FedRAMP's Hidden Challenges: Tools You'll Need to Succeed

Undergoing a FedRAMP authorization can be a daunting and expensive task, especially for a small business or start-up. You may have budgeted for the independent Third Party Assessment Organization (3PAO) and for the resources needed to support your cloud offering’s functionality. But have you budgeted for the security solutions you will likely need to buy in order to meet FedRAMP requirements?

The unfortunate reality of FedRAMP is that implementing the required controls takes a significant investment in technical capabilities. In this blog post, we explore a few of the capabilities you should budget for, along with the control requirements associated with them at the Moderate baseline. The first four security solutions are called out explicitly in the control text, whereas the last one requires some interpretation.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) verifies a user with two or more authentication factors drawn from different categories. The three categories that count are something you know (e.g. a password or PIN), something you have (e.g. a hardware token or a registered device), and something you are (e.g. a biometric such as a fingerprint). Two factors from the same category, such as a password plus a security question, do not qualify as multifactor.

The FedRAMP controls explicitly state that the system must implement MFA for access to all accounts, whether privileged or unprivileged. Unfortunately, not just any MFA solution meets these requirements. A point that isn’t obvious from the MFA-specific controls is that the MFA solution must use FIPS 140-2 validated cryptographic modules (though some agency authorizations may let you get away with tools that are not FIPS 140-2 validated, such as Microsoft Authenticator or Google Authenticator).

If you plan to use a cloud-based MFA solution, check the FedRAMP Marketplace to confirm that it is FedRAMP-authorized at the same impact level as the information system in scope, or a higher one.

Control ID: Control Name
    Control Requirement

IA-2 (1): IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS
    The information system implements multifactor authentication for network access to privileged accounts.

IA-2 (2): IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS
    The information system implements multifactor authentication for network access to non-privileged accounts.

IA-2 (3): IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTS
    The information system implements multifactor authentication for local access to privileged accounts.

IA-2 (11): IDENTIFICATION AND AUTHENTICATION | REMOTE ACCESS – SEPARATE DEVICE
    The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [FedRAMP Requirement: FIPS 140-2, NIAP Certification, or NSA approval].

Vulnerability Scanning and Code Analysis

Vulnerability scanning and code analysis are important for identifying vulnerabilities and coding issues. To meet FedRAMP requirements, you’ll need a vulnerability scanner that can run authenticated (credentialed) scans of your operating systems and infrastructure, databases, and web applications; unauthenticated scans undercount findings and will not satisfy your assessor. If containers are used within your environment, FedRAMP’s separate container scanning requirements apply as well.

Additionally, while development environments are a bit of a gray area because they can be scoped out of the system boundary, there is a requirement that static and dynamic code analysis tools be used as part of the development process and that their results be documented.

Control ID: Control Name
    Control Requirement

RA-5: VULNERABILITY SCANNING
    The organization:
    a. Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
    b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
        Enumerating platforms, software flaws, and improper configurations;
        Formatting checklists and test procedures; and
        Measuring vulnerability impact;
    c. Analyzes vulnerability scan reports and results from security control assessments;
    d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and
    e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

SA-11 (1): DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS
    The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

SA-11 (8): DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS
    The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
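RA-5 part (d) is where scanning becomes an ongoing cost: every finding starts a clock. The following is an added example, not code from 38North or from any scanner, showing the triage a continuous monitoring team runs over scan output each month: bucket findings by CVSS score, compute the remediation deadline, list what is overdue, and flag hosts that were only scanned unauthenticated. The control text leaves the response times organization-defined; the 30/90/180-day High/Moderate/Low deadlines used here are the ones FedRAMP's Continuous Monitoring Strategy Guide sets and are not stated on this page, so treat them as the assumed policy. The hosts, dates and CVE strings are constructed placeholders, not real vulnerabilities.

```python
"""
Remediation-deadline triage over scan findings.

Added example, not from the 38North post or any scanner. RA-5(d) leaves
response times organization-defined; the 30/90/180-day deadlines below
are FedRAMP's ConMon High/Moderate/Low timelines (not stated on the page)
treated as the configured policy. All findings are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: days allowed to remediate, by severity band.
REMEDIATION_DAYS = {"HIGH": 30, "MODERATE": 90, "LOW": 180}


def severity_from_cvss(score: float) -> str:
    """Bucket a CVSS v3 base score into FedRAMP's three severity bands
    (Critical 9.0+ is tracked on the High timeline)."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MODERATE"
    return "LOW"


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str               # identifier as reported by the scanner (placeholder here)
    cvss: float
    first_seen: date       # date the scanner first reported it; the clock starts here
    authenticated: bool    # credentialed scan? unauthenticated results undercount


def deadline(f: Finding) -> date:
    """Remediation due date for a finding under the assumed policy."""
    return f.first_seen + timedelta(days=REMEDIATION_DAYS[severity_from_cvss(f.cvss)])


def overdue_findings(findings, today: date):
    """(finding, days_late) for every finding past its deadline, most overdue first.
    In a FedRAMP ConMon deliverable these become late POA&M items."""
    late = [(f, (today - deadline(f)).days) for f in findings if today > deadline(f)]
    return sorted(late, key=lambda pair: pair[1], reverse=True)


def coverage_gaps(findings):
    """Hosts whose results all came from unauthenticated scans. Their finding
    list cannot be trusted, so the host itself is the gap to close."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f.authenticated)
    return sorted(h for h, flags in by_host.items() if not any(flags))


# Constructed sample: placeholder hosts and CVE strings, not real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, date(2023, 1, 1), True),    # High: due Jan 31
    Finding("db-01", "CVE-0000-0002", 5.3, date(2022, 11, 15), True),   # Moderate: due Feb 13
    Finding("web-01", "CVE-0000-0003", 3.1, date(2022, 10, 1), True),   # Low: due Mar 30
    Finding("app-02", "CVE-0000-0004", 7.5, date(2023, 2, 20), False),  # High, unauthenticated scan
]

if __name__ == "__main__":
    today = date(2023, 3, 1)
    for f, days in overdue_findings(SAMPLE_FINDINGS, today):
        print(f"{f.host} {f.cve} {severity_from_cvss(f.cvss)} overdue by {days} days")
    print("unauthenticated-only hosts:", coverage_gaps(SAMPLE_FINDINGS))
```

Feeding real scanner exports into `Finding` records is the one piece that varies by product; the deadline and coverage logic does not.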

Malicious Code Protection

Malicious code protection mechanisms protect against malicious code such as viruses, worms and spyware. Per FedRAMP, they must be employed at system entry and exit points, which NIST’s guidance defines broadly to include firewalls, mail and web servers, proxies, remote-access servers and workstations. In practice this means anti-malware software on every operating system instance within the boundary, not just at the network perimeter.

Typically, antivirus software uses signature definitions to identify malicious code. But FedRAMP also requires nonsignature-based detection, such as heuristic or behavior-based analysis that can catch malware for which no signature exists yet. So if your anti-virus product does not provide that capability, you must add an anti-malware solution that does.

Control ID: Control Name
    Control Requirement

SI-3: MALICIOUS CODE PROTECTION
    The organization:
    a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
    b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
    c. Configures malicious code protection mechanisms to:
        Perform periodic scans of the information system [FedRAMP Assignment: at least weekly] and real-time scans of files from external sources at [FedRAMP Assignment: to include endpoints] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
        [FedRAMP Assignment: to include alerting administrator or defined security personnel] in response to malicious code detection; and
    d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

SI-3 (7): MALICIOUS CODE PROTECTION | NONSIGNATURE-BASED DETECTION
    The information system implements nonsignature-based malicious code detection mechanisms.

File Integrity Monitoring

File integrity monitoring (FIM), sometimes referred to as file integrity management, refers to tools that baseline critical files (binaries, configuration, firmware) and detect unauthorized changes to them, typically by comparing cryptographic hashes against that baseline. FIM tools matter because a change to a sensitive file, configuration or application that nobody authorized is often the first visible sign of a breach.

Control ID: Control Name
    Control Requirement

SI-7: SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
    The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
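The mechanics behind SI-7 are simple enough to show end to end. Below is an added example written for this post, not code from 38North or from any FIM product: a minimal monitor that hashes a directory tree into a baseline, diffs a later snapshot to report added, removed and modified files, and seals the stored baseline with an HMAC so an attacker who can edit files cannot also quietly edit the baseline to hide the change. The directory layout, file contents and tampering scenario in `run_demo()` are constructed.

```python
"""
Minimal file integrity monitor: SHA-256 baseline of a directory tree, diff
against a fresh snapshot, and an HMAC seal so the stored baseline cannot
itself be edited without detection.

Added example, not from the 38North post or any FIM product. The tree and
tampering scenario in run_demo() are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped: hash the target in its own right, not via the link."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def diff_baselines(before: dict, after: dict) -> dict:
    """Classify every path as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }


def seal_baseline(baseline: dict, key: bytes):
    """Serialize deterministically and HMAC it. Store the tag (and ideally the
    key and baseline) off-host: tampering with the baseline now requires the key."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_seal(body: bytes, tag: str, key: bytes) -> bool:
    """Constant-time check that the stored baseline has not been altered."""
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag)


def run_demo() -> dict:
    """Constructed scenario: snapshot, then weaken a config, delete a binary,
    and drop a persistence cron job; return what the monitor reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF" + b"\x00" * 64)
        before = build_baseline(root)

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # modified
        (root / "bin" / "agent").unlink()                                    # removed
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")  # added
        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The piece that turns this into a control you can assess is what happens to the diff: it must raise an alert to people, and the baseline must be re-approved through change management whenever a legitimate deployment alters the monitored paths.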

Security Information and Event Management

Security Information and Event Management (SIEM) tools ingest event data from multiple sources across your environment and provide event correlation and analytics. There isn’t a control that explicitly states you must have a SIEM. However, there are a handful of controls that are hard to meet without one.

Manually reviewing all the logs and activity within your environment is tedious and time consuming, and it amounts to looking for a needle in a haystack. Ingesting the data into one central repository such as a SIEM, then configuring detection rules and alerting, lets you manage the volume and quickly identify potential security incidents affecting your environment.

Control ID: Control Name
    Control Requirement

AU-6 (1): AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION
    The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
    Supplemental Guidance: Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7.

AU-6 (3): AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES
    The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
    Supplemental Guidance: Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness. Related controls: AU-12, IR-4.

SI-4: INFORMATION SYSTEM MONITORING
    The organization:
    a. Monitors the information system to detect:
        Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
        Unauthorized local, network, and remote connections;
    b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
    c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
    d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
    e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
    f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
    g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

SI-4 (1): INFORMATION SYSTEM MONITORING | SYSTEM-WIDE INTRUSION DETECTION SYSTEM
    The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

SI-4 (4): INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
    The information system monitors inbound and outbound communications traffic [FedRAMP Assignment: continuously] for unusual or unauthorized activities or conditions.

SI-4 (16): INFORMATION SYSTEM MONITORING | CORRELATE MONITORING INFORMATION
    The organization correlates information from monitoring tools employed throughout the information system.
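What AU-6 (3) and SI-4 (16) mean by correlation is easiest to see in code. The following is an added example written for this post, not code from 38North or from any SIEM: it normalizes two separate repositories, an sshd syslog and an application's JSON audit log, into one event stream and fires a single alert when a source address accumulates failed logins and is then granted access by either system. The log lines are constructed (RFC 5737 documentation addresses), and because syslog omits the year, `SYSLOG_YEAR` is an assumption for the sample; the threshold and window are illustrative rule parameters, not values from the control text.

```python
"""
Cross-repository correlation: normalize sshd syslog and an application's
JSON audit log into one event stream, then alert when a source IP racks up
failed logins and is then granted access by either system.

Added example, not from the 38North post or any SIEM product. Log lines
are constructed (RFC 5737 addresses); SYSLOG_YEAR is assumed because
syslog timestamps omit the year.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SYSLOG_YEAR = 2023  # assumption for the constructed sample

SSH_LOG = """\
Mar  1 10:00:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  1 10:00:03 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  1 10:00:05 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  1 10:00:06 bastion sshd[2215]: Failed password for deploy from 203.0.113.7 port 51025 ssh2
Mar  1 10:00:08 bastion sshd[2217]: Accepted password for deploy from 203.0.113.7 port 51026 ssh2
Mar  1 10:05:00 bastion sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  1 10:05:30 bastion sshd[2301]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

APP_LOG = """\
{"ts": "2023-03-01T10:00:20Z", "src": "203.0.113.7", "user": "deploy", "event": "login_success"}
{"ts": "2023-03-01T10:02:00Z", "src": "192.0.2.9", "user": "bob", "event": "login_failure"}
{"ts": "2023-03-01T10:02:10Z", "src": "192.0.2.9", "user": "bob", "event": "login_failure"}
"""

SSH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    outcome: str      # "success" or "failure"
    repository: str   # which log store the record came from


def parse_sshd(text):
    """Normalize sshd auth lines; unmatched lines (other sshd chatter) are skipped."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        outcome = "failure" if m["outcome"] == "Failed" else "success"
        events.append(Event(ts, m["src"], m["user"], outcome, "sshd"))
    return events


def parse_app(text):
    """Normalize the application's JSON-lines audit log into the same Event shape."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        outcome = "success" if rec["event"] == "login_success" else "failure"
        events.append(Event(ts, rec["src"], rec["user"], outcome, "app"))
    return events


@dataclass(frozen=True)
class Alert:
    src: str
    failure_count: int
    users_attempted: tuple
    repositories: tuple   # every repository involved; two means the rule crossed stores
    first_success: datetime


def detect_bruteforce_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Per source IP: if at least `threshold` failures fall within `window` before
    any successful login, from any repository, raise one alert for that IP."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e.outcome == "failure"]
        hits = set()
        for s in (e for e in evs if e.outcome == "success"):
            recent = [f for f in failures if s.ts - window <= f.ts <= s.ts]
            if len(recent) >= threshold:
                hits.update(recent)
                hits.add(s)
        if hits:
            fails = [e for e in hits if e.outcome == "failure"]
            alerts.append(Alert(src, len(fails), tuple(sorted({e.user for e in fails})),
                                tuple(sorted({e.repository for e in hits})),
                                min(e.ts for e in hits if e.outcome == "success")))
    return alerts


def run_detection():
    return detect_bruteforce_then_success(parse_sshd(SSH_LOG) + parse_app(APP_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Neither log on its own tells the whole story: sshd sees the password spraying, the application sees a login from the same address moments later. The `repositories` field is the evidence that the correlation crossed repositories, which is the property AU-6 (3) is asking you to demonstrate.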

Contact Us for Help

We’ve identified five security solutions that need to be in place to meet FedRAMP requirements. If they are already incorporated into your environment, great. If not, now is a good time to start researching solutions and their associated costs.

If you weren’t already aware of these requirements, consider having 38North Security conduct a gap analysis of your cloud service offering. During a gap analysis, information is collected from interviews and artifacts to evaluate the existing security controls of your cloud solution against the FedRAMP security control baseline, identifying non-compliant controls and the remediation measures for each. The results help you direct resources and funding to the areas where they are needed to obtain a FedRAMP authorization.