There are a lot of very strong feelings about the Federal Risk and Authorization Management Program (FedRAMP) amongst cloud service providers (CSPs). I see it on LinkedIn all the time: highly qualified security folks who don’t see the point of FedRAMP and would rather it just go away.
On the other hand, there are those who see the overall need for requirements around protecting federal data but take issue with the program’s perceived rigidity. These discussions often criticize requirements such as:
- Mandating credentialed scans on every production host.
- The use of Federal Information Processing Standards (FIPS)-validated cryptographic modules.
- Reporting incidents to United Stated Computer Emergency Readiness Team (US-CERT) within the hour.
- Documenting formal policies, procedures, and a formal governance structure, etc.
In fact, few security practitioners outside the Washington, DC beltway make it a point to evangelize the security value of implementing FedRAMP baselines.
I would venture to say that FedRAMP critics are mistaking the forest for the trees. Required or not, it would be good practice for CSPs to embrace the FedRAMP baselines as a core part of their security programs.
Let me illustrate with a famous quote from former U.S. Secretary of Defense Donald Rumsfeld:
There are known knowns; there are things we know we know. We also know there are known unknowns… we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.
Politics aside, it’s an interesting concept, rooted in the Johari Window framework. This is a tool in psychology that helps people become more aware of their own conscious and unconscious biases.
The Johari Window has been used within Department of Defense circles for decades for risk management and strategic planning. Risk management is fundamental to security, so the Johari Window concept provides a key insight into unlocking the true security value of the FedRAMP program.
FedRAMP Identifies the Known Knowns for Security Compliance
Adopting an appropriate FedRAMP baseline provides assurance that all known knowns are understood and agreed to by all stakeholders. In this context, here are some examples of known knowns:
- There are different types of data that require different degrees of protection, which in turn carry associated expenses.
- Every single system can ultimately be reduced to a trackable list of hardware, firmware, or software components.
- All hardware, firmware, and software present vulnerabilities.
- Security tools must be configured properly to be effective.
- Some cryptographic modules are fundamentally stronger than others.
In a world saturated with risk, from advanced persistent threats (APTs) to natural disasters, organizations that do not implement security best practices commensurate to the sensitivity of their data will fail – period.
Effectively managing known risks is why adopting a cybersecurity baseline is critical – and it’s exactly what the FedRAMP baseline is designed to address.
FedRAMP Continuous Monitoring Tracks the Known Unknowns
FedRAMP’s Continuous Monitoring Strategy Guide requires a plan of actions and milestones (POA&Ms) that account for every planned control implementation, unmitigated vulnerability finding, or assessment finding.
In addition, FedRAMP requires CSPs to track the implementation of changes to the baseline itself, which occurs as the threat landscape itself evolves. This best practice ensures that, when unanticipated situations crop up (as they tend to do), the CSP is positioned to address the issue much more effectively than if they were taken completely off guard.
Learn more: Decoding FedRAMP Baselines: Get to Know Low, Moderate, and High Impact Levels for Compliance
Implementing a FedRAMP Baseline is an Effective Security and Compliance Strategy
Lastly, implementing the FedRAMP baseline reduces risk from unknown unknowns. Preparing for unknown unknowns is a risk in and of itself, due to the implicit nature of preparing for something that is, well, unknown. Traditional risk measurement techniques such as impact vs. likelihood fall short here, because it’s simply impossible to measure something you don’t know.
For instance, I don’t think CSPs ought to have a POA&M accounting for the possibility that aliens use hyperadvanced technology to hack into their relational database service (RDS) instance. That’s because the only way you can reduce risk in instances like this is through resilience: FedRAMP baselines require a robust incident response and contingency plan and training schedule, which is tested at least annually with red-team exercises that simulate an actual event (side note – if anyone wants to pay me to simulate a “red team” alien attack on an RDS instance, please reach out).
So – far from being a burdensome and worthless “paperwork exercise,” the intelligent adoption of the FedRAMP baselines to manage risk frees up CSPs from having to be reactive all the damn time.
In fact, CSPs can reduce overhead compliance costs and time to market challenges by leveraging automation opportunities such as OSCAL-based compliance artifacts. This way, CSPs can instead dedicate their resources to innovation, growth, and all that other good stuff that companies want to achieve.
FedRAMP isn’t perfect, but there is much security value to be gained by implementing it. Let 38North Security help your organization unlock that value by partnering on difficult compliance challenges.
Featured image: AJ Justo for UX Collective
