We live in dangerous, risky times (thanks, Captain Obvious). Much of the danger stems from the risk of being deceived. Deceptions are everywhere these days, from friendly Nigerian princes asking for our bank account info to sophisticated misinformation campaigns funded by adversarial nation states, and (unfortunately) so, so much more.
Cybersecurity risk in particular is the “concern du jour,” and much of that risk revolves around mitigating the possibility of falling for deception. Organizations from mom-and-pop shops to Fortune 500 companies are falling for deceptions left and right. Politically, reducing cybersecurity risk remains a bipartisan issue, yet the risks seem to get more and more dire each year. This is not for a lack of trying, and the FedRAMP Program is a foundational part of the U.S. Government’s strategy to manage cybersecurity risk.
The Federal Risk and Authorization Management Program (FedRAMP) addresses cybersecurity risk around the use of cloud services by the U.S. Government. FedRAMP requires that Cloud Service Providers (CSPs) implement the NIST 800-53 security and privacy controls, which are part of the NIST Risk Management Framework (RMF).
While FedRAMP is a voluntary program, compliance is required in order to sell cloud services to the U.S. Federal Government. Considering that the U.S. Government is the customer with the deepest pockets in the world, there is a strong market incentive to do it.
There are also significant costs associated with achieving and maintaining compliance. Whether or not to invest in FedRAMP is an important and complex business decision. Even if a cloud offering has no active Federal customers, it may still make sense to pursue FedRAMP as a gold standard that meets other NIST RMF based programs such as CMMC, TX-RAMP or CJIS that apply within the broader U.S. Public Sector, or even other security-minded sectors such as healthcare, finance, and education.
Once a company engages with the FedRAMP PMO or a sponsoring Federal Agency, however, FedRAMP is no longer solely a business decision. A partnership is established between the cloud provider and the U.S. Government in which responsibility for the stewardship of Federal data is shared. As soon as an ATO is signed by a Federal Agency and Federal data enters the system, the system is, by law, subject to the control requirements in the applicable FedRAMP baseline. The requirements remain applicable until the system is disposed of in accordance with the authorized Software Development Life Cycle (per SA-3).
The partnership extends beyond a relationship with a specific Federal Agency customer. A growing community comprises U.S. Public Sector organizations and the private sector cloud and managed IT offerings that serve them. What the members of this community have in common is that they prioritize mission success as the desired outcome. Public Sector-focused organizations provide essential goods and services that the public relies on to keep society functioning. Achieving mission success depends on managing risk effectively. The overarching goal of FedRAMP, CMMC, TX-RAMP, and other U.S. and State Government-led cybersecurity initiatives is to ensure that companies providing services on behalf of the American people perform risk management appropriate for the criticality of the mission.
Learn more: 3 Reasons Your Cloud Offering Needs to “Shift Left” on Compliance
Mission-oriented risk management differs from corporate risk management. While corporate risk management programs measure business risks against their impact on the bottom line, mission-focused organizations must also measure risk against achieving outcomes that benefit the public good. Thus, FedRAMP requirements ensure that organizations that wish to serve Public Sector customers perform mission-oriented risk management (for example, RA-3 and CA-6). Adopting a mission-first mindset ensures that private sector Cloud Service Providers serve as trusted partners for their Public Sector customers rather than coming to the table with different definitions of value.
The success (or failure) of public-private partnerships like FedRAMP hinges entirely on establishing and maintaining trust. Auditors cannot validate everything. Great auditors may have a finely tuned B.S. detector, but even the best miss things from time to time, and not all auditors are great.
Private sector companies must engage in good faith. Otherwise, their participation in FedRAMP is worse than pointless and actually hinders risk management efforts by wasting resources that would be better spent on actual security.
By intentionally adopting a mission-oriented approach, organizations can establish lasting trust with their Public Sector customers and align with their missions, while simultaneously achieving business objectives.
The following five recommendations give organizations concrete steps for establishing an operational model that prioritizes mission-oriented risk management:
1. Designate an executive officer to be directly accountable for system risk. In FedRAMP terms, this is the System Owner identified by name in section 4 of the System Security Plan. This individual must be accountable for risk management across all of the organization's Public Sector programs (see recommendation #4).
Usually, but not always, this role aligns with the Chief Information Security Officer (CISO). It is a challenging role because corporate executives also have a fiduciary duty to maximize value for shareholders.
As stated above, however, the decision to enter the Public Sector market includes accepting a certain amount of initial financial risk, as the substantial cost of FedRAMP authorization may not be recovered in revenue for a year or more. Once this business decision is made, business risk and mission risk become synonymous.
And this is how it ought to be. Ultimately, by helping the U.S. Public Sector achieve mission objectives, the organization creates value for the American public as well as for its customers and for itself: a win/win/win.
2. Price Public Sector-focused offerings separately (and differently) from commercial offerings. Organizations are increasingly leveraging compliant offerings as part of a supply chain strategy for their own CMMC, CJIS, StateRAMP, TX-RAMP, DoD CC SRG, FISMA, PCI, HIPAA, and other regulatory requirements. Potential customers within this ecosystem are willing to pay a premium for the assurance that their vendor's risk posture is adequate.
Organizations ought to consider assigning specific Stock Keeping Units (SKUs) to Public Sector-focused offerings, separate from their commercial SKUs. This practice also better delineates the Public Sector-specific customer responsibilities defined in the Customer Responsibility Matrix (CRM).
The price differential between commercial and Public Sector offerings offsets some of the financial risk of market entry by ensuring that business objectives are met as rapidly as possible.
3. Select vendors who have embraced U.S. Public Sector use cases. The flip side of recommendation #2 is that organizations should also rely on vendors who prioritize Public Sector use cases. It can be incredibly frustrating and expensive to find out that a vendor will no longer support FIPS 140-2 validated encryption in an upcoming release. Sticking with vendors that have established track records of supporting Public Sector use cases avoids that risk and makes overall compliance much easier to achieve.
4. Define the scope of Public Sector offerings carefully and holistically. Compliance is expensive, and especially so when it is done redundantly.
A good strategy for lowering the operating costs of Public Sector-focused offerings begins with carefully defining which people, processes, and technologies will touch U.S. Public Sector data and/or sensitive metadata across the entire organization, and then centralizing wherever possible.
Consider this example. Let's say an organization wishes to:
– Become compliant with CMMC Level 2 to meet DoD vendor requirements.
– Comply with CJIS in order to bid as a managed service provider on Law Enforcement RFPs.
– Achieve FedRAMP authorization for one or more cloud offerings.
The organization should consider creating a holistic governance structure that encompasses all three initiatives and building an overarching system architecture that allows re-use of internal tools and services such as access control, vulnerability remediation, and configuration management. Establishing a single architecture also significantly reduces annual assessment costs. It may even make sense to create a Public Sector-focused subsidiary to govern these offerings.
It is also important to consider how the timelines for releasing new offerings and/or services affect existing authorizations. Shared services that are intended to be leveraged across multiple offerings must reside in a system with an equivalent (or higher) categorization. For example, significant changes to existing FedRAMP authorizations require approximately 1 month or more for review and approval, so establishing effective, efficient change management is key.
Learn more: Three Actions Your FedRAMP Cloud Offering Needs to Take Right Now to Implement Effective Change Control
5. Leverage automation to minimize operating costs. Lastly, automating compliance processes by shifting left further reduces operational costs and improves visibility into security and compliance, enabling organizations to achieve a better risk posture across the board.
These are dangerous times, but we can work together to address risk effectively. Let 38North Security guide your organization through the challenges of establishing and maintaining trust with Public Sector customers via a mission-focused risk management strategy. Talk to us today.