Avoiding Common FedRAMP Pitfalls
You may have heard that achieving Authority to Operate (ATO) under the Federal Risk and Authorization Management Program (FedRAMP) is a complicated and time-consuming undertaking. This is likely based on the experience many cloud service providers (CSPs) have when they dive into FedRAMP headfirst without taking the time to plan and prepare for what is undeniably a rigorous endeavor.
Keep in mind that the objective of FedRAMP is to ensure that CSPs are providing secure products so the Federal Government can deliver its services more safely and effectively. It’s understandable that the process is rigorous, but organizations that take the time to prepare will have a smoother experience than those that don’t.
There are some common mistakes and misconceptions that are worth addressing to help your CSP business plan for a less stressful, more efficient path to FedRAMP ATO status. The information in this article is based on the assumption that your organization is pursuing agency authorization rather than Joint Authorization Board (JAB) authorization, as this is the route the majority of CSPs take. With that in mind, here are some of the common pitfalls and some suggestions to facilitate the process.
Pitfall #1: Assuming FedRAMP Will Be a Quick and Easy Process
Even if your organization has been through other cybersecurity compliance audits in the past, and you feel confident in your current security posture, that doesn’t mean you will be able to breeze through FedRAMP. Accept that there are many gaps that will need to be filled because FedRAMP security standards are much more prescriptive compared to a more general security assessment, like SOC 2.
That said, you should absolutely view past audit and assessment experiences as stepping stones that can assist your FedRAMP journey. For example, our client AchieveIt noted that because they had been through a SOC 2 Type II assessment, they understood much of the language and baseline requirements for FedRAMP, and had solid basic policies and procedures in place.
The company also had a robust security policy that was built out to follow certain ISO standards. While it did require modifications and enhancements for FedRAMP, having that existing security policy helped them have more informed conversations with their agency sponsor and the FedRAMP Program Management Office (PMO).
You’re not expected to be a FedRAMP expert, so my top tip for wrapping your head around the process is to ask a lot of questions — of everyone. This includes your third-party assessment organization (3PAO), your advisor, your agency, the PMO, and your own staff. I also highly recommend looking through FedRAMP’s official library of training resources and their FAQ.
Pitfall #2: Overlooking the Benefits of Control Inheritance
In the world of cybersecurity compliance, it often pays to work smarter versus harder. Let me be clear that this doesn’t mean you should look for shortcuts or ways to “hack” FedRAMP. This will inevitably disrupt the process and everything will end up taking longer than necessary. However, there are some established techniques that can be used to expedite FedRAMP (and even lower associated costs).
For CSPs, inheriting as many security controls as possible from your underlying infrastructure provider can help reduce some of the preparation work for your FedRAMP authorization. That’s why it’s ideal to have your product hosted on a platform (IaaS or PaaS) that is FedRAMP authorized. Most of the major IaaS/PaaS providers have a FedRAMP authorization at either a Moderate or High Impact level. For example, a SaaS provider hosted on Azure or AWS won’t have to spend as much time and resources on control implementation and testing activities for those inherited controls.
When a CSP does not use a FedRAMP-authorized service and opts to manage its own servers and operating systems, control inheritance is not an option. Such an organization must include its infrastructure and platform within its authorization boundary.
While leveraging FedRAMP-authorized services may not be an option for every organization architecturally, I recommend moving in that direction wherever possible. It’s worth checking to see if there are any tools in your stack that are FedRAMP-authorized, since most organizations make this information publicly available. With the recent emphasis on supply chain risk management, third-party or external services and systems are an area of concern for FedRAMP, which needs to ensure that Federal data and metadata are protected at all times.
Pitfall #3: Underestimating the Power of Automation
The FedRAMP PMO and JAB have been working with the General Services Administration’s (GSA) Technology Transformation Services (TTS) arm to automate many security authorization processes. Because automation has become a key tenet of FedRAMP’s efforts to make processes more efficient and reduce the burden on CSPs, I advise you to investigate all available options.
A cutting-edge compliance management platform can help your organization automate and streamline tedious and unnecessarily laborious tasks. For example, an end-to-end platform such as A-SCEND can centralize evidence collection across all audits and assessments so you don’t need to upload the same documents multiple times.
To that point, FedRAMP has been working with the National Institute of Standards and Technology (NIST) for several years to develop the Open Security Controls Assessment Language (OSCAL), “a standard that can be applied to the publication, implementation, and assessment of security controls”. OSCAL can help decrease the amount of time it takes to review security packages, as well as allow CSPs and 3PAOs to carry out their own self-tests prior to submission.
I suggest that you read this recent announcement regarding OSCAL validation rules to learn more about how this open source language increases opportunities for automation and accelerates handoff between key players through the FedRAMP ATO process.
While there’s no denying that the road to FedRAMP ATO can be complex and, at times, confusing, don’t fall victim to the myth that this process is inherently painful or overwhelming. Like virtually all areas of compliance, it comes down to having the right people, processes, and technology in place to facilitate transparency, accountability, and efficiency across the entire journey.
Is your organization pursuing FedRAMP Ready and/or a FedRAMP Authorized status? As a top accredited 3PAO for FedRAMP, A-LIGN has the knowledge and skills necessary to perform these security assessments.