© Copyright 2023 Constellation GovCloud®. All rights reserved.
In late December 2022, President Biden signed H.R. 7776 into law, codifying the FedRAMP program in statute. The law, following the earlier release of Executive Order 14028 on “Improving the Nation’s Cybersecurity,” reflects the importance the U.S. government places on the cybersecurity posture of systems processing federal data. The fact is, our IT systems are constantly under attack, and record numbers of cloud service providers are facing the reality that the time to ramp up cybersecurity efforts and embrace compliance standards is now. For cloud service providers serving U.S. federal agencies, that means obtaining a FedRAMP Authority to Operate (ATO).
The path to FedRAMP authorization is daunting, further complicated by the recent adoption of the FedRAMP Rev. 5 baselines and the requirement for all existing authorized systems to generate and follow a system-specific transition plan to maintain their compliant posture. Those just beginning their FedRAMP journey will have to adopt the Rev. 5 baselines right out of the gate. All of this requires hands-on compliance knowledge, regulatory research and analysis, program management, cybersecurity savvy, and commitment to at least 323 separate security controls for a FedRAMP Moderate authorization under the new Rev. 5 baselines. This is all on top of existing software design, development, testing, and other pre-production operations. FedRAMP controls span technical, operational and management safeguards and countermeasures. As if that weren’t enough, a FedRAMP ATO also requires a government sponsor, which can be difficult to obtain – especially for emerging cloud solutions and software-as-a-service (SaaS) companies that don’t yet have a foot in the federal door. Bottom line: it’s a big lift – across many competencies – for any organization, and one that likely calls for the support of a trusted partner who can bear some of the burden.
Figure 1 – FedRAMP Efforts Span Numerous Operational Competencies
FedRAMP – 12 Areas of Impact on a SaaS Organization
FedRAMP is a program that governs all cloud solutions consumed by the government, including Infrastructure-, Platform-, and Software-as-a-Service offerings. This blog post focuses primarily on SaaS solutions and the SaaS organizations with purpose-built software meant to be consumed by government end-users to solve any number of critical business needs. As already mentioned, undertaking a FedRAMP ATO effort is a huge investment. How huge? Huge enough that most SaaS providers will not be able to tackle it on their own. The breadth and depth of the commitment will almost surely lead you to embrace FedRAMP partner support.
The following list describes the many impacts of a FedRAMP effort on your SaaS organization. Having a good handle on the scope of the effort and its organization-wide impacts will help you navigate the journey and better determine which partnerships would be most beneficial to your FedRAMP effort.
- Policies and Procedures Covering All In-Scope NIST Control Families
At the foundation of a FedRAMP-compliant offering is a complete set of policies and procedures covering all 18 in-scope NIST 800-53 Rev. 5 control families, including the new Supply Chain Risk Management (SR) family that was not included in the recently sunsetted Rev. 4. This amounts to hundreds of pages of compliance policies and procedures that must be analyzed, written and adhered to.
- System Security Plan and Additional Documentation
Every system must have a System Security Plan (SSP), which averages 800-1000 pages and details how the policies and procedures are implemented in support of the cloud offering to maintain compliance. In addition, the SSP includes numerous unique attachments describing program components such as Contingency Management, Incident Response, and control implementation statements. Even when leveraging templates, authoring a quality SSP requires a solid understanding of the FedRAMP requirements to get the content right – especially considering the new templates and requirements associated with the Rev. 5 baselines.
- Compliant Infrastructure and Platform Build-out
FedRAMP systems cannot be built on just any cloud infrastructure, nor can they leverage just any cybersecurity platform. Rather, the infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings, as well as the people operating them, must adhere to strict FedRAMP security guidelines. This leaves SaaS providers the option of choosing a FedRAMP-compliant IaaS and leveraging a FedRAMP-compliant PaaS general support system, OR investing significant time and resources in building and operating their own hosting, cybersecurity management and support environment.
- Mature Operational Processes
Third-Party Assessment Organizations (3PAOs) look for management and operational maturity as well as technical compliance. Roughly 60% of all FedRAMP controls are management and operational controls, meaning your software development lifecycle (SDLC), configuration management (CM), incident response (IR), awareness and training, personnel management, physical environment protection, risk management, and many other areas are on the hook to meet minimum maturity requirements. This has impacts on human resources (HR), facility security officers (FSO), information technology (IT), and even legal departments. Suffice it to say, FedRAMP is not just about technical controls.
- Security Compliance with 323+ Controls
The heart of compliance lies in the baseline controls. Four out of five cloud service offerings looking to obtain an ATO require the FedRAMP Moderate level, which with the release of Rev. 5 has 323 baseline controls. Even when leveraging a FedRAMP-authorized hosting service like AWS GovCloud, where the IaaS controls can be inherited, the SaaS provider is still left fully responsible for over 280 controls.
- Acquisition of Skilled Staff
Maintaining compliance requires special skills and roles to be filled, such as Information Systems Security Officer (ISSO) and Information Systems Security Manager (ISSM). People in these roles must be committed to staying up-to-date on the latest security standards and pending regulatory changes, establishing appropriate policies and procedures, managing Plan of Action and Milestones (POA&M) activities, addressing cybersecurity risk management, and overseeing all daily, weekly, monthly, quarterly, and yearly continuous monitoring (ConMon) controls. Most organizations are unlikely to have people with these skills in-house, and will find it difficult to build such a team given the shortage of cybersecurity personnel with the knowledge and experience needed to guide a FedRAMP operation.
- Expanded Tasks for Existing Staff
As mentioned in the Mature Operational Processes item above, many departments are impacted by FedRAMP controls, including but not limited to HR, FSO, IT, risk, and legal. People in these existing roles need to be prepared to adjust their operations to accommodate the FedRAMP compliance requirements.
- Ongoing Government Collaboration and Reporting
FedRAMP requires close collaboration with the sponsoring government agency, including the sharing of recurring ConMon reports, POA&M updates, incident notifications, and reviews of proposed changes to the SaaS solution. SaaS changes that are determined to be significant also require interim 3PAO assessments.
- Security and Continuous Monitoring Systems
In addition to standing up compliant IaaS, PaaS and SaaS layers of a cloud offering, SaaS providers must also build the systems used for ConMon activities such as scanning, anti-virus protection, privileged access control, multifactor authentication, supply chain management, and incident response, to name a few. Building such a stack from scratch requires multiple tools, licenses, and integrations – in addition to the know-how to wrap the tools with all the necessary ConMon processes.
- ConMon Operations
Speaking of ConMon processes: once a system has been granted a FedRAMP ATO, the work is just beginning. There are daily, weekly, monthly, quarterly, and yearly ConMon activities that must occur, with dedicated team members following compliant processes and procedures. Multiple roles and teams are required to oversee all of the various ConMon activities.
- Expanded Controls Requirements
SaaS providers obtaining a FedRAMP ATO for a particular federal agency may be surprised to learn that other agencies, such as DoD agencies with their unique Impact Level (IL) baselines, have additional controls requirements that may not be satisfied by an existing FedRAMP ATO. This can mean significant extra work for the SaaS provider if the original offering wasn’t built with such expansion in mind.
- Costs of Consultants and 3PAO Assessors
In addition to the indirect costs associated with the operational/staffing adjustments and technical investments required to bring a solution up to FedRAMP baseline standards, there are direct costs as well. SaaS providers are required to contract a 3PAO for assessments, including readiness assessments, full assessments, significant change assessments, and yearly re-assessments. Many SaaS providers also choose to hire an advisory partner or advisory 3PAO for consulting to help navigate the complicated waters of the FedRAMP process.
The Right Partners Make All the Difference
Partners for compliance efforts come in many flavors, each providing a different value proposition. Finding the right partner – the one that will ease the burden across the largest number of variables – will be key to success for many companies. And while no partner can eliminate the entire burden, a partner like Constellation GovCloud can help significantly reduce the organizational impact and technical investments required to achieve and maintain a FedRAMP ATO.