Editor's note: The author of this guest column, David Svec, is co-principal and co-founder of Veris Group LLC, a cybersecurity consultancy and an accredited FedRAMP third-party assessment organization (3PAO) based in
The U.S. government has made a strong policy stand in favor of cloud computing with the Federal Risk and Authorization Management Program (FedRAMP), the largest security initiative to facilitate the secure and efficient migration of government agency data to a cloud environment. And while FedRAMP offers much-needed clarity for cloud providers going after this market, many still face serious obstacles when attempting to achieve compliance with the program's requirements.
FedRAMP is now a mandatory framework for the consistent, cost-effective assessment and continuous monitoring of cloud providers that work with government agencies. The framework relies on independent, third-party assessment organizations (3PAOs) to assess a cloud provider's systems to ensure transparency between government and cloud providers, and consistency in data security strategies.
Complying with the FedRAMP methodology and its security requirements can be a complex, expensive and demanding process for cloud providers. The roles of the 3PAOs are to be independent assessors and experts in navigating FedRAMP processes. As of August 2012, the federal government has accredited only ten 3PAOs to perform these assessments.
Since FedRAMP requires cloud providers to receive provisional authorization to work with the federal government, it has become both a competitive advantage and a challenge for providers to gain the acceptance, accreditation and approval of the FedRAMP Joint Authorization Board (JAB), which grants this authorization.
Overcoming obstacles to FedRAMP authorization
The biggest obstacle cloud providers face on the way to FedRAMP authorization is a lack of preparation. In an effort to enter the market as early as possible, many cloud providers are jumping into assessments prematurely, thereby wasting valuable time and resources -- and inevitably prolonging the process.
The newly implemented FedRAMP assessment process requires a significant level of effort unanticipated by many cloud providers, and the providers may also be unaware of the time, cost and security requirements necessary for these assessments. Without guidance and explanation, the detail-oriented process and documentation for FedRAMP can be daunting for cloud providers of any scale.
At Veris Group, one of the first accredited 3PAOs and already a security assessor for several cloud providers, we have drawn on the lessons learned from past experience in cloud security to provide recommendations to providers interested in selling authorized cloud services to the federal government. To help cloud providers ensure successful and cost-effective preparation for 3PAO assessment, Veris Group has identified several strategic and technical success factors that are critical for attaining FedRAMP compliance.
Strategic issues to consider for FedRAMP
- Leadership buy-in: A cloud provider's executive leadership must understand and endorse the assessment process in order to provide adequate resources and set expectations toward FedRAMP compliance. Leadership is also accountable for accepting and managing the risk of any new or ongoing security vulnerabilities. Communication between the 3PAO, FedRAMP officials and cloud providers' executive leadership should facilitate this goal via planning, execution and debriefing activities.
- Budgeting: Depending on the size, complexity, architectural considerations, and security posture and maturity of a cloud provider's environments, FedRAMP assessments can become expensive. They are investments that will require both internal and external expenditures. It's necessary that cloud providers' executive leadership understands these costs up front and ensures the potential for a positive return on investment.
- Communication: It's critical that providers start and maintain an open dialogue and frequent interactions with the FedRAMP Program Management Office (PMO), the JAB and the 3PAOs, so that they understand the scope, technology, security requirements and assessment process. As a result, cloud providers expose themselves to fewer risks and increase their likelihood of authorization.
- Verify consultants' fees and skills: It is important that cloud providers fully vet and understand the pricing models, qualifications and experience of all third-party experts -- including the 3PAO and preparation consultants -- who will be assessing and assisting the provider throughout the FedRAMP process. Pricing models for assessments should clearly document the costs that are included and outline any extra costs that may be incurred.
- Tap into existing accreditations: To save time, money and resources, cloud providers should try to use existing systems documentation as well as security processes and procedures currently accredited under another federal agency accreditation body.
Technical issues to consider for FedRAMP
- Document all systems: Cloud providers should take time to thoroughly inventory and baseline their entire cloud environment and all of its system boundaries. This will help providers avoid a situation in which the assessor discovers elements -- whose existence the provider has overlooked -- that don't fulfill FedRAMP requirements.
- Ensure security requirements are met: Cloud providers must have a thorough understanding of the NIST cloud security guidelines, which should be in place prior to assessment. A robust and well-documented security program is necessary to pass the security assessment. FedRAMP provides tools, such as the FedRAMP self-audit/assessment, to guide cloud providers through this type of system preparation.
- Find security controls to inherit: Cloud providers that don't operate their own data centers should look for opportunities to host their services with an existing FedRAMP-authorized cloud provider -- or inquire if their current hosting partner is FedRAMP-compliant -- which enables them to inherit some of the security controls the host already has in place. This reduces the assessment scope and avoids duplication of testing efforts. For example, a particular Software as a Service (SaaS) or Platform as a Service (PaaS) provider may be able to inherit security protection from an authorized Infrastructure as a Service (IaaS) environment on which it is hosted.
- Continuous monitoring: Cloud providers should implement strong, continuous security monitoring -- preferably based on a highly automated system -- early in the design and deployment of their cloud services. Doing so helps ensure the environment is ready for this important phase of the FedRAMP process, reduces long-term security compliance costs, and improves the provider's real-time security posture.
- Technical testing and sampling: Many cloud services comprise multiple technologies and many instances of each. Cloud providers should ensure that planning, preparation and testing are conducted on all technology types, and that both the FedRAMP PMO and the 3PAO have agreed on and clearly identified a sampling plan prior to the assessment.
- Tools: Cloud providers should ensure the automated tools the 3PAO uses to conduct the assessment and verify the continuous monitoring program are compliant with FedRAMP standards. These tools must also meet the configuration guidelines of the federal government and comply with additional FedRAMP requirements.
A cloud provider's selection of a 3PAO should be a thoughtful process. The right 3PAO can help guide the cloud provider through the preparation and documentation of FedRAMP, and the relationship between the cloud provider and 3PAO has the potential to become a long-term partnership. A well-prepared cloud provider can look forward to a smoother road to FedRAMP authorization and increased access to potential government clients.
This was first published in August 2012