A Standardized Approach to FedRAMP Compliance for Complex Cloud Service Providers

Cloud Service Providers (CSPs) are scaling at faster rates in response to cybersecurity-focused Executive Orders, directives, and laws. Federal mandates, such as the Federal Risk and Authorization Management Program (FedRAMP), have served as catalysts for public sector cloud adoption as government entities continue to modernize their Information Technology (IT) infrastructure.

However, the speed at which CSPs acquire and/or develop new Cloud Service Offerings (CSO), coupled with executive-level pressures and limited IT budgets, can lead to siloed approaches to FedRAMP compliance within a single CSP organization. A standardized methodology is needed to harmonize compliance initiatives at the enterprise-level, and mitigate the redundancies, inefficiencies, and inconsistencies introduced by siloed approaches.

Towards an Enterprise-Level Approach to FedRAMP Compliance

Rather than pursuing an Authority to Operate (ATO) individually, CSO project teams should adopt a unified approach to FedRAMP compliance. CSPs should define, and mandate the use of, a methodology that standardizes security control implementation, assessment, authorization, and continuous monitoring. The methodology should be repeatable, have executive-level support, and include the following components:

  • A set of Common Controls (CC) inheritable by one or more CSO within a CSP organization.
  • A FedRAMP-authorized, CSP-owned and operated General Support System (GSS) that contains the CCs.
  • Dedicated support teams responsible for:
    • Implementing, maintaining, and managing the CCs.
    • Developing and maintaining actionable handbooks that each contain guidance for implementing a subset of the CCs.
    • Assisting CSOs with CC implementation in accordance with the handbooks.
  • An established gap analysis process that:
    • Identifies CC inheritance.
    • Assesses compliance with non-inheritable controls.
    • Identifies and maps weaknesses to actionable security recommendations.
  • Templates for all FedRAMP-mandated security documentation where a FedRAMP template does not exist (e.g., Incident Response Plan (IRP), Configuration Management Plan (CMP), control family policies and procedures, etc.).
  • An established process for engaging the support teams and executing the CC handbooks in chronological order that includes:
    • An assigned onboarding specialist per CSO who is familiar with the CCs, GSS, support teams, and FedRAMP process.
    • A RACI chart (e.g., Responsible, Accountable, Consulted, and Informed) defining the roles and responsibilities of all project stakeholders (e.g., project teams, program managers, support teams, Compliance Team, etc.) to help eliminate duplicative efforts.

CSO teams can utilize the methodology outlined above to obtain an ATO in one of two ways:

  1. By either utilizing the FedRAMP Significant Change Request (SCR) process to integrate with the GSS; or
  2. By pursuing an individual ATO while still leveraging the Common Controls offered by the GSS.

In either case, the engineering level of effort and assessment scope per CSO is drastically reduced, resulting in huge cost savings for the CSP.

Actionable Documentation Managed by Focused Teams

To facilitate an enterprise approach, CSPs should organize FedRAMP-required policies, procedures, and CC implementation guidance into actionable handbooks. The CSP should establish dedicated support teams each responsible for implementing, maintaining, and managing a subset of the CCs as documented by their assigned handbook. Each CSO project team would then engage the support teams in a specified order to facilitate a seamless integration with the GSS or adoption of the Common Controls.

For example, CSOs would coordinate with the applicable team to establish user accounts, roles, and permissions prior to requesting access to their system environment. An assigned onboarding specialist should monitor every step of the process and provide troubleshooting assistance, compliance advisory, and coordination between support teams, project teams, program management, and governing bodies such as the FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB).

Back to the FedRAMP Future

The standardization and success (measured in cost and time savings) of a CSP’s FedRAMP compliance program is contingent upon the successful development and implementation of an enterprise-level methodology (as outlined previously). The concepts of Common Control packages and General Support Systems are not new. However, their adoption becomes more challenging as CSPs scale in both Cloud Service Offerings and organizational complexity.

To address these challenges, CSPs can adopt this proposed methodology to streamline the authorization process. The establishment of dedicated support teams, CC handbooks, and a sequential workflow guided by an onboarding specialist will lead to quicker production deployments, security package development, and delivery of new services to the public sector.

About the Author