Between President Biden’s cybersecurity Executive Order and the daily headlines proving our IT systems are constantly under attack, record numbers of cloud service providers face the reality that the time to ramp up cybersecurity efforts and embrace compliance standards is now. For cloud service providers serving U.S. federal agencies, that means obtaining a FedRAMP Authorization to Operate (ATO).
The path to FedRAMP authorization is daunting. A FedRAMP Moderate authorization requires implementing, documenting, and continuously adhering to at least 325 separate security controls from the NIST 800-53 baseline – on top of your existing software development operations. Those controls span technical, operational, and management safeguards and countermeasures. In addition, a FedRAMP ATO requires a government agency sponsor, which can be difficult to obtain – especially for emerging cloud solutions and software-as-a-service (SaaS) companies that don’t yet have a foot in the federal door. Bottom line: it’s a big lift for any organization and one that likely calls for the support of a trusted partner who can bear some of the burden.
FedRAMP – 12 Areas of Impact on Your Organization
As mentioned in previous blog posts, undertaking a FedRAMP ATO effort is a huge investment. How huge? See the following list to better understand the impacts of a FedRAMP effort on your SaaS organization. Understanding these impacts can help you navigate your approach and determine what partnerships would be most beneficial to your FedRAMP journey.
- Policies and Procedures Covering All In-Scope NIST Control Families
At the foundation of a FedRAMP compliant offering is a complete set of policies and procedures covering all 17 in-scope NIST 800-53 Revision 4 control families. The number of in-scope families will grow when FedRAMP officially adopts NIST 800-53 Revision 5. Taken together, this is hundreds of pages of compliance policies and procedures that must be written, approved, and then actually followed – a 3PAO will test the organization against what the documents say.
- System Security Plan and Additional Documentation
Every system must have a System Security Plan (SSP), which averages 800-1,000 pages and details how each control is implemented in support of the SaaS offering, including which controls are inherited from the underlying hosting provider and which the SaaS provider implements itself. In addition, the SSP includes 15 unique attachments. Even when leveraging templates, authoring a quality SSP requires a solid understanding of the FedRAMP requirements to get the content right.
- Compliant Infrastructure and Platform Build-out
FedRAMP systems cannot be built on just any infrastructure and platform. Rather, the infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) layers, as well as the people operating those offerings, must adhere to strict FedRAMP security guidelines. This leaves SaaS providers two options: choose a FedRAMP-authorized IaaS and PaaS on which to host their SaaS, or invest significant resources into building and operating their own.
- Mature Operational Processes
Third-Party Assessment Organizations (3PAOs) are looking for management and operational maturity as well as technical compliance. Roughly 63 percent of all FedRAMP controls are management and operational controls, meaning your software development lifecycle (SDLC), configuration management (CM), incident response (IR), awareness and training, personnel management, physical environment protection, risk management, and many other areas are on the hook to meet some minimum maturity requirements. This has impacts on human resources (HR), facility security officers (FSO), information technology (IT), and even legal departments. Suffice it to say, FedRAMP is not just about technical controls.
- Security Compliance with 325+ Controls
The heart of compliance lies in the baseline controls. Four out of five cloud service offerings looking to obtain an ATO require a FedRAMP Moderate level, which has 325 baseline controls. Even when leveraging a FedRAMP authorized hosting service like AWS GovCloud, where the IaaS controls can be inherited, the SaaS provider is still left fully responsible for 282 controls. Note that inherited controls are not free either: each one must be documented in the SSP against the hosting provider’s customer responsibility matrix, and any customer-configurable portion of an inherited control remains the SaaS provider’s responsibility.
- Acquisition of Skilled Staff
Maintaining compliance requires special skills and roles to be filled such as Information Systems Security Officer (ISSO) and Information Systems Security Manager (ISSM). People in these roles must stay up-to-date on the latest security standards and pending regulatory changes, establish appropriate policies and procedures, manage Plan of Action and Milestones (POA&M) activities, address cybersecurity risk management, and oversee all the daily, weekly, monthly, quarterly, and yearly continuous monitoring (ConMon) controls. It is unlikely that most organizations have people with these skills in-house.
- Expanded Tasks for Existing Staff
As mentioned in the Mature Operational Processes item above, many departments are impacted by FedRAMP controls, including but not limited to HR, FSO, IT, risk, and legal. People in these existing roles need to be prepared to adjust their operations to accommodate the FedRAMP compliance requirements.
- Ongoing Government Collaboration and Reporting
FedRAMP requires close collaboration with the sponsoring government agency, including the sharing of recurring ConMon reports, POA&M updates, incident notifications, and reviews of proposed changes to the SaaS solution. Changes that are determined to be significant – for example, a new data center, a new component that handles federal data, or a change to the authentication boundary – must go through the significant change request process and will require an interim 3PAO assessment of the affected controls before the change goes live.
- Security and Continuous Monitoring Systems
In addition to standing up compliant IaaS, PaaS and SaaS layers of a cloud offering, SaaS providers also must build the systems that will be used for ConMon activities: vulnerability scanning of operating systems, web applications, and databases (required at least monthly, with results reported to the agency), anti-virus and malware protection, privileged access control, multifactor authentication, centralized audit logging, and incident response capabilities, to name a few. Building such a stack from scratch will require multiple tools, licenses, and integrations.
- ConMon Operations
Once a system has been granted a FedRAMP ATO, the work is just beginning. There are daily, weekly, monthly, quarterly, and yearly ConMon activities that must occur, with dedicated team members following compliant processes and procedures. Monthly scan results and POA&M updates go to the sponsoring agency, every open finding has a remediation deadline tied to its severity, and an annual 3PAO assessment re-tests a subset of the controls each year.
- Expanded Controls Requirements
SaaS providers obtaining a FedRAMP ATO for a particular federal agency may be surprised when they realize that other agencies have additional control requirements that aren’t satisfied by the existing ATO. The Department of Defense (DoD) is the common example: its Cloud Computing Security Requirements Guide defines Impact Level (IL) baselines that layer further controls on top of the FedRAMP Moderate baseline. This can cause the SaaS providers significant amounts of extra work if the original offering wasn’t built with such expansion in mind.
- Costs of Consultants and 3PAO Assessors
In addition to the indirect costs associated with operational/staffing adjustments and technical investments required to bring a solution up to FedRAMP baseline standards, there are some direct costs as well. SaaS providers are required to contract a 3PAO for assessments, including readiness assessments, full assessments, significant change assessments, and yearly re-assessments. Many SaaS providers also choose to hire a separate 3PAO or advisory firm for consulting to help navigate the complicated waters of the FedRAMP process. Keep in mind that these must be separate firms: the 3PAO that assesses a system has to be independent of whoever helped design or document it.
The Right Partner Makes All the Difference
Partners for compliance efforts come in many flavors, each providing different value propositions. Finding the right partner – the one that will ease the burden across the largest number of variables – will be key to success for many companies. And while no partner can eliminate the entire burden, a partner like Constellation GovCloud can help significantly reduce the organizational impact and technical investments required to achieve and maintain a FedRAMP ATO.
About Constellation GovCloud
Constellation GovCloud (CGC), a Merlin Cyber offering, is a pre-built, FedRAMP Platform-as-a-Service hosted on AWS GovCloud and designed to host SaaS solutions seeking FedRAMP ATO within federal agencies. Our goal is to absorb the bulk of the underlying technical, operational and management burden, limiting the impact to our partners and allowing them to focus primarily on their specific SaaS operations and controls. We help our partners get to FedRAMP faster and with significantly fewer financial and resource commitments. Learn more.