Management Office (PMO), Department of Homeland Security, Third Party Assessor Organization (3PAO), the Cloud Service Provider (CSP) and the Executive departments and agencies.
An authorization will begin when an agency and/or CSP approaches the PMO to request a FedRAMP authorization. The PMO will provide guidance on the controls which need to be in place, the process to be followed and the documentation which will need to be provided. The CSP will then implement the controls and document them in a System Security Plan (SSP).
The CSP will also coordinate with DHS at this stage to implement continuous monitoring and develop a Continuous Monitoring Plan (CMP). DHS is still developing the cloud version of continuous monitoring, but it will involve periodic reporting of security-related status information and metrics to a DHS organization, most likely US-CERT.
Once the SSP is in place, the agency or CSP can contact a 3PAO to have the cloud system assessed. The PMO will maintain a list of accredited 3PAOs. The 3PAO will work with the agency and/or CSP to develop a Security Assessment Plan (SAP), have it approved and finally execute the assessment. The Security Assessment Report (SAR) will be generated from the assessment. Any findings from the SAR which cannot be remediated before the assessment is completed will be listed in the Plan of Actions & Milestones (POA&M), together with a deadline and the resources required for resolution.
The agency and/or CSP will then provide the PMO with a Security Authorization Package (SAP) which at minimum is made up of the SSP, the SAR, the POA&M list and the CMP. The PMO will add the SAP to the queue for review by JAB and prioritize it appropriately. Priority will be given to secure Infrastructure as a Service (IaaS), contract vehicles for commodity services, and shared services especially where the cloud system has an existing ATO. Priority will also be given to cloud systems that can help rapidly develop lessons learned and mature the overall FedRAMP program.
The JAB will then review the Security Authorization Package to determine whether a provisional authorization should be granted. Periodically the JAB will review previous authorizations to ensure they are kept up to date and, when an authorization's status changes, report this to the affected agencies.
Throughout the lifetime of the cloud system DHS will continue to monitor it. DHS will be monitoring not just for security purposes but also to collect the metrics which FISMA requires to be reported to Congress. The PMO will maintain a repository of authorizations for cloud systems. When agencies want to adopt a cloud solution they can use this repository to determine whether there is an existing authorization for the cloud solution they are interested in. If there is, they can leverage that authorization and use PMO-supplied templates to develop their contracts and SLAs.
Some Gotchas
Trusted Internet Connections (TIC) is an initiative meant to limit the exposure of Federal networks to Internet-based attacks. It requires agencies to limit the number of points of presence connecting them to the Internet to an absolute minimum. The FedRAMP memo (4.d.vi) requires that CSPs route network traffic to meet the requirements of TIC. This may be infeasible under some cloud service models.
It has been suggested that there may be too many acronyms and abbreviations involved in a FedRAMP process where the CSP, 3PAO, DHS, PMO and JAB create, evaluate and monitor SSP, CMP, SAP, SAR, POA&M, other SAP, SLA, MOU, MOA and possibly an ICA for a FISMA A&A ATO. There is some truth to this suggestion.
Does FedRAMP Apply?
A critical task in the coming days will be for IT service vendors to determine if they fall into the cloud category. If they do, then they will eventually be required to go through the FedRAMP program.
Identification is straightforward thanks to Special Publication (SP) 800-145, The NIST Definition of Cloud Computing [PDF]. It defines five essential characteristics of cloud computing to check against: Is it an on-demand self-service? Does it offer broad network access? Is resource pooling used? Can it provide rapid elasticity? Is it a measured service? If the answer to all five questions is yes, FedRAMP authorization is most likely required.
Almost all cloud computing systems will require FedRAMP authorization. The exceptions are very limited and must meet three requirements: the system must be a private cloud, it must be implemented on the premises of the Executive department or agency, and it must not be provided to other entities (including those within the department or agency).
Not Done Yet
The policy memo and other guidance released by the Federal CIO and GSA on December 8th are far from a complete FedRAMP program. It isn’t half-baked, but it isn’t cooked through yet.
Throughout the FedRAMP memo components of the program are directed to develop the standards, policies, practices and other infrastructure elements necessary to support the FedRAMP mission.
The most important element currently missing is the security control catalog, which makes up the requirements for CSPs. This control catalog, derived from NIST SP 800-53 Revision 3 [PDF], will be published within 30 days. Within 60 days the FedRAMP PMO will publish a plan, or CONOPS, for how agencies and CSPs will go through assessment and authorization. By 90 days the JAB will publish its governance model. And finally, at 180 days the FedRAMP PMO will be operating and ready for business.
#####
FedRAMP has been in the works for quite some time. Today’s post image was pulled from a GovInfoSecurity.com article published almost two (2) years ago!
Great piece > New FedRAMP Program: Not Half-Baked but Not Cooked Through http://t.co/yGcBQdLg /cc @danphilpott