The recent spate of cybersecurity attacks on critical service providers such as pipeline operators, manufacturers, and software companies require an urgent response. Senior executives like the Chief Information Officer (CIO), Chief Information Security Officers (CISO), and Board Members are looking for quick solutions and rapid outcomes. The FedRAMP Security Assessment Framework (SAF) is a mature and cloud-based security framework that effectively provided security cover for regulated industries for over a decade.

What is the FedRAMP Security Assessment Framework (SAF)?

FedRAMP Security Framework (SAF)

The Security Assessment Framework (SAF) for the Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program for enforcing security on commercial systems. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. FedRAMP was developed in collaboration with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS).

FedRAMP defines a set of security requirements and controls for commercial cloud services and prepares them to host government data. For example, the recent security directive from TSA in response to the Colonial Pipeline security breach requires critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA. TSA has provided detailed guidance to pipeline operators on how best to go about managing digital risk.

The intent of these guidelines is to bring a risk-based approach to the application of the security measures throughout the pipeline industry. Some of the elements in the TSA’s pipeline security guidelines include:

• Assessments used to determine facility criticality;

• Threat assessments identifying known or potential adversaries;

• Vulnerability assessments identifying security weaknesses;

• Risk assessments (based on threat, vulnerability, and consequence, considering facility criticality assessment findings);

• Risk mitigation to determine and implement appropriate risk reduction countermeasures; and

• Ongoing risk management to monitor, reassess, and modify the program.

All of these activities are easily covered by the FedRAMP framework that includes the development of a comprehensive Systems Security Plan (SSP) and associated security controls that must be implemented. These security controls cover 17 control families and comprehensively prescribe how to manage risk covering people, process and technology. There is nearly 100% overlap and coverage of key requirements outlined by TSA’s pipeline security guidance such as:

  • perform risk analysis and assessments to identify gaps and implement a continuous monitoring program of IT and OT systems.
  • review access control measures that include developing clear policies and procedures employed to reduce security risks throughout the company.
  • ensure systems maintenance and testing through established plans and procedures to cover critical security issues including monitoring, data encryption, vulnerability management to ensure that security systems and equipment are maintained and function properly.
  • develop and maintain strong personnel security programs that include policies and procedures for managing personnel including background checks, training, and compliance with Federal and state laws.
  • deploy and maintain incident response plans and procedures ensuring compliance with recent TSA security directives.

All of these needed policies, procedures and plans are well defined in the FedRAMP framework making it easier to comply and get started. Pipeline operators and owners can also use qualified independent auditors called 3PAO’s who have deep domain knowledge and expertise in helping organizations accredit their systems, policies and procedures.

Accelerate Security and Compliance with FedRAMP accredited Cloud Services

Implementing strong cybersecurity measures can be complex and costly. FedRAMP accredited cloud services such as Amazon Web Services (AWS) provides a comprehensive set of security and data management services that can be rapidly enabled within days and weeks. For example, the recent security directive from TSA in response to the Colonial Pipeline security breach, requires critical pipeline owners and operators to implement vulnerability management and incidence response measures. Native services like AWS Systems Manager provide automated patching for Linux and Windows servers. Other native services like AWS Cloudtrail, Config, Cloudwatch, Security Hub and others provide rapid security incident and event management capabilities. A comprehensive cybersecurity program should consider the following capabilities:

  • Vulnerability management
  • Intrusion prevention and detection
  • Anti-Virus and malware management
  • Security incident and event management
  • System hardening and patch management
  • Continuous monitoring alerting and logging
  • Multi-factor authentication and centralized user management
  • Strong data encryption with FIPS compliant modules

A number of these services are readily available on AWS or can be added with minimal effort.

ThreatAlert® Security Platform on AWS for Kick Starting a Security and Compliance Program

The ThreatAlert® Security Platform is an integrated solution that delivers a ready-to-go data hosting platform on AWS combined with security services and comprehensive documentation that ensures compliance with FedRAMP, FISMA/RMF, and CMMC requirements. The data hosting platform is delivered as a landing zone with pre-defined networking, security, management, and application zones to securely host multiple applications and protect their data. Common security and management services are deployed in the security zone to meet stringent FISMA, FedRAMP, DOD CC SRG security requirements for boundary protection, logging, monitoring, alerting, incident response, vulnerability management, and security incident event management (SIEM) amongst others. Given the standardized architecture and associated security services stack, a pre-filled suite of documentation and control descriptions with coverage for over 2/3 of the controls is included in the ThreatAlert® Compliance Docs package. The documentation package includes policies, procedures, plans, and control descriptions to help jumpstart the project and reduce costs. Learn more by visiting our ThreatAlert® solution overview page.