture between platforms like AWS and Azure. Deploying your networking, your servers, your virtual machines or EC2s that are hardened, pre-hardened images against the DISA and CIS benchmarks I mentioned previously. It’s deploying identity IAM solutions, identity and access management solutions with automated processes. It’s deploying your SIEM, your security stack, your vulnerability scanners, ensuring that you have appropriate logging and auditing in place. It’s everything – EDR, FIPS encryption – it’s really the whole stack and an end-to-end process.

Josh: Another critical piece of the landing zone is a deployment pipeline. The same way that as developers we have for a long time now used pipelines to test and build and deploy our code, well now we do the same thing with infrastructure. That enables us to do a lot of things – that enables us to scan the proposed changes to our infrastructure for compliance, that allows us to scan them for cost optimization. There is a pipeline in this landing zone that’s extensible where you could add on various tools and security gates. Who’s authorized to make infrastructure changes? You can shift that left to the source control layer and control who can commit, who can merge these changes into a specific branch where ultimately they will be deployed.

Reed: At a high level, what we’re offering really is an end-to-end process. A company really can just come to us with just their application and that’s all they really need. We basically handle the rest as far as the infrastructure, the security requirements, the compliance and the documentation.

Benefits to Developers

Reed: The developers can really just focus on what they need to do. We would work very closely with them to ensure that they’re developing their application, engineering their application architecture, in a way that complies with FedRAMP. Implementing DevSecOps practices that align with FedRAMP, shifting left as mentioned previously. Because this landing zone that we’ve developed is so streamlined, it really allows the company’s team, their application development team, to get up and running in a compliant environment a lot quicker.

Josh: As a former developer, once a developer always a developer, there are a lot of decisions to be made every day as a developer, especially a senior developer, and there are a lot of technologies to learn and to understand and to quickly learn and understand. By providing this landing zone, this platform to your developers you’re really allowing them to focus on what’s important – developing those applications. You are making the good decisions for them so they can focus on bringing you business value.

Business Benefits

Ajay: What all those technical things really boil down to is making sure your project is on time and on budget and you’re able to drive that federal revenue. That’s really what the goal here is – to be able to do that efficiently and effectively. Also going after FedRAMP, outside of enabling federal sales, it also showcases your company’s reputation and dedication to being secure. It is a good way to boost your reputation in the community as well.

Closing Thoughts

Ajay’s Final Remarks

Ajay: FedRAMP is a huge and complex undertaking even for large businesses, hundreds of millions of dollars, and it’s definitely wise to go about it with support and not do it alone. It’s complex not only technically but also strategically and logistically, so it’s important to work with those experts that know how to plan, budget and execute for FedRAMP. Not just “here’s a technical landing zone” but being able to plan, budget and execute for FedRAMP, backed by a highly optimized landing zone and managed services, to ensure we help you make sure that process is as painless as possible.

Reed’s Final Remarks

Reed: If there’s really just one thing I want to emphasize it would be that if you are considering FedRAMP authorization you 100% need someone who is, or a team who are, experts with FedRAMP. The scope of the requirements is so vast, there are so many nuances and interpretations and gray areas of FedRAMP, you really do need someone who is intimately familiar with that framework of FedRAMP that can work closely with your company, your team, to build your environment so you get it right from the beginning. The last thing you want is to invest a bunch of time and money into your effort in pursuing FedRAMP authorization only to find yourself in the middle of an audit failing to meet a critical control that is a showstopper and causes you to fail the authorization.

Josh’s Final Remarks

Josh: I wouldn’t take a team of developers who’ve never built and deployed a production application and have them do that all on their own without any support or guidance, and with something as complex as FedRAMP, don’t do that either. Bring in some sort of expertise, have some sort of guidance to ensure that you’ll reach success.
