When the United States government adopted a “cloud-first” initiative to ease agency data burdens, it established the Federal Risk and Authorization Management Program (FedRAMP). Although many organizations assume that FedRAMP authorization applies only to those companies seeking to work with federal agencies, FedRAMP compliance benefits private sector businesses as well.
FedRAMP Requirements Checklist
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that standardizes the security assessment, authorization, and continuous monitoring processes for cloud products and services used by federal agencies. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Below is a high-level checklist of the main requirements for a cloud service provider (CSP) to become FedRAMP compliant:
- System Security Plan (SSP):
- Detailed documentation describing all the security controls you’ve implemented in your environment.
- System overview, system boundaries, system environment, and system data flow diagrams.
- Security Assessment Plan (SAP):
- Document detailing the planned assessment efforts.
- Identification of security controls to be tested, assessment procedures, and expected outcomes.
- Security Assessment Report (SAR):
- A report that details the results of the security assessment.
- Identification of vulnerabilities, risks, and recommendations.
- Plan of Action and Milestones (POA&M):
- Document identifying risks and plans for mitigation.
- Explanation of how and when vulnerabilities identified in the SAR will be addressed.
- Continuous Monitoring Strategy & Plan:
- A strategy for ongoing monitoring of security controls.
- Includes the frequency and methods of testing, roles and responsibilities, and reporting requirements.
- Training: Ensure all personnel have adequate security training.
- Implement NIST Security Controls: Implement the security controls specified in NIST Special Publication 800-53, based on the system’s impact level (Low, Moderate, or High).
- Third-Party Assessment Organization (3PAO):
- Engage a 3PAO to perform an independent assessment of your security controls and provide an objective SAR.
- Authorization Package: Submit the package to the appropriate governing body (Joint Authorization Board (JAB) or an agency) for a Provisional Authorization to Operate (P-ATO) or an Authorization to Operate (ATO).
- Incident Reporting: Establish a process for reporting security incidents to FedRAMP and other relevant agencies within specified timeframes.
- Continuous Monitoring: Commit to ongoing monitoring and regular reporting of security control effectiveness.
- FedRAMP Package Repository: Utilize the secure repository to submit documentation and updates.
- Periodic Assessments: Undergo periodic reassessment (typically every three years) to ensure ongoing compliance.
- Engage with FedRAMP PMO (Program Management Office): Ensure open communication with the PMO and adhere to guidance and feedback.
- Policies and Procedures: Establish and maintain comprehensive security and privacy policies and procedures in line with NIST and FedRAMP requirements.
- Role-based Training: Ensure training is provided to staff based on their role within the organization and relevant to the cloud service offering.
It’s worth noting that FedRAMP compliance can be complex and requires significant commitment. This checklist is a high-level overview, and each item involves numerous sub-tasks and detailed requirements. Depending on the cloud offering and its impact level, certain controls or requirements might differ.
Always refer to official FedRAMP documentation and resources or consult with experts when working towards compliance.
Who should be FedRAMP compliant?
Currently, any cloud service provider (CSP) working with the federal government needs to meet the security assessment, authorization, and continuous monitoring requirements to obtain a Joint Authorization Board Provisional Authority to Operate (JABP-ATO). In July 2018, a bipartisan bill known as the FedRAMP Reform Act of 2018 seeks to increase efficiency for CSPs adopting FedRAMP assessment processes.
However, whether your CSP works with government agencies or not, you may want to adopt the security controls as part of a business plan that helps provide insight and transparency to your customers.
Why do non-CSPs care about FedRAMP?
Cloud computing is the wave of the future. As evidenced by IBM’s purchase of Red Hat for $34 billion, hybrid cloud services are the current long game for managing, analyzing, and leveraging data. These services remain a primary target for hackers. Supply chain attacks increased by 200% in 2017 and will likely continue to grow. Your CSP may be the weakest link in your supply chain. FedRAMP compliance can enable you to control your business information system solutions better.
Why FedRAMP is more secure than FISMA
The Federal Information Security Management Act (FISMA) guidelines can be used to review cloud services’ security controls. The Federal Information Procession Standard (FIPS) 199 ranks information based on the impact a vulnerability or breach has on your information system infrastructure. The FIPS 200 used by FISMA outlines minimum security control requirements. Finally, FISMA applies baseline security controls described in that National Institute of Standards and Technology (NIST) publication 800-53.
These controls sound great but come with a few problems FedRAMP solves.
- FedRAMP focuses specifically on security elements unique to CSPs.
- FedRAMP security controls go beyond the NIST baseline requirements.
- FedRAMP requires a third-party assessment organization (3PAO) to certify the security controls.
If you’re a cloud services provider or someone seeking to engage a CSP in enabling business operations, these additional information security protections focus on threats specific to Infrastructure-as-a-Service (IaaS) providers.
How to Manage FedRAMP Requirements
Since FedRAMP was initially intended to govern CSPs working with federal information, much of which may be classified, the requirements may feel burdensome. However, with CSPs increasingly targeted by hackers, these requirements protect anyone using a FedRAMP certified CSP. Although FedRAMP released a “Tips and Cues Compilation,” below is an easy to review the summary of the most critical steps to compliance.
- Address every vulnerability found in your continuous monitoring program
Remediate the vulnerability. Establish a Deviation Request Process. Justify findings as “Vendor Dependency” and establish 30-day vendor contact timetable.
- Align monthly monitoring scans and Plan of Action & Milestones (POA&M) to sync with your patch management program to report only real vulnerabilities not ones already scheduled for remediation.
- Review for commonly overlooked or insufficiently answered controls.
When reviewing the “Implementing Configuration Settings (CM-6)” make sure to identify all system components requiring configuration management, individuals responsible for configuration, how responsible part configures, any additional FedRAMP requirements included, and where you saved the documentation.
- Review for common missed or neglected FedRAMP or NIST requirements
Not identifying portals, lacking multi-factor authentication, non-segregation of customers, high vulnerabilities detected during testing, unclear authorization boundaries, incomplete or poorly defined policies and procedures are all examples of common documentation problems.
- Communicate with your FedRAMP Information System Security Officer (ISSO) or government liaison.
- A Cloud Service Offering (CSO) must be approved and granted FedRAMP Provisional Authorization to Operate (P-ATO) or Agency ATO before leveraging security controls.
- Use NIST SP 800-53 Revision 1 Contingency Planning Guide for Federal Information System Appendix B to create a Business Impact Analysis
- If you are a moderate impact CSP and want to want to move into Law Enforcement, Emergency Services, Financial Systems, Health Systems, or any other high impact category, you should review the Categorization Change Form Template first.
Readiness Assessment Report (RAR)
- Always send an email notification to email@example.com when submitting a RAR or RAR update or authorization package to ensure review.
Security Assessment Plan (SAP) & Security Assessment Report (SAR)
- If 3PAO validates/determines a finding a “False Positive” ensure that the JAB also approves those findings otherwise, they must be added to the Continuous Monitoring (ConMon) POA&M.
- 3PAO vulnerability scanning includes reviewing tools for configurations, ensuring scans meeting FedRAMP requirements, overseeing and monitoring scans, describing and executing procedures.
- Penetration testing tools must be in the SAP and match the Penetration Test Plan document.
- Document False Positives or corrected findings with specific items of evidence such as screenshots or scan files, list by file name, and include with the SAR.
- Assign unique Vulnerability Identifiers and ensure previously documented vulnerabilities are not assigned new identifiers.
System Security Plan (SSP)
- Security requirements for each control include a description of the solution, how it meets security control requirement, responsible parties, how often reviewed, who reviews, what triggers reviews, documentation of reviews, proof of review, any policies referenced as implementation reasons.
- Review “Security Procedures” to include all steps for users, system operations personnel, or others. FedRAMP notes the following examples of procedures:
How ZenGRC Enables FedRAMP Documentation
FedRAMP compliance requires more than a single security policy. The detailed control narratives and the wide array of 3PAO documentation necessary for establishing certification often hinder the process. Organization can streamline your process. Moreover, communication within your organization can help develop efficient reporting lines when multiple parties are responsible for different contingencies and controls.
Our compliance dashboards act as a “single source of truth” showing data and metrics that allow you to determine whether your controls align with regulatory requirements or whether you have compliance gaps.
With task prioritization, you can assign, audit, and track issues to stay on top of vulnerability management.
Using the SaaS platform, you can gather evidence more rapidly to streamline the audit process.
For more information about ZenGRC’s ability to ease your compliance stress, contact us for a demo today.