FedRAMP: The Journey to Secure Cloud Operations


For many years, the U.S. government was hesitant about moving data and applications to the public cloud. Concerns around security were prevalent. Today, cloud has become a central proposition of IT spend in government institutions. With the government urging federal agencies to move to the cloud for its agility, scalability, and cost efficiency, those agencies need access to FedRAMP-authorized vendors.

FedRAMP – the Federal Risk and Authorization Management Program – provides the standards and controls vendors must meet to gain authorization to provide cloud services to government agencies. If a single vendor gets breached, it can put all of an agency’s data at risk. The federal government created the program to ensure cloud service providers meet certain security requirements.

Agency cloud adoption is accelerating

Author: George Gerchow, chief security officer and senior vice president of IT, Sumo Logic.

Migrating to the cloud today offers government agencies benefits, including access to world-class computing capacity, artificial intelligence (AI)-powered applications, and the ability to access data-driven insights in real time. These technologies will give government agencies new opportunities to innovate and enhance their ability to fulfil their missions while creating new efficiencies.

Spencer Chin, manager of Sales Engineering, North America, at HackerOne, explained that his FedRAMP-authorized company is seeing government cloud adoption accelerate, mirroring what is happening in the private sector. However, cloud adoption comes with challenges, including:

  • More potential vulnerabilities due to the cloud’s expansiveness
  • Misconfigurations from new technologies and applications re-architected for the cloud

George Gerchow, Sumo Logic’s chief security officer and senior vice president of IT, gave more insights into why cloud migration is more challenging for federal agencies.

“All the customers that we've had and the prospects in the federal space are so far behind and really overwhelmed in three areas,” Gerchow said.

The three areas where they’re lagging are technology, trained talent, and policy and regulation.

The good news, Chin added, is that even if agencies are behind in their cloud adoption efforts, SaaS offerings allow them to catch up quickly because you can procure a solution instead of building it from scratch.

HackerOne, for example, finds vulnerabilities that agencies may not have found otherwise, according to Chin. “We have a huge, talented community of security researchers that provides a really diverse perspective to help companies improve their security. These researchers uncover vulnerabilities so companies can fix them before they are exploited.”

With the right kind of automation, government agencies can supplement their limited cybersecurity workforce to catch issues like cloud misconfigurations, yet security researchers are still necessary. “Security automation just can't replace human ingenuity, creativity, and persistence right now,” he added.

Work closely with your sponsor

FedRAMP experiences vary depending on the organization, the route they choose, and the level of authorization they’re seeking. Sumo Logic worked to receive Moderate authorization, while HackerOne pursued tailored Low-Impact SaaS authorization. Chin added that his organization is considering Moderate authorization.

Regardless of level, vendors can apply via the Joint Authorization Board (JAB), or a government agency can serve as their sponsor. The United States General Services Administration (GSA) was HackerOne’s sponsor, and Chin said that through the process his organization learned:

  • It’s critical to work closely with your sponsor to identify the right approach and ensure documentation is in order.
  • You should use software engineering tools your sponsor trusts and recommends.

Applicants must use a Third-Party Assessment Organization (3PAO) to assess their cloud systems based on FedRAMP requirements. This is only one of many procedural requirements vendors face. Depending on the level of authorization – high, moderate, or low – there are 125 to 421 controls to meet.

Regardless of your approach, authorization can be a long and challenging process. FedRAMP is specific to the U.S., but the process can be simplified by using compliance crosswalks that reveal overlaps with other certifications, so you’re not duplicating work.

Follow advice from experienced vendors

Chin’s advice for those considering the process is to ensure your internal teams are communicating well as authorization is an “extremely cross-functional project.” He added that it’s also important to “talk to somebody who's been there and done that.”

First, this means enlisting the support of an experienced advisor. Having a team of people who have helped other companies through this process is essential. HackerOne employs a two-pronged auditor approach, bringing in an “internal auditor” to act as a sanity check before the assessments by “external auditors.”

Vendors who have gone through the process can also provide support and information. In fact, Sumo Logic created a Slack channel for vendors to discuss their FedRAMP experiences and challenges. It even includes its competitors as a vendor-agnostic resource for those going through the authorization process.

FedRAMP authorization standards will continue to evolve

FedRAMP recently added software supply chain security to its latest revision based on the National Institute of Standards and Technology’s (NIST) updated guidelines. FedRAMP will likely continue to evolve, as there have been several revisions since its 2011 debut. It will also need to adapt to the ways the cloud, its users, and cybercriminals are changing.

Organizations need industry solutions that can support FedRAMP-compliant environments. Learn how Sumo Logic and HackerOne support the cloud journey:

Learn more about becoming a Sumo Logic Partner

Guest blog courtesy of Sumo Logic. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program. Read more Sumo Logic guest blogs here.