Here’s something we, and many cloud service providers (CSPs), know: Achieving Federal Risk and Authorization Management Program (FedRAMP) authorization opens a whole world of lucrative opportunities and growth. That’s why more CSPs than ever are making the decision to pursue this path.
Despite its growing popularity though, there’s still a lot of confusion surrounding the process. Even by itself, meeting all FedRAMP compliance requirements is already a large undertaking.
However, there are some very questionable decisions we’ve seen too many CSPs make. Some are so detrimental that they’ve made us pause and wonder whether they really wanted to get to the end of this journey.
Here are the fatal mistakes we see from CSPs and some very important things they (you) need to know.
First of All, What is FedRAMP?
FedRAMP is a comprehensive U.S. government initiative that facilitates the adoption of secure cloud services across government agencies. It standardizes the security assessment, authorization, and continuous monitoring of cloud products and services.
By complying with FedRAMP, cloud service providers demonstrate their commitment to robust security, making them more attractive to government clients. This allows them to break into the large streams of revenue available coming from the Federal government, Department of Defense, State, Local, and Tribal organizations.
On top of all that, FedRAMP is one of the highest security standards in the world. That makes FedRAMP-authorized offerings attractive even to commercial consumers.
Understanding FedRAMP’s Purpose
FedRAMP was established to aid the federal government’s transition to cloud computing, offering a unified approach to security assessment. Its goal is to ensure that cloud services and products utilized by federal agencies adhere to rigorous security standards.
What Are FedRAMP Requirements?
To achieve FedRAMP authorization for a cloud service offering, the cloud service provider (CSP) must prove their systems and processes can handle sensitive federal data securely.
In order to meet the requirements, CSPs must complete a rigorous, in-depth examination of their systems through the following processes:
- Security Assessments: A standardized process that involves rigorous testing and evaluation of CSPs' cloud services to ensure they meet federal security standards.
- Authorization Packages: CSPs are required to prepare and submit an extensive authorization package, including documentation such as System Security Plans (SSP), Risk Assessments, and Incident Response Plans.
- Third-Party Assessment Organizations (3PAOs): CSPs must have their security controls assessed (and periodically reassessed) by an independent, FedRAMP-accredited Third-Party Assessment Organization.
- Continuous Monitoring: FedRAMP requires regular monitoring and reporting of the security status to the FedRAMP Program Management Office (PMO) and the relevant federal agencies.
- Incident Reporting: CSPs must have mechanisms in place for incident detection and reporting, and are required to report security incidents in a timely manner, as defined by FedRAMP guidelines.
- Data Encryption: Data must be encrypted both in transit and at rest, using methods that comply with federal standards.
- Identity and Access Control: CSPs must implement thorough identity, authentication, and access control procedures to ensure that only authorized users can access the cloud services.
- Compliance with Federal Laws and Regulations: CSPs must ensure their services are compliant with all relevant federal laws and regulations, including the Federal Information Security Management Act (FISMA).
- Plan of Action and Milestones (POA&M): CSPs are required to develop and maintain a document (the POA&M) that outlines how any deficiencies in security controls will be addressed and mitigated.
- User Responsibility: CSPs must clearly define and communicate the security responsibilities that are shared between the provider and the federal agency using the cloud service.
Meeting these requirements is essential for CSPs seeking to provide cloud services to federal agencies, as it demonstrates their commitment to maintaining the highest standards of security and data protection.
What Are the Challenges of FedRAMP Compliance for CSPs?
Through extensive consulting and direct experience with CSPs, 38North has pinpointed several critical issues that complicate the FedRAMP journey. These issues arise both during initial authorization and throughout the continuous monitoring phase.
Overall, there are three general considerations underpinning complications: Lack of FedRAMP knowledge and understanding, lack of full executive support, and prioritization of rapidly adding new services over ensuring security best practices.
Here are five mistakes many CSPs make that can put FedRAMP authorization at risk. Let’s get into detail.
Mistake Number 1: Making Decisions Based Solely on Revenue Projections
When pursuing FedRAMP authorization, organizational leaders often base their decisions on input from sales and account executives. These executives typically approach leadership with high-level revenue projections. While this is an important figure to know, it’s nowhere close to all the information needed by executive decision makers to make an informed decision.
Leadership should be presented with qualified demand, the cost of building a new environment (typically 30-50% higher than a commercial offering), and potential revenue. This revenue should include all customers requesting the CSP’s FedRAMP-authorized product.
This helps decision-makers judge whether the potential Return on Investment (ROI) justifies the initial investment in building a new environment for the authorization process, rather than deciding based on large dollar signs alone. It ensures decisions are grounded in financial viability rather than being swayed by the prospect of substantial profits.
Mistake Number 2: Thinking FedRAMP Authorization is the End Goal
Most organizational decision makers believe that getting their service authorized is the finish line when really, it’s just the starting line. Building the service or platform to the high standards required by FedRAMP based on the NIST 800-53 revision 5 baseline is an enormous amount of work and incredibly costly.
This can be compared to preparing to run a marathon. Successfully running a marathon requires a large amount of commitment, training, preparation, and investment — just to get to the start line. FedRAMP authorization is the start line. Everything a CSP does to be properly prepared is what makes it successful in the race itself (post-authorization continuous monitoring).
Mistake Number 3: Half-Hearted Executive Support
A lack of knowledge and understanding of FedRAMP and the associated commitments is a common problem in and of itself. However, it tends to compound when there is not full agreement and support for the initiative across all business units within the company.
Business units like Software Engineering, Product, Sales, Security, GRC, and others tend to be very siloed. This often leads to a lack of a unified vision and project prioritization goals in work packages.
Engineering tends to be focused on software/application development and on supporting the SaaS/PaaS platforms. Meanwhile, GRC is typically focused on maintaining existing compliance certifications (SOC2, PCI, ISO) and portfolio expansion (FedRAMP, ISMAP, etc.).
For a FedRAMP effort to be successful, there must be a top-down approach from the executive level down with full buy-in and commitment to the effort. A FedRAMP effort can flounder, stall, be abandoned, or fail when there is no buy-in across the full organization.
For example, if the engineering team is not committed to the effort, there will be no support and the environment build will not happen. Top-down support for a FedRAMP authorization can manifest as high-level company goals for the year. One approach to ensure focus and prioritization is incorporating team and individual performance goals related to the project, which influence promotions and bonus incentives.
Mistake Number 4: Prioritizing Adding New Features Over Security
Companies that are competitive in their space (think upper right Gartner Magic Quadrant) live on the cutting edge of technology. There is the constant pressure to keep their existing market share and gain more.
The bottom line is, all businesses have to make money, but the federal government values risk management very heavily. CSPs must find the balance of effective security and risk management combined with new innovations. Innovating with new products and features and meeting customer requests are ways to keep and gain more of the market share. If the executive staff values innovation and revenue more than sound product and environment security practices, it places the company at risk.
Many times, companies make the decision to “accept the risk” stating they will release the product, feature, or service and go back later to fix an accepted risk. Most companies do not have a mature risk management program and these fixes end up in a backlog that only grows.
Mistake Number 5: Moving Too Quickly
Another challenge when placing more emphasis on adding features rather than security is the speed at which companies operate and offer new products and features. Quick releases and deployments of products and features into a commercial environment are very easy. However, in a heavily regulated environment with a FedRAMP authorization, this is not always possible.
There exists a clearly defined process for implementing specific types of changes that necessitate approval before deployment. Additionally, an assessment process is required before any product or feature can be made generally available to customers in the production environment. This process generally takes a couple to a few months to complete.
How CSPs Can Avoid These Mistakes
So, what can companies do to establish a firm foundation and make the marathon FedRAMP journey successful long term?
- Get Smart: Learn about FedRAMP and gain an understanding of what achieving an authorization means for the company, organization-wide.
- Gain Understanding: Getting FedRAMP authorized for a SaaS/PaaS offering is just the beginning of the journey.
- Get Buy-in: From the highest executive levels down into the business units, buy-in and support for the FedRAMP initiative are of critical importance.
- Find Balance: Being on the cutting edge of technology is challenging. Find the balance between innovation and security.
Avoid Common FedRAMP Mistakes with 38North
To efficiently navigate the path toward becoming a FedRAMP-authorized cloud service offering, having an effective roadmap is critical. It’s not a route with a lot of room for trial and error. Working with a compliance consultant can make a world of difference.
At 38North Security, our experienced FedRAMP advisors have helped hundreds of companies achieve authority to operate. We’ll provide the guidance and support you need to avoid these common mistakes and more.