Your organization sees an opportunity to sell its Cloud Service Offerings (CSOs) to US Government Agencies. Now what? While nothing in the FedRAMP standard prohibits Cloud Service Providers (CSPs) from diving head first into a full authorization assessment, is that really a smart play?
Enter FedRAMP Ready, a preliminary designation that allows CSPs to join the FedRAMP Marketplace and have their CSO highly visible to all federal agencies who are actively researching cloud services that meet their organizational requirements.
While becoming FedRAMP Ready is not a guarantee that a CSP will become authorized, it does provide the government a clearer understanding of a CSP’s technical capabilities. Additionally, being FedRAMP Ready is a heavily weighted criteria to be selected to work with the JAB toward a P-ATO. So, how does this work?
Why should organizations care about FedRAMP Ready?
Understandably, while “spend money to save money” may be a valid argument, it certainly isn’t a compelling sales tactic. Fortunately, the FedRAMP PMO realized that to fulfill its mission of accelerating the federal government’s adoption of secure cloud solutions, they needed to incentivize the process for CSPs.
As a result, the FedRAMP PMO created the FedRAMP Marketplace, a searchable, sortable database of all cloud services that are FedRAMP authorized, FedRAMP Ready, or In Process for an authorization.
This benefit transforms FedRAMP Ready into a valuable marketing investment rather than yet another line item eating away at the security and compliance budget. For CSPs with dreams of seeing their CSO in use by all federal agencies, FedRAMP Ready will be essential.
A Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) allows all agencies to leverage your organization’s authorization package, and to be considered, a CSP must have an approved RAR. Annually, only 12 CSOs are selected for JAB review and holding a FedRAMP Ready designation is one of the three major prioritization criteria that the FedRAMP PMO uses for selection.
Partner with a 3PAO to maximize your investment
To receive a FedRAMP Ready designation, a Third Party Assessment Organization (3PAO) must assess a CSP’s CSO and attest to its readiness for the authorization process.
- During the assessment, the 3PAO completes a Readiness Assessment Report (RAR), which outlines a CSP’s capability to meet FedRAMP security requirements.
- If the CSP wishes to pursue the FedRAMP Ready designation, the RAR will be submitted to and reviewed by the FedRAMP Program Management Office (PMO).
- If the PMO is in agreement with the 3PAO’s attestation, the CSP will be formally approved for the FedRAMP Ready designation. FedRAMP Ready is designation that can only be granted for Moderate and High impact CSOs.
FedRAMP authorization assessments intend to increase confidence in the security of cloud solutions that process and support the nation’s most critical information and missions.
As a result, the FedRAMP authorization process is a far cry from a rubber stamp compliance exercise. Your organization will need to invest significant resources, in both people and capital, to be successful. These costs create significant incentives for CSPs to ensure they conduct an assessment accurately and effectively on the first try.
Whether your organization decides to use the a RAR as an informal gap report, or intends to submit the results to the FedRAMP PMO, partnering with a 3PAO to conduct an assessment will allow your organization to identify and remediate deficiencies in a lower stress setting. Make your mistakes during the practice test, not the final exam.
Where should you start?
FedRAMP Ready takes time. Time is money and money drives business decisions. Your organization should first examine the FedRAMP Marketplace to better understand the Federal Government’s need for your offering.
Take some time to scroll through the list of CSOs on the Marketplace. Do you notice any of your direct competitors or their solutions listed? If not, it’s your lucky day. As the only CSP with a particular CSO, all eyes will be on you. For some context, visit USA.gov and take a look at the A-Z Index of U.S. Government Departments and Agencies.
Consider the time it would take a sales person to cold call each Agency on the list. Now picture each of those Agencies coming directly to you. With a FedRAMP Ready designation, this dream sales scenario could become a reality.
The idea behind FedRAMP Ready is you demonstrate to agencies that you have a CSO that has the capability to pass authorization. When agencies need new products the FedRAMP marketplace is one of the first places to check because they can acquire a CSO significantly faster.
Keep in mind, the scenario above is only possible if your CSO is successful in attaining a FedRAMP Ready designation. To ensure your product and team will be ready for the assessment, you will need Executive buy in. FedRAMP Ready must be prioritized as a key business objective. It cannot be attained with spare minutes and hours left over at the end of a workday.
Executive buy-in will be most easily obtained with a clear, favorable cost benefit analysis. CSPs must weigh the combined costs of the assessment, advisory services, technical remediation, continuous monitoring activities and personnel hours, against the revenue potential from partnerships with Federal Agencies.
Once the Executive level is on board and willing to grant the project the proper resources needed for success, the first task to complete is the development of a System Security Plan (SSP). The SSP sets the foundation for all system design and security control implementations.
In documenting the SSP, your organization will be able to highlight the CSOs strengths and weaknesses, and the organization will have a better understanding of the system functionality, FedRAMP requirements and the NIST SP 800-53 controls.to better document the system design and controls.
Preparing for a FedRAMP Readiness Assessment
First and foremost, no vaporware allowed. A 3PAO cannot assess what does not exist. Ensure your CSO is fully operational, preferably in production for 30 days before any assessment activities so that your organization has had enough time to work out any new system quirks.
Once you are confident the CSO is running smoothly, be sure your organization has clear understanding of the following five key areas of focus. If you followed the recommendation in the section above and created a SSP, you will have already addressed these areas:
Outlined in Section 4.1 of the Readiness assessment report, these Federal requirements are applicable to all FedRAMP authorized systems and all requirements must be met for the FedRAMP Ready Designation:
- Are FIPS 140-2 Validated cryptographic modules consistently used where cryptography is required?
- Can the system fully support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials?
- Is the system operating at Digital Identity Level 2 (for Moderate) or Level 3 (for High)?
- Does the CSP have the ability to consistently remediate high vulnerabilities within 30 days, moderate vulnerabilities within 90 days, and low vulnerabilities within 180 days?
- Does the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements? [https://www.archives.gov/records-mgmt/grs; PL 104-231, 5 USC 552]
- Does the system’s external DNS solution support DNS Security (DNSSEC) to provide origin authentication and integrity verification assurances? Please note: FedRAMP may consider alternative implementations for DNSSEC. Be sure to describe an alternative implementation for DNSSEC in the Executive Summary section
You cannot protect what you have not identified. An authorization boundary provides a full picture of a system’s internal components to a Cloud Service Provider (CSP) along with connections to external services and systems, accounting for all Federal information and metadata that flows through a system.
A 3PAO will perform discovery scans during the FedRAMP Readiness assessment that should be aligned with your organization’s definition of the environment. Per Section 3.1, Authorization Boundary, of the Readiness Assessment Report: Ensuring authorization boundary accuracy in the RAR is critical to FedRAMP authorization activities.
Inaccuracies within the RAR may give authorizing officials and FedRAMP grounds for removing a CSP from assessment and authorization activities.
- Further guidance on Authorization Boundary Definition can be found on the FedRAMP Website: Determining Your FedRAMP Boundary Definition
As Albert Einstein said, “If you can't explain it to a six year old, you don't understand it yourself.” The Authorization Boundary comprises multiple mediums of depicting the scope of the system. Providing a clear description, free from all marketing language, sets the stage for a third party’s understanding of your CSO.
During the review process, ambiguity is interpreted as deficiency until proven otherwise. Accuracy, however, breeds confidence. The clearer this description is and the closer it mimics the network and data flow diagrams, the better. This exercise not only gives third parties confidence in your organization, it will ensure your staff also have an unshakable understanding of the environment.
As mentioned above, the network and data flow diagrams are another key medium of the Authorization Boundary definition.
- Include a clearly defined authorization boundary that accounts for the flow of all federal information, data, and metadata through the system
- Clearly identify anywhere Federal data is to be processed, stored, or transmitted
- Clearly delineate how data comes in to and out of the system boundary, including data transmitted to/from all external systems and services
- Clearly identify data flows for privileged, non-privileged, and customer access
- Depict how all ports, protocols, and services of all inbound and outbound traffic are represented and managed
An Authorization Boundary definition is valuable, but only if it is accurate. Imagine installing new deadbolts and getting robbed because you forgot to lock them. This is the part of the assessment where a 3PAO would check those shiny new locks are functioning as intended.
During the assessment the 3PAO is required to base the assessment of separation measures on strong evidence, such as the review of any existing penetration testing results, or an expert review of the products, architecture, and configurations involved.
Prior to the assessment, a penetration test, performed by a qualified individual or third party, is highly recommended. If your organization chooses to forego a penetration test, you must provide other forms of compelling evidence that clearly demonstrate segmentation functions effectively, exactly as described in narratives and diagrams.
When can we start?
Why not now? Please visit www.nccgroup.com for more information on NCC Group’s Federal service offerings. Call us at +1-800-813-3523 to learn how our 3PAO team can provide expert assessment or the advisory services that are essential to meet your unique needs