Are You FedRAMP Ready?

Your organization sees an opportunity to sell its Cloud Service Offerings (CSOs) to US Government Agencies. Now what? While nothing in the FedRAMP standard prohibits Cloud Service Providers (CSPs) from diving head first into a full authorization assessment, is that really a smart play?

Enter FedRAMP Ready, a preliminary designation that allows CSPs to join the FedRAMP Marketplace and have their CSO highly visible to all federal agencies who are actively researching cloud services that meet their organizational requirements.

While becoming FedRAMP Ready is not a guarantee that a CSP will become authorized, it does provide the government a clearer understanding of a CSP’s technical capabilities. Additionally, being FedRAMP Ready is a heavily weighted criteria to be selected to work with the JAB toward a P-ATO. So, how does this work?

To receive a FedRAMP Ready designation, a Third Party Assessment Organization (3PAO) must assess a CSP’s CSO and attest to its readiness for the authorization process.

During the assessment, the 3PAO completes a Readiness Assessment Report (RAR), which outlines a CSP’s capability to meet FedRAMP security requirements.

• If the CSP wishes to pursue the FedRAMP Ready designation, the RAR will be submitted to and reviewed by the FedRAMP Program Management Office (PMO).
• If the PMO is in agreement with the 3PAO’s attestation, the CSP will be formally approved for the FedRAMP Ready designation. FedRAMP Ready is designation that can only be granted for Moderate and High impact CSOs.
• FedRAMP authorization assessments intend to increase confidence in the security of cloud solutions that process and support the nation’s most critical information and missions.

As a result, the FedRAMP authorization process is a far cry from a rubber stamp compliance exercise. Your organization will need to invest significant resources, in both people and capital, to be successful. These costs create significant incentives for CSPs to ensure they conduct an assessment accurately and effectively on the first try.

Whether your organization decides to use the a RAR as an informal gap report, or intends to submit the results to the FedRAMP PMO, partnering with a 3PAO to conduct an assessment will allow your organization to identify and remediate deficiencies in a lower stress setting. Make your mistakes during the practice test, not the final exam.

First and foremost, no vaporware allowed. A 3PAO cannot assess what does not exist. Ensure your CSO is fully operational, preferably in production for 30 days before any assessment activities so that your organization has had enough time to work out any new system quirks.

Once you are confident the CSO is running smoothly, be sure your organization has clear understanding of the following five key areas of focus. If you followed the recommendation in the section above and created a SSP, you will have already addressed these areas:

Federal Mandates

Outlined in Section 4.1 of the Readiness assessment report, these Federal requirements are applicable to all FedRAMP authorized systems and all requirements must be met for the FedRAMP Ready Designation:

• Are FIPS 140-2 Validated cryptographic modules consistently used where cryptography is required?
• Can the system fully support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials?
• Is the system operating at Digital Identity Level 2 (for Moderate) or Level 3 (for High)?
• Does the CSP have the ability to consistently remediate high vulnerabilities within 30 days, moderate vulnerabilities within 90 days, and low vulnerabilities within 180 days?
• Does the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements? [https://www.archives.gov/records-mgmt/grs; PL 104-231, 5 USC 552]
• Does the system’s external DNS solution support DNS Security (DNSSEC) to provide origin authentication and integrity verification assurances? Please note: FedRAMP may consider alternative implementations for DNSSEC. Be sure to describe an alternative implementation for DNSSEC in the Executive Summary section.

Authorization Boundary

You cannot protect what you have not identified. An authorization boundary provides a full picture of a system’s internal components to a Cloud Service Provider (CSP) along with connections to external services and systems, accounting for all Federal information and metadata that flows through a system.

A 3PAO will perform discovery scans during the FedRAMP Readiness assessment that should be aligned with your organization’s definition of the environment. Per Section 3.1, Authorization Boundary, of the Readiness Assessment Report: Ensuring authorization boundary accuracy in the RAR is critical to FedRAMP authorization activities.

Inaccuracies within the RAR may give authorizing officials and FedRAMP grounds for removing a CSP from assessment and authorization activities.

System Narratives

As Albert Einstein said, “If you can't explain it to a six year old, you don't understand it yourself.” The Authorization Boundary comprises multiple mediums of depicting the scope of the system. Providing a clear description, free from all marketing language, sets the stage for a third party’s understanding of your CSO.

During the review process, ambiguity is interpreted as deficiency until proven otherwise. Accuracy, however, breeds confidence. The clearer this description is and the closer it mimics the network and data flow diagrams, the better. This exercise not only gives third parties confidence in your organization, it will ensure your staff also have an unshakable understanding of the environment.

Network Diagrams

As mentioned above, the network and data flow diagrams are another key medium of the Authorization Boundary definition.

• Include a clearly defined authorization boundary that accounts for the flow of all federal information, data, and metadata through the system.
• Clearly identify anywhere Federal data is to be processed, stored, or transmitted.
• Clearly delineate how data comes in to and out of the system boundary, including data transmitted to/from all external systems and services.
• Clearly identify data flows for privileged, non-privileged, and customer access.
• Depict how all ports, protocols, and services of all inbound and outbound traffic are represented and managed.

Segmentation

An Authorization Boundary definition is valuable, but only if it is accurate. Imagine installing new deadbolts and getting robbed because you forgot to lock them. This is the part of the assessment where a 3PAO would check those shiny new locks are functioning as intended.

During the assessment the 3PAO is required to base the assessment of separation measures on strong evidence, such as the review of any existing penetration testing results, or an expert review of the products, architecture, and configurations involved.

Prior to the assessment, a penetration test, performed by a qualified individual or third party, is highly recommended. If your organization chooses to forego a penetration test, you must provide other forms of compelling evidence that clearly demonstrate segmentation functions effectively, exactly as described in narratives and diagrams.