Blog Archives - Page 7 of 20

Before Pursuing FedRAMP Certification

There is an explosion of information out there on Federal Risk and Authorization Management Program (FedRAMP) timelines and authorization processes which can be overwhelming to sort through, adding unnecessary confusion to an already complex process. Many of the discussions around steps to FedRAMP Authorization largely gloss over one of the most important phases of a FedRAMP journey – the planning, analysis and preparation phase that precedes deployment and assessment. 1 – Planning for pursuit of a FedRAMP Authorization A FedRAMP journey has organization-wide impacts including but not limited to, technical implications, impacts to existing DevOps and DevSecOps programs; configuration management and versioning processes; employee security awareness and training; and even hiring guidelines – since most agencies have strict U.S. citizenship requirements for Cloud Service Provider (CSP) operators. Understanding why a cloud service offering (CSO) needs FedRAMP, how a FedRAMP Authorization works into broader company objectives, and what it will take

Webinar – Manage “Achieving DOD Impact Level 4 – Lessons Learned & Much More”

If you are an ISV or SaaS solutions provider looking to pursue US DOD and FedRAMP accreditations then please join our webinar discussion on DOD Impact Level 4 ATO and Lessons Learned. You can learn more by registering here. Date: Dec 7, 2022 02:00 PM in Eastern Time (US and Canada) The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond those established by the Federal Risk and Authorization Management Program (FedRAMP). Using the FedRAMP requirements as a foundation, the Defense Information Systems Agency (DISA) developed and maintains the DoD Cloud Computing Security Requirements Guide (CC SRG). The DoD CC SRG defines the standards for categorizing DoD information and information systems and breaks them into 4 Impact Levels (DoD ILs): • DoD IL 2 – Public or Non-Critical Mission Information • DoD IL 4 – Controlled Unclassified Information (CUI) or Non-CUI, Non-Critical Mission Information, Non-National Security Systems •

How to Successfully Plan, Implement and Support DoD IL5 Customers

As DoD agencies continue their migration of sensitive workloads to the cloud, there is a greater need to ensure those workloads are deployed around the rigorous DoD Cloud Computing Security Requirements Guide (SRG) at Impact Levels 4 and 5. Systems categorized at Impact Level 5 (IL5) are allowed to host non-public, unclassified National Security System (NSS) system data (i.e., U-NSI) or non-public, unclassified data. The work to support the path to IL5 is made easier by both stackArmor’s proprietary ThreatAlert® Authority To Operate (ATO) Accelerator and the company’s experience supporting the technical and architectural implementation of IL5 controls. ThreatAlert® ATO Accelerator provides a proven, independently audited secure digital platform that includes (1) a landing zone, (2) an “in-boundary” cloud general support system (GSS) and (3) compliance controls for the DOD IL5 package/SSP (System Security Plan). stackArmor provides our clients a suite of implemented security controls, evidentiary support and artifacts, and

Demystifying Container Scanning Requirements for FedRAMP, DoD SRG, and CMMC

When using containers, Cloud Service Providers (CSPs) are NOT precluded from adhering to host-based security guidelines and FIPS 140-2 (soon 140-3) encryption requirements

NIST Rev 5 – What it Means for FedRAMP

This is an older blog which has been superseded by the latest blog based on the official release of the Rev 5 baselines by the FedRAMP PMO. Since its inception, FedRAMP has used the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) procedures and guidelines as the foundation for providing standardized security requirements and control definitions for cloud service providers wanting to serve the federal market. In fact, FISMA, RMF, FedRAMP, OSCAL, and SCF all use NIST as a gold-standard foundation for standardized compliance guidelines. To align with the updates in NIST’s final release of Rev. 5 (which was drafted in 2020 and open to public comment through October 1 of 2021,) FedRAMP has re-established their control baselines accordingly. In December of 2021, FedRAMP released their new Rev 5 baselines, re-aligning with the NIST Rev. 5 update. The new baselines are a result of close collaboration between the FedRAMP

Accelerating FedRAMP, DOD, and NIST ATOs with stackArmor ATO Machine (ATOM)

Large software vendors, global defense contractors and organizations operating in hyper regulated markets must meet very specific government cybersecurity requirements. These requirements include ensuring data sovereignty as well as compliance with specific standards like FedRAMP or ITSG-33 in the US and Canada respectively. The rapid emergence of data sovereignty requirements are driving the increased need for “in-region” deployments that provide the ability to contain the data within a pre-specified area. External connections to corporate services, other SaaS services, or other systems cause the assessors to take a real hard look at data flows. This scrutiny and extra due diligence can slow down the accreditation process. These unique constraints create challenges for large global organizations looking to meet complex regulatory requirements in a cost-effective manner. This problem can be solved by using an “in-boundary” security and compliance model that limits the number of external connections and delivers a “region-gapped” service. stackArmor’s

Accelerating FedRAMP, DOD, and CMMC Compliance with stackArmor ATO Machine (ATOM)

Large ISV’s, Global Defense contractors and organizations operating in global hyper regulated markets must meet very specific government cybersecurity requirements.

Updated FedRAMP ATO Guidance for Readiness Assessment

The FedRAMP Program Management Office (PMO) issued updated guidance on the FedRAMP Readiness Assessment requirements.

FedRAMP Releases Updates to ATO Requirements based on NIST SP 800-53 Rev 5 for Public Review

The FedRAMP Program Management Office (PMO) at the General Services Administration (GSA) released the updated controls baselines based on NIST SP 800-53 Rev 5. The FedRAMP Security Assessment Framework (SAF) is based on the National Institute of Standards and Technology’s (NIST) Special Publication [SP] 800-53 Rev 4. FedRAMP is expected to migrate to NIST SP 800-53 Rev 5 after a period of review and comments. Proposed Updates to FedRAMP Controls based on NIST SP 800-53 Rev 5 There are several updates to the controls framework including the incorporation of threat risk scoring. FedRAMP is using a threat-based methodology as outlined in the MITRE ATT&CK Framework. FedRAMP published their intent to use threat-based scoring to provide additional prioritization of risks and need for the right types of controls. A cursory review of the DRAFT controls baselines shows the revised control counts for the various baselines: • Low baseline – 150 controls

FedRAMP can help Pipeline Operators Rapidly Mitigate Cyber Threats

The FedRAMP Security Assessment Framework (SAF) is a mature and cloud-based security framework that effectively provided security cover for regulated industries for over a decade.

How to fund security and modernize at the same time – FCW Article

The cost of pursuing a FedRAMP authorization for a software company range from $500,000 to $1 million for a single product. Obviously, this is especially burdensome for small companies — the same firms that often drive the innovation and modernization the government seeks.
Author: Michael Garland, Gaurav “GP” Pal

Government needs massive investment in FedRAMP – FCW Article

As the Federal Risk and Authorization Management Program marks its 10th anniversary, it’s time to applaud FedRAMP’s accomplishments — but also explore ways to scale its operations so the government can more quickly adopt innovative software solutions.
Author: Michael Garland, Gaurav “GP” Pal