The U.S. government information technology strategy is out, and it’s clear that cloud-based platforms are now preferred over traditional, on-premise servers. The message is so strong that the strategy is referred to as “Cloud First.” Many businesses are struggling with how to assess and mitigate risks when using cloud service providers—the federal government is no different. It has developed a new methodology to help federal departments in their evaluations of cloud service providers in order to facilitate “a buy once, use many times” strategy.
The Federal Risk and Management Accreditation Program (FedRAMP) is being jointly developed in coordination with multiple government entities and the private sector. It is based on a conglomeration of existing security standards including FISMA, NIST-800 and FIPS-199 in order to keep the cost of developing this new assessment tool under control. The goal is to build a catalog of pre-screened cloud service providers from which government agencies can select while reducing the cost of multiple assessments.
There is a great deal riding on FedRAMP and the joint efforts to build this catalog of accredited cloud service providers. Security professionals tend to believe that compliance regulations alone cannot provide information security. This is sparking healthy skepticism as they watch this process develop from the outside.
Regulating security in the cloud
The assessment of a cloud service provider starts out with detailed documentation about processes and procedures that is then verified by a certified third-party assessment organization (3PAO). Risks that are discovered during this process are evaluated and sent back to the service provider for remediation if they are considered too high. The cloud service provider has to provide self-attestation and data feeds to maintain its FedRAMP status, once it has passed the initial assessment.
Reliable information security audits are still built upon the manual process of reviewing information from logs and various tools looking for weaknesses in the security architecture. FedRAMP starts off in this way with a comprehensive security assessment by qualified human assessors, who are responsible for reviewing technical controls and their associated documentation. All future verification of the cloud service provider’s compliance is then done through self-attestation and automated data feeds. Will this methodology really discover bad security practices or technical risks that develop over several years?
Cloud applications are often built across a number of underlying Infrastructure as a Service (IaaS) components from different cloud service providers. Many cloud-based applications use Amazon Simple Storage Service (Amazon S3) for storage, for example. Connections between FedRAMP accredited IaaS, Platform as a Service (PaaS) and Software as a Service (SaaS) providers could become a weak link and introduce security vulnerabilities. How does FedRAMP compensate for these potential combinations of accredited systems?
3PAOs only part of the review
The best source for answers to these questions about the auditing process is the newly authorized auditors, officially designated—the 3PAOs—under FedRAMP. Only 17 firms have received 3PAO authorization—after an extremely rigorous application process—and that number won’t be increasing anytime soon. The official deadline to apply to become a 3PAO was March 31, 2013.
The 3PAO makes up a part of the overall FedRAMP review process, which consists of multiple organizations. The Joint Authorization Board (JAB) is made up of CIOs from the Department of Defense, Department of Homeland Security and the General Services Administration. This group oversees the process and makes decisions on risk authorization. The FedRAMP Program Management Office (PMO) works with the 3PAOs and provides technical assistance and project oversight.
Insight into the 3PAO application process for this article was provided by eight information security firms that have achieved 3PAO status: BrightLine, DRC, EmeSec Inc., Homeland Security Consultants, Knowledge Consulting Group Inc., Lunarline Inc., SecureInfo, A Kratos Company and Veris Group.
Each of these companies was already well-established and focusing on some aspect of information security auditing (PCI, SSAE-16 or the ISO 27000). Most of these firms already had experience in working with the government. All of them found the application process challenging and incredibly thorough. One executive observed that in comparison becoming a PCI qualified security assessor (QSA) did not have the same rigor.
There are two parts to the 3PAO application process. The first is an ISO standard that doesn’t come up very often when reviewing information security companies. The ISO 17020 standard utilized in the 3PAO application process is focused on quality of the information processes as well as the impartiality and independence of the auditors. The 3PAO applicant has to show that its auditing division is separate from its consulting division, for example. This is a good example of separation of duties in FedRAMP to maintain impartiality. The 3PAO is actually hired by the cloud service provider and not the government. The 3PAO cannot consult with a cloud service provider to assist in FedRAMP accreditation while fulfilling the 3PAO auditing role.
The second part of the FedRAMP application involves a mock audit of a fictitious cloud service provider. The 3PAO applicant provides its technical and procedural analysis of the security posture of the fictitious cloud service provider using NIST-800-53 controls as a baseline. This part of the assessment is scrutinized for thoroughness and technical detail. A 3PAO has to show consistency, and all of the documentation associated with the sample deliverables, because the FedRAMP Program Management Office follows up with questions if it needs clarifications.
Auditor feedback on FedRAMP
NIST-800-53 could have been a controversial choice as the baseline standard on which to base the FedRAMP accreditation. It is a broad standard that is meant to apply to a number of information systems and isn’t cloud-specific. However, FedRAMP is applying NIST-800-53 in new and creative ways. And feedback is occurring between the 3PAOs, according to these firms, and the FedRAMP Program Management Office. There have been additions to the NIST-800-53 standard through this feedback process; it now totals 298 controls with 60 being called out as specific to cloud service providers. The 3PAOs all seem to agree that NIST-800-53 implemented in this way can be an effective measure of a cloud service provider’s security posture.
This NIST-800-53 based FedRAMP accreditation sets a very high bar for cloud service providers to meet. It is a new standard of excellence for information security in the cloud. It also takes a long time to complete and can be cost prohibitive to cloud service providers that didn’t consider FedRAMP accreditation when setting up their business model. This is probably why only two cloud service providers have received accreditation, although dozens more are in the queue, undergoing the authorization process. The process is still maturing, and there may be times when all 298 controls are not required. According to one 3PAO executive, a subset of controls could be used as an indicator of the cloud service provider’s overall security posture to reduce audit complexity. Others noted that there should be more work done on automating the tests in order to reduce costs and total audit time.
Even so, 3PAOs reported a lot of interest from cloud service providers that want to become FedRAMP accredited. The 3PAOs are receiving three types of requests related to FedRAMP—FedRAMP gap assessments, FedRAMP assessments as a 3PAO and general education about FedRAMP. All of the authorized auditors agreed that more education about the program would certainly be helpful.
Many government programs are driving cloud adoption including cloud first strategy, green initiatives and data center consolidation. There is a lot of business opportunity for cloud service providers that do get on the government-approved list. One important side benefit to FedRAMP accreditation is the overlap with other compliance initiatives such as HIPAA or PCI. FedRAMP security controls contain protections for the same types of private information that need to be protected in HIPAA and PCI, such as patient demographics and credit card information. There is no perfect crosswalk between these regulations and areas in each still require additional compliance work. FedRAMP doesn’t provide for Business Associates Agreements (BAAs) specified under HIPAA, for example. However, the basic protections and focus on risk management could dramatically reduce compliance workloads for agencies that fall under multiple regulations. The Department of Health and Human Services has already recognized this overlap and incorporated FedRAMP into an information technology security Standard Operating Procedure (SOP) for the department.
Questions linger about FedRAMP security controls
As the process unfolds, some questions remain about risks associated with FedRAMP accreditation and how the monitoring of authorized cloud service providers will work. One area of concern is the validity and quality of on-going monitoring when the cloud service provider must provide self-attestation and automated security data feeds. The original idea behind this self-attestation was to reduce costs. However, a 3PAO must still assess a minimum of a third of the controls on an annual basis. The 3PAO can also perform unannounced penetration tests throughout the year to verify that controls are still effective and report back to the FedRAMP Program Management Office for any failures. This prevents any degradation of security controls over time while still keeping expenses low.
The potential security vulnerabilities introduced with the combination of accredited IaaS cloud service providers into a single cloud-based application is another major concern. FedRAMP requires that the entire application be assessed together as a whole. The 3PAO would utilize the existing security controls and documentation inherited from the IaaS cloud server providers. The focus would then turn to the documentation on the connection between cloud service providers and their roles for security protections. This process should ensure that combinations of IaaS cloud service providers are secure and still meet FedRAMP security control requirements.
According to the 3PAOs, cloud service providers can also find ways to increase overall information security and prepare for FedRAMP. One suggestion is to create a security SLA that defines items, such as time to patch, disaster-recovery time objectives and authentication-process failures. This reduces the need for voluminous controls to be tested in order to establish trust. Another recommendation is to identify the boundaries of the cloud provider’s services, and describe any shared components between commercial and government services. Document whether the authentication code would be shared between commercial and government sites, for example.
FedRAMP offers a comprehensive and innovative approach to cloud security. It is refreshing to see a government security standard evolve with feedback from those performing the audits. The NIST-800-53 standard provides a strong foundation for a low development cost. The certification process for a 3PAO is stringent and allows only high-quality organizations. The only potential roadblock for the success of this program may be the time and cost required to perform such an in-depth audit. With these issues under control, government agencies should have a long list of FedRAMP accredited cloud service providers from which to choose very soon.
About the author:
Joseph Granneman, CISSP, has more than 20 years in information technology and security, with experience in both health care and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois and the Certification Commission for Health Information Technology Security Working Group, and is an active InfraGard member.