How Technology Helps Cloud Service Providers Achieve FedRAMP Certification

 



Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, team up to discuss how technology can make your journey to FedRAMP certification a more streamlined process, saving you time and resources.


FedRAMP was designed to provide a cost-efficient and risk-based approach to cloud adoption for federal departments and agencies. The creation of the FedRAMP security assessment framework was based on the Risk Management Framework (RMF) that implements the FISMA (Federal Information Security Modernization Act) requirements and NIST SP 800-53. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring specifically for cloud products and services relied upon by federal entities that store, process, and transmit federal information.

With technology now playing a major role in compliance assessments across the board, FedRAMP is no exception. Technology allows organizations to quickly prepare for an assessment and conduct multiple assessments to streamline the compliance process. Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, had a chance to sit down and discuss common compliance challenges with technology, automation’s role in infrastructure and environment, and how technology maintains compliance. Let’s dive into their thoughts on how technology helps cloud service providers (CSPs) to achieve FedRAMP certification!


Preventing common compliance challenges with technology

While technology is not a silver bullet to FedRAMP compliance, it is an enormous value-add and huge success factor towards saving time. Technology can not only help to better prepare you for your assessment but also drastically decrease the deduplication of efforts throughout the assessment process. Let’s review five common compliance challenges and how technology can help to alleviate many of the pain points.

1. Documentation

An incredible amount of documentation is required for FedRAMP certification, including supporting information, evidence, boundary diagrams, and the information about the system itself. Not only does your organization need all the technical requirements that meet the NIST 800-53 controls and FedRAMP requirements, but you must also detail the process in writing. This effort can quickly become repetitive. “You are required to use the FedRAMP SSP template that is more than 300 pages in length,” said Tony. “When it’s properly populated with the diagrams, control implication statements and more, the document can easily balloon up to 750 to 1,000 pages in length, depending on the scope and complexity of the system. I recommend reviewing FedRAMP’s initial authorization checklist that includes all of the documentation a CSP needs to provide when submitting for their authorization review.”


2. Interconnected Systems

It’s critical to understand how your organization is protecting data at its endpoints- more specifically, from where the data originated and to where it’s flowing. If you’re working to earn a FedRAMP authorization, it’s important to note that anytime that data is passing across the boundary to a third-party service, it’s at least preferred they be FedRAMP authorized at the same level. “We often see clients who want to use other commercial cloud systems, but FedRAMP JAB P-ATOs can only connect to other FedRAMP JAB P-ATO systems,” said Emily. “With agency authorizations, there will be more options for connections to other clouds, but they must still adhere to a high level of other compliance standards.”

3. Encryption

Many organizations understand encryption is the key to keeping sensitive information secure, but there are many options in the modules and algorithms to choose from – many without an established standard. CSPs looking to obtain FedRAMP authorization must comply with the FIPS 140-2 standard, by using validated encryption modules, and understanding FIPS 140-2 usage requirements.

4. Continuous Monitoring

After earning a FedRAMP certification, the NIST 800-137 guideline dictates that your organization must continue to monitor the cloud service offering. This helps to validate if the security controls are implemented correctly, performing as they should, and meet all FedRAMP baselines. This will detect if any changes have occurred in the security posture of the system and assess your level of risk.

5. Data Collection for Multiple Assessments

Going through the FedRAMP assessment process means you’ll have to collect a great deal of data to prove that your organization is compliant. Within the FedRAMP Moderate certification, there are 325 controls for data collection and many of these can require multiple pieces of evidence. “It is not unusual to need 500 to 1,000 pieces of evidence, depending on your systems’ level of complexity,” said Emily. “If you scale this requirement for data collection across multiple assessments, it becomes an enormous pain point.”

Many organizations do not have a dedicated compliance team on staff. In a multiple assessment scenario, it becomes nearly impossible to keep up with the different compliance standards and the plethora of evidence to be collected. It becomes critical to find technology, such as auditing software, that creates a smoother process to save both time and budget. “To help manage this for our customers, Anitian has built-in automated evidence collection to help alleviate this pain point,” said Emily. “It is able to dynamically generate all the technical evidence from our platform that is required for a FedRAMP audit. We have found this to really help customers accelerate a complex process.”
Automation’s role in infrastructure and environment

Both Anitian and A-LIGN provide compliance platforms that can assist with the assessment process. Anitian, offers a solution specific to preparing for FedRAMP. “When it comes to building an environment, there’s really three main stages,” said Emily. “First, all of the infrastructure needs to be stood up. Second, the infrastructure needs to be configured and behaving as expected. Third, there is a need for continuous compliance and security.”

In the first phase, Anitian uses infrastructure as code in their Compliance Automation Platform, that is prebuilt for a FedRAMP Moderate environment. The Compliance Automation Platform deploys quickly and seamlessly and is built on a collection of best-in-breed technology.

In the second phase, not all of the FedRAMP controls (325 total) can be answered by technology. There are many controls that lean toward policies and procedures and must be answered by the organization going through the assessment. For example, “how do you train new hires?”, “do you require background checks?”, “what is your business continuity plan?”. Even through there is a human element to a portion of the second phase, technology helps to aid in the application requirements.

Read Continue at – How Technology Helps Cloud Service Providers Achieve FedRAMP Certification

Comments

Post a Comment

Popular posts from this blog

SOC 1, SOC 2, and SOC 3 Reports: Type 1, Type 2 or Readiness Assessment?

Image
  SOC reports are gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC compliance, and independent cybersecurity control validation and attestation are becoming necessary to compete for high-priority contracts. Beyond customer demand, SOC reports ensure that controls are properly implemented and used within your organization, greatly reducing potential security threats. For organizations seeking a SOC 1 , SOC 2 , or SOC 3 report, there are two attestation options available: Type 1 and Type 2. Additionally, a readiness assessment can be performed to prepare your organization for the attestation. With so many options, what type is best for your organization to prove compliance? Our experienced assessors break down the options so the path to compliance is clear between SOC 1, SOC 2 and SOC 3. We then dive into the various types of SOC reports: Type 1, Type 2 and a readiness assessment. SOC 1 Report A SOC 1 report foll...
Read more

What is NIST 800-171?

Image
  Your organization can’t afford to lose valuable government contracts. Protect your business by bolstering your organization’s ability to comply with NIST800-171. Government contracts are highly lucrative, but also tough to secure and manage. That’s because the Federal Government deals with a lot of classified and controlled information on a day-to-day basis. Any contractors or subcontractors who wish to work with the Federal government must, therefore, have security procedures in place to protect that sensitive information. National Institute of Standards and Technology (NIST) 800-171 is a mandate that states that federal contractors and subcontractors that handle, transmit, or store controlled unclassified information (CUI) must comply with certain standards to protect that data. Compliance with NIST 800-171 is required under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. What is Controlled Unclassified Information (CUI)? CUI is information crea...
Read more

Federal Compliance 2022: CMMC 2.0, StateRAMP, FedRAMP & Beyond

Image
  With the recent unveiling of CMMC 2.0, the expanded presence of StateRAMP, and new FedRAMP advisory guidelines for external servers, it’s safe to say that 2022 has a lot in store for Federal compliance changes. Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, had a chance to sit down and discuss the latest news in federal compliance and what it could mean for your organization. Let’s dive in and get their thoughts on the latest CMMC 2.0 introduction, the new FedRAMP authorization boundary guidance, StateRAMP and more! CMMC 2.0Like everyone else in the world of federal compliance, A-LIGN and Anitian have been closely tracking the Cybersecurity Maturity Model Certification (CMMC) since the U.S. Department of Defense (DoD) shared its initial draft of the model in early 2020. With the release of CMMC 2.0 , three major changes were recently announced: fewer security tiers, removing some third-party assessment requirements, and allo...
Read more