FedRAMP Tailored: New Program for Cloud Service Providers (CSPs)

The Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, released FedRAMP Tailored on September 28, 2017. This new Baseline was designed and developed for Cloud Service Providers (CSPs) with Low-Impact Software-as-a-Service (LI-SaaS) Systems, supporting emerging technology as low-cost and low-risk industry solutions.

What is the Purpose of FedRAMP Tailored?

After collaboration with government digital service teams, the Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), the Joint Authorization Board (JAB) and third-party vendors, FedRAMP recognized the need to increase the existing program’s flexibility for quicker authorization and implementation of low-risk solutions.

FedRAMP Tailored is a policy and set of requirements to create a more efficient process for LI-SaaS providers to achieve a FedRAMP Agency Authorization to Operate (ATO), by achieving these three objectives:

  1. Streamline the authorization process for low-risk solutions including collaboration tools, project management applications, and open-source coding tools
  2. Standardize officials’ approach for measuring risks affiliated with authorizing LI-SaaS cloud applications
  3. Leverage cloud solutions for government use while ensuring security and privacy

Which Organizations Qualify?

To determine if an organization can be considered for FedRAMP Tailored, the CSP must first qualify as an LI-SaaS provider.

As defined by Federal Information Processing Standards Publication (FIPS PUB) 199 – Standards for Security Categorization of Federal Information and Information Systems, the CSP must be categorized as low impact. Agencies and CSPs can identify and verify the impact level based on the information type currently used within the cloud environment.

Low impact level cloud service systems are only permitted to have the minimum personally identifiable information (PII), which is needed for login capabilities. This PII includes username, email address, and password; any other information disqualifies the CSP as an LI-SaaS.

If a CSP offers login capabilities, FedRAMP recommends using an existing ATO-covered agency directory to ensure login-related PII is not contained in the LI-SaaS.

In addition, the LI-SaaS needs to either provide its own cloud infrastructure or host within a FedRAMP-authorized Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).

What are the Baseline Controls and Associated Tailoring Criteria?

FedRAMP Tailored provides a minimum set of control requirements; however, by law, the Agency Authorizing Officials have the final decision to require additional controls if deemed necessary to maintain compliance with policies and procedures.

FedRAMP currently utilizes the NIST Risk Management Framework (RMF) in determining security control baselines for organizations of all levels of impact. FedRAMP then uses NIST SP 800-37 to specify additional sets of security controls for LI-SaaS services based on the type of use and information placed within the system.

There are six categories of FedRAMP Tailored LI-SaaS Baseline controls based on the FedRAMP Low Impact Baseline that are required to be addressed by the CSP:

  1. FED – The control is typically the responsibility of the Federal Government, not the CSP.
  2. NSO – FedRAMP has determined the control does not impact the security of the Cloud SaaS.
  3. Document and Assess (Required) – The control must be documented in Appendix B (FedRAMP Tailored Mandatory Templates), and independently assessed. This does not mean that a vendor will necessarily have each control fully implemented or implemented as stated. A vendor must address how they meet (or do not meet) the intent of the control so that it can be independently assessed and detail any risks associated with the implementation.
  4. Document and Assess (Conditional) – If the condition exists, the control must be documented in Appendix B and independently assessed as above. If the condition does not exist, the CSP must attest to this in Appendix E (FedRAMP Tailored Self-Attestation Requirements).
  5. Inherited – Controls FedRAMP determined to be inherited from the underlying infrastructure provider (i.e., FedRAMP authorized IaaS/PaaS) for Low Impact Cloud SaaS.
  6. Attest – The control must exist; however, the CSP may attest to its existence in Appendix E. (No documentation or independent assessment is required).

Within those six categories, there are 128 FedRAMP tailoring criteria for the FedRAMP Low Impact Baseline controls, which are also listed with details in Appendix A (FedRAMP Tailored Security Controls Baseline). The tailoring process of baseline controls is only permitted within NIST SP 800-53 Revision 4.

When agencies are selecting the appropriate set of controls, it’s important to keep in mind that there are only two criteria for eliminating a security control from the baseline. The control is either exclusively federal, meaning it is the responsibility of the Federal Government, or the control does not directly impact the security of the LI-SaaS, which is determined by FedRAMP.

FedRAMP may also accept other certifications, including ISO 27001 and SOC 2 if the LI-SaaS provider offers an entire cloud stack.


The release of FedRAMP Tailored is another step towards efficiently and effectively addressing the security of cloud environments and the growing market. Through FedRAMP Tailored, government agencies can leverage emerging industry services and improve agility while maintaining security compliance.

As an accredited 3PAO, A-LIGN can help CSPs understand, navigate, and implement FedRAMP assessments based on their organization’s type and initiatives regardless of their readiness.

If you have any questions or if you would like to learn more about FedRAMP Tailored, please reach out to one of A-LIGN’s experienced assessors at info@a-lign.com or 1-888-702-5446.

HITRUST Updates: CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9

On March 1, 2017, HITRUST announced its roadmap for 2017, which included improvements to the HITRUST CSF and a renewed focus on smaller healthcare organizations.

The roadmap focuses on combating cyber threats and information risks while advancing protection standards regarding healthcare data through CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and CSF Assurance Program v9.


CSFBASICs

CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs, makes it easier for smaller businesses to realistically meet regulatory demands, in addition to protecting against cyber threats. These requirements are streamlined and easier to understand, enabling smaller companies to provide regulatory assurance to regulators and third parties.

This update is scheduled for availability in Q3 of 2017.

HITRUST CSF v8.1

HITRUST CSF v8.1 was made available February 6, 2017. Updates include support for PCI DSSv3.2 and MARS-E v2.


HITRUST CSF v9

The HITRUST CSF v9 update includes OCR Audit Protocol v2, FedRAMP Support for Cloud and IaaS Service Providers, and FFIEC IT Examination Handbook for Information Security.

The controls for HITRUST CSF version 9 will increase from 66 to 75. Clients that wish to certify against version 8.0 or 8.1 will need an assessment object already in MyCSF before the release of version 9. Then, the assessment must be submitted for processing within six months. There will be no exceptions to this policy.

HITRUST is ensuring relevant CSF control requirements align with the language of the Office for Civil Rights Audit Protocol. In addition, FedRAMP requirements will be incorporated. Version 9 includes new authoritative sources such as the Federal Financial Institutions Examination Council’s IT Examination Handbook – Information Security requirements, and the Department of Homeland Security’s Cyber Resilience Review (CRR). The HITRUST Threat Catalogue will fully integrate with v10 in 2018.

HITRUST CSF v9 is scheduled to be available in July 2017.


CSF Assurance Program v9

The CSF Assurance Program v9 changes so that a HITRUST CSF Assessment also includes a NIST Cybersecurity Framework certification, which includes auditable documentation in addition to a HIPAA risk assessment.

This program is scheduled for availability in Q3 2017.

Addressing Your HITRUST Needs

Unsure of how these updates could affect your organization? A-LIGN’s professionals have experience with healthcare organizations and their business associates. Please reach out today to discuss how CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and the CSF Assurance Program v9 could affect your organization in 2017 and beyond.

FedRAMP vs. FISMA: Choosing the Right Standard for Your Federal Clients

When pursuing federal clients or servicing existing federal clients, there are a number of unique compliance needs due to the sensitivity of federal information. Standards such as FedRAMP and FISMA exist to create consistent security standards for organizations seeking federal agency clientele. FISMA, or the Federal Information Security Management Act of 2002, is the standard specifically used for federal agencies who are seeking an ATO, or an authority to operate by government agencies.

FedRAMP, or the Federal Risk and Authorization Management Program, is a government program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

FedRAMP vs. FISMA: Similarities

FISMA and FedRAMP have similarities in that they both share the same standard, utilizing the same controls set within NIST 800-53. These controls include:

  • Access Controls
  • Awareness and Training
  • Audit and Accountability
  • Security Assessment and Authorization
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental
  • Planning
  • Personnel Security
  • Risk Assessment
  • System and Service Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Program Management

Additionally, both standards use the same requirements with the ability to offer prescriptive implementation levels depending on the risk within each system (low, moderate or high). Within each control family, the impact level and the number of controls tested can be broken down further. Below, you can review the number of controls tested at each impact level for both FISMA and FedRAMP.

[Figure: number of controls tested at each impact level for FISMA and FedRAMP]


Now that we understand the similarities between the two standards, let’s look at the differences.

FedRAMP vs. FISMA: Understanding the Differences

When becoming FISMA compliant, organizations are awarded an ATO from the specific federal agency to the organization, which is considered a one-to-one process. A one-to-one process means that each agency that an organization is seeking authorization from will have different requirements because of the unique needs that an agency may have, and thus multiple ATOs from multiple agencies must be maintained in order to keep those federal contracts. Thus, each authorization is done one at a time.

When becoming FedRAMP compliant, organizations are awarded an ATO that can be leveraged by any federal agency, which supports a “do once, use many” framework that provides a streamlined process for CSPs. FedRAMP, because of this framework, is more rigorous as it is intended to be used by any agency. In addition, FedRAMP is specifically designed with the needs of CSPs in mind, making it the appropriate assessment for cloud providers. Organizations are provided a P-ATO (provisional authorization to operate) or an ATO (authorization to operate) if a 3PAO, or third-party assessment organization, determines that the provider can demonstrate that the cloud services meet the baseline controls in FedRAMP. Once the 3PAO assesses and reviews the documentation, the results are submitted for final revision, at which time an organization is awarded a P-ATO or ATO.

Additionally, FedRAMP’s authorization program requires that cloud providers receive an independent security assessment conducted by a 3PAO, or third-party assessment organization. Federal organizations are required to utilize companies that are FedRAMP-authorized when purchasing cloud services.

Becoming NIST 800-53 Compliant

As an accredited 3PAO, A-LIGN is able to manage your security needs and help you decide which standard is the best fit for your company. Understanding the differences between FedRAMP and FISMA is the first step to deciding which standard is appropriate for your organization based on organization type and compliance goals.

Regardless of the assessment that is right for your organization, the NIST guidelines allow organizations to use cloud services with increased security and efficacy. Contact the A-LIGN team today to discuss the benefits of FISMA or FedRAMP for your organization.

If you have any questions on becoming compliant with NIST 800-53 standards, please reach out to one of A-LIGN’s experienced assessors at info@a-lign.com or 1-888-702-5446.

FedRAMP: Outline of Timeliness and Accuracy of Testing

As FedRAMP continues to emphasize the FedRAMP Accelerated program, which is meant to reduce approval time for the Joint Authorization Board (JAB), they have released additional guidance on the Timeliness and Accuracy of Testing Requirements.

FedRAMP Timeliness and Accuracy of Testing

There are three categories associated with testing in the authorization package:

  1. Penetration Testing
  2. Vulnerability Scanning
  3. Security controls testing

The FedRAMP Timeliness and Accuracy of Testing Requirements guidance documentation applies to the evidence requirements for JAB authorizations. The evidence within the authorization package is required before a Cloud Service Provider (CSP) enters into the FedRAMP JAB Provisional Authorization to Operate (P-ATO) process.

When an organization is granted a provisional authorization, rigorous testing is required to understand the risk posture of these cloud systems. Because of this, the testing must be indicative of the true risk inherent within the cloud system.

Penetration Testing Requirements

A Penetration Test is when a professional Penetration Tester attempts to exploit system vulnerabilities in a variety of different ways, such as through the use of automated scripts, social engineering, or other methods. This type of testing is used to find potential weaknesses within an information system. These Penetration Tests must comply with all FedRAMP guidance.


When beginning the JAB P-ATO process, an organization must submit their Penetration Test plan and a Penetration Test report from an accredited Third Party Assessment Organization (3PAO).

The timeliness requirements state that:

  • When submitting the completed authorization package to FedRAMP to start the JAB P-ATO process, the Penetration Test must have been conducted within the last six months. CSPs should ensure that their Penetration Test is conducted as close as possible to the submission of the authorization package.
  • Once a JAB P-ATO is granted, CSPs must complete a new Penetration Test by an accredited 3PAO annually.

The accuracy requirements dictate that:

  • The Penetration Test be reflective of the current security capabilities and services of the cloud system seeking authorization.
  • Should there be significant changes to the system being tested, the JAB may require a new Penetration Test.

Vulnerability Scan Requirements

A Vulnerability Scan consists of running an automated program that looks for vulnerabilities within your system. From there, potential vulnerabilities are documented. Vulnerability Scans provide evidence for organizations by continuously monitoring a CSP’s risk posture. FedRAMP requires that organizations complete Vulnerability Scans in compliance with FedRAMP guidance.


When beginning the JAB P-ATO process, the CSP must submit Vulnerability Scans provided by a 3PAO as part of the authorization package, with monthly scans also being provided by the CSP.

The timeliness requirements state that:

  • When submitting the authorization package, the scans completed by a 3PAO must be current within 120 days.
  • Additionally, CSPs must submit the scans and a Plan of Action and Milestones (POA&M) current within 30 days prior to the initiation date of the JAB P-ATO.

In lieu of accuracy requirements, the Vulnerability Scan requirements include monthly scanning requirements, which are as follows:

  • During the JAB P-ATO process, vendors must submit monthly Vulnerability Scans and matching POA&Ms.
  • These scans and POA&Ms are treated as continuous monitoring to identify all vulnerabilities (high, moderate and low) on a CSP’s system. These scans must demonstrate:
    • There are no late high vulnerabilities on the system that are open for more than 30 days from the discovery date.
    • The CSP provides a POA&M to remediate all open high vulnerabilities within the 30-day remediation timeframe.
    • The CSP must remain in compliance with applicable requirements.
    • These scans must use the same scan tools and configurations as those run by the 3PAO in the Security Assessment Report (SAR).

Security Controls Testing Requirements

FedRAMP Timeliness and Accuracy of Testing requires that CSPs complete security control implementation testing, as set in the FedRAMP baseline standards. Each control within the baseline must be tested by a 3PAO with the appropriate evidence and documentation in the authorization package.

The timeliness requirements state that:

  • When submitting the completed authorization package, security control testing must be current within 120 days if the system lacks existing FedRAMP agency authorization. If the organization has previously been authorized, it must be current within 12 months.

The accuracy requirements dictate that:

  • All of the security control testing must be indicative of the current implementations, and must be completed by the same 3PAO.

If a high vulnerability is found during the testing documented in the SAR, any high findings should be closed within 30 days. In order to close findings, 3PAOs can perform targeted scans or can gather evidence to verify the closure of the high vulnerability.

How does it affect you?

This update is intended to assist all CSPs in order to provide clear guidance on how long assessments will remain valid, which will assist them in planning with their 3PAOs.

Additionally, this ensures that the JAB has timely evidence collection when granting provisional authorization. All of these things work in conjunction with one another to improve the FedRAMP approval process.

For more information on the FedRAMP Timeliness and Accuracy of Testing requirements for the timeliness of evidence associated with an authorization package with the JAB, please reach out to info@a-lign.com to speak with one of our security professionals.

FedRAMP Accelerated

Author: Cheryl Zobel, Managing Consultant at A-LIGN.

FedRAMP, or the Federal Risk and Authorization Management Program, is a government program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The FedRAMP Program Management Office (PMO) has retooled the program, specifically to improve the processes in place and reduce approval times.

Cloud service providers (CSPs) will now have a readiness review up front, which will be conducted through a Third Party Assessment Organization (3PAO) in order to reduce approval time for the Joint Authorization Board (JAB). This also means that meetings with the JAB should happen more quickly. Previously, System Security Plan (SSP) approval time at its fastest was 5 and a half months, with approval more typically running between 9 and 18 months. FedRAMP has recognized that this timeframe could be improved, and the changes are designed to bring approval time down to 3 to 6 months. This 2.0 version focuses on optimizing the preapproval process to help reduce the time needed to approve cloud vendors. While the process should be sped up due to the anticipated changes, the rigor of the security assessments should remain unchanged.

Once the 3PAO has conducted the readiness assessment and given passing marks, the JAB will review that information and, upon confirmation, declare the CSP FedRAMP ready. FedRAMP ready organizations have had their documentation reviewed by the FedRAMP PMO and have gone through the readiness review process. This program allows potential agencies and authorizing officials to go through the assessment and authorization process to become compliant more quickly.

FedRAMP has made the documents “FedRAMP Readiness Assessment Report Template” and the “FedRAMP Readiness Assessment Guidance for CSPs and 3PAOs” available here for public comment until April 29, 2016.

Some of the major benefits include:

  • Providing a uniform approach to risk-based security management.
  • Enhancing transparency between government and cloud service providers.
  • Improving the trustworthiness, reliability, consistency, and quality of the Federal security authorization process.

If you have questions regarding FedRAMP or how this update may impact your specific environment, please contact A-LIGN at info@a-lign.com or 1-888-702-5446.

FedRAMP Releases Updated Logo & FedRAMP Forward

FedRAMP℠ has released their newly redesigned logo in coordination with the release of “FedRAMP Forward: 2 Year Priorities.” FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
