According to a 2020 survey of government IT decision-makers (including 200 federal employees), 91 percent of federal respondents report having “all, most, or some systems and solutions in the cloud.”
The use of cloud solutions will undoubtedly grow as government agencies continue to retire their legacy applications and look to the rapidly growing catalog of cloud solutions to modernize their IT operations. Whether driven by the Office of Management and Budget’s (OMB) current “Cloud Smart” policy, the increasing availability of secure, cloud-based applications like Zoom for Government, or the availability, flexible pricing, resilience, and agility generally afforded by cloud services, cloud-based “as-a-service” solutions play an increasingly essential role in government operations.
FedRAMP Authorization – Required for any Cloud Service used by Federal Agencies
Before a software-as-a-service (SaaS) solution can be used by a federal agency, it must first achieve FedRAMP Authorization. For a system that has a moderate impact level, meaning it handles Controlled Unclassified Information (CUI), or government data that is not publicly available, that involves 325 security baseline controls spanning 17 NIST SP 800-53 (Rev. 4) control families. That number is expected to increase in late-2021 as FedRAMP evolves to meet the latest NIST controls, aligning baselines with SP 800-53 Rev. 5.
FedRAMP Focuses on Operational and Management Maturity
Any way you look at it, 325 security controls is a lot. And if you think that all 325 can be handled by technology implementations and configurations, keep reading. The fact is, FedRAMP controls are as much or more about the management and operational maturity surrounding a SaaS offering as the technology itself. That’s not to say that things like FIPS validated encryption, access control, and user authentication technologies don’t matter – they do! However, nearly two-thirds of the FedRAMP Moderate controls deal directly with Management and Operations.
FedRAMP Controls by Type
Getting your House in Order for FedRAMP
Before jumping head-first into a FedRAMP authorization effort, you must understand what that commitment looks like for your technical, operational, and management teams. Being prepared both technically and operationally will make the authorization process go much smoother (and faster) and pave the way to securing a government agency sponsor. Agency sponsorship is required for the majority of FedRAMP authorization efforts – the exception being the handful of SaaS providers who secure a provisional authorization slot with the Joint Authorization Board – which is a topic for another blog post.
Consider Technical Readiness
It is best to do some research (or engage with a knowledgeable advisor) as a first step to identify showstopping technical issues that would preclude your SaaS solution from obtaining a FedRAMP authorization. Understanding requirements around your offering’s technical boundary, potential reliance on non-compliant libraries, or connections to external systems are just a few areas that must be scrutinized and possibly adjusted to meet FedRAMP’s technical control requirements.
Consider Operational Readiness
Building and maintaining a FedRAMP compliant SaaS offering has implications for software operations teams (architects, developers, testers, configuration managers, change control board, etc.) and deployment schedules, as well as human resources, corporate IT, Facility Security Officers (FSOs), project management, documentation management, facilities management, and even legal counsel. Members of these teams will likely be tagged to satisfy critical roles and be required to take on FedRAMP-specific responsibilities.
Maintaining FedRAMP compliance is also reliant on having people assigned to roles with skillsets that existing members of a software development team or the broader organization may not possess, such as an Information Systems Security Manager (ISSM) and an Information Systems Security Officer (ISSO). These roles require subject matter expertise in security controls and compliance program requirements, as well as an attestable commitment to staying up-to-date on compliance and regulatory changes. For companies taking full ownership over their FedRAMP system, this means an investment in hiring, training, and supervision.
In addition to staffing impacts, operational readiness also means having mature employee and security-management processes and procedures and a framework for managing those processes and procedures that can be readily adapted to incorporate the unique FedRAMP operational requirements. With hundreds of pages of documented policies, procedures, and plans required for FedRAMP, implementation oversight can be overwhelming.
Consider Management Readiness
Finally, organizations that aspire to obtain FedRAMP Authorization need to have strong in-house product and program management skills. With many moving parts including multiple purpose-defined teams and related issue identification and resolution processes, strong management skills are imperative. Ongoing close and often prescribed collaboration with the sponsor Agency and the FedRAMP PMO are fundamental to the compliance and continuous monitoring process. FedRAMP systems don’t run and maintain compliance on their own, so it’s important to invest in the right product and program management personnel.
In another blog post, I’ll go into the different approaches to getting FedRAMPed and how to choose the right one for your organization. For now, I’ll just mention Constellation GovCloud, a Merlin Cyber managed service offering that provides a pre-built platform-as-a-service hosted on AWS GovCloud and designed to host SaaS solutions seeking FedRAMP ATO. CGC’s goal is to absorb a bulk of the underlying technical, operational, and management burden, limiting the impact to partners and allowing them to focus primarily on their specific SaaS operations and controls. We help our partners get to FedRAMP faster and with significantly fewer financial and resource commitments.