
What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a
government-wide program that provides a standardized approach to security
assessment, authorization, and continuous monitoring for cloud products and services.
https://www.fedramp.gov/faqs/

Why FedRAMP?
• Ability to sell cloud products to US Government Agencies and suppliers to the US Government

• Enhanced credibility with all other types of customers

FedRAMP Terminology

● Authorization to Operate (ATO) – This is the goal of a FedRAMP certification. It is the
formal approval granted by each agency that uses our services.

● Joint Authorization Board (JAB) – This is a group with representatives from several
agencies that can issue a provisional ATO (P-ATO), which each agency can accept by issuing
an ATO or by demanding additional requirements on top of the P-ATO.

● System Security Plan (SSP) – This is a formal, version-controlled document that explains
in detail how the in-scope systems meet the FedRAMP Security Requirements. Typically in
excess of 500 pages.

● Third Party Assessment Organization (3PAO) – This is the FedRAMP Auditor. Clean
audits must be completed before the initial ATO or P-ATO and each year thereafter to
maintain it.

FedRAMP Terminology (2)

● Information Security Continuous Monitoring (ISCM) – The formalized process of
ensuring that the in-scope systems maintain their intended level of security
assurance. (This is the on-going investment of FedRAMP compliance.)

● Plans of Action and Milestones (POA&Ms) – A document that identifies tasks
needing to be accomplished. It details resources required to accomplish the
elements of the plan, any milestones in meeting the tasks, and scheduled
completion dates for the milestones.

● Authorization Boundary Documentation – The set of required documentation that
defines exactly what is and is not in scope of our FedRAMP program.

What does ISCM Require? (High Level)

Described in NIST SP 800-137, the goal of continuous monitoring is to provide: (1)
operational visibility, (2) managed change control, and (3) attendance to incident
response duties, over the life or use of a system.
● Maintaining situational awareness of all systems across the organization;

● Maintaining an understanding of threats and threat activities;

● Assessing all security controls to ensure effectiveness;

● Collecting, correlating, and analyzing security-related information;

● Providing actionable communication of security status across all tiers of the organization;
and

● Active management of risk by organizational officials.

What does ISCM Require? (Specifics)

● Frequent updates to security plans (SSP), security assessment reports (SARs),
plans of action and milestones (POA&Ms), hardware and software inventories, etc.

● ISCM is most effective when automated mechanisms are employed where possible
for data collection and reporting.

● Effectiveness is further enhanced when the output is formatted to provide
information that is specific, measurable, actionable, relevant, and timely.

● While the use of automation is encouraged, it is recognized that many aspects of
ISCM programs are not easily automated.

FedRAMP High Level Actions
● Hire a FedRAMP Program Manager – An experienced compliance professional to guide Company
through the initial certification process and oversee the on-going program

● Draft System Security Plan – This document will be driven by the PgM but will require considerable
cross-company collaboration

● Implement Security Controls – After designing the security controls that will be applicable to our
authorization boundary, they will be implemented in a segregated environment

● Staffing, Training & Communication Plan – While not specifically required by FedRAMP, this plan
will ensure that we have organizational alignment and the necessary skilled resources to support the
program.

● Implement Continuous Monitoring – After we implement the security controls, we will need to
maintain them and develop the supporting processes

● Identify Sponsor (Optional) – We may identify a sponsor that could allow us to bypass the JAB

● Engage 3PAO – After we are in a compliant state, a 3PAO will attest to that fact. The PgM will
determine the best time to bring in the 3PAO.
FedRAMP Authorization Process

Stage: Initiation
  Key Activities: Submission of online application; Submission of initial documents
  Key Deliverables/Results: Engagement by the FedRAMP PMO / ISSO or Agency Sponsor

Stage: Documentation
  Key Activities: Development and submission of the detailed System Security Plan (SSP)
  Key Deliverables/Results: System Security Plan (SSP)

Stage: Testing
  Key Activities: Assessment Planning; Controls Testing; Penetration Testing; Reporting; Remediation (Planning); JAB/Agency Technical Reviews
  Key Deliverables/Results: Security Assessment Plan (SAP); Security Assessment Report (SAR); Plans of Action and Milestones (POA&M)

Stage: Finalization
  Key Activities: Package finalization and submission
  Key Deliverables/Results: JAB Provisional Authorization (P-ATO) / Agency ATO

Stage: Continuous Monitoring
  Key Activities: Submission of periodic scanning and other reports to the JAB/Agency; Annual assessment and penetration test
  Key Deliverables/Results: Various continuous monitoring deliverables; Annual audit and penetration test report

Responsibility key: Company Responsibility / 3PAO Responsibility / JAB/Agency Responsibility

Company Transformations

● Level of SDLC Process Rigor Will need to Increase (Arch Reviews, Design
Reviews, Code Reviews, Threat Modeling)

● Increased Rigor in Tooling Management (Jenkins, Git, etc)

● Increased Documentation

● Significant Increase in Security Controls (Implementation & Testing)

● Isolated Environments (Dedicated AWS Accounts, Dedicated Instances of
Tools)

● Operational Staff that are US Citizens

Questions

Will all of Company need to comply with FedRAMP?

● No, just within our Authorization Boundary. Our scope will likely be limited to a few
designated (new) AWS Accounts and the supporting business processes

Will Company still be able to innovate?

● Yes. While it is true that our SSP will need to be updated and approved before we
implement any changes within our Authorization Boundary, we will still be able to
innovate rapidly outside that boundary. This may mean that the services and
products inside the Auth Boundary diverge from our normal portfolio.

What other changes will be required?

● It is still very early and all of that will be fleshed out in the SSP

How does the Federal Government Manage Risk?
Step 1: Categorize the information system based on a FIPS
Publication 199 impact assessment;
Step 2: Select the applicable security control baseline based on the
results of the security categorization and apply tailoring guidance;
Step 3: Implement the security controls and document the design,
development, and implementation details for the controls;
Step 4: Assess the security controls to determine the extent to which
the controls are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting the security
requirements for the system;
Step 5: Authorize information system operation based on a
determination of risk to organizational operations and assets,
individuals, other organizations, and the Nation resulting from the
operation and use of the information system and the decision that this
risk is acceptable; and
Step 6: Monitor the security controls in the information system and
environment of operation on an ongoing basis to determine control
effectiveness, changes to the system/environment, and compliance to
legislation, Executive Orders, directives, policies, regulations, and
standards.

The Assessment & Authorization (A&A) Process

Initiation: In the Initiation Phase, the policy analyst (OCIO) analyzes the security
documentation supporting the information system. The purpose of the initiation phase
is to ensure that the Authorizing Official (AO) and the client's Chief Information
Security Officer (CISO) are in agreement with the contents of the System Security
Plan (SSP).

Assessment: The assessment is a comprehensive analysis of the management, operational,
and technical security controls in an information system, made in support of A&A. The
purpose of an assessment is to determine if the controls are implemented correctly,
operating as intended and producing the desired control described in the System
Security Plan.

Authorization: An ATO is the official management decision given by a senior agency
official to authorize operation of an information system and to explicitly accept the
risk to agency operations, agency assets, or individuals based on the implementation
of an agreed-upon set of security controls.

What is an Authority to Operate (ATO) and Provisional
Authority to Operate (P-ATO)?
● There are two types of FedRAMP authorizations for cloud services:
- A Provisional Authority to Operate (P-ATO) through the Joint Authorization Board (JAB)
- An Agency Authority to Operate (ATO)
● A FedRAMP P-ATO is an initial approval of the CSP authorization package by the
JAB that an Agency can leverage to grant an ATO for the acquisition and use of the
cloud service within their Agency.

● As part of the Agency authorization process, a CSP works directly with the Agency
sponsor who reviews the cloud service’s security package. After completing a
security assessment, the head of an Agency (or their designee) can grant an ATO.

What is the Joint Authorization Board (JAB)?

● The JAB consists of the Chief Information Officers (CIOs) from DOD, DHS, and
GSA, supported by designated technical representatives (TRs) from their respective
member organizations.

● A P-ATO means that the JAB has reviewed the cloud service’s authorization
package and provided a provisional approval for Federal Agencies to leverage when
granting an ATO for a cloud system.

● For a cloud service to enter the JAB process, it must first be prioritized through
FedRAMP Connect.
- Priority is given to those cloud service offerings (CSOs) that are likely to be used by multiple
agencies

Does a P-ATO mean that several agencies can use the CSP?

Each agency that uses a CSP with a P-ATO must issue an ATO after
determining that the CSP has met that agency’s security requirements.

For example, at Centers for Medicare & Medicaid Services (CMS):

● All CSPs must have a CMS ATO. The CMS ATO states that it has met minimum CMS requirements
prior to its implementation, and any known risk is at an acceptable level to operate within a CMS
environment.

● When additional Statutory or Regulatory requirements apply to a particular business process, those
requirements MUST still be met—even when they are not addressed by minimum FedRAMP
requirements.

● For CMS business processes, those requirements typically include additional requirements associated
with HIPAA, HITECH, the Privacy Act, the Federal Records Act, and/or Internal Revenue Code (IRC).

What is Continuous Monitoring?

● The NIST Risk Management Framework (RMF) describes a disciplined and
structured process that integrates information security and risk management
activities into the system development life cycle.
- Ongoing monitoring is a critical part of that risk management process.

● Information Security Continuous Monitoring (ISCM) is defined as maintaining
ongoing awareness of information security, vulnerabilities, and threats to support
organizational risk management decisions.
- An organization’s overall security architecture and accompanying security program are monitored to ensure
that organization-wide operations remain within an acceptable level of risk, despite any changes that occur.
- Initial authorization to operate is based on evidence available at one point in time.
- Ongoing assessment of security control effectiveness supports a system’s security authorization over time
in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and
missions/business processes.

Continuous Monitoring Reporting

● Once the FedRAMP Authorization is complete, a CSP must provide monthly continuous
monitoring deliverables to the agencies that are using their service.

● These deliverables typically include, but are not limited to an updated POA&M, scan
results/reports, system change information/requests, as agreed upon between the Agency
and the CSP.

● Each Agency using the service reviews the monthly continuous monitoring deliverables.

● Once a CSP has multiple Agencies using their FedRAMP Authorized service, the PMO
recommends that a vendor host monthly continuous monitoring collaboration calls.

● The CSP must employ a 3PAO to complete an annual security assessment to ensure that
the risk posture of the system is maintained at an acceptable level throughout the lifecycle of
the system. Annual security assessments update a system’s penetration testing results and
perform comprehensive assessment of critical controls.

Authorization Boundary

This documentation is a 3PAO-validated network and architecture diagram(s) and
written description of the Authorization Boundary. It must:

● include a clearly defined authorization boundary;

● clearly define services wholly within the boundary;

● depict all major components or groups within the boundary;

● identify all interconnected systems;

● depict all major software/virtual components (or groups of) within the boundary; and

● be validated against the inventory.

Authorization Boundary Exclusions

The authorization boundary documentation must clearly describe the following:

● all shared corporate services, with explicit rationale of any that are not within the
boundary, such as a corporate Security Operations Center (SOC) or corporate
security awareness training;

● all other external services with explicit rationale of any that are not within the
boundary (for example, services provided by a leveraged system as described in
Table 3-3); and

● all systems related to, but excluded from the boundary.

Data Flow Diagrams

There must be 3PAO-validated data flow diagram(s), and a written description of the
data flows. The diagram(s) must:

● clearly identify anywhere Federal data is to be processed, stored, or transmitted;

● clearly delineate how data comes into and out of the system boundary;

● clearly identify data flows for privileged, non-privileged and customer access; and

● depict how all ports, protocols, and services of all inbound and outbound traffic are
represented and managed.

NIST SP 800-53 Security Control Families

Security controls may involve aspects of policy, oversight, supervision, manual processes, actions by
individuals, or automated mechanisms implemented by information systems or devices.

The NIST SP 800-53 Trustworthiness Model

Following core security principles can result in more trustworthy systems.

These include:
• simplicity,
• modularity,
• layering,
• domain isolation,
• least privilege,
• least functionality,
• resource isolation, and
• encapsulation.

Examples of Assessment Questions (1)

● Does the system uniquely identify and authorize organizational users (or processes acting
on behalf of organizational users) in a manner that cannot be repudiated and which
sufficiently reduces the risk of impersonation? [IA-2, IA-4, IA-4(4)]

● Does the system require multi-factor authentication (MFA) for administrative accounts and
functions? [IA-2, IA-2(1), IA-2(3)]

● Does the system restrict non-authorized personnel’s access to resources? [AC-6(2)]

● Does the system restrict non-privileged users from performing privileged functions? [AC-6(10)]

● Does the system ensure secure separation of customer data? [SC-4]

● Does the system ensure secure separation of customer processing environments? [SC-2,
SC-3]

Examples of Assessment Questions (2)

● Does the system restrict access of administrative personnel in a way that limits the capability
of individuals to compromise the security of the information system? [AC-2(7)]

● Does the remote access capability include CSP-defined and implemented usage restrictions,
configuration guidance, and authorization procedure? [AC-17]

● Does the system have the capability to detect, contain, and eradicate malicious software?
[SI-3, SI-3 (1), SI-3 (2), SI-3 (7), MA-3 (2)]

● Does the system store audit data in a tamper-resistant manner which meets chain of custody
and any e-discovery requirements? [AU-7, AU-9]

● Does the CSP have the capability to detect unauthorized or malicious use of the system,
including insider threat and external intrusions? [SI-4, SI-4 (4), SI-7, SI-7 (7)]

● Does the CSP have an Incident Response Plan and a fully developed Incident Response
test plan? [IR-3, IR-8]
Examples of Assessment Questions (3)

● Does the CSP have a plan and capability to perform security code analysis and assess code
for security flaws, as well as identify, track and remediate security flaws? [SA-11, SA-11 (1),
SA-11 (8)]

● Does the CSP implement automated mechanisms for incident handling and reporting? [IR-4
(1), IR-6 (1)]

● Does the CSP retain online audit records for at least 90 days to provide support for after-
the-fact investigations of security incidents and offline for at least one year to meet
regulatory and organizational information retention requirements? [AU-7, AU-7 (1), AU-11]

● Does the CSP have the capability to notify customers and regulators of confirmed incidents
in a timeframe consistent with all legal, regulatory, or contractual obligations? [FedRAMP
Incident Communications Procedures]

Examples of Assessment Questions (4)

● Does the CSP have the capability to recover the system to a known and functional state following an
outage, breach, DoS attack, or disaster? [CP-2, CP-2 (2), CP-2 (3), CP-9, CP-10]

● Does the CSP have a Contingency Plan and a fully developed Contingency Plan test plan in
accordance with NIST Special Publication 800-34? [CP-2, CP-8]

● Does the CSP maintain a current, complete, and accurate baseline configuration of the information
system? [CM-2]

● Does the CSP maintain a current, complete, and accurate inventory of the information system
software, hardware, and network components? [CM-8]

● Does the CSP have a Configuration Management Plan? [CM-9, CM-11]

● Does the CSP follow a formal change control process that includes a security impact assessment?
[CM-3, CM-4]

Examples of Assessment Questions (5)

● Does the CSP employ automated mechanisms to detect inventory and configuration changes? [CM-2(2), CM-6(1), CM-8(3)]

● Does the CSP prevent unauthorized changes to the system? [CM-5, CM-5(1), CM-5(5)]

● Does the CSP establish configuration settings for products employed that reflect the most restrictive
mode consistent with operational requirements? [CM-6]

● Does the CSP ensure that checklists for configuration settings are Security Content Automation
Protocol (SCAP)-validated or SCAP-compatible (if validated checklists are not available)? [CM-6]

● Does the CSP perform authenticated operating system/ infrastructure, web, and database
vulnerability scans at least monthly, as applicable? [RA-5, RA-5(5)]

● Does the CSP demonstrate the capability to remediate High vulnerabilities within 30 days and
Moderate vulnerabilities within 90 days? [RA-5, FedRAMP Continuous Monitoring Guide]

Examples of Assessment Questions (6)

● When a High vulnerability is identified as part of ConMon activities, does the CSP consistently check
audit logs for evidence of exploitation? [RA-5(8)]

● Does the CSP’s change management capability include a fully functioning Change Control Board
(CCB)?

● Does the CSP have and use development and/or test environments to verify changes before
implementing them in the production environment?

● Does the system have any dependencies on other vendors such as a leveraged service offering,
hypervisor and operating system patches, physical security and/or software and hardware support?

● Within the system, are all products still actively supported by their respective vendors?

● Does the CSP have a formal agreement with a vendor, such as for maintenance of a leveraged service
offering?

Examples of Assessment Questions (7)

● Does the CSP have a lifecycle management plan that ensures products are updated before they reach
the end of their vendor support period?

● Does the CSP have the ability to scan all hosts in the inventory?

● Does the CSP have the ability to provide scan files in a structured data format, such as CSV, XML, or
.nessus files?

● Is the CSP properly maintaining their Plan of Actions and Milestones (POA&M), including timely,
accurate, and complete information entries for new scan findings, vendor check-ins, and closure of
POA&M items?
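Two of the questions above (remediate High findings within 30 days and Moderate within 90, and keep the POA&M current for every scan finding on every host in the inventory) are the part of ConMon that the ISCM slides recommend automating. The Python script below is an added example, not FedRAMP tooling and not from the deck's author: it reads a constructed CM-8 inventory and a constructed monthly scan export (the CSV layout, host names, plugin IDs, dates and statuses are all invented for the example), reports inventory hosts the scanner never reached, and lists open findings whose POA&M completion date has passed. Only the 30-day and 90-day windows quoted on the slide are encoded; any other severity gets no deadline here.

```python
import csv
import io
from datetime import date, timedelta

# Remediation windows quoted on the slide (RA-5, FedRAMP ConMon guidance):
# High within 30 days and Moderate within 90 days of detection. Other
# severities get no deadline here because the slide states none for them.
SLA_DAYS = {"High": 30, "Moderate": 90}

# Constructed sample data (assumption: not real hosts, plugins or findings).
# CM-8 inventory: every host inside the authorization boundary.
INVENTORY = ["web-01", "web-02", "db-01", "bastion-01"]

# Monthly authenticated scan export. Assumed layout: one row per finding,
# and at least one "Info" row for every host the scanner actually reached.
SCAN_CSV = """host,plugin_id,severity,first_seen,status
web-01,10001,High,2024-01-02,Open
web-01,10002,Moderate,2024-01-02,Open
db-01,10003,Moderate,2023-10-01,Open
db-01,10004,High,2024-01-20,Closed
web-02,0,Info,2024-02-01,Open
"""


def parse_scan_csv(text):
    """Parse the scan export into dicts; first_seen becomes a date object."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        rows.append(row)
    return rows


def unscanned_hosts(inventory, findings):
    """Inventory hosts missing from the export: the scanner never reached them,
    so the monthly deliverable does not actually cover the whole boundary."""
    scanned = {f["host"] for f in findings}
    return sorted(h for h in inventory if h not in scanned)


def poam_due_date(severity, first_seen_iso):
    """POA&M scheduled completion date (ISO string), or None if no SLA applies."""
    days = SLA_DAYS.get(severity)
    if days is None:
        return None
    return (date.fromisoformat(first_seen_iso) + timedelta(days=days)).isoformat()


def overdue_findings(findings, as_of_iso):
    """Open findings whose remediation deadline has passed, worst breach first."""
    as_of = date.fromisoformat(as_of_iso)
    overdue = []
    for f in findings:
        if f["status"] != "Open":
            continue
        due = poam_due_date(f["severity"], f["first_seen"].isoformat())
        if due is not None and as_of > date.fromisoformat(due):
            overdue.append({
                "host": f["host"],
                "plugin_id": f["plugin_id"],
                "severity": f["severity"],
                "due": due,
                "days_overdue": (as_of - date.fromisoformat(due)).days,
            })
    overdue.sort(key=lambda o: o["days_overdue"], reverse=True)
    return overdue


def open_by_severity(findings):
    """Count of open findings per severity, for the monthly package cover sheet."""
    counts = {}
    for f in findings:
        if f["status"] == "Open":
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def conmon_summary(inventory, scan_text, as_of_iso):
    """One dict the PgM can carry into the monthly ConMon deliverable."""
    findings = parse_scan_csv(scan_text)
    return {
        "as_of": as_of_iso,
        "unscanned_hosts": unscanned_hosts(inventory, findings),
        "open_by_severity": open_by_severity(findings),
        "overdue": overdue_findings(findings, as_of_iso),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(conmon_summary(INVENTORY, SCAN_CSV, "2024-02-05"), indent=2))
```

Run as-is it prints a JSON summary for the constructed data: bastion-01 is flagged as unscanned, and two open findings are past their POA&M date. In practice the inventory would come from the CM-8 record and the CSV from the scanner export (the CSV or .nessus files mentioned on the slide); a host that shows up as unscanned is itself a POA&M entry, since the monthly deliverable then does not cover the whole authorization boundary.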
