How Technology Helps Cloud Service Providers Achieve FedRAMP Certification

Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, team up to discuss how technology can make your journey to FedRAMP certification a more streamlined process, saving you time and resources.

FedRAMP was designed to provide a cost-efficient and risk-based approach to cloud adoption for federal departments and agencies. The creation of the FedRAMP security assessment framework was based on the Risk Management Framework (RMF) that implements the FISMA (Federal Information Security Modernization Act) requirements and NIST SP 800-53. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring specifically for cloud products and services relied upon by federal entities that store, process, and transmit federal information.

With technology now playing a major role in compliance assessments across the board, FedRAMP is no exception.  Technology allows organizations to quickly prepare for an assessment and conduct multiple assessments to streamline the compliance process.  Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, had a chance to sit down and discuss common compliance challenges with technology, automation’s role in infrastructure and environment, and how technology maintains compliance.  Let’s dive into their thoughts on how technology helps cloud service providers (CSPs) to achieve FedRAMP certification!

Preventing common compliance challenges with technology

While technology is not a silver bullet to FedRAMP compliance, it is an enormous value-add and huge success factor towards saving time.  Technology can not only help to better prepare you for your assessment but also drastically decrease the deduplication of efforts throughout the assessment process.  Let’s review five common compliance challenges and how technology can help to alleviate many of the pain points.

1. Documentation

An incredible amount of documentation is required for FedRAMP certification, including supporting information, evidence, boundary diagrams, and the information about the system itself.  Not only does your organization need all the technical requirements that meet the NIST 800-53 controls and FedRAMP requirements, but you must also detail the process in writing.  This effort can quickly become repetitive.  “You are required to use the FedRAMP SSP template that is more than 300 pages in length,” said Tony.  “When it’s properly populated with the diagrams, control implication statements and more, the document can easily balloon up to 750 to 1,000 pages in length, depending on the scope and complexity of the system.  I recommend reviewing FedRAMP’s initial authorization checklist that includes all of the documentation a CSP needs to provide when submitting for their authorization review.”

2. Interconnected Systems

It’s critical to understand how your organization is protecting data at its endpoints- more specifically, from where the data originated and to where it’s flowing.  If you’re working to earn a FedRAMP authorization, it’s important to note that anytime that data is passing across the boundary to a third-party service, it’s at least preferred they be FedRAMP authorized at the same level.  “We often see clients who want to use other commercial cloud systems, but FedRAMP JAB P-ATOs can only connect to other FedRAMP JAB P-ATO systems,” said Emily.  “With agency authorizations, there will be more options for connections to other clouds, but they must still adhere to a high level of other compliance standards.”

3. Encryption

Many organizations understand encryption is the key to keeping sensitive information secure, but there are many options in the modules and algorithms to choose from – many without an established standard. CSPs looking to obtain FedRAMP authorization must comply with the FIPS 140-2 standard, by using validated encryption modules, and understanding FIPS 140-2 usage requirements.

4. Continuous Monitoring

After earning a FedRAMP certification, the NIST 800-137 guideline dictates that your organization must continue to monitor the cloud service offering.  This helps to validate if the security controls are implemented correctly, performing as they should, and meet all FedRAMP baselines.  This will detect if any changes have occurred in the security posture of the system and assess your level of risk.

5. Data Collection for Multiple Assessments

Going through the FedRAMP assessment process means you’ll have to collect a great deal of data to prove that your organization is compliant.  Within the FedRAMP Moderate certification, there are 325 controls for data collection and many of these can require multiple pieces of evidence.  “It is not unusual to need 500 to 1,000 pieces of evidence, depending on your systems’ level of complexity,” said Emily.  “If you scale this requirement for data collection across multiple assessments, it becomes an enormous pain point.”

Many organizations do not have a dedicated compliance team on staff.  In a multiple assessment scenario, it becomes nearly impossible to keep up with the different compliance standards and the plethora of evidence to be collected.  It becomes critical to find technology, such as auditing software, that creates a smoother process to save both time and budget.  “To help manage this for our customers, Anitian has  built-in automated evidence collection to help alleviate this pain point,” said Emily.  “It is able to dynamically generate all the technical evidence from our platform that is required for a FedRAMP audit.  We have found this to really help customers accelerate a complex process.”

Automation’s role in infrastructure and environment

Both Anitian and A-LIGN provide compliance platforms that can assist with the assessment process. Anitian, offers a solution specific to preparing for FedRAMP.  “When it comes to building an environment, there’s really three main stages,” said Emily.  “First, all of the infrastructure needs to be stood up.  Second, the infrastructure needs to be configured and behaving as expected.  Third, there is a need for continuous compliance and security.”

In the first phase, Anitian uses infrastructure as code in their Compliance Automation Platform, that is prebuilt for a FedRAMP Moderate environment. The Compliance Automation Platform deploys quickly and seamlessly and is built on a collection of best-in-breed technology.

In the second phase, not all of the FedRAMP controls (325 total) can be answered by technology.  There are many controls that lean toward policies and procedures and must be answered by the organization going through the assessment.  For example, “how do you train new hires?”, “do you require background checks?”, “what is your business continuity plan?”.  Even through there is a human element to a portion of the second phase, technology helps to aid in the application requirements.

In the third phase, Anitian will securely monitor your data using a technology to threat hunt, perform incident response, check compliance and provide POAM reporting.  As part of their security operations phase, Anitian will also provide a 24×7 SecOps Stack.

The role of technology in assessments and compliance

Earning a FedRAMP certification is a heavy lift that requires many resources.  Once an organization believes they are ready to conduct their assessment, A-SCEND, A-LIGN’s end-to-end compliance management platform, comes into play.  “If your organization is pursuing multiple assessments, you do not want to spend the time and resources uploading the same documentation again and again,” said Tony.  “A-SCEND allows you to use the same tool to collect evidence to conduct assessments- centralizing documentation, policies and procedures to streamline the assessment process.”  By centralizing evidence collection and standardizing requests, A-SCEND makes it possible to consolidate multiple audits into a single annual audit.

What’s next?

The FedRAMP program is continuously evolving and rightfully so.  “You need a compliance framework to keep up with the industry’s technology trends,” said Emily.  “Your organization needs partners and technology that understand the requirements and can provide insight into FedRAMP throughout all phases of the assessment.”

“It’s every client’s decision on what role technology will play in their assessment process,” said Tony.  “FedRAMP is a large lift for any CSP and technology can greatly help your organization when preparing and going through the assessment process.”  Being FedRAMP Authorized offers a CSP numerous benefits, such as improved real-time security visibility and providing a uniform approach to risk-based management.  Your organization will save significant cost, time and resources by de-duplicating efforts related to meeting federal cybersecurity requirements.  Additional benefits include:

  • New revenue opportunities
  • Increased re-use of existing security assessments across agencies
  • Enhanced transparency between government and CSPs
  • Improved trustworthiness, reliability, consistency and quality of the Federal security authorization process

Learn more about how A-LIGN and Anitian can help CSPs achieve a FedRAMP Ready and/or a FedRAMP Authorized status from application security to certification.

Reach out to one of A-LIGN’s experienced assessors at [email protected] or 1-888-702-5446 or contact Anitian at [email protected] or 1-888-264-8426.