What agencies need to know when working with a FedRAMP-approved vendor
- By Bob Ainsbury
- May 16, 2016
FedRAMP is getting a lot of press lately, and for good reason: The Federal Risk and Authorization Management Program raises the bar on the confidentiality, integrity and availability of data hosted in cloud solutions. The result is more reliable systems where citizen and agency data is significantly safer and more secure.
To date, much of the press coverage has centered on cloud vendors announcing the status of their FedRAMP-iness, but that’s only half of the story -- the boring half. The other half is about the agencies and the obligations they have under FedRAMP.
Before exploring agency obligations, it helps to understand the underpinnings of FedRAMP -- namely, a suite of security requirements. These requirements have been evolving for more than two decades and are grounded in the pioneering work at the National Institute of Standards and Technology (NIST). The entire FedRAMP ecosystem is designed to ensure compliance with these security requirements as applied to cloud service providers (CSPs). CSPs have to complete a thorough security package. Arguably, the two most important documents in that package are the System Security Plan (SSP) and the Security Assessment Report (SAR).
The SSP details how all the adopted security controls (or safeguards) are met, and the SAR, prepared by an independent security auditor accredited by FedRAMP, confirms whether or not the organization is indeed following those controls. Every SSP includes a set of controls that cover everything from how frequently the CSP conducts background checks, to what the CSP does in the case of a catastrophic datacenter failure, to how the organization monitors system access to quickly identify signs of attack and unauthorized access.
It’s worth noting that the specific details of each control vary from vendor to vendor. Further, some agencies that have unique security risks or data sensitivity need to add NIST control requirements beyond the minimum control baseline mandated by FedRAMP. Compliance with the controls is dominated by the obligations of the cloud provider, but many controls also include important requirements that agencies must follow. By way of comparison, the most advanced home security system is only effective if the home occupants follow good security practices: If they leave the key under the welcome mat, security can be easily compromised. The same goes for agencies: If they allow past employees to keep their credentials after departure, security is clearly undermined.
The agency obligations are not onerous, but compliance is critical. Obligations can vary from agency to agency and vendor to vendor, but the majority are very consistent, logical and easily followed without serious disruptions to productivity or business processes.
There are typically three broad areas of controls where the agency carries compliance responsibility: user management, privacy and training.
It should be no surprise to learn that system users represent a major class of vulnerability, so FedRAMP provides a number of controls related to user access. Consequently, the agency has a responsibility to manage who has access to its cloud system, to know what privileges they have within the system and most important, to disable accounts when employees no longer require the access. In addition, there are mandatory access control rules requiring two-factor authentication either through a phone or using personal identity verification cards through the Office of Management and Budget’s MAX program. Other controls may also define whether access is restricted to certain IP addresses or certain times of the day, who can view what data, and so forth.
Each agency must develop and adhere to data privacy policies. Put simply, they must document what information can be stored, shared and with whom. The number of controls is influenced by the sensitivity and breadth of data that the system manages. The data privacy policies also reflect and enforce the data privacy commitments that are provided to people/organizations whose data is captured.
Yes, there are more controls focused on those humans. The training category of controls ensures that all employees who have access to the cloud solution understand the agency’s policies. This training should embrace user management and privacy but can expand into other areas as the agencies see fit. Agencies might include rules on account or password sharing, supervisory responsibilities for system admins, laptop management and the like.
Security always includes shared responsibilities between users and the vendor. Even though a bank might have excellent security controls, users can still put their financial data at risk if they aren’t careful. It’s just the same for agencies. FedRAMP ensures that the vendor and the agency take strong measures to protect the confidentiality, integrity and availability of the ever-growing base of cloud solutions serving government and citizens.
In closing, if you work in or advise a federal agency, make sure that all of your cloud providers are FedRAMP authorized (it’s mandatory for all federal agencies), and make sure that you understand your agency’s responsibilities and obligations. If you work in state or local government, your interests, and the interests of the people you serve, would be well-served by adopting CSPs that follow the FedRAMP standards. Several states have even begun to mandate FedRAMP compliance.
Bob Ainsbury is the chief operating officer at GovDelivery.