Critical Success Factors for FedRAMP Assessments A 3PAO Perspective

Transcription

1 Creating Mre Effective and Strategic Slutins Critical Success Factrs fr FedRAMP Assessments A 3PAO Perspective David Svec Veris Grup, LLC Summary Clud Security Prviders (CSPs) fr the gvernment have a strategic and imprtant decisin t make befre entering the Federal Risk and Authrizatin Management Prgram (FedRAMP) authrizatin prcess. FedRAMP has the clear ptential t prvide CSPs with additinal business pprtunities as federal agencies adpt the Clud First initiative. The selectin f the third party assessment rganizatin (3PAO) t partner with thrughut the FedRAMP prcess is critical t the verall success f the CSP s request fr authrizatin. The strategic and technical slutins ffered by an experienced 3PAO can ensure that the CSP is assessed in accrdance with FedRAMP guidelines. FEDRAMP PURPOSE Alternatively, where CSPs require guidance prir t the security assessment, a 3PAO nt perfrming the actual assessment can help the CSP navigate thrugh the dcumentatin review prcess under FedRAMP and ultimately the issuance f a prvisinal Authrity t Operate (ATO). This can help ensure the prper preparatin f all security dcumentatin and implementatin f security cntrls within the CSP s infrastructure. Ensure that clud-based services have adequate infrmatin security Eliminate duplicatin f effrt and reduce risk management csts Enable rapid and cst-effective prcurement f infrmatin systems/services fr federal agencies By streamlining prcesses and prviding cst and time-saving initiatives, the 3PAO can help the CSP achieve the FedRAMP prvisinal ATO in a shrter timeframe. As a trusted advisr r as the independent assessr, the 3PAO can prvide a clear radmap t meeting FedRAMP requirements and ptentially shrten the authrizatin timeline. FedRAMP Overview In 2010, the federal gvernment made a strng plicy stand in favr f clud cmputing with a series f plicy decisins and initiatives aimed at supprting the secure and efficient migratin f gvernment agency infrmatin t a clud envirnment. As early as 2012, early studies indicate that clud services have saved the federal gvernment mre than 5.5 billin dllars, with mre savings pssible in the future. 1 FedRAMP is the largest security initiative t facilitate this Clud First prcess. FedRAMP is nw a mandatry framewrk fr the cnsistent and cst-effective assessment and cntinuus mnitring f CSPs that wrk with gvernment agencies. The framewrk relies n independent 3PAOs, such as Veris Grup, t assess CSP systems t ensure that effective security cntrls are prperly implemented and t allw transparency and cnsistency between the gvernment and the CSPs.

2 Creating Mre Effective and Strategic Slutins FedRAMP prcesses cnsist f three distinct areas (see figure 1). The initial security assessment area, which is the first phase fr CSPs, includes fur steps: initiating the prvisinal ATO request; dcumenting and implementing the security cntrls; perfrming the security assessment (testing); and finalizing the security assessment reprt. There are mre than 20 different deliverables assciated with this area. Area 1 cncludes with the submissin f the Finalized Security Assessment Package t the Jint Authrizatin Bard (JAB) fr prvisinal authrizatin. 1 Security Assessment 2 Leverage Prvisinal Authrizatin 3 Onging Assessment & Authrizatin Figure 1 Challenges f FedRAMP Since FedRAMP authrizatin (i.e., prvisinal authrizatin) is required fr any CSP wrking with the federal gvernment, gaining the FedRAMP JAB acceptance and accreditatin apprval f clud fferings including infrastructure, platfrm, and sftware as a service (IaaS, PaaS, SaaS), has becme a primary cmpetitive advantage and challenge fr CSPs in selling their slutins t the federal gvernment. The FedRAMP methdlgy and security cmpliance requirements can create a cmplex, expensive, and demanding prcess fr CSPs. In the 14 mnths leading up t the FedRAMP Pre-launch phase, less than half f the twelve Clud BPA awardees had been issued an Authrizatin t Operate (ATO). Additinally, FedRAMP expects t authrize nly a very small number f CSPs in CSPs have several specific respnsibilities utlined by the gvernment thrughut the FedRAMP prcess. Thse respnsibilities include implementing security cntrls based upn the FedRAMP security baseline; creating security assessment packages in accrdance with FedRAMP requirements; and cntracting with an independent 3PAO t perfrm initial and nging security assessments (testing). Hwever, t decrease the risk f a CSP nt btaining authrizatin, the CSPs als have t vercme challenges nt fully specified by the gvernment, but instead evidenced by the experiences f the 3PAO. The biggest bstacle t FedRAMP authrizatin that CSPs face is lack f preparatin. In an effrt t enter the market as early as pssible, many CSPs are jumping int assessments prematurely, thereby wasting valuable time and resurces and inevitably prlnging the assessment prcess. The newly implemented FedRAMP assessment prcess requires a significant level f effrt unanticipated by many CSPs, and the prviders may als be unaware f the time, resurces, csts, and security requirements necessary fr assessments. The detail-

3 Creating Mre Effective and Strategic Slutins riented prcess and dcumentatin fr FedRAMP can be daunting fr small, mid-, and even large-sized CSPs withut guidance and explanatin. Veris Grup has identified several strategic and technical critical success factrs fr CSPs t help ensure successful and cst-effective preparatin fr 3PAO assessments. 3PAO Slutins The rle f the 3PAOs, twelve f whm are currently authrized at publicatin, is ne f independent assessr and expert in navigating FedRAMP prcesses. Veris Grup, LLC, is ne f the first accredited 3PAOs and is a current prvider f security assessments t leading industry CSPs. We leveraged ur lessns learned frm perfrming successful and thrugh security assessments fr CSPs t prvide recmmendatins t CSPs interested in selling an authrized clud slutin t the federal gvernment. Specifically, Veris Grup utlined a series f strategic and technical factrs that can have significant impact n the success f a CSP entering area 1 f the FedRAMP authrizatin prcess. Strategic Factrs Leadership Buy-In T prvide adequate prgram resurces and t set expectatins regarding cmpliance, the CSP s leadership must be aware and supprtive f the assessment prcess. The FedRAMP prcesses require specific preparatry wrk t be cmpleted by the CSP, and it is the leadership wh sets the expectatin that this wrk is nt ptinal, but is nw part f the expected duties f the IT peratinal, engineering, and security staff f the CSP. Leadership is als accuntable fr managing the risk f any existing r newly identified security vulnerabilities. Cmmunicatin between the 3PAO, FedRAMP fficials, and CSP leadership shuld facilitate this buy-in and awareness via the planning, executin, and debriefing activities. Dcuments & Prcesses Budgeting Outsurcing Depending n the system size, cmplexity, fr Assistance security psture and maturity, and architectural cnsideratins, FedRAMP assessments can becme an expensive investment that will require bth internal and external expenditures. Leadership Buy-In Strategic Factrs Cmmunicatin Budgeting It is necessary that CSP leadership understands these csts up frnt and calculates the ptential fr a psitive return n investment. The 3PAO is respnsible fr utlining these csts as realistic and defendable specific tasks and subtasks as they relate t the cmpnent-level security assessment and the entire assessment prcess. CSP leadership must ensure that the riginal qute prvided t them includes all expected csts and prvides a breakut f the csts, assumptins, and ptential scping and retesting issues inherent t FedRAMP that culd impact estimated schedule and csts.

4 Creating Mre Effective and Strategic Slutins Cmmunicatin FedRAMP is a transparent prcess. Open dialgue and interactin between the CSP and the FedRAMP PMO, JAB, and 3PAO frm the beginning ensures understanding f scpe, technlgy, security requirements, and assessment prcess, thereby decreasing risk and increasing the pprtunity fr authrizatin. Full and pen cmmunicatin will ensure all that stakehlders understand cmplex security issues as they relate t clud slutins. FedRAMP is an incremental and phased prcess with multiple critical cmmunicatin pints and milestnes thrughut the security assessment area. Weekly cmmunicatin between all stakehlders, full disclsure f relevant findings, and discussin and timely reslutin f all issues and risks are critical t the success f the prcess. As an end gal, ensuring that all issues have been reslved prir t the assembly f the Security Assessment Package fr submissin t the JAB will significantly increase the likelihd f a favrable authrizatin determinatin. CSPs shuld lk fr a 3PAO with prject management experience and a slid cmmunicatin plan thrughut the prcess. Outsurcing fr Assistance It is imprtant that CSPs fully vet and understand the pricing mdels, deliverables, and experience f all third party experts, including the 3PAO and ther preparatin cnsultants, wh will be assessing and assisting the CSP thrughut the FedRAMP prcess. Pricing mdels fr assessments shuld prvide clear dcumentatin fr included csts and utline pssible extra csts t be incurred. It is als crucial that CSPs prtect their intellectual prperty and technlgy with strng nn-disclsure agreements (NDAs) withut hindering the FedRAMP reprting respnsibilities required f the 3PAO. Leveraging f Security Dcumentatin and Prcesses T save time, mney, and resurces, CSPs shuld use existing system dcumentatin and security plicies, prcesses, and prcedures currently accredited under ther federal agency accreditatin bdies r leverage industry cmpliance standards (ISO, PCI, SOC, etc.), whenever pssible. There are many similarities amng industry security cmpliance framewrks s many cmpnents f an verall strng security prgram shuld be reused. Fr example, written accunt management prcedures r cntingency plans shuld be presented t a 3PAO t fulfill their testing requirements. Technical Factrs System Bundary Definitin and Inventry Preparatin CSPs shuld take time t thrughly dcument and baseline their entire clud envirnment and its system bundaries t avid any assessment impacts that wuld ccur if ther elements f the system are discvered by the assessr r are nt accurately dcumented. CSPs must have a thrugh understanding f the NIST and additinal FedRAMP security requirements that shuld be in place in rder t adequately detail their systems. Tls Technical Testing & Sampling System Bundary Definitin & Inventry Prep Technical Factrs Cntinuus Mnitring Cntrl Inheritance

5 Creating Mre Effective and Strategic Slutins A rbust and well-dcumented security prgram is necessary t successfully cmplete the security assessment. CSPs will need t plan fr additinal time t fully dcument and implement all security cntrls, prir t the security assessment. Failure t d s culd result in an incmplete security assessment r lengthy delays. A cmplete and accurate inventry that identifies all physical and virtualized devices must be maintained by the CSP. FedRAMP prvides tls such as the FedRAMP self-audit/assessment t guide CSPs thrugh this type f system preparatin. The 3PAO is als a valuable resurce fr a mre thrugh explanatin f the preparatin needed. Cntrl Inheritance Depending n the clud slutin and where it is hsted, CSPs shuld lk fr pprtunities t inherit security cntrl prtectin frm an existing FedRAMP authrized CSP, thereby reducing the assessment scpe and aviding duplicatin f testing effrts. Fr example, a particular SaaS r PaaS slutin may be able t inherit security prtectin frm an authrized IaaS envirnment n which it is hsted. In cases where the CSP des nt have management cntrl f the physical hsting envirnment, it may be necessary t ensure that Service Level Agreements and cntract agreements specifically require that the data center will mitigate any findings identified during the FedRAMP security assessment. Cntinuus Mnitring The cntinuus mnitring phase is the final and nging area f FedRAMP authrizatin that begins after a CSP btains a prvisinal ATO. Early n, CSPs shuld implement a strng cntinuus mnitring security slutin built arund autmatin, where pssible. This will help ensure that the CSP is prepared fr this imprtant phase f the FedRAMP prcess and will reduce lng-term security cmpliance csts and imprve real-time security psture. Rbust vulnerability management and cnfiguratin management prcesses are critical t maintaining the prvisinal ATO granted by FedRAMP. The relatinship with the 3PAO may cntinue int this phase thrugh quarterly vulnerability scanning and annual security assessments f the CSP s slutin. Develping a lng-term agreement with the 3PAO will allw the 3PAO t prvide cst-savings because the 3PAO will be familiar with the system and the prject management requirements f the relatinship. Technical Testing and Sampling Many clud slutins are cmprised f multiple technlgies and many instances f each. CSPs shuld ensure that planning, preparatin, and testing is cnducted n all technlgy types. A sampling plan shuld detail all f the including technlgies agreed upn with the FedRAMP PMO and 3PAO prir t the assessment and clearly identify them in the security assessment plan. The sample size f autmated testing must prvide a representative sample f the entire inventry. Manual testing sample sizes will vary by the applicability f the security cntrl t specific cmpnents r technlgy types. Tls The autmated tls that the 3PAO uses t perfrm the security assessment must be cmpliant with the FedRAMP standards. The 3PAO s cntract shuld utline all f the autmated tls that they will use t cnduct the assessment. Where applicable, all security testing tls must cnduct vulnerability scans with authenticated credentials within the system. CSPs shuld ensure that these tls meet the cnfiguratin baselines f the federal gvernment and additinal FedRAMP requirements and cmplement the security tls in use within the clud system bundary. This respnsibility cntinues int the cntinuus mnitring phase as well.

6 Creating Mre Effective and Strategic Slutins Clsing Summary A CSP s selectin f a 3PAO shuld be an infrmed and thughtful prcess. The right 3PAO can help guide the CSP thrugh the preparatin and dcumentatin prcess fr a FedRAMP assessment. The relatinship between the CSP and 3PAO has the ptential t be lng-term, s finding ne with the interpersnal skills necessary fr effective cmmunicatin, the technical knw-hw and experience fr prper independent assessments, and the prject management experience fr the rigrus and detailed dcumentatin required by FedRAMP is critical. References f previus clud security assessments shuld be prvided by experienced 3PAOs. A well-prepared CSP can lk frward t a smth rad tward FedRAMP authrizatin and increased access t ptential gvernment clients. 1 McKendrick, J. Clud Culd Cut $12 Billin frm U.S. Gvernment Annual Deficit: Study. April 30, Frbes.cm. David Svec is the c-principal and c-funder f Veris Grup, LLC, a Vienna, VA-based cybersecurity firm and accredited FedRAMP 3PAO. Veris Grup, LLC Attn: FedRAMP 3PAO Divisin 8229 Bne Blvd., Suite 750 Vienna, VA (703) fedramp@verisgrup.cm 8229 BOONE BLVD., SUITE 750 VIENNA, VA P: (703) F: (703) inf@verisgrup.cm