GROW YOUR BUSINESS WITH FEDRAMP WHAT TO EXPECT, HOW TO PREPARE


Copyright 2015. Published by LBMC Security & Risk Services, LLC, Nashville, Knoxville, Chattanooga. All rights reserved. Except as permitted under the U.S. Copyright Act of 1976, no part of this publication may be reproduced, distributed, or transmitted in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. Design by Hinge. Visit our website at

Table of Contents

Introduction
Chapter 1: Why FedRAMP Certification Matters
Chapter 2: What to Look for in a FedRAMP 3PAO Partner
Chapter 3: FedRAMP Readiness Assessment: What You Need to Know
Chapter 4: FedRAMP Security Controls: Which to Focus on Most
Chapter 5: FedRAMP Certification: The Final Step
Looking to the Future
Glossary
About

Introduction

If your organization is in the federal cloud space or is determined to break into it, then you've heard the term FedRAMP certification. Depending upon how much you have read on the subject, you may have more than a casual familiarity with the concept, but if not, you may be looking for answers to questions such as: What's the best way to go about navigating the complex, nuanced road to certification? And why is it imperative that you initiate the process, if not now, then in the near future?

The Federal Risk and Authorization Management Program, or FedRAMP as it's known, is a government-wide program created to standardize how the Federal Information Security Management Act (FISMA) is applied to cloud computing services. First launched in 2012, FedRAMP is a follow-up to the government's Cloud First strategy. This government-wide program aims to reduce the time and money that individual agencies would otherwise spend on assessing a cloud provider's security. Prior to FedRAMP, each agency conducted its own risk assessment for every procured cloud service, which led to multiple and redundant security assessments of identical services. In addition, federal agencies were all over the FISMA compliance map: each agency had a different interpretation of what compliance looked like. It became clear that a standardized process was needed, and so in 2011, FedRAMP was born.

Inside you will find:
- An overview of the FedRAMP assessment process
- Tips on selecting the right certification partner
- A checklist to evaluate the state of your existing controls, and
- Information to ensure your certification process is seamless

Though a handful of organizations have achieved FedRAMP certification, many more have not because they find the road to certification daunting. We've written this guide to help shed some light on the process and to serve as a roadmap to achieving FedRAMP certification.

Chapter 1: Why FedRAMP Certification Matters

The federal government spends billions of dollars every year securing products and services in the cloud. If your company works with the federal government in the cloud, or plans on expanding into that market, we recommend you initiate the FedRAMP certification process. Benefits include:
- Optimizing existing security assessment controls across agencies
- Saving money, time and resources
- Improving real-time security visibility
- Providing a uniform approach to risk-based management
- Enhancing transparency between the federal government and CSPs
- Cultivating trustworthiness, reliability, consistency and quality for the federal security authorization process

The Office of Management and Budget states that agencies must "use FedRAMP when conducting risk assessments, security authorizations, and granting Authority To Operate (ATOs) for all Executive department or agency use of cloud services." Companies that plan on doing business with the federal government in the cloud, or plan to expand their reach to include federal customers, should understand FedRAMP requirements and be FedRAMP compliant to flourish in the years ahead.

Certification Is Good for Your Bottom Line

While beginning the FedRAMP certification process is a requirement for all companies supporting federal agencies with cloud services, it also makes good business sense. Competition for federal cloud computing contracts will inevitably get fiercer as more agencies migrate to the cloud, and that means that there are a lot of dollars at stake. A September 2014 Government Accountability Office report of cloud spending for seven agencies found that, collectively, cloud computing investments accounted for $529 million, or 2 percent of their $80 billion IT budget. Cloud spending for the entire federal government represents about 5 percent of all IT spending, or $3 billion, according to IDC Government Insights.

Table 1: Cloud Computing Services Spent Fiscal 2012 vs Budgeted Fiscal 2014 (in millions of dollars)

Agency     Spent Fiscal 2012   Budgeted Fiscal 2014   Increase in Amount
DHS        $74                 $109                   $35 (47%)
GSA                                                   (131%)
HHS                                                   (146%)
SBA                                                   (*)
State                                                 (191%)
Treasury                                              (22%)
USDA                                                  (394%)
Total      $307                $529                   $222 (72%)

Source: GAO analysis of agency data. * Percentage increase is not calculable.

And while $3 billion isn't chump change, that number will grow exponentially. Former Federal CIO Vivek Kundra estimated that agencies had identified $20 billion worth of IT investments in their fiscal 2012 budgets that could move to the cloud. DHS identified nearly $2.5 billion of its own IT investments that could be appropriated for a cloud environment. FedRAMP certification affords your company access to a very profitable playing field.

Better Security, Lower Risk

FedRAMP plays a pivotal role in providing businesses and agencies with lower risk and better security controls by:
1. Providing joint security assessments and authorizations based on a standardized baseline set of security controls
2. Using approved Third Party Assessment Organizations (3PAOs) to consistently evaluate a Cloud Service Provider's ability to meet the security controls
3. Requiring continuous monitoring as an on-going security control

Implementing these security controls helps give the federal government more confidence conducting business in the cloud and gives your company peace of mind that data will remain safe and secure. Finally, FedRAMP certification makes it much easier for you to comply with FISMA requirements, since it necessitates the implementation of NIST-based controls for your cloud system or service.

When Should Companies Begin the Certification Process?

The real answer is the sooner the better. While it is possible to procure a federal contract prior to receiving your FedRAMP ATO, it can be very challenging, if not impossible, to fast track and secure certification within the required timeframe because the process is so time-consuming. The entire process can take anywhere from six to 18 months to complete. If the government requires a 95-day turnaround period after granting an organization a contract, that puts substantial pressure on Cloud Service Providers (CSPs). On average, the typical FedRAMP certification takes about 12 months, which makes it nearly impossible for an organization to win a contract and then go after certification within a 95-day period. Clearly, if your organization wants to procure federal cloud work today, putting off certification until tomorrow is not a good strategy. Now is the time to pursue FedRAMP certification. At the very least, you should begin laying the groundwork for certification by preparing the necessary documentation required to gain authorization.

Now that you recognize the benefits of FedRAMP certification, let's examine the key characteristics of an effective Third Party Assessment Organization (3PAO). 3PAOs are organizations that have been certified to help cloud service providers and government agencies meet FedRAMP compliance regulations. We'll reveal how to identify qualified FedRAMP 3PAOs in Chapter 2.

Chapter 2: What to Look for in a FedRAMP 3PAO Partner

No man is an island. As much as you might like to handle the certification process entirely on your own, whether you feel up to the challenge or just want to save money, it's best to enlist the experts. We urge you not to go it alone if you don't have a FedRAMP subject matter expert in-house or the dedicated resources to keep the process moving along efficiently. Selecting a FedRAMP 3PAO is a major decision: you will be heavily relying on this partner to guide you through a very detailed process that leaves little room for misinterpretation. The right FedRAMP 3PAO will ensure a smooth sail through the lengthy certification process.

3PAO Selection Tips

Are you FedRAMP certified? Do you have 3PAO certification? The CSP you partner with should answer yes to both questions. What about their size? Within the 3PAO market, there are small, 8(a) companies as well as huge government consulting firms. However, the size of the firm isn't what you should focus on. What really matters is expertise on two fronts. First, ensure that they have a long track record in the FISMA arena. It will help facilitate a seamless process, since FedRAMP has a FISMA foundation. Second, look for a firm that understands both the commercial and federal spaces. Those firms recognize that you serve two masters: running a profitable business and achieving compliance. This outlook will allow them to make recommendations that ensure companies achieve an optimal balance between compliance and security processes that are scalable and cost-effective.

NIST Experience Is a Must

When vetting providers, choose those with substantial experience with the National Institute of Standards and Technology (NIST) SP Revision 4 catalog of controls. Since NIST is the foundation component for FedRAMP and FISMA, a 3PAO with a solid NIST background will have a better grasp of FedRAMP control intricacies. They will also possess a foundational framework that includes a deep understanding of the process and compulsory security controls, ensuring that your certification audit will run more smoothly and efficiently.

Cloud Services Knowledge

Obviously, cloud service knowledge is a crucial attribute when selecting a FedRAMP 3PAO to work with. Their staff should be conversant in cloud architecture and cloud risk-based decision-making. In an ideal scenario, a 3PAO can facilitate all aspects of the certification process, including preparation and readiness assessment, security plan development and remediation, and culminating with final completion of the FedRAMP certification package.

Cross-Functional Experience Yields Efficiencies

If your company has already completed FISMA or PCI audits in previous years, then it's important to identify a FedRAMP 3PAO with knowledge in those areas as well. That experience will enable them to leverage existing documentation from previous years' FISMA and PCI audits, consistent with the FedRAMP credo "do once, use many times", yielding a significant time-saving advantage. We recommend you choose a firm that can discern the difference between a government-mandated requirement and a suitable control process.

Ask their perspective on risk-based versus compliance-based and rule versus principle. Knowing their approach and where they place value will help you determine if you have the right person to assist you with the certification process.

In summary, vet your 3PAO thoroughly. An experienced FedRAMP certified 3PAO is worth its weight in gold. You'll navigate the certification process more quickly, cost-effectively and efficiently. What's more, you'll reduce the possibility of failing the certification audit. In Chapter 3 we'll discuss the readiness assessment process to help you determine how FedRAMP ready you are.

Chapter 3: FedRAMP Readiness Assessment: What You Need to Know

A car must be serviced and maintained regularly if it is to operate efficiently and pass required inspections. The FedRAMP certification process is no different. The purpose of the FedRAMP readiness assessment is to determine a CSP's likelihood of successfully completing the FedRAMP certification process and receiving their ATO in a timely manner. The work done in this phase will determine how smoothly and expeditiously your FedRAMP certification application gets approved. Cloud Service Providers (CSPs) hoping to provide services to federal agencies will need to use the baseline controls listed within the FedRAMP requirements. A CSP must use an accredited Third Party Assessment Organization, or 3PAO, to certify that they meet the minimum FedRAMP requirements.

The Players and Their Roles

Cloud Service Provider (CSP). A CSP can be either private sector/commercial or an agency operator.
- Provides information and documentation about the cloud system
- Updates information in response to comments from FedRAMP
- Implements security controls based upon the FedRAMP security baseline
- Creates the security assessment package in accordance with FedRAMP requirements
- Contracts with an independent 3PAO to perform the initial system assessment as well as required ongoing assessments and authorizations
- Maintains continuous monitoring programs
- Complies with federal requirements for change control and incident reporting

Third Party Assessment Organization (3PAO)
- Performs initial and periodic assessment of CSP security and privacy controls
- Conducts independent, impartial review and assessment
- Reviews CSP documents for accuracy
- Develops the Security Assessment Plan (SAP)
- Selects and develops test cases
- Conducts security testing
- Develops the Security Assessment Report (SAR)
- Tests for ongoing Continuous Monitoring compliance

FedRAMP PMO
- Establishes processes and standards for security authorizations
- Reviews incoming applications and initiates contact with a CSP
- Coordinates the readiness process
- Performs a completeness check and reviews the CSP's initial documentation
- Provides comments and feedback on documentation to the CSP
- Makes the final decision on whether the CSP can commence with the full FedRAMP assessment
- Maintains the repository of available security packages
- Provides Provisional Authorization for systems that can be leveraged government-wide

Figure 1: FedRAMP Players

Figure 2: Outlines the Readiness Assessment, Testing and Reporting Phases: (1) Prerequisites and SAP Development, (2) Execute CSP Testing Procedures, (3) Risk Analysis & SAR Development

Phase 1: Prerequisites and the Security Assessment Plan (SAP) Development

Companies that choose to have a 3PAO help them through assessment will be given a list of required documents that need to be available before the assessment process can begin. Some of these documents include:
- System Security Plan (SSP)
- Configuration Management Plan
- IT Contingency Plan
- Incident Response Plan
- Control Tailoring Workbook
- Control Information Summary
- FIPS 199 Template
- e-Authentication Template
- Rules of Behavior
- Information System Security Policies
- Privacy Threshold Assessment / Impact Assessment
- Security Assessment Report
- Plan of Action & Milestones

It's a good idea to review your security policies and processes holistically within the context of the assessment. The 3PAO will then work with your company to develop the Security Assessment Plan, or SAP. Ideally, all system security, configuration management, incident response, and contingency plans should already be in place and consistently reviewed and enforced. Ongoing training in controls and policies should be present and proven. These benchmarks should be implemented long before the readiness assessment begins.

The overall process is not difficult if you're working with a FedRAMP 3PAO well versed in FISMA and NIST controls and one who is familiar with the language and context behind the requirements. It's true, the requirements can be confusing. However, a good 3PAO will decipher what the requirements mean for you, anticipate any glitches, and provide guidance for what the FedRAMP PMO expects. The 3PAO you choose will also direct what documentation is needed, where procedures can be tightened, and the best method and order to do so. They'll help you avoid oversights and incomplete documentation, and flag misuses of resources.

Organizations need to understand first what their risks are, and rank the probability of occurrence. The next step is identifying where the gaps are and how they can be filled, including risk rating, cost, and time to complete. Once you've properly addressed the gaps, you'll be better prepared for the real assessment.

Phase 2: Execute CSP Testing Procedures

Prior to arriving on site, the 3PAO will review your documentation. Then, your 3PAO will conduct comprehensive interviews with the relevant personnel specified for each area of the testing procedure. During the interviews, the 3PAO will record your methods and processes, as well as how you have implemented each control, in a comprehensive report that is provided to the FedRAMP PMO. After development and approval of appropriate test cases, the next step in this phase is on-site and off-site testing for each section of the test cases outlined in the draft SAP. Vulnerability scanning and penetration testing are a part of the test cycle and are integrated into this phase of the assessment.

Phase 3: Risk Analysis & Security Assessment Report (SAR) Development

The 3PAO will complete an overall SAR risk exposure table. From there, they will update the SAR, adding in the test results and the risk exposure data. They will then review the final draft of the SAR with your company to ensure accuracy. The 3PAO assessment team will package up all of the documentation created as part of the assessment and, if all information is complete, the assessor will make arrangements to submit the SAR and all other required documentation to the FedRAMP Authorizing Officer (AO) for approval.

The SAR will be a detailed report, outlining applicable and compliant security controls as well as those that are either irrelevant or noncompliant. This report is a very important deliverable, since federal agencies use this document to quickly assess whether your organization is compliant with the required controls that are unique to their individual agency. If your company is not compliant with those controls, then your organization will be eliminated as a potential government CSP partner for that agency.

Moving Ahead: Next Steps

The process can seem intimidating. However, partnering with the right 3PAO can make all the difference. Next, we'll review which FedRAMP controls present the most challenges and how to best prepare.

Chapter 4: FedRAMP Security Controls: Which to Focus on Most

The security controls and enhancements that are part of FedRAMP requirements are based on the National Institute of Standards and Technology (NIST) SP Revision 4 catalog of controls. These controls apply to cloud systems designated as low and moderate impact information systems. In order to address the unique security requirements of cloud computing for the federal government, some FedRAMP controls and enhancements are even more rigorous than the standard NIST guidelines and requirements for low and moderate systems.

Foundational controls are crucial, but let's face it, scoping and implementing them can be time-consuming. Not every company has invested the time to adequately document their security controls, which is why it's an area that can require additional work. Below we'll review what security controls need to be in place in order to adequately prepare for certification and ensure that security best practices are achieved, as well as which security control families present the greatest challenges for most organizations. Although there are 18 individual security control requirements, the most common requirement that companies falter on overall is documentation. Quite often, documentation is incomplete or missing altogether, particularly if a company has moved through the process too hastily. We recommend that you pay particular attention to the following:

Strong Security Access Controls

Strong access controls are used for authenticating user access (including employee, 2nd and 3rd party vendor access) to FedRAMP or cloud-based data. Make sure your organization can identify the security controls that should be in place to ensure that access levels are appropriate for each individual. All identification and authentication processes must also be clearly defined and documented. Two-factor authentication, a requirement for FedRAMP certification, requires technical know-how as well as implementation support. Pay special attention to this control since it can be a stumbling block for many organizations, particularly smaller outfits who have not yet tackled this requirement.

Planning and Governance Models

An area that commonly requires additional work is the development of your company's formal governance models. Verify that a solid governance model is present for the environment and your security controls. Craft a security policy plan that addresses all these areas. A surprising number of organizations haven't formally documented their security policies. Smaller organizations in particular should heed this planning and governance advice. Unfortunately, many simply don't have the resources and time to really examine their policies and procedures as well as document them properly. This is where a readiness team can be invaluable.

At times, upper management does not have a high level of involvement in governance. Perhaps there is a lack of formal management oversight in security training to facilitate strong adoption. Or maybe management isn't actively participating in the review of security-related metrics with their IT teams. Ideally, upper management should take a lead role in documenting and enforcing all controls within an environment. Management is ultimately responsible for documenting, measuring, improving and following security planning best practices. This ensures that the organization maintains an effective, updated governance model and maintains an effective security posture.

Clarity and Definition of Cloud Models

Outline a clear and concise model for your organization's cloud procedures and policies, in accordance with your federal government work. The devil is in the details, so be as specific about those cloud model documents as you can. For example, simply saying that you offer cloud services will not suffice. You'll need to specify Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS). And you must document all data directional flows and protocols in order to satisfy the initial documentation requirements.

Management and Stakeholder Buy-In

It's important to secure buy-in from all colleagues within your organization who will be responsible for providing the evidence and documentation needed to meet FedRAMP requirements. Take it a step further and enlist management buy-in to expedite the necessary internal support. Securing some dedicated resources is worth the investment to move the process along more quickly. If that's not feasible and you'll be utilizing someone already dedicated to a full-time position, just be aware that it can nearly double processing time for your organization.

Security Awareness and Training Programs

A security policy will only be as effective as the training that supports it. To that end, be sure to establish and document your information security awareness and training program thoroughly. The level of training documentation is also important, so be sure to include the training methods, frequency and types of training provided.

Configuration Management

The configuration of information systems and their components has a direct impact on the security posture of your system as a whole. How those configurations are established, patched and maintained requires a disciplined, consistent approach in order to provide adequate security.

Your organization's configuration management should support your continuous monitoring program. You are required to identify which configuration management standard you are applying in your FedRAMP application, so make sure you have a documented process for how all FedRAMP systems are configured and that they are configured consistently.

Patch Management

Patch management is held to the same standards as configuration management. FedRAMP will want to know how long you've had a patch program, its update frequency, and whether patch management is well documented. Again, this area is subject to its own challenges, including finding maintenance windows for all the necessary patching, testing and deployment steps, all within the FedRAMP-defined window for patch remediation.

Business Continuity and Contingency Planning

Business continuity plans need to be implemented and documented. Ensuring that policies and procedures are well documented and consistently followed is the brass ring that organizations should go after. Deliberate planning and foresight into potential problems are attributes that will aid in developing a solid contingency process. Your plan should maintain an acceptable level of security under normal operations but also consider data breach scenarios, including plans for recovery and reconstitution when recovering from a major disaster.

Incident Response

FedRAMP auditors will pay close attention to this particular area. Coordination of your incident response program in collaboration with your federal agency client is imperative. You will also need to incorporate incident response procedures and escalation list contacts into your response procedures as mandated by the FedRAMP guidelines. Some of the key areas where you should focus on implementing incident response planning include the following:
- Incident response roadmap
- Structure and organization
- High-level approach
- Scope of reportable incidents
- Your organization's unique incident response requirements

Vulnerability Assessment Program

Your risk assessment plan should include vulnerability scans, application scans, and penetration testing. An external or internal vulnerability management team can help conduct risk assessments, detect any holes and forecast imminent threats.

Continuous Monitoring

In 2014, FISMA took its requirements a step further by underscoring the need for continuous monitoring and validation testing. Organizations are now required to monitor their systems in real time, shortening the period it takes to detect and neutralize data attacks. Many of the control areas discussed above have components that require continuous monitoring. Continuous monitoring helps to identify changes in your security system as quickly as possible, fostering a more informed, risk-based decision-making process as well as pinpointing early threat detection. Your 3PAO can provide additional assistance on setting up your continuous monitoring program and associated schedules.

Audit and Accountability

Proper audit mechanisms should be in place, including logging. Often logging is not done for a number of reasons: perhaps organizations don't have the personnel available to conduct daily log reviews, or they simply don't have the storage capacity for voluminous amounts of data. At the other end of the spectrum, some companies store every log but don't dedicate resources for review of anomalies and potential threats. FedRAMP requires specific logging procedures for system components. Logs must be available online for 90 days and up to a year offline. Additionally, there are explicit guidelines as to the type of data that needs to be logged, including administrator access, networks, firewalls, and more.

We've now covered the most common control problem areas. Invest effort in addressing them and you will save your organization time during the certification process and avoid delays.

The common thread in FedRAMP certification? Comprehensively identifying and understanding each step of your security protocols is crucial. And as always, they must be properly documented so that everyone is on the same page. If you find, after going through the certification process, that you are not 100% compliant, don't be discouraged. Depending on where you fall short, as well as your ability to prove that you can remedy the gap(s), you may still receive a green light to procure government work. If so, you will be given a grace period to complete the missing pieces. If not, know that the progress you've made so far can facilitate a faster approval process the next go-around. You are now in the final stretch. In Chapter 5, we'll cover steps for an efficient FedRAMP certification assessment or audit.

Chapter 5: FedRAMP Certification: The Final Step

You've discerned the finer points of the FedRAMP guidelines and process. You've likely identified areas within your organization for improvement as you strive for certification. You feel confident that your organization is ready for certification. So we will assume that the following is true:
- Your company has implemented the required controls
- Your company's SSP and other documentation is complete
- The policies and processes required to complete the FedRAMP assessment are in place

Paths to Certification

FedRAMP certification is a collective effort, which is why you need to become familiar with those involved and their respective roles. While you have some flexibility as to how and when you use 3PAOs, there are restrictions which dictate how the key players can participate in the FedRAMP assessment and certification process. Specifically, if you partner with a 3PAO, you can't use the same company for both the readiness work and the audit. And if you use one organization for the readiness work, you must find another qualified 3PAO to perform the assessment or audit.

Option 1 is where companies opt to do the prep work themselves and then use one 3PAO for either the readiness assessment or the audit. This applies to CSPs who may or may not have an agency sponsor and who have decided to submit their own package. This choice can lead to a longer process depending on the availability of dedicated resources and how well they are able to interpret FedRAMP requirements. It can also prove challenging to independently navigate the process and overcome any hurdles that may be encountered.

Option 2 is the most common: companies use one 3PAO for readiness work and another for the assessment or audit.

Authorization Timelines Explained

To receive FedRAMP certification, CSPs must complete a FedRAMP Initiation Request and follow one of three paths for achieving an authorization: JAB Provisional Authorization (P-ATO), Agency Authorization, or CSP Supplied Package.

The first route is to gain a provisional ATO from the JAB, which requires a FedRAMP accredited 3PAO. Taking this path ensures a rigorous technical review by the FedRAMP Project Management Office (PMO) and assessment from a FedRAMP-accredited 3PAO, and ends in a P-ATO from the DHS, DoD, and GSA CIOs.

CSPs that have an agency sponsor or are agency authorized can seek an ATO independently. They hire a FedRAMP-accredited 3PAO to complete and submit the required documentation, testing and security assessments to the GSA's office for verification.

Last, companies can supply and submit their own package for review directly to FedRAMP. This CSP supplied package is assessed by a FedRAMP certified 3PAO and is then put into a queue for final review; this final step is called a "package in waiting". The timeline to actual certification will depend on which authorization path you have chosen. Figure 3 provides some estimated timelines for the certification paths.

Figure 3: Estimated Authorization Timeline. Both paths pass through the same stages: System Security Plan, Security Assessment Plan, Testing, SAR & POA&M Review, Authorize.
- JAB P-ATO (6 months +): ISSO & CSP review SSP; JAB review; CSP addresses JAB concerns; 3PAO creates SAP / ISSO reviews SAP; JAB review; CSP addresses JAB concerns; 3PAO tests & creates SAR; ISSO / CSP reviews SAR; JAB review; CSP addresses JAB concerns; final JAB review / P-ATO sign off.
- Agency ATO (4 months +): CSP implements control delta; agency review; CSP addresses agency concerns; agency reviews SAP; CSP addresses agency notes; 3PAO tests & creates SAR; agency reviews SAR; CSP addresses concerns; CSP creates POA&M; final agency ATO sign off.
Quality of documentation will determine length of time and possible cycles throughout the entire process.

Detailed Documentation

It all boils down to details, particularly in the documentation process. Resolve to produce the most comprehensive documentation of every facet related to your system's security, including policies, procedures, manuals, incident response plans, and system security plans. It's a vital part of a successful FedRAMP assessment. Without strong documentation, you simply won't move through the process in a timely and smooth manner.

Use Available Checklist Resources

We recommend you take advantage of available pre-FedRAMP checklists before you initiate the certification process. These will help keep you focused so you can progress in a logical, efficient manner and will streamline the path to certification.

CSP Pre-FedRAMP Certification Checklist

1. Develop sound processes for handling electronic discovery and litigation support requests
2. Clearly define and describe the system boundaries
3. Identify customer responsibilities and what the CSP and agency must do to implement controls
4. Validate that the system provides identification and two-factor authentication for network access to privileged accounts
5. Validate that the system provides identification and two-factor authentication for network access to non-privileged accounts
6. Validate that the system provides identification and two-factor authentication for local access to privileged accounts
7. Perform code analysis scans for code written in-house (non-COTS products)
8. Confirm appropriate boundary protections
9. Remediate high-risk issues within 30 days and medium-risk issues within 90 days

Looking to the Future

Although FedRAMP certification can be a very involved, lengthy process, it's a net positive, leading to shared assurances, fewer assessments, better cloud security and greater overall efficiencies. FedRAMP continues to explore new ways to tweak the process. As it evolves, it will likely become more scalable too, particularly for smaller CSPs. As new ways are identified for small to medium businesses to undertake this process economically (and in a shorter time period with a simpler process), we will see more companies receive certifications, which will be a win-win for everyone.

We strongly encourage any entity that provides cloud services to attain certification. Compliance enforcement is on the horizon. It is only a matter of time. Start compiling your documentation today, including your governance models, remediation plans, and all security training programs, policies and procedures. Accurate, thorough documentation is essential to FedRAMP certification. Give yourself plenty of time to gather (or develop) it so you can move through the assessment process as quickly as possible.

In the meantime, agencies and CSPs should recognize that FedRAMP is not a silver bullet but an evolving program, so adopting these regulations and striving for greater collaboration between CSPs, 3PAOs and the agencies they serve benefits the community at large. Companies will also need to dedicate time to fully understanding the FedRAMP process and how the steps relate to the larger certification goal. The rigor of the requirements is designed to improve and enforce greater security in the cloud for all federal data. The speed at which a company can move through the process is directly related to how robust its security protocols are when it initiates FedRAMP certification.
FedRAMP Director Matthew Goodrich encourages those seeking certification to keep an eye out for FedRAMP to publish more guidance, education and training modules for their stakeholders, first in a more generic manner and then more focused at specific stakeholder groups. Goodrich is committed to refining and facilitating a smoother, more coherent certification process, noting in a November 2014 Federal Computer Week interview, "You'll also see us focus on the efficiencies of the program, incorporating lessons learned back into our documentation. Also, we're looking at how effectively we're using our [third-party assessment organizations'] work product to cut down some of our review cycles based on the quality of the products they've delivered to us, as well as aligning cloud providers with the most appropriate path for them to get authorization, whether that's the Joint Authorization Board, through the agency or directly through the [cloud service providers]. We will continue to grow, mature and adapt the program."

This is good news for all companies seeking FedRAMP certification and for those federal agencies storing and processing data in the cloud.

Additional Resources

We recommend you explore:
Guide to Understanding FedRAMP
The FedRAMP Security Assessment Process
Take the free online FedRAMP training
More FedRAMP resources, including links to templates
Additional information on FedRAMP from GSA

Contact us for a free consultation:

Glossary

FedRAMP Program Management Office (PMO): The FedRAMP PMO oversees the FedRAMP program.

Joint Authorization Board (JAB): The Joint Authorization Board consists of the CIOs of the Department of Defense, the General Services Administration, and the Department of Homeland Security.

Cloud Services Provider (CSP): Provides information about the cloud system and its documentation, and makes updates in response to comments from FedRAMP.

FedRAMP Readiness and Development Team: Reviews incoming applications, performs a completeness check and reviews the CSP's initial documentation. Provides comments and feedback on documentation to the CSP and recommends to the Director or Project Manager whether to kick off the full FedRAMP assessment.

FedRAMP Director / FedRAMP Manager: Makes the final decision on whether the CSP starts the full FedRAMP assessment.

FedRAMP Agency Authority to Operate (ATO): A FedRAMP Agency ATO is a FedRAMP authorization that is issued by a Federal department, office, or agency.

FedRAMP Information System Security Officer (ISSO): The FedRAMP ISSO refers to the information systems security officer that reviews security packages intended for the JAB.

FedRAMP JAB Provisional Authorization: A FedRAMP JAB Provisional Authorization is a FedRAMP provisional authorization issued by the Joint Authorization Board.

Third Party Assessment Organizations (3PAOs): 3PAOs are independent entities that perform initial and periodic security assessments of the CSPs' cloud systems. 3PAOs are hired by the CSP.

LBMC Security & Risk Services

While regulatory compliance is mandatory, so is operating a successful business. A well-designed information security program provides critical intelligence about risks facing your business so your executive team can make well-informed decisions. As a member of the family of LBMC companies, LBMC Security & Risk Services separates itself from traditional information security firms by offering practical, cost-effective solutions that are customized to your unique risk environment. We tailor our assessments and deliverables to your organization's risk tolerance, providing the highest level of risk reduction for the associated cost. These practical solutions lead to real results and a tangible return on investment.

LBMC Security Services is accredited as a Third-Party Assessment Organization (3PAO) for FedRAMP. We can help you understand if you're ready to comply with your requirements, and show you the controls you need to implement for better security and streamlined compliance. We can help your business in two ways:

FedRAMP Readiness: If you're preparing to provide cloud services to federal agencies or readying for a FedRAMP assessment, our security experts can help you identify compliance gaps and implement efficient, effective controls. LBMC will assist you with your application package and help you ensure that you're using the right security frameworks from the National Institute of Standards and Technology (NIST).

3PAO Assessment: As an accredited 3PAO firm, LBMC can conduct your FedRAMP-mandated third-party assessment. Through continuous monitoring we will validate your security framework and verify that your system remains secure, compliant, and complete.

Ready to learn more? Contact us to discuss how we can help you.

As part of our full suite of services, we offer:
Risk Assessments
Security Program Consulting
HIPAA Assessments
HITRUST Assessments
SOC 1 & 2 Audits with HIPAA Mapping
Managed Security Services
CMS Information Security


Is SharePoint 2016 right for your organization? Is SharePoint 2016 right for your organization? 1 Table of contents Finding the value of a migration... 3 Investment areas and why they matter...4 1. Improved user experience...5 2. Compliance and reporting...7

More information

Linda Carrington, Wessex Commercial Solutions

Linda Carrington, Wessex Commercial Solutions Linda Carrington, Wessex Commercial Solutions Linda Carrington has worked with ISO 9001 accredited systems throughout her career, in businesses as diverse as oil and gas, construction, defence and shipping.

More information

Sarbanes-Oxley Compliance Kit

Sarbanes-Oxley Compliance Kit Kit February 2018 This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE Disaster Recovery

More information

KEY SUCCESS FACTORS FOR MAJOR PROGRAMS THAT LEVERAGE IT. The 7-S for Success Framework

KEY SUCCESS FACTORS FOR MAJOR PROGRAMS THAT LEVERAGE IT. The 7-S for Success Framework KEY SUCCESS FACTORS FOR MAJOR PROGRAMS THAT LEVERAGE IT The 7-S for Success Framework May 2014 This document sets forth a framework of critical success factors for large scale government IT projects. ACT-IAC

More information

3 PART THREE: WORK PLAN AND IV&V METHODOLOGY (SECTION 5.3.3)

3 PART THREE: WORK PLAN AND IV&V METHODOLOGY (SECTION 5.3.3) 3 PART THREE: WORK PLAN AND IV&V METHODOLOGY (SECTION 5.3.3) Emagine IT s approach to Independent Verification and Validation (IV&V) has been shaped over the years by hands-on experience and contributions

More information

A BPM Partners ebook. Performance Management: The Next Generation. The Official Guide

A BPM Partners ebook. Performance Management: The Next Generation. The Official Guide A BPM Partners ebook Performance Management: The Next Generation The Official Guide November 2017 2017 BPM Partners, Inc. All material contained in this document remains the property of BPM Partners and

More information

Enabling NASA Software-as-a-Service (SaaS) Use

Enabling NASA Software-as-a-Service (SaaS) Use Enabling NASA Software-as-a-Service (SaaS) Use Computing Services Program Office Enterprise Managed Cloud Computing (EMCC) Service Office Version 1.0, September 29, 2016 NASA Enterprise Managed Cloud Computing

More information

Accelerate Your Digital Transformation

Accelerate Your Digital Transformation SAP Value Assurance Accelerate Your Digital Transformation Quick-Start Transformation with SAP Value Assurance Service Packages 1 / 17 Table of Contents 2017 SAP SE or an SAP affiliate company. All rights

More information

Recruiting Leader s Guide to Direct Hire Agency Planning

Recruiting Leader s Guide to Direct Hire Agency Planning Recruiting Leader s Guide to Direct Hire Agency Planning Setting Your Agency Recruiting Strategy for 2016 Recruiting Leader s Guide to Direct Hire Agency Planning 2 INTRODUCTION Direct hire agencies are

More information

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software WHITE PAPER: COMPARING TCO: SYMANTEC MANAGED PKI SERVICE........ VS..... ON-PREMISE........... SOFTWARE................. Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

More information

AWS Life Sciences Competency Consulting Partner Validation Checklist

AWS Life Sciences Competency Consulting Partner Validation Checklist AWS Life Sciences Competency February 2018 Version 2.2 Table of Contents Introduction... 3 Competency Application and Audit Process... 3 Program Policies... 3 AWS Life Sciences Competency Program Prerequisites...

More information

NUANCE COMMUNICATIONS CUSTOMER SUCCESS STORY

NUANCE COMMUNICATIONS CUSTOMER SUCCESS STORY NUANCE COMMUNICATIONS CUSTOMER SUCCESS STORY The Closed Loop Feedback Process Proves to Be a Valuable Tool for Resolving Customer Issues in a Timely Manner, Leading to Increased Customer Loyalty and Satisfaction

More information

Leading the Way. Every Day

Leading the Way. Every Day Leading the Way Every Day 15:00 GMT Dallas Clients and their Cartus teams begin a Day of collaborative reviews and planning for the coming year. Connecting with a passion. Some of our clients move a select

More information

An Epicor White Paper. Best Practices for ERP Implementation Success

An Epicor White Paper. Best Practices for ERP Implementation Success An Epicor White Paper Best Practices for ERP Implementation Success Table of Contents Introduction...1 Best Practices for ERP Implementation...3 Understand business processes and key requirements...3 Build

More information

A Modern Intranet Defined

A Modern Intranet Defined A Modern Intranet Defined 1 What is a modern intranet? Success in today s competitive marketplace is often measured on how quickly a company adapts to market conditions, industry trends, competitive threats,

More information

Prepare for GDPR today with Microsoft 365

Prepare for GDPR today with Microsoft 365 Prepare for GDPR today with Microsoft 365 2 Table of contents 01. 02. 03. 04. 05. Executive Sumary Landscape Assess and manage your compliance risk Protect your most sensitive data Closing 3 01. Executive

More information

Department of Navy Audit Update

Department of Navy Audit Update Department of Navy Audit Update Northern Virginia Chapter Association of Government Accountants April 28, 2017 Victoria Crouse, Chief Strategy Officer Agenda What We ve Done Journey to Date: Key Milestones

More information

Social Media Manager Job Description: a Complete Guide

Social Media Manager Job Description: a Complete Guide - Social Media Manager Job Description: a Complete Guide Duties, responsibilities and qualifications required to succeed in today's digital marketing environment - Social Media Manager Job Description:

More information

Laying the ground work to grow cloud opportunities

Laying the ground work to grow cloud opportunities Laying the ground work to grow cloud opportunities Spark New Zealand increases its technical readiness and ability to innovate with Premier Support for Partners. A trusted advisor for digital transformation

More information

Preparing for IFRS: What your company can do to stay ahead of the curve

Preparing for IFRS: What your company can do to stay ahead of the curve Preparing for IFRS: What your company can do to stay ahead of the curve Prepared by: Bob Dohrer Partner and Practice Leader International Assurance Services Group McGladrey & Pullen LLP robert.dohrer@rsmi.com

More information

BUILDING A BUSINESS CASE FOR A VMS Fieldglass, Inc. All Rights Reserved

BUILDING A BUSINESS CASE FOR A VMS Fieldglass, Inc. All Rights Reserved 1 BUILDING A BUSINESS CASE FOR A VMS Business leaders are often intimidated by the overwhelming task of centralizing their contingent workforce program after years of manual processes. Whether you have

More information

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404 Beyond Compliance Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404 Note to Readers Regarding This First Edition April 2003: This document was published

More information

SQF 2000 Guidance. Guidance for Food Sector Category 4 Fresh Produce Pack House Operations. 1st Edition

SQF 2000 Guidance. Guidance for Food Sector Category 4 Fresh Produce Pack House Operations. 1st Edition SQF 2000 for Food Sector Category 4 Fresh Produce Pack House Operations 1st Edition SEPTEMBER 2010 Safe Quality Food Institute 2345 Crystal Drive, Suite 800 Arlington, VA 22202 USA 202-220-0635 www.sqfi.com

More information

Office of Information Technology (OIT) Strategic Plan FY

Office of Information Technology (OIT) Strategic Plan FY Office of Information Technology (OIT) Strategic Plan FY 2018 2022 Office of Information Technology - Vision, Mission, Pillars, and Values Vision Statement Boise State is a center for innovation, learning

More information

Supplier Risk Management. Do You Really Have the Right Level of Visibility to Minimise Risk?

Supplier Risk Management. Do You Really Have the Right Level of Visibility to Minimise Risk? Supplier Risk Management Do You Really Have the Right Level of Visibility to Minimise Risk? Contents 3 4 Introduction What Kind of Risk Are We Talking About? 5 How Do You Manage Such a Diversity of Risk?

More information

Seven Ways to Create an Unbeatable Enterprise Mobility Strategy

Seven Ways to Create an Unbeatable Enterprise Mobility Strategy Seven Ways to Create an Unbeatable Enterprise Mobility Strategy A practical guide to what business and IT leaders need to do NOW to manage their business s mobile future By Arun Bhattacharya, CA Technologies

More information

Implementing Category Management for Common Goods and Services

Implementing Category Management for Common Goods and Services Implementing Category Management for Common Goods and Services Darbi Dillon Office of Federal Procurement Policy 1800 G Street NW, Washington DC 20006 Audit Tax Advisory Grant Thornton LLP 333 John Carlyle

More information