The FedRAMP Program Management Office (PMO) issued updated guidance on the FedRAMP Readiness Assessment requirements. Given the increasing importance of pursuing a FedRAMP Ready designation for commercial cloud service providers, it is important to understand the updated guidance.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Commercial Cloud Service Offerings. There is growing adoption of FedRAMP accredited cloud services by Federal, State and Local agencies. Based on the latest Deltek Federal Cloud Market report released in Sept 2021, over $4B was spent by Federal agencies on FedRAMP accredited cloud services. The overall market for cloud services across Federal agencies and DOD is expected to grow to over $11.4B by 2023. It is expected that recent security incidents, as well as the White House Executive Order on Cybersecurity, will continue to drive increased adoption of FedRAMP certified cloud services.
Commercial organizations pursuing FedRAMP certification have three pathways to a FedRAMP ATO; one of them is being listed in the FedRAMP.gov marketplace as FedRAMP Ready. Being assessed FedRAMP Ready gives a cloud service provider 12 months to obtain an agency sponsor or pursue a Joint Authorization Board (JAB) accreditation. Increasingly, Federal Agencies are seeking FedRAMP Ready status prior to sponsoring a cloud service provider, to ensure the provider has the commitment and capability to pass an ATO assessment.
FedRAMP Readiness Assessment Guide Updates
FedRAMP has updated the Readiness Assessment Report (RAR) Guide and templates to provide enhanced guidance for Third Party Assessment Organizations (3PAOs) as well as Cloud Service Provider organizations. A FedRAMP Readiness Assessment allows a commercial organization to prepare and understand if their offering has the key capabilities required to obtain a FedRAMP authorization. The FedRAMP Readiness Assessment is performed by a 3PAO and a Readiness Assessment Report (RAR) is generated, which is submitted to the FedRAMP PMO for review and acceptance. Upon the successful acceptance of the RAR, the cloud service provider is listed on the FedRAMP.gov marketplace for a period of 12 months.
The newly released guidance, when compared to the initial release in 2017, provides 19 pages of descriptive content with requirements and expectations, versus the summarized presentation format of 5 pages in the initial guide. This additional content is very helpful, as it clarifies specific requirements and allows cloud service providers to be better prepared for a Readiness Assessment. The content in the guide is summarized in 12 key steps that are listed below. Please note that the content provided below is in summary format and readers should read the authoritative guide on the FedRAMP.gov website.
12 Steps for FedRAMP Readiness Assessment
The updated guidance lists 12 key steps that are aimed at ensuring consistency and completeness during a FedRAMP Readiness Assessment by a 3PAO.
1. Validate the Authorization Boundary
Provide a clearly delineated authorization boundary with the necessary detail, including the flows of all federal information, data, and metadata through the system. The quality and completeness of the diagram are critical for identifying internal, external, and non-production services such as dev and test environments.
2. Identify All Data Flows and Stores
Provide comprehensive data flow diagrams (DFDs) and a written description of the data flows within and throughout the authorization boundary. Each DFD must also be high resolution, reflect the same components as the authorization boundary diagram (ABD), and explicitly identify everywhere, inside and outside the system authorization boundary, that federal data and metadata exist at rest or in transit.
3. Determine Leveraged FedRAMP Authorizations
All FedRAMP-leveraged cloud services must be clearly identified and listed with a status of Authorized. If the cloud service offering is a SaaS, then subscriptions to underlying services such as IaaS or PaaS must be documented accurately.
4. Determine External and Corporate Systems and Services
FedRAMP defines a ‘connection’ as any communication path used to push, pull, or exchange data and/or information, including application programming interfaces (APIs). All third-party providers and external services/systems must be reported, and they should themselves be FedRAMP accredited if they host federal data or metadata.
5. Application Programming Interfaces (APIs)
APIs must be called out separately, in addition to the external connection. Any APIs used to access data and interact with other systems’ software components, operating systems, and microservices must be listed in a category by themselves.
6. Strong Physical and/or Logical Separation Measures within the System
The solution must be designed in a manner to meet strong physical and/or logical separation measures within the system to provide ‘defense in depth’. The system must provide adequate segmentation and isolation of tenants, administration, and operations, and address user-to-system, admin-to-system, and system-to-system relationships.
7. Compliance with Federal Mandates
For both Moderate and High baseline systems, there are six Federal Mandates that must be met. Non-compliance with any of these six items is a show-stopper that will stop a Readiness Assessment in its tracks. These mandates include compliance with FIPS 140-2 for encryption, authentication support with CAC/PIV, meeting Federal Records Management Requirements, and ensuring DNSSEC compliance, amongst other items.
8. Ensure DNSSEC is In Place
All external authoritative DNS servers must reply with valid DNSSEC responses. Also, all external domain(s) used to access the service must be verified as being registered with a DNSSEC signature.
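One way to script the two checks in this step, as an added example that is not part of the original post or the FedRAMP guide: it parses the text output of `dig +dnssec` (the A record queried at the provider's own external authoritative server, and the DS record queried from the parent zone) so the logic runs offline on the constructed sample shown; `example-csp.gov`, the name server and the record values are placeholders.

```python
# Constructed sample `dig +dnssec` output for a placeholder zone (not a real CSP domain):
# the authoritative answer for the A record, and the parent (.gov) answer for the DS record.
SIGNED_A = """\
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example-csp.gov.\t300\tIN\tA\t192.0.2.10
example-csp.gov.\t300\tIN\tRRSIG\tA 13 2 300 20240601000000 20240501000000 12345 example-csp.gov. c29tZXNpZw==
"""
PARENT_DS = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example-csp.gov.\t3600\tIN\tDS\t12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example-csp.gov.\t3600\tIN\tRRSIG\tDS 8 2 3600 20240601000000 20240501000000 4567 gov. c29tZXNpZw==
"""

def parse_answer(dig_output):
    """Return (owner, rtype, rdata tokens) for every record in the ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION:")
        elif in_answer and line.strip() and not line.startswith(";"):
            parts = line.split()
            if len(parts) >= 4:
                records.append((parts[0], parts[3], parts[4:]))
    return records

def is_authoritative(dig_output):
    """The `aa` flag shows the reply came from the authoritative server itself, not a cache."""
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            return "aa" in line[len(";; flags:"):].split(";")[0].split()
    return False

def answer_is_signed(dig_output, rtype):
    """An RRSIG whose covered type equals rtype means the zone signs that answer."""
    return any(rt == "RRSIG" and rd[:1] == [rtype] for _, rt, rd in parse_answer(dig_output))

def ds_published(dig_output):
    """A DS record at the parent means the domain is registered as DNSSEC-signed."""
    return any(rt == "DS" for _, rt, _ in parse_answer(dig_output))

def assess(authoritative_a, parent_ds, rtype="A"):
    """Both step 8 conditions, from the authoritative A query and the parent DS query."""
    return {"authoritative": is_authoritative(authoritative_a),
            "rrsig_present": answer_is_signed(authoritative_a, rtype),
            "ds_present": ds_published(parent_ds)}
```

Feed `assess()` the live outputs of `dig +dnssec A <domain> @<authoritative-ns>` and `dig +dnssec DS <domain>`; an RRSIG without a DS means the zone is signed but not yet registered as signed with its parent, which fails the second check in this step.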
9. Verify FIPS 140-2 validated encryption within and throughout the System Boundary
For FIPS 140-2 validated encryption, FedRAMP expects that all Moderate and above federal data and metadata is encrypted as data at rest (DAR) and data in transit (DIT) internally, externally, and when traversing the service boundary.
10. Assess Security Capabilities Sections
Companies must demonstrate the system’s technical, management, and operational capabilities using a combination of methods, including interview, observation, demonstration, examination, and onsite visits as needed. The review includes policies, processes, procedures, and evidence of significant progress towards completed documentation. It is important to demonstrate the maturity of the organization and its ability to host federal data.
11. Provide Complete Executive Summary
The RAR Executive Summary is the summarized description of the service for prospective agency customers. The Executive Summary must be exact, concise, and easily understood. The FedRAMP PMO recommends beginning the Executive Summary just as you would prepare a white paper, using the RAR-prescribed subsection headers that correspond with the bullets that 3PAOs are specifically asked to address in the RAR’s Executive Summary.
12. Complete Each Security Control Capability Statement
The cloud service provider must be prepared to provide detailed information on each security control to allow the 3PAO to complete the Readiness Assessment Report (RAR).
FASTTR on AWS
stackArmor has developed the FASTTR on AWS program to accelerate the ability of organizations to meet FedRAMP ATO requirements. The FASTTR program (Faster ATO with Splunk, Telos, and ThreatAlert® for Regulated Markets) provides a complete end-to-end solution that delivers an audit-ready environment in weeks and days. The FASTTR on AWS program reduces the time and cost associated with getting FedRAMP Ready by doing away with costly gap assessments, ad-hoc documentation preparation, and time-consuming security product evaluations by delivering an audit-ready dedicated authorization boundary, NIST compliant security services and a complete ATO package in a matter of days and weeks. The solution includes a defense in depth compliant security platform with over 18 security services directly mapped to NIST controls and a complete FedRAMP ATO package with policies, procedures, and plans. The solution is deployed “in-boundary” using the ThreatAlert® ATO Machine (ATOM) platform-as-code (PaC) to deliver a fully audit-ready environment with built-in FedRAMP and DOD compliant security requirements. Contact us to schedule a free consultation to help accelerate your FedRAMP ATO project.