Eight Things CSPs Need to Know About FedRAMP When it Comes to Security Engineering

Larry Spector
Michael Bays

Understanding key aspects of FedRAMP compliance and security engineering can help cloud service providers (CSPs) effectively navigate the FedRAMP process and ensure the security of their cloud services for government customers. As a CSP, here are eight things you need to know.

1 – The “impact level” of your offering affects the level of security that it will be required to attain 

  • Low: Loss of confidentiality, integrity, and availability would have a limited adverse effect on an agency’s operations, assets, or individuals. 
  • Tailored Li-SaaS (Low Impact Software as a Service): This is a subset of Low for applications that do not store personally identifiable information (PII) beyond what is generally required for login capability (i.e., username, password, and email address).
  • Moderate: Accounts for the majority of solutions. This is most appropriate when the loss of confidentiality, integrity, and availability would result in serious adverse effect on an agency’s operations, assets, or individuals. 
  • High: Usually used in law enforcement and emergency services systems, financial systems, health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.   

Learn more: Decoding FedRAMP Baselines – Get to Know Low, Moderate, and High Impact Levels for Compliance

2 – Continuous monitoring is non-trivial 

Part of the assessment process includes scanning and remediation of the in-scope systems. Once an authorization has been granted, the CSP’s security posture must be monitored according to the assessment and authorization process. Failure to comply with this requirement can result in suspension or revocation of the Authority to Operate (ATO). These ongoing assessments are to ensure that the security controls which were in place at the time of assessment remain effective in the face of new exploits and attacks. Repeat assessments also ensure that changes to the system and environment do not have an adverse effect on the security posture.  

Focus areas include, but are not limited to: 

  • Vulnerability scanning, host- and network-based
  • Intrusion detection 
  • Vulnerability remediation in a timely fashion, based on the risk level of any findings
  • Account management to automatically disable unused and unnecessary user IDs
  • System/application event auditing  
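As an added illustration of the "timely remediation" item above (example code written for this article, not a FedRAMP tool or anything from the referenced guides), the following Python tracks findings across consecutive scans and flags those whose remediation window has elapsed. The window lengths, host names and check identifiers are constructed assumptions; the binding deadlines come from the Vulnerability Scanning Requirements document referenced below.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Remediation windows in days per risk level. Assumed defaults for this example;
# the binding values come from FedRAMP's CSP Vulnerability Scanning Requirements.
REMEDIATION_WINDOW_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str         # scanned asset inside the authorization boundary
    plugin_id: str    # scanner check identifier (constructed values below)
    risk: str         # "high", "moderate" or "low"
    first_seen: date  # date the finding first appeared in any scan


def due_date(f: Finding) -> date:
    """Deadline counted from first detection, not from the latest rescan."""
    return f.first_seen + timedelta(days=REMEDIATION_WINDOW_DAYS[f.risk.lower()])


def reconcile(tracked: list, scan: list) -> list:
    """Merge a new scan into the tracked set: findings that persist keep their
    earliest first_seen (a rescan must not reset the clock); findings the scan
    no longer reports are dropped as remediated; new ones start their window."""
    prior = {(t.host, t.plugin_id): t for t in tracked}
    merged = []
    for f in scan:
        seen = prior.get((f.host, f.plugin_id))
        merged.append(replace(f, first_seen=seen.first_seen) if seen else f)
    return merged


def overdue(tracked: list, today: date) -> list:
    """Findings whose remediation window has elapsed, longest overdue first."""
    return sorted((f for f in tracked if due_date(f) < today), key=due_date)


# Constructed sample: two scans of a small boundary about a month apart.
SCAN_1 = [
    Finding("web-01", "check-A", "high", date(2024, 1, 2)),
    Finding("web-01", "check-B", "moderate", date(2024, 1, 2)),
    Finding("db-01", "check-C", "low", date(2024, 1, 2)),
]
SCAN_2 = [  # check-B was fixed; A and C persist; D is new
    Finding("web-01", "check-A", "high", date(2024, 2, 5)),
    Finding("db-01", "check-C", "low", date(2024, 2, 5)),
    Finding("db-01", "check-D", "high", date(2024, 2, 5)),
]

if __name__ == "__main__":
    for f in overdue(reconcile(SCAN_1, SCAN_2), date(2024, 2, 5)):
        print(f"OVERDUE {f.host} {f.plugin_id} ({f.risk}) due {due_date(f)}")
```

Feeding each new scan through reconcile before running overdue is what keeps the POA&M clock honest: a host that still shows the same finding next month is aged from January, not from the rescan date.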

References:

https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf

https://www.fedramp.gov/assets/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf

https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Performance_Management_Guide.pdf

3 – Incident response and reporting must be part of normal operations

CSPs need to have a comprehensive incident response plan that covers preparation, detection and analysis, containment, eradication, and recovery. All of this needs to be tested regularly and updated based on new threats. CSPs must be prepared to respond to and mitigate breaches while at the same time communicating with stakeholders, including the federal agencies they serve. CSPs must report all incidents, meaning any suspected or confirmed event that results in the potential or confirmed loss of confidentiality, integrity, or availability of assets or services within the authorization boundary.

Some critical vulnerabilities, such as “zero day” exploits, may be considered incidents by FedRAMP or by individual agencies, and must be actioned as such.

References: 

https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf

https://www.fedramp.gov/assets/resources/documents/CSP_Incident_Communications_Procedures.pdf

4 – Configuration and change management processes can actually make things easier 

Configuration management is necessary in order to track, evaluate, and maintain system components so that the system stays in a secure state. When it comes to FedRAMP, CSPs need to establish a baseline configuration, track for unwanted changes, and ensure that changes to the system are logged or recorded.

Leveraging Infrastructure as Code (IAC) will make change tracking easier to document, as well as being a core component in disaster recovery. 

Significant changes, which must be assessed for security impact and approved before implementation, include but are not limited to:

  • new OS versions or variants 
  • use of new external services 
  • changes to security controls 
  • new code releases 
  • boundary changes 
  • tooling changes 
  • location or provider changes

Learn more: 3 Reasons Your Cloud Offering Needs to “Shift Left” on Compliance

Reference: 

https://www.fedramp.gov/assets/resources/documents/CSP_Significant_Change_Policies_and_Procedures.docx

5 – Encryption and data protection requirements can be tricky 

CSPs must develop and follow a strict process when it comes to encryption and data protection. FedRAMP places an emphasis on protecting federal information through encryption and other data protection measures. CSPs must implement encryption for data at rest and data in transit. Following the approved methods from the National Institute of Standards and Technology (NIST) will assist in implementing encryption to protect your data.

FIPS 140-validated or NSA-approved cryptographic modules (CMs) are to be used where cryptography is required. For example, encryption is required for federal data at-rest [SC-28], data in-transit [SC-8(1)], and authentication [IA-2(11)] for FedRAMP Moderate and High systems. Cryptography encompasses more than just encryption. It includes digital signatures, encryption, key management, message authentication, random number generation, and secure hashing. 

In some cases, existing tooling offers a FIPS 140 update or a FIPS mode that can be enabled. Otherwise, it may be necessary to migrate to approved solutions and tools, or to implement them from scratch, in order to meet the requirements.

Reference: 

https://www.fedramp.gov/assets/resources/documents/3PAO_Readiness_Assessment_Report_Guide.pdf

6 – Automation is important 

Automation can effectively manage FedRAMP compliance and help maintain your security posture. Automated tools can help monitor security controls, detect changes to your baseline configurations, and help manage encryption keys. In addition, it’s possible to automate remediation through the application of patches, configuration changes, and system updates. 

Some automation examples include: 

  • Azure Policy: Allows CSPs to define and enforce policies, to assess and remediate non-compliant configurations and issues across the Azure environments.  
  • Azure Defender for Cloud: Offers threat protection and security monitoring capabilities that are essential for FedRAMP continuous monitoring requirements. This tool automates security assessments, provides recommended actions needed in order to remediate vulnerabilities, and monitors the security posture of the environment. 
  • AWS CloudFormation: Allows CSPs to model and provision resources in an automated and secure manner. This is crucial for a rapidly deployed environment that needs to adhere to FedRAMP requirements.  
  • AWS Security Hub: Provides a view of high priority security alerts and compliance status across your AWS environments or accounts. This tool can help automate security checks against specific standards and practices of FedRAMP, making the continuous monitoring manageable.  

7 – Scope matters – don’t overdo it 

According to the CSP_A_FedRAMP_Authorization_Boundary_Guidance_DRAFT:

“An authorization boundary for cloud technologies describes a cloud system’s internal components and connections to external services and systems that will process federal data or federal metadata. All external services that process, store, or transmit federal data or sensitive federal metadata must either be included in the authorization boundary or reside in a FedRAMP authorized system at the same FIPS-199 impact level.”

Scoping the system boundary involves analyzing and determining system configuration baselines, system components, environments, and all of the services that fall under the FedRAMP authorization. With proper scoping, you will be able to cover all aspects of the cloud service and ensure they are assessed for compliance. The main goal here is to avoid oversights that could lead to vulnerabilities, but also to avoid including too much and making the FedRAMP process more complicated as a result.

8 – FedRAMP is an ongoing process, and doesn’t end with authorization 

Achieving a FedRAMP ATO isn’t the finish line; it simply allows the CSP to operate within the FedRAMP program.

Once approved, CSPs still need to continuously monitor their systems, provide regular assessments, and report on security statuses of their services and resources. They must also keep the system components up to date with respect to vulnerability remediation, and make sure that simple changes are documented while significant changes receive proper, documented approval. 

As mentioned earlier, failure to comply with post-ATO requirements can result in suspension or revocation of the ATO.

38North can help with your security engineering and FedRAMP compliance needs. Get in touch with a security expert today. 
