Government Clouds: What is FedRAMP?

What do Akamai, Lockheed Martin, Microsoft, AWS and the U.S. Department of Agriculture all have in common? They are all are running government clouds – to be exact, they are FedRAMP Compliant cloud service providers (CSPs). These organizations took a few extra steps to become a part of a very small group of data centers meeting very certain requirements. In some cases, these providers are delivering Infrastructure as a Service (IaaS) capabilities, while others are providing services around Platform as a Service (PaaS).

What is FedRAMP?

Let’s begin here: What is the Federal Risk and Authorization Management Program (FedRAMP)? Its website tells us it is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Now for some background and history.

Starting its days in 2012, FedRAMP reached its operational capabilities and began to provide guidance to government and corporate organizations. The core objectives are:

• Reduce duplicative efforts
• Increase efficiencies and remove security inconsistencies
• Reduce cost inefficiencies associated with the current security authorization process

During the creation process, the FedRAMP program collaborated closely with a number of cloud security and industry experts. The great thing here is that this collaboration was done both within the public, private and government industry sectors. This includes those government organizations known by their acronymns – GSA, NIST, DHS, DOD, NSA, OMB – and the Federal CIO Council, and numerous other key cloud and infrastructure professionals.

With that in mind, let’s dive into the program a bit. FedRAMP helps provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. There are three ways to be associated with the FedRAMP program:

• You can be a Federal Agency which utilizes FedRAMP
• You can be a Cloud Service Provider which becomes FedRAMP Security Authorized
• You can become a Third-Party Assessment Organization (3PAO) for the FedRAMP Accredited Assessor Program.

Examples and Requirements Process

In understanding this program – it’s important to look at a couple of examples and understand the requirements process.

Example 1: You would like to become a 3PAO FedRAMP provider.

According to GSA.gov – To become a FedRAMP Independent Third-Party Assessment Organization (3PAO), organizations must undergo a rigorous conformity assessment process before being accredited by FedRAMP. This conformity assessment process qualifies 3PAOs according to the following requirements:

• Independence and quality management in accordance with ISO/IEC 17020: 1998 standards
• Information assurance competence that includes experience with FISMA and testing security controls
• Competence in the security assessment of cloud-based information systems

The FedRAMP program goes on to explain that Third-Party Assessment Organizations (3PAO) will perform initial and periodic assessment of Cloud Service Provider (CSP) systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements. Once engaged with a CSP, 3PAOs develop Security Assessment Plans, perform testing of cloud security controls, and develop Security Assessment Reports. FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

Example 2: You would like to become a FedRAMP Authorized Cloud Service Provider

According to the FedRAMP documentation, cloud service providers wishing to provide cloud services to Federal agencies must:

• Use the baseline controls and accompanying FedRAMP requirements
• Directly apply or work with a sponsoring agency to submit an offering for FedRAMP authorization
• Hire a Third-Party Assessment Organization to perform an  independent system assessment
• Create and submit authorization packages
• Provide continuous monitoring reports and updates to FedRAMP

Here’s the great part – guidelines to become a FedRAMP CSP are very straightforward and include a great preparation checklist. Here are some of the core components that are included in the FedRAMP Preparation Checklist:

• You have the ability to process electronic discovery and litigation holds
• You have the ability to clearly define and describe your system boundaries
• You can identify customer responsibilities and what they must do to implement controls
• System provides identification and 2-factor authentication for network access to privileged accounts
• System provides identification and 2-factor authentication for network access to non-privileged accounts
• System provides identification and 2-factor authentication for local access to privileged accounts
• You can perform code analysis scans for code written in-house (non-COTS products)
• You have boundary protections with logical and physical isolation of assets
• You have the ability to remediate high risk issues within 30 days, medium risk within 90 days
• You can provide an inventory and configuration build standards for all devices
• System has safeguards to prevent unauthorized information transfer via shared resources
• Cryptographic safeguards preserve confidentiality and integrity of data during transmission

What FedRAMP Means to You

Cloud computing isn’t going anywhere. More than ever, data center and cloud providers are seeing the direct impact that they can make on both private, public and government verticals. The FedRAMP program is actually a very comprehensive outline of what it takes to be a secure provider. In fact, with only a dozen listed providers – the evaluation process is certainly in depth. Let’s look at a few examples as outlined by the CSP and FedRAMP program.

• Amazon AWS GovCloud. This IaaS platform helps deliver a government community cloud infrastructure. According to FedRAMP, AWS GovCloud (US) is an AWS Region designed to allow US government agencies and customers supporting the US government to move more sensitive workloads into the cloud.  In addition to complying with FedRAMP requirements, the AWS GovCloud (US) framework adheres to U.S. International Traffic in Arms Regulations (ITAR) regulations.
• Windows Azure public cloud solution. As both an IaaS and PaaS solution, Microsoft has created a dynamic offering aimed directly at supporting government IT projects. As the FedRAMP site points out, Microsoft Windows Azure is an open and flexible platform that enables customers to build, deploy, and manage applications across a global network of Microsoft-managed datacenters.  Windows Azure encompasses both IaaS, PaaS and Data cloud services that enable customers to use scalable, on-demand cloud computing services that adhere to and meet federal security compliance regulations in the support of government computing initiatives
• IBM SmartCloud for Government (SCG). Here we see a IaaS model that is capable of supporting a variety of government initiatives. According to the IBM FedRAMP site, SmartCloud for Government (SCG) is a secure multi-tenant Infrastructure as a Service (IaaS) cloud computing environment for U.S. Federal customers. SCG services include provisioning of compute, memory, network, OS, and storage resources to meet client production and development/test computing needs. SCG IaaS services can be bundled with enterprise class, fully managed cloud hosting services, including OS Provisioning and Administration, Enterprise System Management,  Security Operation Center (SOC), Storage Management, and Backup.

Why Cloud?

Organizations of all sizes are jumping on the cloud bandwagon. More and more we are seeing new types of services being delivered from a variety of new systems. As always, security plays a big role in the entire process. Ultimately, the question is this: why sign up for FedRAMP? Well, the GSA site actually lists a number of useful reasons:

• Increases re-use of existing security assessments across agencies
• Saves significant cost, time and resources – “do once, use many times”
• Improves real-time security visibility
• Provides a uniform approach to risk-based management
• Enhances transparency between government and cloud service providers (CSPs)
• Improves the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

As your organization continues on its cloud journey – remember that new services delivery models are always right around the corner. Conversations around data center automation and next-generation technologies drive the interest in cloud computing.

In deploying the right model for your business or organization, remember that the cloud can have a great impact on your environment. However, as with any technology – there are key considerations around infrastructure and security that must never be overlooked. Deploy your environment with security and deployment best practices in mind – and you’ll be able to build a cloud platform which can help push you to the next IT level.