FedRAMP FAQ – Understanding FedRAMP 2022
Any organization seeking to provide cloud products or solutions to a federal agency must obtain a FedRAMP Authorization to Operate (ATO), which attests that the security of the information it hosts meets FedRAMP requirements. The path usually starts with a FedRAMP Readiness Assessment (required for the JAB route, strongly recommended for the agency route) and continues with a full FedRAMP security assessment. The Federal Risk and Authorization Management Program (FedRAMP) is a government-developed, standardized approach to security assessment, authorization, and continuous monitoring of Cloud Service Providers (CSPs). Only accredited Third Party Assessment Organizations (3PAOs) may perform FedRAMP assessments.
Rather than requiring a separate assessment for every agency, FedRAMP is a single standardized audit designed to be a common one-stop shop for CSPs. FedRAMP follows the “do once, use many” methodology, and its benefits include efficient use of resources, in both cost and time.
The goal of FedRAMP is to increase confidence in the security of cloud solutions through continuous monitoring and consistent use of best information security practices and procedures.
As organizations explore their federal audit options, A-LIGN’s experienced assessors have compiled and answered five frequently asked questions to help organizations better understand the assessment process.
1. Does FedRAMP apply to me?
Any Cloud Service Provider (CSP) that is currently, or is looking to become, a third-party vendor for federal agencies must obtain a FedRAMP authorization (commonly, if loosely, called being “FedRAMP certified”). State government agencies may also require third-party CSPs to hold a FedRAMP authorization, and the separate StateRAMP program exists for CSPs working with state governments.
2. Do CSPs need an agency sponsor to become FedRAMP certified?
Not necessarily; there are two paths to FedRAMP authorization. The first is agency sponsorship, in which a federal agency sponsors the CSP, reviews its security package and issues an agency ATO. The other is the Joint Authorization Board (JAB) path, which begins with a Readiness Assessment that reviews the controls in place and, on passing, proceeds to a full assessment and a JAB provisional authorization (P-ATO).
3. What are the key processes of FedRAMP?
The key processes of FedRAMP are the security assessment, leveraging and authorization, and ongoing assessment and authorization. The security assessment tests the system against the set of NIST SP 800-53 Rev. 4* controls in the applicable FedRAMP baseline. Federal agencies view completed security authorization packages in the FedRAMP secure repository and leverage those packages to grant their own authorizations. Once an authorization is granted, continuous monitoring (ongoing assessment and authorization) activities must be in place to maintain it.
*FedRAMP will be transitioning to NIST SP 800-53 Rev. 5.
4. Is penetration testing mandatory for a FedRAMP ATO?
Yes. A penetration test is a mandatory part of the assessment if the cloud service offering is categorized at the Moderate or High impact level, and it must be performed by the Third-Party Assessment Organization (3PAO).
5. How do I start the process of becoming FedRAMP certified?
The process depends on an organization’s current level of compliance with NIST SP 800-53 Rev. 4. If an organization has never written a System Security Plan (SSP), the recommended first step is a gap analysis of its current security controls against the NIST SP 800-53 Rev. 4 controls in the target FedRAMP baseline.
Becoming FedRAMP Compliant
If you are a Cloud Service Provider (CSP) currently providing, or seeking to provide, services to federal agencies, A-LIGN can make your FedRAMP process seamless. We will support you during your entire FedRAMP journey, from readiness to authorization.
Does My European Business Need a FedRAMP Assessment?

You may have noticed that the United States’ Federal Risk and Authorization Management Program (FedRAMP) is gaining traction in other parts of the world, which raises the question: “Does my business need a FedRAMP assessment?”
FedRAMP was originally launched in 2011 as a way for the U.S. government to manage security risks as they adopt products and services that store, process, and transmit federal information in the cloud. Although FedRAMP is usually leveraged as a way for cloud service providers (CSPs) to meet Federal Information Security Modernization Act (FISMA) requirements, a growing number of organizations are using this risk-based standard to not only enhance their security, but to also stand out from the competition and win new business.
Let’s take a look at why a European business would want to pursue FedRAMP authorization and the many benefits to their organisation.
Why would a European business pursue FedRAMP Authorization?
There’s one main factor that most often motivates European businesses to pursue FedRAMP Authorization to Operate (ATO) status: They would like to sell a cloud service offering (CSO) to the U.S. government.
FedRAMP was specifically designed to ensure that CSPs with a software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS) CSO have adequate information security to do business with a U.S. federal agency. The specific requirements that a CSO must fulfil are dictated by FISMA and its subsequent memorandums.
In other words: if your business is a CSP that would like to sell a cloud-based solution to the U.S. government, you must obtain a FedRAMP authorization. As a bonus, FedRAMP’s “do once, use many” approach means that once you achieve ATO status, your security package can be reused by any federal agency. You will also be listed in the FedRAMP Marketplace, which is often the first place federal agencies look when sourcing a new CSO.
What are the benefits of FedRAMP for European businesses?
Before we dive into the benefits, it’s worth noting that FedRAMP is not a quick and easy process that your business can sail through without much effort. It is a serious undertaking that requires patience as you work to fill your existing security gaps.
That being said, achieving FedRAMP ATO status comes with several advantages that make the effort required more than worth it. Here are a few to consider:
- The ability to re-use FedRAMP across multiple U.S. government agencies
- More robust security and risk mitigation for your CSO
- Enhanced real-time security visibility
- Improved trust among customers, prospects, and partners
- A marketing proof point that can be used in the private sector
Additionally, the new FedRAMP control baselines, built on NIST SP 800-53 Rev 5, use an evolving, threat-based approach that lets CSPs keep their information security efforts current against new and emerging threats.
How can my business get started with FedRAMP?
There are two options to choose from when looking to authorize a CSO through FedRAMP: a Joint Authorization Board (JAB) provisional authorization (P-ATO) or an ATO issued by an individual U.S. government agency. For more guidance on selecting your authorization strategy, I highly recommend reading through the FedRAMP CSP Authorization Playbook.
Below are the four high-level steps involved in the FedRAMP authorization process:
1. Document
Your business must categorize the CSO being considered for FedRAMP in accordance with FIPS 199. The category (Low, Moderate, or High impact) that applies to your CSO depends on the potential impact of a loss of confidentiality, integrity or availability of the data it handles. See our guide Understanding Federal Compliance for more details about these impact levels.
2. Assess
A federally accredited third-party assessment organization (3PAO) conducts a security assessment to determine whether your CSO meets the baseline controls required for FedRAMP. If it does, the 3PAO submits an assessment package attesting to your compliance.
3. Authorize
The sponsoring government agency reviews the security package and either accepts it or requests additional testing. A final review is then conducted by the agency and the FedRAMP Program Management Office (PMO) to decide whether they will accept the risk associated with use of the CSO. If approved, the Authorizing Official issues an ATO letter.
*For the P-ATO route, this review process will also include the FedRAMP JAB.
4. Continuously monitor
After authorization is granted, you must provide monthly deliverables to the agency (or agencies) using your CSO to demonstrate that your cloud security controls are continuing to operate effectively. You must also have a 3PAO complete an annual security assessment to ensure the system’s risk posture remains acceptable.
Work with a top FedRAMP assessor
While FedRAMP was created to assist the U.S. government to rapidly, rigorously, and consistently assess the security of cloud solutions, it also benefits CSPs. From earning more U.S. federal work to increasing trust among customers and prospects in the private sector, there are several reasons why your European business may want to pursue FedRAMP authorization.
Looking to firm up your plan for FedRAMP? As an accredited 3PAO that is one of the top five FedRAMP assessors in the world, A-LIGN is ready to perform your security assessment. In fact, we are currently a FedRAMP 3PAO for a growing number of European CSPs. If you have already chosen a 3PAO, but could use some guidance throughout the preparation process, our independent team of advisors can help you with control implementation, process documentation, and everything in between. Learn more about our comprehensive FedRAMP services.
SOC 2: Type 1 or Type 2?
More and more customers are asking for demonstrated SOC 2 compliance, and independent validation and attestation of cybersecurity controls are becoming necessary to compete for high-priority contracts. Beyond customer demand, a SOC 2 examination gives your organization independent evidence that its controls are designed (and, for a Type 2 report, operating) as described, which surfaces weaknesses before an attacker does.
For organizations seeking a SOC 2 report, there are two attestation options available: Type 1 and Type 2. What type is best for your organization to prove compliance? Our experienced assessors break down the options so the path to SOC 2 compliance is clear.
What Is a SOC 2 Report?
A SOC 2 report describes the controls an organization has in place to protect and secure the system or services used by its customers. The scope of a SOC 2 examination extends beyond systems with a financial impact to all systems and tools that support the organization’s system or services. The environment is evaluated against the requirements of the examination, known as the Trust Services Criteria (TSC). The TSC are defined by the American Institute of Certified Public Accountants (AICPA) and consist of five categories:
- Common Criteria/Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
The Difference Between Type 1 and Type 2 Reports
A Type 1 report describes the service organization’s system and assesses whether its controls are suitably designed to meet the applicable Trust Services Criteria as of a specified date. A Type 2 report covers the same design question and additionally tests whether those controls operated effectively over a review period (commonly six to twelve months). A Type 1 is therefore quicker to obtain and is often used as a first report, while customers who want evidence of sustained control operation will ask for a Type 2.
What Is a Readiness Assessment?
Now that you understand the difference between a Type 1 and Type 2 report, how can you best prepare for your SOC 2 examination? A-SCEND’s SOC 2 Readiness Assessment is designed to make your organization’s SOC 2 project easier through automation so you can assess how prepared you are before the audit begins. Used for internal purposes, this assessment provides your organization with a greater understanding of the demands of a SOC audit. The deliverables include a listing of your current controls, as well as identification of gaps that require remediation prior to the full assessment.
We also recommend completing our SOC Readiness Checklist before undergoing a full SOC 2 assessment to see how close your organization is to reaching its requirements for a SOC 2 audit.
Evaluate Your Compliance
With our SaaS SOC 2 Readiness Assessment, you not only benefit from getting ready in half the time, but you also gain the support of experienced SOC 2 auditors from the top SOC 2 issuer in the world.
Updated FedRAMP Readiness Assessment Report Guide for 3PAOs – a Summary
Is a Cloud Service Provider (CSP) ready to undergo the extensive FedRAMP authorization process? That’s what the FedRAMP Readiness Assessment Report (RAR) intends to find out.
A Third Party Assessment Organization (3PAO) will leverage the RAR to document and validate a CSP’s full implementation of the technical capabilities required to meet FedRAMP security requirements. Let’s take a look at what’s involved in a FedRAMP Readiness Assessment and the steps outlined in the updated FedRAMP RAR guide.
What Does a FedRAMP Readiness Assessment Entail?
Completing a RAR requires a 3PAO, such as A-LIGN, to:
- Confirm full implementation of the Cloud Service Offering’s (CSO) technical capabilities
- Understand how a CSO works and operates
- Validate what is implemented within the CSO
- Understand the key functionalities of the CSO and document the RAR in a way that is comprehensible by agency customers that may not have a strong technical background
- Verify that the stated authorization boundary of the CSO and the data flows within the system are practical, secure, and logical
While a Readiness Assessment is intended to determine a CSO’s readiness to achieve FedRAMP authorization, it does not guarantee it. CSPs can use the process as an opportunity to discover and remediate any deficiencies in a CSO’s capabilities, as well.
The RAR must specifically, clearly, and succinctly provide an overview of the system as well as a subjective summary of a CSO’s overall readiness. This includes rationale such as notable strengths and other areas for consideration. The 3PAO should answer RAR requirements and questions, stating what they found (observations and evidence) during their review, and, most importantly, how they determined whether a CSP adequately addresses the question area.
In a thorough 19-page document, FedRAMP provided updated guidance as well as templates for 3PAOs evaluating CSPs for readiness. Below, you’ll find a summary of the 12 steps 3PAOs should follow when preparing a RAR as outlined in the new guidance.
1. Validate the Authorization Boundary
Assessing any CSO for readiness begins by determining whether the offering has a clearly defined and maintainable authorization boundary. It falls on 3PAOs to perform full authorization boundary validation to ensure nothing is missing from the CSP identified boundary, and all included items are present and part of the system boundary.
This step also extends to the need for 3PAOs to conduct a discovery scan. This is intended to identify operating systems running on the network then map them to IP addresses, identify open ports and services, and gather rudimentary information on targeted hosts.
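One way to turn the discovery scan into a boundary-validation finding, as an added example that is not part of the RAR guide or A-LIGN’s own tooling: parse nmap’s XML output and reconcile it against the CSP’s declared inventory, so hosts the CSP never listed, listed hosts that do not answer, and undeclared listening services are all surfaced. The nmap XML and the inventory below are constructed samples; a 3PAO would feed in the real `nmap -sV -O -oX scan.xml <declared ranges>` output and the inventory behind the authorization boundary diagram.

```python
"""Reconcile an nmap discovery scan against a CSP-declared authorization boundary.

Added example (not from the FedRAMP RAR guide or A-LIGN). Assumes the 3PAO ran
`nmap -sV -O -oX scan.xml <ranges>` and holds the CSP's inventory as IP -> expected ports.
"""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (trimmed to the elements used here).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
    <os><osmatch name="Linux 5.X"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.1.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.1.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019"/></os>
  </host>
</nmaprun>
"""

# Constructed CSP inventory: what the authorization boundary diagram claims exists.
SAMPLE_INVENTORY = {
    "10.0.1.10": {"role": "web", "ports": {443}},
    "10.0.1.11": {"role": "db", "ports": {5432}},
    "10.0.1.12": {"role": "bastion", "ports": {22}},
}


def parse_nmap(xml_text):
    """Return {ip: {"os": name-or-None, "ports": {(proto, port, service)}}} for hosts that are up."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for p in host.iter("port"):
            st = p.find("state")
            if st is not None and st.get("state") == "open":
                svc = p.find("service")
                ports.add((p.get("protocol"), int(p.get("portid")),
                           svc.get("name") if svc is not None else None))
        osmatch = host.find("os/osmatch")
        hosts[addr.get("addr")] = {
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports,
        }
    return hosts


def reconcile(scan, inventory):
    """Compare observed hosts and ports with the declared boundary; returns RAR-ready findings."""
    observed, declared = set(scan), set(inventory)
    findings = {
        "undeclared_hosts": sorted(observed - declared),            # live but not in the ABD
        "unreachable_declared_hosts": sorted(declared - observed),  # in the ABD but not answering
        "undeclared_ports": {},                                     # extra services on known hosts
    }
    for ip in observed & declared:
        extra = {port for (_, port, _) in scan[ip]["ports"]} - inventory[ip]["ports"]
        if extra:
            findings["undeclared_ports"][ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    for key, value in reconcile(parse_nmap(SAMPLE_NMAP_XML), SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Every entry in `undeclared_hosts` and `undeclared_ports` is a question for the CSP (is it in scope, out of scope, or forgotten?), and every `unreachable_declared_hosts` entry is a diagram element the 3PAO could not corroborate.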
2. Identify All Data Flows and Stores Within and Throughout the Authorization Boundary
A 3PAO must validate the data flow diagrams (DFDs) and provide a written description of the data flows. Each DFD must be high resolution, reflect the same components as the authorization boundary diagram, and explicitly identify every location where federal data and metadata reside or travel in relation to the CSO’s authorization boundary.
3. Determine Leveraged FedRAMP Authorizations
For a CSO that leverages another FedRAMP-authorized service, the 3PAO must provide the specific details of that relationship. The leveraged offering must be listed on the FedRAMP Marketplace with a status of Authorized (not FedRAMP Ready or In Process); that status is reached only when a full assessment package has been approved by the Joint Authorization Board (JAB) or by a sponsoring agency with Program Management Office (PMO) review. If the 3PAO is assessing a SaaS, it must ensure that the subscriptions to the underlying services (IaaS, PaaS) are accurately documented.
4. Determine External and Corporate Systems and Services
Within the RAR, the 3PAO must document the CSP’s connections to external systems and services, including corporate systems and services that are not part of the authorization boundary. It must disclose the use of third-party providers and external services or systems that lack FedRAMP authorization at the time the RAR is completed, and provide a brief analysis of those externally leveraged services and the risks they introduce.
5. Application Programming Interfaces (APIs)
While they are connections, APIs have their own category within the RAR. 3PAOs must identify each API a CSO uses.
6. Assess and Describe the Strength of the Physical and/or Logical Separation Measures within the System
A 3PAO must make an assessment of physical and/or logical separation measures based on very strong evidence, such as the review of any existing penetration testing results, or an expert review of the products, architecture, and configurations. In the absence of a penetration test, a 3PAO must provide a rationale for being able to prove that there is adequate segregation of tenants and data. 3PAOs must also analyze all border devices to ensure they provide appropriate segregation from other systems, and describe the methods used to verify the strength of separation.
7. Ensure Federal Mandates Are Met
3PAOs assessing Moderate and High baseline systems must ensure six federal mandates are met.
- Are FIPS 140-2 Validated cryptographic modules (IAW SC-13) consistently used everywhere cryptography is required? This includes all SC-8, SC-8(1), and SC-28 required encryption.
- Does the system fully support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials?
- Is the system operating at Digital Identity Level 3?
- Can the CSP consistently remediate High vulnerabilities within 30 days, Moderate vulnerabilities within 90 days, and Low vulnerabilities within 180 days?
- Does the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements?
- Does the system’s external DNS solution support DNS Security Extensions (DNSSEC) to provide origin authentication and integrity verification assurances?
The answer must be “yes” for all six questions before submitting the RAR.
8. Ensure DNSSEC Is in Place
It is incumbent upon the 3PAO to verify that the external authoritative DNS servers reply with valid Domain Name System Security Extensions (DNSSEC) responses, and that every external domain used to access the CSO is signed, with the corresponding DS record published in the parent zone. The zone’s signing key is vouched for by a DS record in the top-level domain (TLD) zone, which is in turn signed by the root zone; a validating recursive resolver checks this entire chain, so a single missing or invalid signature breaks validation for the whole name.
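The three signals a 3PAO actually checks for this step, as an added example (not from the RAR guide or A-LIGN): the `ad` flag from a validating resolver, an RRSIG covering the answer, and a DS record in the parent zone. The code parses captured `dig +dnssec` output rather than querying live DNS, so it runs offline; the transcripts below are constructed samples and `portal.example.gov` is a placeholder name. In practice the 3PAO would run `dig +dnssec A <name> @<validating resolver>` and `dig +dnssec DS <zone>` and feed the output in.

```python
"""Assess a zone's DNSSEC posture from captured `dig +dnssec` output.

Added example (not from the FedRAMP RAR guide or A-LIGN). The dig transcripts are
constructed samples; names, key tags and digests are placeholders.
"""
import re

# Constructed: `dig +dnssec A portal.example.gov @<validating resolver>` for a signed zone.
SIGNED_A = """; <<>> DiG 9.18.1 <<>> +dnssec A portal.example.gov
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
portal.example.gov.  300 IN A 203.0.113.10
portal.example.gov.  300 IN RRSIG A 13 3 300 20240131000000 20240101000000 12345 example.gov. c29tZXNpZw==

;; Query time: 12 msec
"""

# Constructed: the same query for a zone that is not signed (no RRSIG, no ad flag).
UNSIGNED_A = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.org.  300 IN A 203.0.113.20

;; Query time: 9 msec
"""

# Constructed: a validating resolver answering SERVFAIL, the usual symptom of a broken chain.
BOGUS_A = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed: `dig +dnssec DS example.gov` showing the delegation signer held by the parent zone.
DS_PRESENT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.gov.  86400 IN DS 12345 13 2 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
example.gov.  86400 IN RRSIG DS 8 2 86400 20240131000000 20240101000000 2222 gov. c29tZXNpZw==
"""

# Constructed: no DS in the parent, so the chain of trust stops at the TLD.
DS_ABSENT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4715
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""


def parse_dig(text):
    """Pull the status, header flags and ANSWER-section records out of dig's text output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([^;]*);", text)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                in_answer = False
                continue
            answers.append(line.split())  # [name, ttl, class, type, rdata...]
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "answers": answers,
    }


def assess_dnssec(a_output, ds_output, qtype="A"):
    """Combine the signals a 3PAO looks for into a readiness verdict."""
    a, ds = parse_dig(a_output), parse_dig(ds_output)
    checks = {
        # 'ad' (authenticated data) is set only by a validating resolver after a successful chain check
        "resolver_validated": a["status"] == "NOERROR" and "ad" in a["flags"],
        # the answer RRset must carry an RRSIG covering the queried type
        "rrsig_covers_answer": any(len(r) > 4 and r[3] == "RRSIG" and r[4] == qtype
                                   for r in a["answers"]),
        # the parent zone must publish a DS record, or nothing links the zone's key to the root
        "ds_in_parent": any(len(r) > 3 and r[3] == "DS" for r in ds["answers"]),
        # SERVFAIL from a validating resolver usually means a broken or expired signature chain
        "validation_failure": a["status"] == "SERVFAIL",
    }
    checks["ready"] = (checks["resolver_validated"] and checks["rrsig_covers_answer"]
                       and checks["ds_in_parent"])
    return checks


if __name__ == "__main__":
    for label, a, ds in [("signed", SIGNED_A, DS_PRESENT),
                         ("unsigned", UNSIGNED_A, DS_ABSENT),
                         ("bogus", BOGUS_A, DS_PRESENT)]:
        print(label, assess_dnssec(a, ds))
```

A `validation_failure` with a DS present is the case worth chasing: the parent vouches for a key, but the signatures served do not match it (rolled key, expired RRSIG, or a stale DS), which is exactly the "broken link breaks the whole chain" failure described above.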
9. Verify FIPS 140-2 Validated Encryption within and throughout the System Boundary
All Moderate and High-level federal data and metadata must be encrypted with FIPS 140-2 validated modules, both at rest (DAR) and in transit (DIT), within and throughout the system boundary. A CSP or vendor claiming FIPS 140-2 validation must be able to point to the module’s CMVP certificate and its accompanying security policy, which states how the module must be configured and used (for example, operated in FIPS mode) to stay within its validated boundary.
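A quick screen a 3PAO can run over TLS scan results before digging into CMVP certificates, as an added example that is not from the RAR guide or A-LIGN: anything negotiating TLS 1.0/1.1 or a non-approved algorithm (ChaCha20, RC4, DES/3DES, MD5, NULL, export suites) cannot be running under a validated module in FIPS mode, so it fails immediately. The endpoint list and the policy table are constructed assumptions; passing the screen is necessary but not sufficient, since validation is a property of the module (certificate number, FIPS mode) rather than of the cipher names.

```python
"""Screen observed TLS endpoints for algorithms a FIPS 140-2 validated module would never negotiate.

Added example (not from the FedRAMP RAR guide or A-LIGN). The endpoint list is a constructed
sample in the shape a scanner such as sslscan or testssl reports; the policy table is an
assumption drawn from NIST SP 800-52 Rev 2 (TLS 1.2+) and the FIPS-approved algorithm list.
"""

# Constructed sample: (host, negotiated protocol, OpenSSL-style cipher suite name).
SAMPLE_ENDPOINTS = [
    ("portal.example.gov:443", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("api.example.gov:443", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("legacy.example.gov:443", "TLSv1.0", "AES128-SHA"),
    ("edge.example.gov:443", "TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256"),
    ("vpn.example.gov:443", "TLSv1.2", "ECDHE-RSA-RC4-SHA"),
]

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings whose presence in a suite name means a non-approved algorithm is in use.
DISALLOWED_TOKENS = ("CHACHA20", "RC4", "DES", "MD5", "NULL", "EXPORT", "EXP-")


def check_cipher(protocol, cipher):
    """Return the reasons this endpoint cannot be operating under a FIPS-validated module (empty = passes)."""
    reasons = []
    if protocol not in ALLOWED_PROTOCOLS:
        reasons.append(f"protocol {protocol} not permitted")
    upper = cipher.upper()
    for token in DISALLOWED_TOKENS:
        if token in upper:
            reasons.append(f"non-approved algorithm {token}")
    if "AES" not in upper:
        reasons.append("bulk cipher is not AES")
    return reasons


def screen(endpoints):
    """Map each host to its list of failure reasons; hosts with an empty list pass the screen."""
    return {host: check_cipher(proto, cipher) for host, proto, cipher in endpoints}


def host_fips_mode(path="/proc/sys/crypto/fips_enabled"):
    """Linux kernel FIPS flag: 1 if booted with fips=1, 0 if not, None if the file is unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for host, reasons in screen(SAMPLE_ENDPOINTS).items():
        print(host, "PASS" if not reasons else "FAIL: " + "; ".join(reasons))
    print("host FIPS mode:", host_fips_mode())
```

For hosts that pass, the remaining evidence is the module itself: `host_fips_mode()` returning 1 on Linux, the CMVP certificate number for the library in use, and the configuration the certificate’s security policy requires.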
10. Assess Security Capabilities Sections
3PAOs must assess several of the system’s technical, management, and operational capabilities through a combination of interviews, observations, demonstrations, examinations, and on-site visits. The assessment must be based on an accurate authorization boundary diagram (ABD) and data flow diagram (DFD), and must not rely solely on the CSP’s written documentation and interviews.
11. Complete Executive Summary and Ensure Alignment with Entire Document
The Executive Summary must contain a number of items, including overall alignment with the NIST definition of cloud computing (for example, on-demand self-service). It should also note whether the CSP is pursuing a JAB P-ATO or an Agency ATO, and highlight the CSP’s strengths and weaknesses. The Executive Summary also asks 3PAOs to describe the risks associated with interconnections and with external systems and services that are not FedRAMP Authorized. Organizations should make sure the final Executive Summary is exact, concise, easily understood, and free of any marketing content that promotes their products or services.
12. Complete Each Security Control Capability Statement to Include the 3PAO Test Methodology
To successfully complete a RAR, 3PAOs must complete each security control capability statement in every section of the RAR and convey the capability, the supporting evidence, and any missing elements. The capability statement cannot simply be copied from the System Security Plan (SSP); it must fully address the question, and the 3PAO should then indicate how it interviewed, examined, and/or observed the capability in place. Throughout the capability statements, we suggest that a 3PAO answer “yes” only if the answer is consistently “yes.” Partially implemented areas should be answered “no,” with a description of what is missing to achieve a “yes.”
A-LIGN Can Help
Does the FedRAMP certification process seem overwhelming? A-LIGN can help by making the process seamless. As a top five FedRAMP assessor, we understand the FedRAMP journey from readiness to authorization.
Get in touch with us to learn how we can guide you to authorization.
Understanding the New FedRAMP Rev 5 Baselines

At the end of last year, the Federal Risk and Authorization Management Program (FedRAMP) released a draft of their FedRAMP Revision 5 (Rev 5) baselines. Since the inception of the program in 2011, FedRAMP has used NIST (National Institute of Standards and Technology) standards and guidelines to offer standardized security requirements for cloud service providers (CSPs). As such, the forthcoming FedRAMP Rev 5 is based on NIST 800-53 Rev 5, which was released in September 2020.
Read on to discover how FedRAMP Rev 5 compares to Rev 4, next steps for the program, and other relevant FedRAMP updates.
FedRAMP Rev 4 vs. Rev 5: Introducing a threat-based methodology
The most noteworthy difference between FedRAMP Rev 4 and Rev 5 is that FedRAMP has introduced a threat-based methodology to determine which controls to add on to the established NIST 800-53 Rev 5 baselines.
Specifically, FedRAMP evaluated each NIST 800-53 Rev 5 control on its ability to protect, detect, and/or respond according to the methods outlined in the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework v8.2. MITRE ATT&CK is a carefully curated, regularly updated knowledge base covering cyber threat behavior.
Benefits of FedRAMP’s new threat-based approach include:
- Enhanced security against the top threats to federal information systems
- Identification of notable gaps and duplication in security efforts
- Streamlining of the overall FedRAMP authorization process
- Increased potential for reuse of authorization packages across government agencies
Control differences in FedRAMP Rev 4 vs. Rev 5
When NIST 800-53 Rev 5 was released, NIST called it “not just a minor update but rather a complete renovation.” I’ve previously written about how this special publication introduced new control categories with a focus on outcome-based controls as well as a greater emphasis on privacy. Consequently, FedRAMP Rev 5 also provides a “proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States.”
In past revisions of FedRAMP, the number of controls required has been significant, especially at the Moderate and High impact levels. The new threat-based methodology, however, has minimized the number of controls FedRAMP adds on top of the NIST baselines. Listed below are the numbers of additional controls that the FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB) have proposed on top of the NIST 800-53 Rev 5 baselines:
- Low Baseline — 1 additional control
- Moderate Baseline — 17 additional controls
- High Baseline — 22 additional controls
Ultimately, the strategic control selection put forward for FedRAMP Rev 5 will enable a more efficient security authorization process for all parties involved.
Next steps for FedRAMP Rev 5
The draft of the FedRAMP Rev 5 baselines is open for public comment until April 1, 2022. You can provide feedback on the proposed baselines by annotating this document and emailing it to [email protected] before the deadline.
After feedback has been collected from government entities and the federal security community, FedRAMP will review all public comments and update the Rev 5 baselines accordingly. Once these final changes have been made, FedRAMP Rev 5 will be officially published alongside related documentation, guidance, and an estimated compliance timeline.
When FedRAMP Rev 5 is released, it will include Open Security Controls Assessment Language (OSCAL) versions of the updated baselines. FedRAMP uses OSCAL to automate a large portion of security package review. CSPs and third-party assessment organizations (3PAOs) may also use OSCAL to carry out their own self-tests prior to submission. This technology ultimately results in a faster and more accurate validation and authorization process.
Additional FedRAMP updates
FedRAMP announced two important updates at the beginning of this year that I’d also like to highlight. First, the program released an updated Readiness Assessment Report (RAR) Guide and templates that are designed to provide more detailed guidance for 3PAOs in assessing CSPs. After completing a RAR, a 3PAO will attest to an organization’s readiness for the official authorization process. The new guide and templates are designed to reduce complexity and redundancy in the process, as well as provide clearer instructions based on feedback from 3PAOs and CSPs.
The second relevant piece of FedRAMP news is the publication of an updated CSP Authorization Playbook to give CSPs a more comprehensive understanding of what the authorization process entails. This updated playbook exists across two volumes: Volume I details how to prepare for FedRAMP, various paths to authorization, and items to consider prior to getting started. Volume II focuses on the development of a high-quality security package to reduce the need for revisions during the review process, including tips for delivering a coherent, digestible package.
Taking the fast track to FedRAMP
All of the new FedRAMP updates indicate that the program is taking feedback from the federal security community seriously and is actively working to make the authorization process faster and more efficient for everyone involved. That said, change can be difficult to adapt to, especially if you are not deeply familiar with the federal compliance space. I recommend reviewing the Rev 5 controls and guidance now and starting to close any gaps you identify.
Is your organization getting ready to pursue FedRAMP Authorization to Operate (ATO) status now or in the future? A-LIGN is an accredited 3PAO and one of the top FedRAMP assessors in the world based on our in-depth knowledge of federal compliance and hands-on experience helping CSPs get ready to do business with the U.S. government. Visit our website to learn more about our FedRAMP services.
15 Ways to Prevent Data Breaches in Your Organization
Are you feeling safe about your organization’s personal data because of standard security policies and procedures you have in place? Don’t be fooled by a false sense of security. Managing cyber-risk is a multi-faceted, whole-organization effort that requires implementation from the top levels down.
The cost of a data breach increased 10% in the past 12 months, the highest year-over-year increase in the last seven years, according to IBM Security’s 2021 Cost of a Data Breach Report. With remote work expanding out of necessity during the COVID-19 pandemic, cybersecurity is more important than ever: the same report found that remote work as a factor added an average of $1.07 million to the cost of a breach. While security policies and procedures are important in protecting your data, your organization should also consider one largely overlooked area of weakness: human error. Examples of human-error risk factors include:
- Administrator system misconfiguration
- Not updating systems appropriately
- Not managing system patches
- Default password usage
- Default user ID usage
- Lost devices
- Misplaced devices
- Unlocked devices
- Incorrect disclosure procedures
Though this list is not exhaustive, it emphasizes the importance of cybersecurity education for management and employees, so that organizations are able to prevent data breaches caused by human error. Let’s dive into 15 ways your organization can better protect itself against human error and ultimately prevent data breaches.
Security Training & Human Resources
1. Education from the Top Down
It’s no accident that education is the first tip. Individuals in management may think that because they have a seasoned IT security director at the helm, their duties regarding risk mitigation are fully out of their hands. However, ensuring that management and employees fully understand the cybersecurity risks inherent to their organization is essential to mitigating them.
The development of policies and procedures to prevent data breaches is essential, and educating employees both new and old on these policies and procedures is critical. Because the cybersecurity landscape is constantly changing, regularly educating management and employees on updated cybersecurity policies and procedures is necessary in mitigating risk. In addition, your organization should inform employees on new scams or potential new risks as they arise – for example, new phishing scams or websites with potential vulnerabilities.
2. Hire Security-Savvy Employees
Strong security starts with great personnel, which is why the hiring process is important. While individuals with experience can be beneficial to an organization, professionals who have a deep understanding of the current risk landscape can be invaluable to an organization while trying to implement security controls. When recruiting individuals, management should keep in mind that those they hire will play a paramount role in ensuring the security processes and procedures put in place will be followed.
In addition, management should be sure to maintain communication lines with their security and compliance team in order to ensure that all potential threats are being monitored carefully.
3. Develop an Exit Strategy
It’s crucial to create an exit strategy for employees who are leaving your organization. This includes disabling their accounts and rotating any shared credentials they knew, ensuring that computers and personal devices no longer hold sensitive information, and having agreements in place that carry legal repercussions for sharing or using sensitive data.
Limiting Access to Data
4. The Less Data, the Better
Since criminals can only steal information that the organization actually holds, one of the major ways to minimize risk is to limit data availability:
- Don’t collect information that isn’t relevant to your business.
- Reduce the number of places where data is physically stored.
- Purge data early and often.
You prevent data breaches by minimizing the amount of data your organization stores on-premises or in the cloud.
5. Zero Trust
Restrict access of resources to only the people who need them. Every time a user wants to access specific data or a specific resource, the user will need to authenticate and prove who they are.
For example, if a user needs to read the details from a document to do a portion of their job, they will only be granted privileges to read the document; they will not be able to edit or modify that document in any way.
This restriction on privileges is deliberate. A zero-trust architecture applies zero-trust principles to manage workflows and is designed on the assumption that the internal network may already be compromised. This is a unique mental hurdle for many organizations, since most people simply assume that an internal network is protected.
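What "authenticate on every access and grant only read" looks like in code, as an added example (not from A-LIGN): every request carries a short-lived signed token that is re-verified, and authorization is an explicit allow-list of (subject, resource, action) where anything not listed is denied. The HMAC key, the subjects, the resource names and the policy table are constructed for the demo; a production system would hold the key in a secrets store and back the policy with a real authorization service, but the default-deny shape is the point.

```python
"""Per-request authentication plus an explicit, least-privilege allow-list.

Added example (not from A-LIGN). SERVER_KEY, the subjects, the resource names and POLICY
are constructed for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key-replace-with-a-random-secret"  # assumption for the demo


def issue_token(subject, ttl_seconds, now=None, key=SERVER_KEY):
    """Mint a short-lived token for `subject`, authenticated with HMAC-SHA256."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "exp": now + ttl_seconds}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify_token(token, now=None, key=SERVER_KEY):
    """Return the subject if the token is authentic and unexpired, otherwise None."""
    try:
        b64body, b64tag = token.split(".")
        body = base64.urlsafe_b64decode(b64body)
        tag = base64.urlsafe_b64decode(b64tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare; any tampering fails here
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["exp"] <= now:  # an expired token is never trusted, regardless of signature
        return None
    return claims["sub"]


# Explicit allow-list of (subject, resource) -> permitted actions. Anything absent is denied,
# which is the least-privilege default the passage above describes: alice can read the
# document but cannot edit it.
POLICY = {
    ("alice", "doc:quarterly-report"): {"read"},
    ("bob", "doc:quarterly-report"): {"read", "write"},
}


def authorize(token, resource, action, now=None):
    """Every request re-proves identity and is checked against POLICY; nothing is implicitly trusted."""
    subject = verify_token(token, now)
    if subject is None:
        return False, "unauthenticated"
    if action in POLICY.get((subject, resource), set()):
        return True, subject
    return False, "forbidden"


if __name__ == "__main__":
    t = issue_token("alice", ttl_seconds=300)
    print(authorize(t, "doc:quarterly-report", "read"))   # (True, 'alice')
    print(authorize(t, "doc:quarterly-report", "write"))  # (False, 'forbidden')
```

Note that the location of the caller never enters `authorize`: a request from inside the corporate network is evaluated exactly like one from the internet, which is the practical meaning of assuming the internal network is already compromised.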
6. Purge Your Data Properly
It isn’t enough to simply purge your data. Getting rid of sensitive data in the appropriate fashion is the other half of the battle.
Too often, employees think they have gotten rid of all their data when they delete the files on their desktop, without realizing that other copies of those files remain elsewhere on the computer. By teaching employees proper data disposal techniques, you minimize the risk of that data getting into the wrong hands.
The Impact of Remote Work
7. Monitor Your BYOD Programs
BYOD, or Bring Your Own Device, is a program in which employees use their own technology (computers, tablets, cell phones, etc.) for work. Many organizations allow this type of program so that employees can use technology they already understand well, which reduces training time and increases productivity. Oftentimes, BYOD happens unintentionally as more of the workforce operates remotely and has daily access to their own devices.
However, one of the major risks is that employees do not feel they need to follow organizational policies when they are using their “personal” device. While the device may be used for both work and fun, sensitive company data is still readily available on it.
In addition, these programs leave IT administrators frustrated, as they have to understand necessary updates and patches for a litany of different devices instead of just a few.
By implementing strong BYOD policies that require employees to fully understand the risks inherent in using their own devices, organizations are far better able to prevent data breaches from happening. These programs should emphasize or consider:
- Password and device-encryption requirements
- Update and patch requirements
- Lost or misplaced device notification for emergency response and remote data-wiping
- Utilization of tracking software
- Establishment of secure app workflows
- Anti-malware software
- Jailbreak prevention
- Sandboxing
- Device partitioning
Appropriate BYOD management and policies allow the program to work successfully, instead of becoming a pain point for the organization.
8. Secure Your Networks
Employees are constantly on mobile devices, and oftentimes have their devices set to “Automatically Connect” to the closest Wi-Fi available. This leaves security professionals floundering, as there have been more than a few rogue Wi-Fi “hot spots” set up to capture sensitive information from the devices that connect to them.
Ensure the security of your network traffic by investing in a personal or corporate VPN, so that all data in transit is encrypted at the source before it ever reaches an untrusted network.
IT’s Role in Security
9. Update Software with All Patches and Updates
Software companies are constantly updating their products in order to ensure that they remain secure for use. Outside parties are constantly finding new vulnerabilities in that software, and patches and updates allow organizations to ensure that these vulnerabilities do not affect their business functions. Security and IT teams should not only be aware of the latest software versions but also actually apply all patches and updates.
10. Develop “Appropriate Usage” Guidelines for Company Technology
Educate employees on the appropriate usage of organizational technology. This includes when, where and how to log in to accounts, how to check that their connection is reliable and secure, and when not to use their devices at all.
11. Hold Outside Vendors to the Same Standards
By only working with organizations that hold the correct security and regulatory designations, you are able to prevent data breaches by ensuring all of the appropriate controls are in place. While it may be cheaper to hire organizations that hold no designations, or that operate outside of governing bodies with strict regulation, that saving is small compared with the customers lost due to a data breach.
At the end of the day, if your vendor makes a mistake, it is your clients who are on the line, not just theirs.
Preparedness & Disaster Recovery
12. Prepare for the Worst
Establishing a disaster management plan allows your organization to be prepared if the worst were to happen. While all of your preparations help you prevent data breaches, your risk is never fully mitigated. Being prepared ensures that each member of your team understands their role in containing a breach and avoiding unnecessary customer backlash.
A-LIGN’s Ransomware Preparedness Assessment service reviews your risk, security preparedness and existing controls using the NIST Cybersecurity Framework. This assessment allows A-LIGN’s experts to identify gaps in your organization’s cybersecurity plan, uncover vulnerabilities through penetration testing and social engineering, and ensure you know how to respond if an attack occurs.
13. Test Out Your Disaster Management Plan
Put your breach protocol to the test with a mock disaster. See how well your team is prepared for a potential breach and troubleshoot problems with your protocol before it becomes a reality.
14. Audit Your Organization Regularly
By auditing your team on their practices, you are able to see where there are potential problems that could lead to future breaches. This allows your organization to modify policies and protocols prior to an issue.
15. Notify Early and Appropriately
If your team even vaguely believes that there was a potential data breach, communicate with your organization’s security management team and notify the appropriate authorities immediately.
The sooner your team is able to respond to an incident, the greater the chance of managing the potential damage to your organization and its clients. Reporting unusual or suspicious activity promptly is often the difference between a major breach and a minor one.
Taking Steps Toward a Fully Secure Organization
I have found that most organizations begin with a combination of VPN and multi-factor authentication, or they adopt a zero-trust architecture, but that is only the start. Every organization needs to understand its own architecture in order to identify its threat surface. Penetration testing can also help to identify and highlight some of these risks.
Ultimately, it comes down to the importance of knowing where your assets reside, and implementing the appropriate security training, policies and procedures needed to protect them.
Avoiding Common FedRAMP Pitfalls

You may have heard that achieving Authority to Operate (ATO) under the Federal Risk and Authorization Management Program (FedRAMP) is a complicated and time-consuming undertaking. This is likely based on the experience many cloud service providers (CSPs) have when they dive into FedRAMP headfirst without taking the time to plan and prepare for what is undeniably a rigorous endeavor.
Keep in mind that the objective of FedRAMP is to ensure that CSPs are providing secure products so the Federal Government can deliver its services more safely and effectively. It’s understandable that the process is rigorous, but organizations that take the time to prepare will have a smoother experience than those that don’t.
There are some common mistakes and misconceptions that are worth addressing to help your CSP business plan for a less stressful, more efficient path to FedRAMP ATO status. The information in this article assumes that your organization is pursuing agency authorization rather than Joint Authorization Board (JAB) authorization, as this is the route the majority of CSPs take. With that in mind, here are some of the common pitfalls and some suggestions to facilitate the process.
Pitfall #1: Assuming FedRAMP Will Be a Quick and Easy Process
Even if your organization has been through other cybersecurity compliance audits in the past, and you feel confident in your current security posture, that doesn’t mean you will be able to breeze through FedRAMP. Accept that there are many gaps that will need to be filled because FedRAMP security standards are much more prescriptive compared to a more general security assessment, like SOC 2.
That said, you should absolutely view past audit and assessment experiences as stepping stones that can help your FedRAMP journey. For example, our client AchieveIt noted that because they had been through a SOC 2 Type II assessment, they understood much of the language and baseline requirements for FedRAMP, and had solid basic policies and procedures in place.
The company also had a robust security policy that was built out to follow certain ISO standards. While it did require modifications and enhancements for FedRAMP, having that existing security policy helped them have more informed conversations with their agency sponsor and the FedRAMP Program Management Office (PMO).
You’re not expected to be a FedRAMP expert, so my top tip for wrapping your head around the process is to ask a lot of questions of everyone. This includes your third-party assessment organization (3PAO), your advisor, your agency, the FedRAMP PMO, and your own staff. I also highly recommend looking through FedRAMP’s official library of training resources and their FAQ.
Pitfall #2: Overlooking the Benefits of Control Inheritance
In the world of cybersecurity compliance, it often pays to work smarter versus harder. Let me be clear that this doesn’t mean you should look for shortcuts or ways to “hack” FedRAMP. This will inevitably disrupt the process and everything will end up taking longer than necessary. However, there are some established techniques that can be used to expedite FedRAMP (and even lower associated costs).
For CSPs, inheriting as many security controls as possible from your underlying infrastructure provider can help reduce some of the preparation work for your FedRAMP authorization. That’s why it’s ideal to have your product hosted on a platform (IaaS or PaaS) that is FedRAMP authorized. Most of the major IaaS/PaaS providers have a FedRAMP authorization at either a Moderate or High Impact level. For example, a SaaS provider hosted on Azure or AWS won’t have to spend as much time and resources on control implementation and testing activities for those inherited controls.
When a CSP does not use a FedRAMP-authorized service and opts to manage their own servers and operating systems, control inheritance is not an option. Such an organization must include their infrastructure and platform within their authorization boundary.
While leveraging FedRAMP-authorized services may not be an option for every organization architecturally, I recommend moving in that direction wherever possible. It’s worth checking whether any tools in your stack are FedRAMP-authorized, since most providers make this information publicly available. With the recent emphasis on supply chain risk management, third-party and external services and systems are an area of particular concern for FedRAMP, which must ensure that federal data and metadata are protected at all times.
Pitfall #3: Underestimating the Power of Automation
The FedRAMP PMO and JAB have been working with the General Services Administration’s (GSA) Technology Transformation Services (TTS) arm to automate many security authorization processes. Because automation has become a key tenet of FedRAMP’s efforts to make processes more efficient and reduce the burden on CSPs, I advise you to investigate all available options.
A cutting-edge compliance management platform can help your organization automate and streamline tedious and unnecessarily laborious tasks. For example, an end-to-end platform such as A-SCEND can centralize evidence collection across all audits and assessments so you don’t need to upload the same documents multiple times.
To that point, FedRAMP has been working with the National Institute of Standards and Technology (NIST) for several years to develop the Open Security Controls Assessment Language (OSCAL), “a standard that can be applied to the publication, implementation, and assessment of security controls”. OSCAL can help decrease the amount of time it takes to review security packages, as well as allow CSPs and 3PAOs to carry out their own self-tests prior to submission.
I suggest that you read this recent announcement regarding OSCAL validation rules to learn more about how this open source language increases opportunities for automation and accelerates handoff between key players through the FedRAMP ATO process.
Key Takeaways
While there’s no denying that the road to FedRAMP ATO can be complex and, at times, confusing, don’t fall victim to the myth that this process is inherently painful or overwhelming. Like virtually all areas of compliance, it comes down to having the right people, processes, and technology in place to facilitate transparency, accountability, and efficiency across the entire journey.
Is your organization pursuing FedRAMP Ready and/or a FedRAMP Authorized status? As a top accredited 3PAO for FedRAMP, A-LIGN has the knowledge and skills necessary to perform these security assessments.
Defining Compliance Terms: Accreditation vs. Certification, Policy vs. Procedure, and More
Do you ever feel a bit confused by some of the language used in the world of compliance? You’re not alone. For those outside of the industry, it can be difficult to tell which words and phrases are essentially synonymous, and which seem similar but actually have completely different definitions. What’s the difference between accreditation vs. compliance? Or certification vs. attestation? How do you explain controls versus requirements to stakeholders in your organization?
Read on for answers to those questions and more as we demystify some of the most frequently confused and conflated terms in compliance.
Certification vs. Authorization vs. Accreditation vs. Compliance
Certification
A certification is the document that many people picture when they think about the end result of verifying compliance. Because certification is issued by a third-party entity, it enhances trust in an organization’s compliance with certain rules or standards. At A-LIGN, we can help organizations earn the most requested certifications, including ISO 27001, ISO 27701, ISO 22301, HITRUST, CMMC (when it is released), and others.
The forthcoming Cybersecurity Maturity Model Certification (CMMC) program will be an example of a certification to prove that organizations have adequate controls and processes in place to protect federal information.
Authorization
The concept of authorization exists primarily within the federal compliance space. Authorization means that an organization has been given the green light to do business with a federal agency. Due to the sensitive nature of government-related information, the assessment and authorization process entails a comprehensive evaluation of information system policies, security components, various documentation, and additional safeguards.
With FISMA (RMF), FedRAMP and StateRAMP, the assessment culminates in an official authorization package that provides the authorizing government agency or agencies with all the information they need to make a risk-based decision. If the level of risk is determined to be acceptable, the organization is granted an authorization to operate, typically through an Authority to Operate (ATO) letter signed by the agency’s Authorizing Official (AO).
Compliance
Sometimes, a certification for a compliance standard does not exist, as is the case with SOC 1 and SOC 2. Though you will often see the term “SOC 2 certification,” that statement isn’t really accurate. With SOC 2, an organization undergoes an assessment resulting in an attestation report, which demonstrates compliance. In an attestation report, the third-party assessor documents a conclusion about the reliability of a written statement for which the organization being assessed is responsible.
In some cases, such as NIST 800-171 or NIST 800-53 frameworks like FISMA (when used for internal compliance purposes), self-attestation of compliance is the only option. For increased reliability, you can leverage an independent third-party assessment organization such as A-LIGN to help guide you through the self-assessment process.
Compliance is the overarching concept to which all of the terms discussed here are related, and it simply means that your management system fully adheres to, or is compliant with, the requirements of a given standard or regulation. Oftentimes, an organization asserting that it is compliant with a standard is not enough: prospects, customers, or partners may want to see official proof that its compliance has been tested and confirmed by an independent third party. For example, a SOC 2 report can be shared as proof of compliance after a non-disclosure agreement has been signed by both parties. A SOC 3 report, by contrast, is meant to be shared publicly and placed on your organization’s website.
Accreditation
In the context of compliance, accreditation refers to the status of a certification body (CB) that has been thoroughly tested and vetted so they may provide a high level of assurance in the certifications they award. In other words, accreditation means that an organization is qualified to perform certain compliance assessment services.
For example, A-LIGN is an ISO 27001 and ISO 22301 official certification body that is accredited through the ANSI-ASQ National Accreditation Board (ANAB). This means when an organization receives an ISO certification through us, they can call it an “accredited certification.” When a CB has not been approved by a national accreditation authority, the “unaccredited certifications” they issue may not be accepted under some circumstances, such as contractual requirements. This can mean that an organization must re-do the work to earn an accredited certification.
Audit vs. Assessment
Often used interchangeably in conversation, there is a difference between cybersecurity compliance audits and assessments. An audit essentially captures a snapshot of compliance at a certain point in time and is an evaluation of IT and security performance against certain controls, specifications, or guidelines. An assessment, on the other hand, provides a higher-level overview of cybersecurity maturity, and often includes an audit as the final stage of the process.
By taking a deeper look at all the factors that impact the area being assessed, an assessment can help an organization understand the areas they need to focus on improving. Because security posture and effectiveness can drift between audits, we find organizations that conduct internal self-assessments on a regular basis will move through an external assessment or audit more smoothly and efficiently.
It’s worth noting that in the federal compliance space, the term audit is typically not used; assessment is the preferred nomenclature. The official NIST glossary defines audit as:
“(The) independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.”
NIST defines assessment as:
“The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.”
Policy vs. Procedure
It’s important to make the distinction between these two interconnected concepts that come up frequently in compliance. Policies are the overarching principles that guide how you make decisions and operate on a day-to-day basis. A policy can be thought of as a framework that expresses the why behind certain tactics and objectives. Keep in mind that policies aren’t set in stone and carry a degree of flexibility, meaning they can and should be updated as the company evolves and expands.
Procedures describe, in detail, the steps that should be taken in specific situations. They have a defined beginning and end, and are often repeated to achieve certain outcomes. Procedures are more about the how related to a certain area of compliance. For a more detailed look at how policies and procedures work together, check out What Are the Top Policies and Procedures Needed for a SOC 2 Audit?
Requirements vs. Controls
When learning about the details of a given compliance audit or assessment, you may see the terms “requirement” and “control” used in similar contexts and wonder what the difference is. Both terms are used to describe certain processes, procedures, or activities that an organization may have to perform to manage cybersecurity risk.
The key difference here is that requirements are mandatory (e.g., a regulation, law, contractual commitment, or policy) while controls are typically not. Controls are the procedures and preventive measures that an organization executes to address an identified risk. By mapping controls to specific requirements, organizations can identify similarities across various control sets and requirements and design strategies to streamline their efforts, saving time and resources. A Master Audit Plan (MAP) is a valuable tool for pinpointing areas of overlap across frameworks so you can map controls more efficiently.
In federal compliance, the control is the risk-reducing mechanism and the requirement is the requisite value for that control (e.g., data retention). A given control’s requirement can change depending on the compliance standard. For example, FISMA has a data retention requirement of at least three years while the HIPAA requirement is a minimum of six years.
Building Trusting Relationships Through Compliance Marketing
As you continue to learn more about compliance and the nuances of different concepts and topics, we suggest you leverage a strategic compliance partner to guide you to success. More than 2,500 global organizations trust A-LIGN to assist them in managing and reducing cybersecurity risks.
We deliver a unique single-provider approach as a:
- Licensed SOC 1 and SOC 2 Auditor
- Accredited ISO 22301, ISO 27701, and ISO 27001 Certification Body
- HITRUST CSF Assessor Firm
- Accredited FedRAMP 3PAO
- Candidate CMMC C3PAO
- PCI Qualified Security Assessor Company
If you are in need of a strategic compliance partner capable of addressing every step of your audit or assessment across the scope of each major framework, A-LIGN is here to help.
An Inside Look at Vendor Risk Management Programs
In the past year, we’ve seen new privacy legislation introduced throughout the world. At the same time, the number of data breaches grew significantly from 2020 to 2021. In 2022 and beyond, we expect more of the same. Cybersecurity and privacy concerns are increasingly becoming top of mind for companies across all industries. These concerns are exacerbated by new threats to remote-first workforces and the looming threat of downtime, financial loss, and reputational damage that can occur from a cybersecurity incident.
Companies have long sought to mitigate their own risk through certifications like ISO 27001, compliance with regulations like GDPR, or by conducting risk assessments and penetration tests to strengthen their cybersecurity posture. But now, we’re seeing a shift in the ecosystem.
For service and technology providers, a growing number of customers are demanding providers step up their security efforts and participate in vendor risk management programs to ensure cybersecurity and data privacy efforts extend to the provider’s network of partners and other third-party vendors as well.
What is a Vendor Risk Management Program?
Vendor risk management (VRM) programs present a formal way for companies to evaluate and measure risks associated with using third-party services and IT suppliers. It’s a way for companies to ensure that linking their systems with a provider’s does not expose them to any threats that would negatively impact business performance or cause disruption. It’s also a way for partners to ensure that service providers aren’t opening the door to any new threats when onboarding and working with new customers.
Vendors are now an extension of internal teams and must be evaluated as such. Risks to a vendor’s business can create a butterfly effect for partners and result in major damage to a network of customers. As a result of this shift, partners are holding each other accountable and to a higher standard.
This new standard has led to a significant rise in the number of vendor risk management programs being implemented. It’s a sign of the times: More companies are becoming aware of the threat landscape and more deliberate in how they manage their own vendor risks. Plus, with the rise of globalization and cloud services, reliance on third-party vendors to execute major components of a business’s operations is more critical than ever.
The Rise of Vendor Risk Management Programs
What prompted this rise in awareness? Beyond the rise in cybersecurity incidents (and rise in reporting of such incidents across news outlets), three things brought cybersecurity and privacy to the top of everyone’s mind this past year:
- An increase in privacy-related legislation
- The prolonged shift to remote work
- A rise in turnover driven by “The Great Resignation”
1. Privacy Legislation
Data privacy has been a top priority for regulators over the past few years. From the introduction of GDPR in the European Union to LGPD in Brazil, and many state-by-state laws within the U.S., the consequences for improper protection of customer data are at an all-time high. Organizations that store and use customer data are at risk of paying hefty regulatory fines if that information is not properly protected. Therefore, when evaluating vendors, especially those who will also have access to customer data, it’s become even more important to select partners who have sufficient data protections in place. After all, if a data leak or breach were to occur as a result of poor security practices through a partner, the responsibility would fall on your organization’s shoulders as the primary provider.
2. Shift to Remote Work
Remote work presented an interesting challenge for security professionals. It forced security teams to place an increased emphasis on educating employees about threats — like phishing scams and accessing private networks in public spaces.
But it also presented an opportunity for many cybersecurity professionals to reassess how their networks are accessed (and by whom) and which services are most essential to conducting business. As those services are evaluated, so too are the security threats associated with them.
3. Turnover and “The Great Resignation”
Employee turnover proved to be another area that forced security professionals to re-evaluate their systems and processes. “The Great Resignation” ushered in a wave of turnover that left companies with gaps in institutional knowledge at various levels and a lack of resources to execute on pre-existing strategies. Experiencing turnover within their own organizations brought awareness to many companies about how similar employee turnover at their vendor organizations could trickle down and impact business continuity, and thus the security of a vendor’s link to their own internal systems.
What Does This Mean for Service Providers?
These factors have created somewhat of a perfect storm, alerting companies to the risks of working with third parties and creating more urgency to implement systems that address and mitigate that risk. As a result, service providers will likely face an increased burden in 2022 to furnish additional attestation and certification documents to comply with each customer’s own vendor risk management programs. Some customers will request standard documentation — like the ISO 22701 certification or a SOC 2 attestation — while others may layer on custom requirements for vendors based on the specifics of their relationship and business. Service providers can also expect to spend more time reporting back to customers as they implement new processes for ongoing oversight of vendors.
With custom risk management and reporting requirements for each customer, the administrative oversight of simply doing business can become much more burdensome on service providers. To ease that burden, rely on experts like A-LIGN to ensure you are up to date with the necessary audits, attestations, and data privacy best practices.