There is an explosion of information on Federal Risk and Authorization Management Program (FedRAMP) timelines and authorization processes, and sorting through it can add unnecessary confusion to an already complex process. Most discussions of the steps to a FedRAMP Authorization gloss over one of the most important phases of the journey: the planning, analysis and preparation that precedes deployment and assessment.
1 – Planning for pursuit of a FedRAMP Authorization
A FedRAMP journey has organization-wide impacts. These include, but are not limited to, technical changes; changes to existing DevOps and DevSecOps programs, configuration management and versioning processes; employee security awareness and training; and even hiring guidelines, since many agencies impose strict U.S. citizenship requirements on Cloud Service Provider (CSP) personnel who operate the system. Understanding why a cloud service offering (CSO) needs FedRAMP, how a FedRAMP Authorization fits into broader company objectives, and what it will take to get there is not a small task. Organizations need to invest adequate planning time, preferably with the support of a trusted FedRAMP advisor, before deciding when, if, and how to proceed.
2 – Budgeting for FedRAMP
FedRAMP compliance requires substantial budgetary commitments. There are hosting and licensing costs; human resource (HR) costs, including the engagement of highly skilled system personnel; and Third Party Assessment Organization (3PAO) assessment costs for the initial assessment, annual re-assessments, and interim significant-change assessments as needed. The effort can affect both operational and capital expenses. An organization needs to understand the full financial commitment before initiating the effort.
3 – Finding the right partners
This can be a daunting task. From technology partners to FedRAMP consulting to 3PAO assessment, finding the right partners and formalizing those relationships takes time. An organization should take the time to do its research and meet with multiple candidate partners before making formal decisions that will have long-lasting impacts.
4 – Preparing through gap analyses (technical, operational, management)
Gap analyses are useful tools for identifying the improvements needed to achieve FedRAMP compliance. Depending on the as-is state of a CSO at the start of the journey, technical preparation for FedRAMP Authorization may require significant re-architecture and re-development. Some technical gaps can be remediated quickly and with little development effort (e.g., swapping non-FIPS cryptographic libraries for FIPS validated versions, or replacing non-authorized external services with FedRAMP authorized ones), while others are quite time consuming. As an example, a CSP that ships its own cryptographic implementation rather than an already validated module will need to put that module through FIPS 140 validation, a lengthy and expensive process even with the help of validation acceleration support; and a proprietary, non-approved algorithm cannot be validated at all and must be replaced with an approved one.
- Get management and operational houses in order.
Nearly two thirds of FedRAMP controls focus on the management and operational aspects of the CSP rather than the technical aspects of the CSO. A mature DevOps or software development lifecycle (SDLC), complete with a change control board, ticketing and issue handling, and incident response processes, is required. Organizational processes around hardware and software distribution, employee hiring and termination, and security awareness training, all of which are governed by FedRAMP baseline controls, are heavily scrutinized as well.
- Address obvious technology shortcomings.
Identifying and remedying technical showstoppers before jumping head-first into the authorization process is key to saving time and resources. Some CSOs may require a completely new architecture and design to prevent time-consuming re-work later. Many technical compliance gaps can be addressed through the following types of approaches:
- Leverage FIPS validated libraries and require FIPS mode where possible.
- Select authorized cloud hosts whose Infrastructure/Platform-as-a-Service (IaaS/PaaS) controls can be inherited. Inheriting, for example, the host's logging and monitoring services can save weeks of researching, procuring, installing, configuring, and hardening a custom monitoring stack.
- Take a "buy-versus-build" approach to compliance: the quickest and easiest way to shore up a gap is often to adopt a FedRAMP authorized solution.
- Limit reliance on external sources and services to those already holding FedRAMP authorizations at an impact level equal to or above the level being sought for the CSO.
5 – Finding an ATO Sponsor
CSPs with existing, committed government customers that are willing to sponsor them will find little to no effort here. For the majority of CSPs without such a relationship, however, securing a sponsor can take months if not years: an agency must have enough buy-in to the CSO to be willing to invest the time and effort of sponsorship. Sponsor-less CSPs can also pursue a Joint Authorization Board (JAB) sponsorship, but JAB sponsorship opportunities are very difficult to secure. Many CSPs without a clear path to an agency sponsor instead pursue "FedRAMP Ready" status by undergoing a Readiness Assessment performed by a 3PAO. While "FedRAMP Ready" is not sufficient to grant an ATO or obtain full FedRAMP Authorization, it can get a CSP listed on the FedRAMP Marketplace, increase overall traffic to and awareness of the CSO, and may help secure a sponsor, since it demonstrates a commitment to the FedRAMP Authorization process.
There is no easy way to get a FedRAMP Authorization, but establishing a reasonable plan, securing a budget, finding the right partners, and remediating showstopping gaps before engagement will make the whole journey go much more smoothly.
stackArmor helps commercial, public sector and government organizations rapidly comply with FedRAMP, FISMA/RMF, DFARS and CMMC compliance requirements by providing a dedicated authorization boundary, NIST compliant security services, package development with policies, procedures and plans as well as post-ATO continuous monitoring services. Visit https://www.stackArmor.com to learn more or contact us by filling out this form to schedule a free briefing.
© 2023 stackArmor, Inc. All rights reserved.