A FedRAMP Readiness Assessment is an opportunity for Cloud Service Providers (CSP) targeting government clients to demonstrate that they are ready to begin the FedRAMP process in earnest. With the end goal being a Provisional ATO (P-ATO) from the Joint Authorization Board (JAB) or an ATO granted by a Federal Agency, CSPs, through the Readiness Assessment process, signify that their service offering implements key specified technical controls and is at a level of maturity to start the FedRAMP authorization process.
This guide will help you and your organization determine whether or not you should pursue a FedRAMP Readiness Assessment and what to keep in mind as you prepare.
What is FedRAMP?
Each year, the government targets more of its IT expenditures toward commercial cloud services. For 2017, the government plans to spend over 8% of its IT budget on cloud-based services. Security is always a concern when moving government services to the cloud. The Federal Risk and Authorization Management Program is the government program instituted to address the security of commercial cloud service providers and to help government Authorizing Officials (AO) manage risk in a cloud-based environment.
FedRAMP employs independent Third Party Assessment Organizations (3PAO) to assess the security of commercial cloud service providers against the NIST 800-53 security control catalog and additional FedRAMP requirements. Based on the assessment, Federal AOs can determine whether the risk is acceptable to allow the system to process their agency’s data. If the risk is acceptable, the CSP receives an ATO and is allowed to provide cloud services to that Federal Agency. These ATOs can be leveraged from one Federal Agency to another, decreasing the effort and financial investment required to be authorized to provide services to multiple Federal Agencies. Each agency must still assess risk itself and subsequently grant its own ATO based on acceptable risk levels.
Do You Need A FedRAMP Readiness Assessment?
FedRAMP Readiness Assessments are required for CSPs seeking a JAB P-ATO, but they are not required for CSPs seeking an ATO from one of the Federal Agencies. While it is true that FedRAMP Readiness Assessments are not required as part of the Federal Agency ATO process, the FedRAMP PMO strongly encourages CSPs to consider having a readiness assessment performed. Why, you ask? Read on.
How Will a FedRAMP Readiness Assessment Help You As a CSP?
Whether required or not, performing a FedRAMP Readiness Assessment can help a CSP in the following ways:
- Obtaining the “FedRAMP Ready” status from the FedRAMP PMO signals to potential Federal Agency clients that a given CSP is serious about obtaining a FedRAMP authorization. You cannot achieve FedRAMP Ready status without a significant commitment to the process and a system that has demonstrated compliance with specific technical FedRAMP requirements.
- Obtaining the FedRAMP Ready status will demonstrate that the CSP is on the right track regarding the level to which the FedRAMP requirements are implemented. With a large percentage of the technical controls, there are varying degrees of breadth and depth to which the control can be implemented. Let’s use auditing as an example. Is auditing enabled at just the primary components of the CSP offering (e.g. the custom application) or at every component within the service offering (e.g. custom application, operating systems, databases, application servers, etc.)? How mature is the process to review, analyze, and report on the audit data collected? Are all logs aggregated to a central location and analysis performed using automated mechanisms that correlate audit events and alert on suspicious events? Or are only a portion of the audit logs analyzed for suspicious events without an alerting capability? The maturity level to which a CSP implements a control is a significant indicator when determining their FedRAMP readiness.
- If a CSP does not currently have a Federal Agency with which it is partnering in the FedRAMP process, being FedRAMP Ready strengthens the CSP’s marketing position when selling to Federal Agencies. Please note that being “FedRAMP Ready” does not mean that your service offering is ready to be used by Federal Agencies. It is, though, an indicator that the CSP is likely to be granted either a P-ATO by the JAB or an ATO by a Federal Agency. The FedRAMP Ready status is valid for one year, at which time the CSP must demonstrate a partnering relationship with a Federal Agency, be prioritized by the JAB, or undergo another readiness assessment. Demonstrating FedRAMP Readiness is a significant differentiator between CSPs.
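The auditing questions above (are logs from every component aggregated centrally, and are events correlated and alerted on automatically?) are easier to reason about with a concrete pipeline in front of you. The script below is an added example, not code from the original article or from L&C: it takes constructed audit lines from three hypothetical components (a custom application, an operating system and a database), normalizes them into one record shape, merges them in time order, and applies a single correlation rule that alerts when a user's successful login is preceded by several failures within a short window, regardless of which component recorded them. The log format, component names, rule threshold and window are all assumptions made for the example.

```python
"""Aggregate audit records from several components and correlate them.

Added illustration (not from the original article): the log lines, the
component names and the single correlation rule are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample records, one block per component. In a real deployment
# each component ships these to a central collector; here they are embedded
# so the script runs offline.
APP_LOG = """\
2017-03-01T10:00:01Z app login user=alice src=10.0.0.5 result=FAIL
2017-03-01T10:00:09Z app login user=alice src=10.0.0.5 result=FAIL
2017-03-01T10:00:15Z app login user=alice src=10.0.0.5 result=FAIL
2017-03-01T10:00:22Z app login user=alice src=10.0.0.5 result=OK
2017-03-01T11:30:00Z app login user=bob src=10.0.0.9 result=OK
"""
OS_LOG = """\
2017-03-01T10:00:30Z os sshd user=alice src=10.0.0.5 result=OK
2017-03-01T12:00:00Z os sshd user=carol src=10.0.0.7 result=FAIL
"""
DB_LOG = """\
2017-03-01T10:01:00Z db connect user=alice src=10.0.0.5 result=OK
"""

# Assumed line format for the constructed logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<component>\w+) (?P<action>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse(text):
    """Normalize one component's log text into a list of common records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            # Unparsable lines are dropped here; a mature pipeline counts them
            # so that parser breakage does not silently blind the alerting.
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def aggregate(*sources):
    """Central collection point: merge every component and order by time."""
    merged = []
    for src in sources:
        merged.extend(parse(src))
    return sorted(merged, key=lambda r: r["ts"])


def correlate_bruteforce(records, threshold=3, window=timedelta(minutes=5)):
    """Alert when a user accumulates >= threshold failed authentications within
    `window` and then succeeds, across any component. Returns a list of alerts."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for rec in records:
        if rec["action"] not in ("login", "sshd", "connect"):
            continue
        user = rec["user"]
        if rec["result"] == "FAIL":
            failures[user].append(rec["ts"])
            continue
        # A success: count the failures that fall inside the window before it.
        recent = [t for t in failures[user] if rec["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"user": user, "component": rec["component"],
                           "failures": len(recent), "ts": rec["ts"]})
        failures[user] = []  # a success closes the current failure run
    return alerts


def run():
    """Run the full pipeline over the constructed logs."""
    return correlate_bruteforce(aggregate(APP_LOG, OS_LOG, DB_LOG))


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['ts'].isoformat()} user={a['user']} via {a['component']}: "
              f"{a['failures']} failures before success")
```

With the constructed input, the three failures for `alice` in the application log followed by her success produce one alert; her later successful SSH and database connections do not, because the failure run was already closed. Extending the rule set (for example, the same user succeeding from two different source addresses within minutes) follows the same pattern of one function over the merged, time-ordered records.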
What Can You Expect From A FedRAMP Readiness Assessment?
The readiness assessment process is a fairly significant departure from the “traditional” FedRAMP assessment process. Whereas the traditional FedRAMP process necessitates that the volumes of required documentation be complete upfront, a FedRAMP Readiness Assessment concentrates on the security capabilities currently operating in the system. Policies and procedures should be completed. While the documentation in the System Security Plan (SSP) of how each control is implemented within the system does not have to be complete, CSPs should demonstrate they have started the process and understand the level to which they need to document their control implementations.
In order to attest to a CSP’s FedRAMP readiness, 3PAOs must perform a certain level of testing and observation rather than relying solely on what is documented by the CSP. The 3PAO will also conduct in-person interviews with the CSP technical and security teams to determine the operational maturity of the CSP. Therefore, at least one onsite visit is required.
What Areas Should CSPs Focus On When Preparing For A FedRAMP Readiness Assessment?
While CSPs must understand and address all the FedRAMP Readiness Assessment requirements, below are five key areas to focus on during preparation for the assessment:
- Federal Requirement Mandates: There are five Federal Requirement Mandates that CSPs must meet, or CSPs cannot be assessed as FedRAMP Ready. Since these are mandatory, CSPs must ensure these are met before starting a FedRAMP Readiness Assessment. The Federal Requirement Mandates, as defined in the FedRAMP Readiness Assessment Report template, are the following:
- Are FIPS 140-2 Validated or National Security Agency (NSA)-Approved cryptographic modules consistently used where cryptography is required?
- Can the system fully support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials?
- Is the system operating at eAuth Level 3 or higher?
- Note: eAuth Level 3 means that there is high confidence that the asserted identity during the identification and authentication process is valid.
- Does the CSP have the ability to consistently remediate High vulnerabilities within 30 days and Moderate vulnerabilities within 90 days?
- Do the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements?
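The vulnerability remediation mandate above is the one a 3PAO can check most directly from a CSP's own records: every High finding has a 30-day clock and every Moderate finding a 90-day clock from first detection. The script below is an added example, not code from the original article or from L&C. It applies those two windows to a constructed set of scan findings and classifies each as closed in time, closed late, still open but within its window, or overdue; the finding records, identifiers and the assessment date are all invented for the example.

```python
"""Check scan findings against the remediation windows quoted in the article
(High within 30 days, Moderate within 90 days).

Added illustration, not from the article: the findings below are constructed.
"""
from datetime import date, timedelta

# The two windows the mandate states; other severities carry no mandated clock here.
SLA_DAYS = {"High": 30, "Moderate": 90}

# Constructed findings: id, severity, date first detected, date remediated (None if open).
FINDINGS = [
    {"id": "F-1", "severity": "High", "detected": date(2017, 1, 2), "remediated": date(2017, 1, 20)},
    {"id": "F-2", "severity": "High", "detected": date(2017, 1, 5), "remediated": None},
    {"id": "F-3", "severity": "Moderate", "detected": date(2016, 11, 1), "remediated": None},
    {"id": "F-4", "severity": "Moderate", "detected": date(2017, 2, 1), "remediated": date(2017, 2, 10)},
    {"id": "F-5", "severity": "Low", "detected": date(2017, 1, 1), "remediated": None},
]


def due_date(finding):
    """Date by which the finding must be remediated, or None if no window applies."""
    days = SLA_DAYS.get(finding["severity"])
    return None if days is None else finding["detected"] + timedelta(days=days)


def classify(finding, today):
    """Return one of: 'closed-in-sla', 'closed-late', 'open-in-sla', 'overdue', 'no-sla'."""
    due = due_date(finding)
    if due is None:
        return "no-sla"
    closed = finding["remediated"]
    if closed is not None:
        return "closed-in-sla" if closed <= due else "closed-late"
    return "open-in-sla" if today <= due else "overdue"


def days_overdue(finding, today):
    """How many days past its window an open finding is (0 if not overdue)."""
    due = due_date(finding)
    if due is None or finding["remediated"] is not None or today <= due:
        return 0
    return (today - due).days


def sla_report(findings, today):
    """Map finding id -> status for the given assessment date."""
    return {f["id"]: classify(f, today) for f in findings}


def consistently_meets_sla(findings, today):
    """True only if nothing is overdue and nothing was closed late."""
    ok = {"closed-in-sla", "open-in-sla", "no-sla"}
    return all(status in ok for status in sla_report(findings, today).values())


if __name__ == "__main__":
    today = date(2017, 3, 1)  # constructed assessment date
    for f in FINDINGS:
        print(f"{f['id']:5} {f['severity']:9} {classify(f, today):14} "
              f"due={due_date(f)} overdue_days={days_overdue(f, today)}")
    print("meets mandate:", consistently_meets_sla(FINDINGS, today))
```

Run against the constructed data with an assessment date of 2017-03-01, two findings are overdue (one High open since early January, one Moderate open since the previous November), so the CSP would not be able to show consistent remediation. The useful habit is to run this kind of check on every scan cycle rather than only before the assessment, because the mandate is about consistency over time.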
- Boundary definition: In order to successfully assess a system, there must be a clear understanding of which components are inside and outside the system boundary. If the system boundary is not clearly understood and documented, a system component could go unassessed, leaving a potential vulnerability or attack vector within the system. Discovery scans will be executed to validate the system boundary.
- Data flow diagrams: Much like having a firm understanding of the system boundary, it is also very important to accurately define how federal data flows into, through, and out of the system. Security controls must be applied to safeguard the data during processing, transmission, and storage. Therefore, the diagrams depicting the flow of data through the system must be accurate.
- Multi-factor authentication: Put simply, passwords alone are a poor authentication mechanism. In its 2016 Data Breach Investigations Report, Verizon found that “63% of confirmed data breaches involved leveraging weak, stolen, or default passwords.” Multi-factor authentication is mandatory for privileged accounts and should be enabled for all system users.
- Segregation/isolation of users and data: CSPs must be able to demonstrate that their system enforces segregation of users and data. All access to data must be from authorized sources and data must be logically segregated within the data store. This also includes restricting the flow of information to only authorized locations internal or external to the information system.
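The boundary item above says discovery scans will be used to validate the documented boundary, which in practice means reconciling three lists: what the inventory says is in scope, what is actually live inside the in-scope address ranges, and what answered from outside them. The script below is an added example, not code from the original article or from L&C. It reads a constructed discovery-scan export (a simple ip,state CSV standing in for whatever a real scanner produces) and compares it with a constructed inventory and boundary CIDRs; every address, range and component name in it is invented for the example.

```python
"""Reconcile a documented system boundary against discovery-scan output.

Added illustration, not from the article. The boundary ranges, the inventory
and the scan export are all constructed; a real run would parse the scanner's
own export format.
"""
import ipaddress

# Constructed in-scope ranges, as they would appear in the SSP boundary description.
BOUNDARY_CIDRS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("10.10.1.0/24"),
]

# Constructed component inventory: address -> documented role.
INVENTORY = {
    "10.10.0.10": "web-app",
    "10.10.0.11": "app-server",
    "10.10.1.20": "database",
    "10.10.1.21": "log-collector",
}

# Constructed discovery-scan export in a minimal ip,state CSV shape.
SCAN_OUTPUT = """\
ip,state
10.10.0.10,up
10.10.0.11,up
10.10.0.12,up
10.10.1.20,up
10.10.1.21,down
10.10.2.5,up
"""


def parse_scan(text):
    """Return the set of addresses the scan reported as live."""
    live = set()
    rows = text.strip().splitlines()[1:]  # skip the header row
    for row in rows:
        ip, state = (field.strip() for field in row.split(","))
        if state == "up":
            live.add(ip)
    return live


def in_boundary(ip):
    """True if the address falls inside any documented in-scope range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOUNDARY_CIDRS)


def reconcile(inventory, scan_text):
    """Three findings lists an assessor would want to discuss with the CSP:
    - live hosts inside the boundary that no inventory entry covers (unassessed components)
    - live hosts outside the documented ranges (boundary drawn too narrowly, or scan scoped too widely)
    - inventory entries the scan did not find live (stale documentation or decommissioned hosts)
    """
    live = parse_scan(scan_text)
    documented = set(inventory)
    return {
        "undocumented_in_boundary": sorted(ip for ip in live - documented if in_boundary(ip)),
        "live_outside_boundary": sorted(ip for ip in live if not in_boundary(ip)),
        "documented_not_found": sorted(documented - live),
    }


if __name__ == "__main__":
    for key, ips in reconcile(INVENTORY, SCAN_OUTPUT).items():
        print(f"{key}: {', '.join(ips) or 'none'}")
```

On the constructed data, 10.10.0.12 is live inside the boundary but absent from the inventory, 10.10.2.5 answered from outside every documented range, and the log collector at 10.10.1.21 was documented but not found. Each of those is a conversation to have before the 3PAO runs its own discovery scan, not after.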
How Long Does a FedRAMP Readiness Assessment Take To Complete?
While not as extensive as the full assessment, a FedRAMP Readiness Assessment is still a rigorous process. Technical implementations for key FedRAMP requirements must be operating effectively within the system. So how long does it take? The FedRAMP PMO estimates that the FedRAMP Readiness Assessment process should take between two and four weeks for a “mid-size, straightforward system”, divided roughly in half between (1) testing and information gathering and (2) analysis of the results and report writing.
There is an important caveat to the question on timing, though – the FedRAMP PMO also does not expect all CSPs to pass the readiness assessment the first time. The readiness assessment process will likely identify gaps that need to be addressed by the CSP. This will naturally lengthen the process. Once the gaps have been addressed satisfactorily, the 3PAO will submit the FedRAMP Readiness Assessment Report (RAR) to the FedRAMP PMO.
FedRAMP Readiness Assessments are only required for CSPs pursuing the JAB path to authorization, but they are recommended for CSPs working toward a Federal Agency authorization because passing one demonstrates a high likelihood that the CSP will successfully complete the full FedRAMP assessment and achieve a FedRAMP authorization.
Achieving FedRAMP Ready status differentiates CSPs within the federal marketplace. To increase the likelihood of success the first time, CSPs must have a firm understanding of all the assessment requirements and ensure that the Federal mandates, boundary and data flow definition, multi-factor authentication, and client and data segregation are clearly addressed and implemented.
If you are interested in learning more about FedRAMP or FedRAMP Readiness Assessments, contact us.
Looking for more information about FedRAMP? Read An Introduction To The Federal Risk and Authorization Management Program (FedRAMP).
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.