5 Common Pitfalls when Pursuing FedRAMP Authorization

“What are the common reasons Cloud Service Providers (CSPs) fail to achieve a FedRAMP Authority to Operate (ATO) in a timely manner?”

At Schellman, we get this question a lot, and as such, we’ve put together a concise list of five of the most common pitfalls noted throughout our experience in performing initial FedRAMP assessments for more than 50 Cloud Service Offerings (CSOs), as well as ways to avoid them.

1. Agency Sponsor – While having an agency involved is more or less a given, not having an engaged agency sponsor can hamper the CSP's ability to get the assessment off the ground, let alone reach authorization.

Though Joint Authorization Board (JAB) endorsement is an option via the FedRAMP Connect program, almost all CSPs pursue the agency sponsor/authorization path for their initial authorization. When pursuing authorization, it is important for CSPs to have an open and active line of communication with their agency sponsor in order to understand the agency's risk tolerance and which risks the agency is willing to accept. Specifically:

a. An agency sponsor is a must-have to move forward with the assessment. The FedRAMP Ready designation is the only vehicle available to CSPs that do not yet have an agency sponsor.

b. Communication between the CSP and FedRAMP Program Management Office (PMO) is also important. 

i. CSPs are encouraged to reach out to the PMO directly via info@fedramp.gov

ii. CSPs can set up a kickoff meeting before formal assessment activities are conducted so the PMO can understand the CSO's architecture and the CSP personnel involved in the process. The FedRAMP PMO can be a great resource for answering specific questions and getting ahead of potential roadblocks related to the FedRAMP process.

2. Consulting / Advisory Partner – When CSPs move forward in building a system and/or undergoing a FedRAMP assessment without the appropriate expertise in building and launching a FedRAMP environment, the result is often re-architecture, retesting, and delay.

It is important to engage early in the process with a partner who has significant experience in the FedRAMP space, especially prior to the system design phase.  While some larger organizations may already have in-house experience, many rely on additional consulting partners who can help in several ways, including:

a. Proactively avoiding delays for re-architecture or retesting caused by control interpretations that the CSP did not consider or misinterpreted.

b. Assisting in the time-consuming yet critical process of creating and documenting the System Security Plan (SSP) and its 13 attachments.

c. Sharing their expertise on the nuances of FedRAMP and the knowledge gained from an established relationship with the FedRAMP PMO, which often includes the latest guidance from the PMO, including information that may not yet be formally published.

d. Saving time and money. Even though a consulting partner is an added expense for the CSP, engaging one early will likely save time and money over the course of the process.

*Note that Schellman is a Type A, assessment only, Third Party Assessment Organization (3PAO). We do not perform consulting or advisory services and do not endorse any specific advisory firm.

3. Authorization Boundary – In some cases, CSPs will design a system without fully understanding and incorporating the FedRAMP Authorization Boundary Guidance.

a. During the system design phase, CSPs should review every external dependency and system interconnection. Each of these should be documented, including a description of the service, where it is hosted, its compliance status (FedRAMP ATO, ISO certified, etc.), what data is transmitted/stored/processed, how the data is secured in transit, any risks to Confidentiality, Integrity, and Availability (CIA), and any mitigating factors the CSP has in place. External services and interconnections to systems that are not FedRAMP authorized can cause issues with authorization, particularly at the higher impact levels.

b. CSPs tend to encounter difficulties with the authorization boundary when attempting to bring minimally modified commercial systems through the FedRAMP process. However, creating a standalone FedRAMP system or segregating a separate FedRAMP zone are other options that tend to be successful from an authorization boundary perspective.  The goal should be to limit the scope of the FedRAMP environment to make it easier to secure, manage, and meet the FedRAMP guidance.

c. All dataflows, both crossing the boundary and inside the boundary, should be documented and secured in accordance with FedRAMP requirements. For each dataflow or access path, it is important to consider FIPS 140-2 validated encryption, multifactor authentication, auditing, and the relevant access controls.

4. Vulnerability Scanning - While CSPs typically know that vulnerability scanning needs to be performed at three layers—operating system / infrastructure, web application, and database—they are often surprised by the importance of vulnerability scanning and timely remediation required by FedRAMP.  Specifically, that:

a. Scans must be performed in an authenticated (credentialed) manner, with all plugins enabled, for all hosts in the authorization boundary. The results also need to be available in an acceptable format (e.g., .nessus, CSV, XML).

b. Database vulnerability scans can sometimes be difficult to implement based on the architecture of the CSO. FedRAMP is looking for “compliance scans” performed on databases against CIS L1 benchmarks (or DISA STIGs). Database vulnerability scans must authenticate to and scan the database itself, not the underlying OS that the database runs on, as the OS is already captured in the environment-wide OS vulnerability scans.

c. Every open vulnerability discovered in vulnerability scans at the end of the FedRAMP assessment (whether overdue or not) is reported in the Security Assessment Report (SAR).

d. Deviation requests for potential operational requirements (ORs), false positives (FPs), or risk adjustments (RAs) must be formally documented in the Plan of Action and Milestones (POA&M) and the FedRAMP Vulnerability Deviation Request Form.
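The checks above (credentialed scans, every open finding in the SAR, deviation requests tracked in the POA&M) are easy to apply to a scanner's CSV export. The following is an added example, not Schellman's or FedRAMP's tooling: it parses a constructed CSV export (hosts, plugin IDs, and dates are made up) and buckets findings the way a SAR/POA&M review would. The remediation timelines (High 30 days, Moderate 90 days, Low 180 days from discovery) are the FedRAMP Continuous Monitoring timelines; the column names are an assumption about the export format and would need to be mapped to your scanner's actual headers.

```python
"""
Bucket vulnerability-scan findings for a FedRAMP SAR / POA&M review.

Added example (not FedRAMP's or Schellman's code). The CSV column layout
is an assumption; map it to your scanner's real export headers.
"""
import csv
import io
from datetime import date, timedelta

# FedRAMP Continuous Monitoring remediation timelines, in days from the
# date the finding was first discovered.
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}

# Constructed sample export; hostnames, plugin IDs and dates are made up.
# "layer" is one of os / web / database, matching the three scan layers.
SAMPLE_CSV = """host,layer,plugin_id,severity,first_seen,credentialed,deviation
web-01,os,10001,High,2023-01-02,yes,
web-01,os,10002,Low,2022-11-15,yes,
web-01,web,30001,High,2023-01-25,yes,operational_requirement
db-01,os,10003,Moderate,2023-02-20,no,
db-01,database,20001,Moderate,2022-12-01,yes,false_positive
"""


def parse_scan(text):
    """Parse a scanner CSV export into a list of finding dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def due_date(finding):
    """Remediation due date for a finding, based on its severity."""
    first_seen = date.fromisoformat(finding["first_seen"])
    return first_seen + timedelta(days=REMEDIATION_DAYS[finding["severity"]])


def summarize(text, as_of_iso):
    """Return the buckets a SAR / POA&M review needs, as of the given ISO date.

    Every open finding is reported in the SAR whether or not it is overdue;
    a claimed FP / OR still needs a deviation request and a POA&M entry, and
    a pending request does not by itself close the finding.
    """
    as_of = date.fromisoformat(as_of_iso)
    report = {
        "open": [],                # all open findings -> SAR
        "overdue": [],             # past the ConMon timeline as of `as_of`
        "deviation_requests": [],  # FP / OR claims needing a deviation form
        "unauthenticated": [],     # non-credentialed scans: evidence incomplete
    }
    for f in parse_scan(text):
        key = (f["host"], f["layer"], f["plugin_id"])
        report["open"].append(key)
        if f["credentialed"].strip().lower() != "yes":
            report["unauthenticated"].append(key)
        if f["deviation"].strip():
            report["deviation_requests"].append((key, f["deviation"].strip()))
        # Due on the last day is still on time; overdue starts the day after.
        if as_of > due_date(f):
            report["overdue"].append(key)
    return report


if __name__ == "__main__":
    for bucket, items in summarize(SAMPLE_CSV, "2023-03-01").items():
        print(f"{bucket}: {items}")
```

Run as-is to see the buckets for the sample data; swap in your own export and assessment date to produce the overdue list that will show up in the SAR regardless of any pending deviation request.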

Additional resources and information regarding FedRAMP vulnerability scanning can be found in these Schellman blogs – one, two, and three.

5. Penetration Test - Many times CSPs push back on certain attack vectors or are not content with the language of the authorization letter; however, it is important to conduct the penetration test in accordance with the FedRAMP guidance and without delay. A penetration test that is late, incomplete, or unsatisfactory, or that leaves high-severity findings open, can significantly impact the SAR and the ultimate FedRAMP ATO decision.

In order to avoid this:

a. CSPs should familiarize themselves with the FedRAMP penetration test guidance and the related Schellman penetration test blog post well before beginning a FedRAMP assessment. CSPs should also begin coordinating with and informing corporate IT and legal personnel regarding the overall penetration test: the legal team is typically involved in reviewing the penetration test authorization letter, while corporate IT assists with the attack vectors in which the corporate environment is leveraged to gain access to the FedRAMP environment. Ensuring all parties are aware of their roles and the penetration test activities that will be conducted can help prevent delays to the overall assessment timeline.

b. CSPs should remember and use their ability to correct findings during the assessment and before it is completed. Because agencies typically will not accept a package with an open high-severity penetration test finding, this ability is incredibly beneficial for findings that are of high severity or are easily fixed.

About the Author

Kevin Carr

Kevin Carr is one of the FedRAMP Managers in charge of the day-to-day operations of the FedRAMP practice. He has led 30+ FedRAMP security assessments for a variety of clients in different cloud environments. He has six years of experience testing and implementing controls against the NIST baseline. Kevin specializes in cloud architecture, specifically AWS.
