Securealities: Securing Your Cloud Solutions for Government Adoption

Securing Your Cloud Solutions for Government Adoption
FedRAMP Program Research and Analysis

2019 edition


TABLE OF CONTENTS
Executive summary
Background and research approach
FedRAMP program overview and outlook
  What FedRAMP does
  FedRAMP authorization trends
  2019 to 2020 outlook
FedRAMP: time, cost, and best practices
  Estimating time to authorization
  Preparing for FedRAMP
  Estimating the cost of FedRAMP
  “Greenfield” automation and leveraged authorizations
  Additional best practices and recommendations
Conclusions

2 | COALFIRE.COM


CLOUD GROWS IN THE FEDERAL MARKET. Public cloud services spending is expected to reach $370B in 2022.* In FY2018, federal agencies procured approximately $6.5 billion in cloud services, up almost 32% year over year.

SaaS IS THE NEXT FRONTIER. SaaS applications now make up more than 84% of cloud service providers publicly preparing or undergoing FedRAMP authorization.

INNOVATION SMOOTHS THE WAY. Automation helps companies achieve audit-ready status in as little as 6 months, versus more than 12. Organizations may be able to inherit 20 to 30% (by Coalfire’s internal estimates), or more, of required controls.

FEDRAMP GETS FASTER, EASIER. The fastest path to FedRAMP, from initial preparation to assessment and authorization, has been reduced by approximately 25%.

*IDC, “Worldwide Semiannual Public Cloud Services Spending Guide,” February 2019. https://www.idc.com/getdoc.jsp?containerId=prUS44891519


Executive summary

The move to the cloud continues unabated. While the federal government has traditionally lagged the private sector in cloud adoption, agencies are picking up the pace, increasingly using their considerable purchasing power in favor of secure cloud solutions. Agencies not only have federal incentives to modernize approaches and improve IT efficiency and costs, but they also must do so securely and within federal guidelines.

For government agencies wishing to consume cloud services, the Federal Risk and Authorization Management Program (FedRAMP) is at the center of governmental IT modernization because the cloud is a big part of IT evolution today. FedRAMP drives the convergence of cloud computing, cybersecurity, and government technology needs; the government’s “Cloud Smart” policy requires federal agencies to use FedRAMP-authorized solutions whenever possible to reduce costs and streamline IT procurement. FedRAMP establishes cybersecurity requirements for cloud service providers (CSPs) that deliver solutions to the federal market and utilizes independent experts to advise organizations and assess their compliance.

Coalfire is the largest provider of FedRAMP services to the CSP market, and our extensive history, deep industry relationships, and technical expertise all factored into this research. This report analyzes the FedRAMP program, federal cloud market landscape, and changes since the last edition of our report in 2017, as well as assesses market and industry dynamics that affect both FedRAMP and cloud adoption in the federal government. Key findings fall into six areas:

The federal cloud market is large and still expanding rapidly.
• Cloud adoption is underway in the federal government. Given federal mandates and the desire for greater efficiency, some agencies have well-established cloud capabilities, while other agencies are just beginning adoption.
––Federal agencies spent $6.5B in cloud services in FY2018, up 32% year over year.1
––Fifty percent of federal agencies are in the early stages of cloud maturity, with the vast majority of migration yet to come – providing opportunity for CSPs.2
• FedRAMP and the Office of Management and Budget (OMB) Cloud Smart objectives are beginning to more obviously complement and align with other federal initiatives, including Internet of Things (IoT), mobility, and productivity initiatives, providing new opportunities for Software-as-a-Service (SaaS) providers to address these needs.

1. Frank Konkel. “Federal Cloud Spending Trends Toward All-Time High.” Nextgov, September 12, 2018.
2. “Federal IT leaders report advances in cloud adoption for critical services.” FedScoop, December 5, 2018.


• Authorization support provided by the FedRAMP program makes an Authority to Operate (ATO) more worthwhile than ever for CSPs – irrespective of size – presenting an opportunity for relevant SaaS providers to more readily receive prioritization for FedRAMP authorization in response to these converging federal objectives; we expect this trend to become the new status quo for the FedRAMP program.

Structural changes in FedRAMP enable federal market access to CSPs of all sizes, with tailored paths and opportunities based on service type.
• There are significant areas of opportunity for CSPs as department sub-agencies explore cloud information systems that are not necessarily department-wide or weren’t initially considered due to the perceived complexity or “legacy nature” of the IT implementation.
• The new FedRAMP Tailored baseline is ideal for low-risk cloud offerings that do not handle personally identifiable information (PII), enabling greater CSP participation in smaller agencies.
• While the Department of Defense’s (DoD) approach to enterprise cloud acquisition (such as Joint Enterprise Defense Infrastructure [JEDI] and Defense Enterprise Office Solutions [DEOS]) is anticipated to narrow the federal market in some respects, we expect it to be more than offset by the increase in cloud adoption among the broader agency community, and at least partially offset within the DoD itself by the anticipated increase in demand for classified cloud ATOs at Impact Level 6 of the DoD Cloud Computing Security Requirements Guide (SRG).

Taking the right approach to the FedRAMP process minimizes required effort and the risk of organizational audit fatigue.
• CSPs should strongly consider leveraging underlying Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) cloud providers that have already achieved FedRAMP authorization instead of tackling FedRAMP on their own and uplifting their current cloud environment to meet federal standards. By leveraging “external service providers,” organizations may be able to inherit 20 to 30% (by Coalfire’s internal estimates) or more of required controls.
• By assessing multiple cloud services within one overarching compliance boundary, many CSPs have reduced the per-service cost of FedRAMP and decreased the risk of organizational audit fatigue.


• CSPs are also increasingly coordinating their assessment efforts across multiple compliance obligations, not just FedRAMP, dramatically reducing the need to duplicate preparation and participation efforts for their overall compliance portfolio. This can result in savings of up to 33% in internal resource time (from Coalfire assessment data). From a review of FedRAMP-qualified vendors’ public data, the majority (approximately 70%) are also meeting between 1 and 15 additional regulatory/compliance frameworks.

Automation accelerates CSPs’ ability to implement security controls, shortening time to compliance.
• CSPs should proactively implement a security automation strategy to get ahead of FedRAMP requirements and reduce the overall time required to gain authorization – not to mention reduce the cost to maintain compliance with FedRAMP and agency-specific cybersecurity requirements.
• FedRAMP preparation efforts leveraging the Security Orchestration, Automation, and Response (SOAR) approach show great promise in reducing time to compliance and improving security as preconfigured, cloud-based, compliant security stacks become more widely deployed. As an example, a leading SaaS provider reduced their time to ATO by 50% by leveraging SOAR techniques.
• As SOAR techniques mature, we expect to see greater expectations for automation in the FedRAMP high-impact security controls baseline.

Given these factors (among others), both time and cost to FedRAMP ATO are declining.
• Time to FedRAMP authorization (from the time of assessment initiation by a CSP) decreased from 12 to 16 months in early 2016, to as little as six months in late 2018/early 2019, with the average time taking 9 to 12 months as of early 2019.
• The fastest path to FedRAMP from initial preparation to assessment and authorization was reduced by approximately 25% due to program improvements made by the FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB), as well as CSPs relying more heavily on security automation when deploying their cloud services – a trend we expect will accelerate in the coming year.

And volume is increasing: FedRAMP authorizations continue to climb.
• The number of FedRAMP authorizations granted between 2016 and 2018 increased roughly 33% year over year, and burgeoning agency demand for SaaS applications is expected to ensure that trend continues.
• More than 1,100 ATOs (unique and leveraged) have been granted under the FedRAMP program.
• SaaS applications now make up more than 84% of CSPs publicly preparing or undergoing FedRAMP authorization.


As the federal cloud services market continues to grow and government CIOs face IT prioritization challenges, tighter security requirements, and the need to modernize technology, FedRAMP will see increased participation. For CSPs interested in entering the market or expanding their presence, this report provides guidance on common pitfalls, successful strategies, and typical resourcing and budgeting approaches.



Background and research approach

Since the publication of Coalfire’s last FedRAMP Securealities Report in early 2017, several major changes have occurred that affect the discussion, projected outlook, and guidance shared in this edition. Yet, much has stayed the same: chiefly, the cloud services market continues to show robust growth. Although IDC notes that annual spending growth is expected to slow slightly over the 2017-2022 forecast period, public cloud services spending is still expected to reach $370 billion in 2022 and is forecast to achieve a five-year compound annual growth rate (CAGR) of 22.5%.3 Consumers increasingly rely on the convenience, speed, and availability of information that the cloud provides, while businesses continue to realize operational efficiencies and financial savings from migration.

The federal cloud market is no exception to the persistent cloud adoption trend. The U.S. federal government fully recognizes the benefits of scale, innovation, and cost reduction that cloud adoption delivers; indeed, it was one of the first entities in the country to publish a formal Cloud Computing Strategy, the OMB’s “Cloud First” policy, back in 2011.4 The latest iteration of this policy, the OMB’s “Cloud Smart” policy,5 directs departments and agencies to utilize cloud-based computing solutions whenever possible. Adoption rates reflect broad implementation of this directive, with annual cloud adoption rates expected to be slightly higher in the public sector than overall growth rates across the industry. In FY2018, federal agencies procured approximately $6.5 billion in cloud services, up almost 32% year over year.6,7,8

Of course, the government’s path to a mature cloud adoption strategy has not been without some hiccups – foremost among them the associated cybersecurity concerns. These concerns were primary catalysts for the creation of FedRAMP, which is intended to provide agency CIOs with a tool to gain visibility into CSP cybersecurity posture and help them maintain compliance with their own legal obligations. In today’s federal cloud market, FedRAMP is key to reducing federal agency concerns about security when adopting cloud services. Its value has been demonstrated time and time again, primarily through metrics demonstrating a dramatic decrease in time to compliance with federal cybersecurity requirements and an increase in cloud adoption within the federal agency community.9

Figure: The cloud market is vast and growing. Public cloud services spending is estimated to grow to $370 billion by 2022, and cloud usage is projected to exhibit a 22.5% compound annual growth rate to 2022.

Coalfire is a top provider of cybersecurity advisory, assessment, and engineering services to the CSP market as well as the leading FedRAMP Third Party Assessment Organization (3PAO). Our extensive history, deep industry relationships, and technical expertise have contributed to the insights in this publication. For our initial edition of this report, we reviewed more than 500 applicable FedRAMP advisory and assessment projects performed by our firm over the previous five years – emphasizing 2016 results and identifying common findings that were considered topical at the time. We have updated these findings for 2019 with the results of our latest project reviews and insights to indicate how the federal cloud landscape has changed. Additionally, we surveyed information security executives with FedRAMP experience to better understand how firms prepare for – and progress through – the various FedRAMP paths to authorization. This report provides information about the benefits of FedRAMP, adoption trends, outlook for cloud adoption in the federal government, strategies that have worked for CSPs, and examples of agencies that have successfully navigated federal security requirements for cloud adoption. We also review best practices for business strategy, resource allocation, and development roadmap for CSPs entering the federal cloud market.

3. IDC, “Worldwide Semiannual Public Cloud Services Spending Guide,” February 2019. https://www.idc.com/getdoc.jsp?containerId=prUS44891519
4. Vivek Kundra, U.S. Chief Information Officer. “Federal Cloud Computing Strategy.” Executive Office of the President of the United States, February 14, 2011. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/egov_docs/vivek-kundra-federal-cloud-computing-strategy-02142011.pdf
5. Office of the Federal Chief Information Officer, Office of Management and Budget. “From Cloud First to Cloud Smart.” https://cloud.cio.gov/strategy/
6. Rob van der Meulen. “Understanding Cloud Adoption in Government.” Gartner, April 11, 2018. https://www.gartner.com/smarterwithgartner/understanding-cloud-adoption-in-government/
7. “Federal IT leaders report advances in cloud adoption for critical services.” FedScoop, December 5, 2018.
8. Chris Cornillie. “The Federal IT Market Grew by 10 Percent in Fiscal 2018.” Bloomberg Government, January 25, 2019. https://about.bgov.com/news/federal-market-grew-10-percent-fiscal-2018/
9. “FedRAMP Reaches 100 Authorizations.” FedRAMP, May 1, 2018. https://www.fedramp.gov/fedramp-reaches-100-authorizations/


FedRAMP program overview and outlook

WHAT FedRAMP DOES

In 2011, the OMB published the first Federal Cloud Computing Strategy, colloquially known as the “Cloud First Policy.” This document directed federal agencies to use cloud-based IT services whenever a secure, reliable, and cost-effective option exists. In concert with several interested agencies, OMB created FedRAMP later that year to help drive cloud adoption by standardizing cloud security requirements, assessment expectations, and authorization approach across all federal departments and agencies. In this capacity, FedRAMP acts as a central management point for standards and guidance related to continuous monitoring of cloud cybersecurity posture across the federal government. OMB monitors and enforces agency adoption of FedRAMP-authorized cloud services across the federal government.

To become eligible to provide services to federal government customers, CSPs must obtain FedRAMP authorization by successfully completing an independent security assessment conducted by an accredited FedRAMP 3PAO. Depending on the security categorization of a CSP’s cloud service offering, the 3PAO security assessment is conducted using one of three different sets of FedRAMP security control baselines (intended for low-, moderate-, and high-risk systems), with additional agency-specific requirements evaluated during the assessment process on an as-needed basis. These security controls are defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.10

FedRAMP has made federal cloud adoption more efficient, standardized security assessments, and eliminated redundant systems and assessments, saving the federal government time, staffing, and money. One of FedRAMP’s principles is “do once, use many,” allowing government agencies to successfully leverage and reciprocate a FedRAMP authorization (also called an ATO), eliminating redundancy and inefficiency. When the “do once, use many” principle was first introduced at the onset of the FedRAMP program, it represented a dramatic change in approach from the traditional Federal Information Security Management Act (FISMA) certification and accreditation process pursued by individual federal agencies at the time. The “do once, use many” principle has in part contributed to the success of FedRAMP, both from the perspective of agency cloud adoption – the core mission of the program – and CSP participation in FedRAMP, which was arguably even more important to the program’s success in its early years. Even as early as 2016, each of the 15 federal cabinet-level departments and many independent agencies and government-owned corporations had already authorized and procured a wide array of cloud services for mission-critical functions, attesting to the effectiveness of this approach to cloud authorization.11

FedRAMP is managed by the JAB and PMO. The JAB, which consists of cybersecurity representatives from the DoD, Department of Homeland Security (DHS), and General Services Administration (GSA), issues joint FedRAMP authorization decisions for CSPs. Due to the oversight role the JAB plays within FedRAMP and its lack of statutory ability to directly enter into contract with most CSPs, these Provisional ATOs (P-ATOs) are not an agency commitment to contract award and are granted on a strictly provisional basis – hence the “P-ATO” term. P-ATOs can then be leveraged under the “do once, use many” principle by any agency within the federal government, if that agency then issues its own agency ATO that references the JAB P-ATO decision as the basis for the agency’s action. Agencies can, of course, also award their own FedRAMP ATOs independent of any FedRAMP JAB review or approval. During the initial years of the FedRAMP program in 2012 and 2013, many CSPs elected to engage the JAB for P-ATO due to the reputational benefit of their cloud service offerings receiving joint authorization from the three most prominent federal agencies involved in cybersecurity, an aspect often heavily marketed by those CSPs awarded a P-ATO.

10. Note that NIST is expected to release a substantial update to 800-53, revision 5, sometime later in 2019, impacting current CSP FedRAMP cybersecurity programs managed with revision 4.
11. FedRAMP. https://marketplace.FedRAMP.gov, accessed March 2019.


As the program matured in 2014 and 2015, however, more CSPs elected to directly engage with a federal agency sponsor to achieve an agency ATO – a sponsor ostensibly interested in entering into contract with the CSP once an ATO was awarded, incentivizing quick turnarounds. Coupled with the long lead times required to achieve JAB P-ATO versus agency ATO, many stakeholders were inspired to voice questions in 2014 and 2015 about the JAB’s role in the authorization process moving forward. FedRAMP responded in 2016 by releasing the FedRAMP Accelerated package of process improvements, which greatly reduced the disparity between JAB and agency authorization times. In addition, in 2017, FedRAMP released the FedRAMP Connect prioritization process, which provided greater clarity around the roles the JAB and specific agency sponsors were expected to play in the authorization process.

In the aftermath of these changes, CSPs exploring FedRAMP in 2018 still often chose the JAB authorization path for the prestige and differentiation associated with receiving a P-ATO. But after the release of FedRAMP Connect, such CSPs are now prioritized by the PMO and JAB based primarily on the level of current and anticipated demand for their cloud service offering within the federal government. This effectively limits eligibility for JAB P-ATO to CSPs with high-demand services and broadly applicable capabilities, a neat tie-in to provisions in the original OMB Cloud First policy and the Modernizing Government Technology Act (MGT Act) of 2017.12 With the elimination of any major disparities between JAB and agency authorization times, CSPs now effectively self-sort into the JAB or agency authorization process based on the demand they anticipate for their cloud service offering. From 2013 to 2016, even with acknowledged lead times when undertaking JAB authorization, 47% of unique FedRAMP authorizations were granted as P-ATOs; while from 2017 to March 2019, only 16% of FedRAMP authorizations were granted as P-ATOs, clearly indicating a shift toward CSPs self-selecting agency authorization, ostensibly due to specific agency use cases.

FedRAMP AUTHORIZATION TRENDS

In our review of CSP participation in FedRAMP, three data points stood out:
1. The steadily increasing number of authorized cloud services
2. The relative disparity in agency adoption between hyperscale cloud providers and smaller, more tailored CSPs
3. The gradual shift to SaaS solutions as the most common type of authorization

Notwithstanding changes in the prevalence of the JAB P-ATO versus agency ATO, FedRAMP has continued to scale and grow, with a progressively larger number of ATOs granted year over year from 2016 to 2018. 2016 saw more than 80% growth in the number of ATOs from the original batch of ATOs granted by the JAB and federal agencies between 2013 and 2015.13 Further, 2016 saw the addition of new requirements for the high-control baseline and a reduction in the overall time to obtain authorization. In 2017, FedRAMP:
• Released a pilot program for low-impact SaaS offerings, implementing efficiencies in the continuous monitoring process (FedRAMP Tailored).
• Created a new process to prioritize CSPs with cloud services in high demand (FedRAMP Connect).
• Provided ongoing evangelization to federal government agencies still reticent to aggressively embrace cloud adoption.

FedRAMP ATOs granted between 2016 and 201714 grew an additional 33%, roughly in line with the growth experienced in the previous two years. 2017 also saw the FedRAMP program hit 100 unique FedRAMP ATOs for the first time (many federal agencies leverage previously granted FedRAMP ATOs when procuring a cloud service, so the total number of ATOs is much higher – more than 1,100 at the time of this writing).15

12. “Summary: H.R.2227 – 115th Congress (2017-2018).” https://www.congress.gov/bill/115th-congress/house-bill/2227

Lastly, 2018 saw several publications and programs issued, including a significant update to FedRAMP’s time-to-authorization metrics;16 formal boundary guidance; the formal expansion of the FedRAMP Tailored17 and FedRAMP Connect programs; and the announcement of several different pilots and partnerships, including a Cloud Security Alliance (CSA) partnership to meld the CSA STAR certification with the FedRAMP authorization process, pairing two of the most prominent security certifications adopted within the CSP community.

Most CSPs that participate in FedRAMP provide a single FedRAMP-authorized cloud service offering to a limited set of federal customers. But several – in particular, hyperscale providers – have grown relationships with more agencies as they build depth in their government expertise. A small number of CSPs, including Google, Amazon, Microsoft, IBM, Oracle, Salesforce, and Cisco, offer expanded portfolios of authorized cloud services, delivering a wide variety of solutions throughout the federal government under massive, multipurpose ATOs that cover a wide variety of features and sub-services. Although these industry giants command a substantial amount of attention when discussing the program’s success, the authorization support provided by the FedRAMP program makes an ATO more worthwhile than ever for CSPs – irrespective of size – if their cloud service can respond to a federal need.

Although CSPs offering services across the technology stack participate in FedRAMP, infrastructure and platform providers were the early participants – many entreated by the JAB and PMO to obtain ATOs in the first few years of the FedRAMP program. This led to a relatively balanced split of authorizations among cloud service models in 2013 through 2016; only 47% of ATOs granted in the first years of the FedRAMP program were issued to CSPs with SaaS applications. In recent years, however, this ratio shifted dramatically. From 2017 to 2019, 77% of ATOs granted under the FedRAMP program were issued to CSPs with SaaS applications. As of this writing, if the dataset is expanded to include CSPs that are publicly preparing or undergoing FedRAMP authorization, SaaS applications now comprise more than 84% of CSP cloud services on target to achieve FedRAMP authorization in 2019. We expect this prevalence to become more pronounced over the year with the PMO’s continued promotion of the FedRAMP Tailored baseline and the increasing focus within the federal government on several IT initiatives that are best addressed by deploying relevant SaaS applications.

13. FedRAMP. “2016: A look back.” FedRAMP.gov/2016-a-look-back
14. FedRAMP. https://marketplace.FedRAMP.gov, accessed March 2019.
15. “FedRAMP Reaches 100 Authorizations.” FedRAMP, May 1, 2018. https://www.fedramp.gov/fedramp-reaches-100-authorizations/. Note: Some CSPs have obtained additional ATOs for services that are uniquely tailored to agency environments, but those “one-off” ATOs are not accounted for in publicly released statistics about the FedRAMP program.
16. “How FedRAMP Transformed JAB Authorizations to take 75% Less Time.” FedRAMP, March 28, 2018. https://www.fedramp.gov/how-fedramp-transformed-jab-authorizations-to-take-less-time/
17. “FedRAMP Tailored Lessons Learned.” FedRAMP, April 18, 2018. https://www.fedramp.gov/FedRAMP-Tailored-Lessons-Learned/


Figure: Authorized cloud services and agency use* (axes: number of cabinet-level agency customers; number of Authority to Operate (ATO) designations). *Due to space constraints, CSPs with fewer than five publicly issued cabinet-level agency customers or fewer than 10 ATOs were not included. Note: These estimates were created based on publicly available data and select corrections, noting that many CSPs do not submit ATOs to FedRAMP, and many agencies do not notify FedRAMP of an ATO issuance. Therefore, FedRAMP’s publicly released numbers do not represent a complete picture of FedRAMP ATOs issued by the federal government.

Figure: Percentage of FedRAMP ATOs by cloud service model
Period              IaaS/PaaS   SaaS
2013-2016           53%         47%
2017-2019           23%         77%
2020 (projection)   16%         84%


2019 TO 2020 OUTLOOK

50% of federal agencies are in the first stages of cloud maturity, with the vast majority of migration yet to come.

Previous growth and progress metrics do not, however, mean that the federal cloud market is now saturated or managed with optimal efficiency. We expect the rate of cloud authorizations to continue apace with 2016 through 2018 numbers in 2019, anticipating – barring more government shutdowns – more than 150 new ATOs (a minority of which are expected to be unique) to be documented in the FedRAMP marketplace. The PMO set forth goals in early 2018 related to cloud adoption growth and efficiency improvements and is expected to do the same sometime in Q3 2019.18 Although many of those goals were successfully achieved, some are certain to continue to be on the radar of the PMO and JAB in 2019. Looking forward, as FedRAMP continues to mature in 2019 and 2020, we also foresee the following future trends. More ambitious agency migration initiatives We expect a variety of federal agencies to announce more ambitious cloud migration initiatives, targeting major agency applications and agency-shared services. We anticipate this trend will manifest particularly in agencies that haven’t traditionally implemented cloud service offerings due to continuing efforts to drive efficiency and innovation in the federal cloud portfolio and the maturation of the FedRAMP high-control baseline. To give an idea of how nascent cloud is in many parts of the federal government, one recent study estimated that almost 50% of agencies

18. “FedRAMP’s 2018 Goals.” FedRAMP, February 12, 2018. https://www.fedramp.gov/fedramps-2018-goals/ 16 | COALFIRE.COM


could be considered immature when it comes to cloud adoption.19 Federal agencies have tremendous opportunity as they strive to achieve the objectives set within the OMB “Cloud First” and now “Cloud Smart” policies; specifically, driving efficiency and innovation in their remaining on-premise IT systems and infrastructure (which still represent most information systems within the federal government IT portfolio). The 2017 passage of the MGT Act has given legislative teeth to past efforts to subsidize high-priority agency IT modernization strategies at agencies that are historically strapped for cash. A subsequent OMB memorandum published in 2018 directed agencies to prioritize modernization initiatives that improve cybersecurity and migrate legacy information systems to cloud computing platforms and other factors.20 We expect this effort to continue gaining steam as agencies review the results of 2018’s prioritization efforts and undergo their first few rounds of prioritization and budgeting in 2019. CSPs have significant areas of opportunity in the federal cloud market to focus on as department sub-agencies explore cloud adoption for information systems that are not necessarily department-wide or weren’t initially considered due to IT implementations considered highly complex or too “legacy” to prioritize. The new FedRAMP Tailored security controls baseline is ideal for low-risk SaaS applications that do not handle PII, enabling even greater CSP participation and adoption in smaller

agencies. In addition, the introduction of the FedRAMP high-control baseline in 2016 also provides CSPs an avenue to attract business from federal agencies with information systems previously considered too high risk to migrate to the cloud. Even though the high baseline is now more than two years old, many CSPs are only now beginning to see the benefit of their authorization efforts due to the time and rigor required to meet the baseline’s requirements and the time it has taken the federal agency community to fully vet eligible, authorized cloud services to which they would be comfortable migrating systems. Tapering of growth in new DoD ATOs We expect a substantial tapering of growth in new authorizations for the DoD – a large market for CSP products and services – due to the onset of several major contract awards expected in 2019. The rapid growth of the IaaS and PaaS federal markets illustrates the ready availability of cloud development and deployment services. Indeed, FedRAMPfocused initial authorization efforts during the program’s early years on CSPs offering IaaS and PaaS ensure federal agencies had a strong cloud foundation upon which to build their cloud migration strategies. The DoD is considered a huge market for cloud services, and IT procurement estimates by agency place the DoD above any other agency in total spend on IT products and services. This makes the DoD an extremely attractive federal customer to engage.

19. “Federal IT leaders report advances in cloud adoption for critical services.” FedScoop, December 5, 2018.
20. Mick Mulvaney, Director. “Implementation of the Modernizing Government Technology Act.” Executive Office of the President, Office of Management and Budget, February 27, 2018. https://www.whitehouse.gov/wp-content/uploads/2017/11/M-18-12.pdf


The DoD has also moved forward with an aggressive cloud adoption strategy, including a well-defined authorization process that helps CSPs navigate the DoD’s stringent and oftentimes byzantine cybersecurity programs. As part of this strategy, however, the DoD has in recent years announced two major contract vehicles: the IaaS- and PaaS-oriented JEDI and the SaaS-oriented DEOS. Both are massive (measured in billions of dollars) and represent a fundamental shift not only in how CSPs engage the DoD but also in how they prepare for future contract vehicles. The awards of both are expected to be announced in 2019 and will dramatically reshape the opportunity landscape for CSPs that provide equivalent services to the DoD today. They could also change the landscape for CSPs beginning to explore opportunities with the DoD and other large, IT-intensive federal agencies that may be inclined to follow the DoD’s example with large, comprehensive contract vehicles of their own. Although this trend will likely be a suppressing force in the federal cloud market, we expect it to be more than offset by the previously discussed increase in cloud adoption among the broader agency community, and at least partially offset within the DoD by the anticipated increase in demand for classified cloud ATOs at Impact Level 6 of the DoD Cloud Computing SRG.21

FedRAMP reform legislation

We expect to see consideration of legislation that formally ties the FedRAMP program and OMB cloud adoption objectives to FISMA, the Federal Information Technology Acquisition Reform Act (FITARA), and the MGT Act, above and beyond the current OMB policy and memo underpinnings of the FedRAMP program. The PMO is responsible for driving adoption by the cabinet-level departments and nine key independent agencies, including GSA and the Environmental Protection Agency. Almost all organizations under the PMO’s purview have issued ATOs, but adoption in small and medium-sized agencies has lagged well behind – a point that has held true since the onset of the FedRAMP program. Since agencies do not regularly report their level of participation in the FedRAMP program or overall cloud adoption progress as part of their OMB FISMA reporting, it is difficult to identify conclusive findings. Our best estimate indicates more than 50% of federal agencies do not yet participate in FedRAMP.22 This provides an opportunity for the OMB to strengthen its oversight of FedRAMP requirements and for CSPs to continue to pursue new markets for their cloud solutions. Congress keeps a close eye on the performance of the FedRAMP program

21. Department of Defense. “Cloud Computing Security Requirements Guide.” March 6, 2017. https://iasecontent.disa.mil/cloud/SRG/index.html
22. Estimated with agency listing data from catalog.data.gov/dataset/federal-agency-list compared to authorizations from marketplace.FedRAMP.gov, data accessed March 2019.


and appears committed to legislation that would formalize the legal underpinnings of FedRAMP to fully cement the program in the federal IT landscape. Legislation known as the FedRAMP Reform Act of 2018 was introduced in Congress by Reps. Gerry Connolly (D-VA) and Mark Meadows (R-NC) and is expected to be reintroduced in 2019. The bill was drafted in a consultative manner, including representatives of the executive branch and several members of the CSP and 3PAO community (including Coalfire). The legislation, first and foremost, establishes the FedRAMP program in statute, ensuring that CSPs that have already invested in FedRAMP will have their investments protected. The bill requires the PMO to adopt standardized metrics regarding the time, cost, and quality of the assessments necessary for completion of the FedRAMP authorization process, in a manner that can be consistently tracked over time. The OMB and GSA are required to submit an annual report to Congress on the status and performance of the PMO and a description of, and progress toward meeting, the metrics adopted by the OMB. The proposed law would require agencies to document why a JAB P-ATO won’t work for their agency and takes important steps to eliminate redundant assessments. We anticipate Congress passing the legislation this year.

Federal agency alignment

We also expect revisions to FedRAMP requirements and standard procurement contract clauses, improving alignment between the government-wide FedRAMP baseline and agency-specific cloud

security requirements. Differences between FedRAMP and agency requirements and processes continue to stymie efforts to drive efficiency in the FedRAMP authorization process, even five years after the onset of the program. For many agencies that have issued FedRAMP ATOs, FedRAMP authorization is not considered the “end-all, be-all” of the cybersecurity contract obligations they impose on their CSP vendors. Although FedRAMP’s “do once, use many” strategy has paid off by dramatically reducing the number of security assessments required for individual agencies to issue FedRAMP ATOs, and thus has saved a quarter of a billion dollars in federal audit expenses,23 CSPs often still face additional cybersecurity directives from agencies after they have achieved FedRAMP authorization – look no further than the DoD’s own Cloud Computing SRG as an example. The FedRAMP PMO has recognized the need to work with federal agencies and 3PAOs to reduce the number of confusing or conflicting requirements CSPs face after an agency authorizes their cloud services but before the cloud services are procured. The PMO has already begun to discuss potential ways to synthesize existing agency-specific requirements into future FedRAMP baselines, easing processes for CSPs struggling to navigate the complexity of the federal agency cybersecurity landscape.

Convergence of FedRAMP, IoT, mobility, and productivity

We expect further convergence between FedRAMP and federal IoT, mobility, and

23. “FedRAMP Reaches 100 Authorizations.” FedRAMP, May 1, 2018. https://www.fedramp.gov/fedramp-reaches-100-authorizations/


productivity initiatives. As FedRAMP shifts focus from IaaS and PaaS authorization efforts to SaaS solutions, industry commentators have expressed a desire for the PMO to align authorization priorities for SaaS solutions with nascent and existing federal IoT, mobility, and productivity initiatives, which are driven by stakeholders not necessarily directly associated with the FedRAMP program. Although no formal partnership or strategy has been announced among the different initiative owners at the GSA, OMB, and other agencies, FedRAMP’s authorization practices reflect a recognition of the importance of quickly authorizing SaaS solutions that meet demand in these areas, including the heavy promotion of the FedRAMP Tailored baseline for low-risk SaaS applications. In 2018 alone, several major IoT, mobility, and productivity platforms were announced as FedRAMP-authorized, representing a significant share of the unique ATOs granted by the JAB or federal agencies that year.24 As the federal government continues to pursue a broader strategy of digital transformation and these initiatives gain steam in 2019 and 2020, we expect continued emphasis across the federal government on SaaS applications that provide services for IoT, mobility, and productivity needs.

Emphasis on continuous monitoring performance

Over the next 24 months, we suspect the PMO and broader agency community will place increased emphasis on CSP continuous monitoring performance, accompanied by a gradual shift of the FedRAMP program’s continuous monitoring requirements toward DHS Continuous Diagnostics and Mitigation (CDM) standards. DHS has long been a cybersecurity strategy driver for the federal civilian agency community. Its CDM program is considered the unclassified benchmark for effective system compliance monitoring, allowing DHS and participating agencies to manage their overall cybersecurity risk posture and compliance with FISMA in near real time across a massive IT portfolio. Although DHS is a member of the JAB, the FedRAMP continuous monitoring requirements imposed on CSPs have taken a more traditional, cadence-based approach to compliance monitoring – one that expects CSPs to review their systems’ security and compliance posture on a monthly cadence even though toolsets are widely available to increase the frequency of such monitoring (and therefore increase the efficacy of “continuous” monitoring requirements). Numerous technical and procedural obstacles prevent putting such a program in place overnight, but we expect to see a concerted effort to close the gap between FedRAMP expectations and the DHS program in 2019, largely because FedRAMP identified alignment with DHS CDM as a key program goal in early 2018.25

Focus on automation

In 2019, we expect FedRAMP to emphasize improving CSP adoption of automated toolsets and configurations within CSP

24. FedRAMP. https://marketplace.FedRAMP.gov, accessed March 2019.
25. “FedRAMP’s 2018 Goals.” FedRAMP, February 12, 2018. https://www.fedramp.gov/fedramps-2018-goals/


cybersecurity programs to offset the impact of new requirements, improve CSP cybersecurity posture and continuous monitoring performance, and align CSP cybersecurity programs with the impending shift of the FedRAMP security controls baselines from NIST SP 800-53 revision 4 to revision 5 – an update that heavily emphasizes continuous security monitoring and cybersecurity automation. FedRAMP listed automation as a key expectation for CSPs adopting the FedRAMP High baseline when that baseline was first published in 2016, but the technical limitations of available toolsets and infrastructure at the time meant the JAB initially had to accept a wide variety of alternative implementations for automation-focused security controls. Since then, the introduction of SOAR concepts, DevSecOps organizational shifts, and the maturation of cybersecurity automation toolsets and infrastructure have made automation far more feasible in terms of cost, implementation effort, and personnel competency. As more CSPs undertake the FedRAMP High baseline and FedRAMP begins to emphasize greater automation at the Moderate level, CSPs should incorporate automation and scalability into their procurement process, development roadmap, and cybersecurity strategy to a much greater degree than in times past, when many CSPs adopted an “ends justify

the means” approach to implementation to achieve FedRAMP authorization in the shortest amount of time feasible. CSPs new to FedRAMP are not expected to create their automation strategies from scratch. Prominent CSPs have deployed FedRAMP-authorized services that provide underlying “fabric-level” security automation technologies and capabilities, which other CSPs can leverage to manage their cloud services’ security with minimal manual effort and development time. These capabilities tend to be well-documented and well-supported by the providers themselves, allowing CSPs to ease into adoption of the technologies. In addition, some cybersecurity firms – including Coalfire – provide services for organizations exploring security automation as part of their cloud strategy in place of more traditional security management processes. In Coalfire’s experience, CSPs that receive security automation and orchestration support and proactively develop a security automation strategy experience significantly quicker time-to-market for their FedRAMP authorization efforts and fewer issues and findings during the FedRAMP assessment process, due to the highly repeatable nature of their security posture.



FedRAMP: time, cost, and best practices

ESTIMATING TIME TO AUTHORIZATION

The upcoming changes and trends we discussed, coupled with the FedRAMP security controls baseline’s stringent requirements, represent a potentially daunting task for any CSP or startup exploring FedRAMP authorization or the broader federal cloud market. However, with the strong precedents set by the more than 130 unique FedRAMP-authorized cloud services that have successfully completed the FedRAMP authorization process, and the dramatic improvements the PMO and JAB have made to FedRAMP, navigating the authorization process is easier today than in 2016. Over the past five years, the advertised average time to achieve a FedRAMP ATO has dramatically decreased, although much of this drop can be attributed to changes the PMO and JAB made in 2016 and 2017. JAB P-ATO decisions that initially took CSPs 18 to 24 months to achieve26 (measured from the time they initiated the FedRAMP authorization process with the JAB to the time they were granted a P-ATO), and which took 12 to 16 months as recently as 2017, are now expected to take only six months27 – a similar amount of time to agency ATO decisions.28 Several factors have contributed (including some previously discussed):

• Increased agency support and commitment to cloud adoption
• Improved CSP preparation and internal processes, including security automation, a factor that will likely play an increasing role in FedRAMP timelines going forward
• Standardization of 3PAO reporting formats and testing interpretations
• The proliferation of personnel from CSPs, 3PAOs, and agencies with FedRAMP skillsets and experience throughout the broader cloud industry and agency community
• FedRAMP Accelerated, which simplified the FedRAMP JAB authorization process and introduced the FedRAMP Ready designation
• FedRAMP Connect, which introduced prioritization criteria for CSPs exploring a JAB P-ATO

While FedRAMP’s efforts to streamline and clarify the authorization experience for CSPs are admirable and have led to measurable improvements, they only tell half the story for CSPs that are beginning to explore what FedRAMP authorization means for them. The expected six-month timeline is only in

26. “How FedRAMP Transformed JAB Authorizations to take 75% Less Time.” FedRAMP, March 28, 2018. https://www.fedramp.gov/how-fedramp-transformed-jab-authorizations-to-take-less-time/
27. “FedRAMP Accelerated: A Case Study for Change with Government Reflections from Spring 2017.” FedRAMP. https://www.fedramp.gov/assets/resources/documents/FedRAMP_Accelerated_A_Case_Study_For_Change_Within_Government.pdf
28. “Agency Authorization Playbook.” FedRAMP. https://www.fedramp.gov/assets/resources/documents/Agency_Authorization_Playbook.pdf



[Figure: Average time to FedRAMP authorization, in months (0 to 24), by year from 2014 to 2019, plotted for the agency* and JAB* routes and for the combined agency and JAB routes including preparation time.]

*Time measured from in-process date to authorization following the FedRAMP Accelerated process. Often months have been spent before the official start of authorization, and the time required is typically significantly greater for hyperscale service providers.



[Figure: Moving through FedRAMP. The flowchart is summarized below.]

PREPARATION (CSP controlled)

• Business plan generation (CSP | Advisor): Ensure the anticipated costs, time, and effort required to achieve FedRAMP authorization are proportional to the expected benefits of entering the federal market.
• Evaluation of FedRAMP preparedness (CSP | Advisor): Conduct a gap analysis between the current state of the CSP’s cloud service and FedRAMP requirements, and prioritize high-risk issues and high-complexity changes.
• FedRAMP preparation (CSP | Advisor): Develop compliance documentation and remediate issues identified during the gap analysis.

FEDRAMP READY PROCESS (4-6 weeks) OR DIRECT ASSESSMENT

FedRAMP Ready is required by the JAB and recommended for agencies.

• Yes (FedRAMP Ready): the CSP, advisor, and 3PAO* produce a readiness assessment report (RAR); the FedRAMP PMO approves the RAR; the CSP is designated FedRAMP Ready and may proceed to either the agency route or the JAB route.
• No: the CSP proceeds directly to an agency assessment.

ASSESSMENT (2-3 months)

• Agency route (CSP | 3PAO | Agency): security assessment plan (SAP); agency approves SAP; 3PAO testing and security assessment report (SAR); agency approves SAR. Outcome: Agency ATO.
• JAB route (CSP | 3PAO | JAB): security assessment plan (SAP); JAB approves SAP; 3PAO testing and security assessment report (SAR); JAB approves SAR. Outcome: JAB P-ATO.

CONTINUOUS MONITORING (Annual)

• Continuous monitoring efforts (CSP | 3PAO) follow both the Agency ATO and the JAB P-ATO.

*Coalfire can act as an assessor or an advisor, but a 3PAO is not allowed to play both roles for a client.


relation to the authorization decision, not the time required for a CSP to adequately prepare for a P-ATO or an agency ATO. Although the PMO’s efforts to improve guidance and direction for CSPs preparing for FedRAMP authorization have provided much-needed clarity, the time and effort required to prepare can vary widely and are ultimately almost entirely up to the specific CSP. With the improvements FedRAMP has made to the JAB authorization process, the time and effort required to prepare for FedRAMP are now the primary determining factors in how long it will take a CSP to achieve authorization.

PREPARING FOR FedRAMP

When FedRAMP was first declared operational, many industry observers initially anticipated that overall organizational cybersecurity maturity and experience with federal government security requirements would be the key determining factors in estimating the time required by a CSP to prepare for and achieve FedRAMP authorization. Coalfire’s experience with the FedRAMP program over the past five years tells a slightly different story. Based on Coalfire’s deep experience assessing CSPs and helping them prepare for FedRAMP authorization, we found the time to effectively prepare for FedRAMP is driven by four main factors (all of which substantially impact the level of overall financial commitment required):

• Overall CSP financial commitment to its FedRAMP initiative
• CSP resource allocation
• Whether the CSP chooses to implement an entirely new information system deployment or “uplift” an existing information system to comply with FedRAMP requirements
• The overall information system scope of the CSP’s cloud service offering

While not nearly as important as these four factors, a mature cybersecurity posture and experience with the federal government’s security requirements are definite pluses, but they will continue to become less important each year as the overall cloud industry cybersecurity posture continues to mature. Although the preparation time and effort required varies, the recommended steps to ensure a cloud service offering achieves a FedRAMP ATO remain consistent from CSP to CSP. All timelines associated with these steps should be accounted for when developing an estimate of time to authorization:

• Federal business plan generation: Ultimately, FedRAMP is a business decision that should be treated as any other strategic business initiative within a CSP’s overall business strategy. Unlike some industry-specific cybersecurity standards and compliance programs that are mandatory in a regulated industry (e.g., PCI obligations for retailers and other payment processors), FedRAMP is entirely voluntary for the broader CSP community and is only required for those that wish to do business with the federal government – effectively making it a business “obstacle” to doing business with any federal customer. Thus, any CSP exploring entrance to the federal market must weigh the cost of achieving and maintaining FedRAMP authorization with

the estimated market opportunity within the federal government. Only then can a CSP determine whether the overall level of financial commitment and resource allocation to FedRAMP efforts will be feasible for its business. Any business plan created should also identify the CSP’s anticipated target customer base within the federal government, as certain agencies have more stringent security requirements and may impose sovereignty or segregation requirements on CSPs that are far more onerous than FedRAMP requirements.

• Evaluation of current FedRAMP preparedness: CSPs should conduct a gap assessment of the cloud service offerings they wish to put through FedRAMP, identifying critical engineering, compliance, and process issues that will need to be remediated before engaging a 3PAO for a FedRAMP security assessment. Note the PMO and JAB encourage CSPs to engage a third-party advisor to assist with preparation, both for the benefit of an impartial perspective and for the FedRAMP experience many advisors – especially 3PAOs – will provide. Comprehensive evaluations may take cautious CSPs two to three months; cursory preparedness reviews can be accomplished in a matter of weeks.

• FedRAMP preparation efforts: In addition to remediating issues identified during evaluation of their cloud service offerings, CSPs are expected to prepare a comprehensive set of compliance documentation and other collateral in advance of any serious interaction with the PMO or the initiation of any FedRAMP


security assessment. Note the PMO and JAB heavily encourage CSPs new to federal government security requirements to engage a third-party advisor to assist with documentation and compliance program implementation efforts as well, as such assistance reduces the overall difficulty of preparing for FedRAMP. Most CSPs successfully complete preparation within 9 to 12 months of undertaking FedRAMP, although outliers do exist. Early adopters anticipated two- to three-year preparation timelines as the norm, while more recent examples can be found of CSPs entering the FedRAMP authorization process after only three to six months of preparation. In Coalfire’s recent experience, this decrease isn’t just a factor of better gap analysis and documentation efforts on the part of CSPs; it is also influenced by heavily leveraging the security posture of underlying IaaS/PaaS providers with existing FedRAMP authorizations and proactively using FedRAMP requirements to drive security automation efforts within the CSP’s cloud service.


• Undergoing the FedRAMP authorization process: Once a CSP has effectively prepared, it must go through the FedRAMP authorization process, interfacing with the PMO and the JAB or its federal agency sponsor to initiate the process and then work with an independent 3PAO to conduct a security assessment against FedRAMP requirements. As noted in the “Estimating time to authorization” section, this is expected to take roughly six months.



ESTIMATING THE COST OF FedRAMP

Public information regarding the cost of preparing for and achieving FedRAMP authorization is limited due to wide variability in how spending and expenses are accounted for by private sector industry, as well as the multitude of ancillary or complementary investments required to bring a cloud service offering to market – not to mention the entirely voluntary nature of public disclosure about the cost of achieving FedRAMP authorization. Even though no comprehensive dataset is available to determine the average CSP financial commitment required, our experience shows that CSP FedRAMP costs and spending are concentrated in several areas:

• Allocation of internal resources to manage and maintain FedRAMP efforts and any required cybersecurity activities that were previously unaccounted for
• Technical remediation of information system issues
• Procurement of new or improved cybersecurity tooling and infrastructure
• Third-party advisory and preparation services
• The cost of an independent 3PAO security assessment

Most experienced third-party advisory firms and 3PAO assessors will offer similar pricing for their advisory and assessment services, and CSPs are encouraged to reach out early and often to such organizations during the generation of their business


case for FedRAMP to identify associated costs. Due to this similarity in vendor pricing, CSPs often use qualitative criteria for determining which advisor and assessor to select, evaluating vendor experience with FedRAMP, technical capabilities and cybersecurity expertise, and vendor compliance services that may complement FedRAMP efforts, such as SSAE 18 attestation or ISO certifying body work. When calculating the overall cost of FedRAMP, CSPs must evaluate the costs of the cybersecurity tooling and technical remediation required for FedRAMP, which can vary widely. Obvious factors such as the overall size of the cloud service offering (hyperscale versus startup) or the complexity of system design (communications and teleconferencing offerings versus simple IaaS, for example), which preclude any simple technical remediation, play a definite role in this variance and are easily incorporated into any internal CSP financial assessment of the overall costs of FedRAMP. But three other factors have a large impact on this variance as well, regardless of size and complexity:

• Deciding whether to build a new production environment for FedRAMP or uplift the current deployment
• Deciding whether to leverage an underlying IaaS/PaaS provider or maintain control over the entire technical “stack” of the cloud production environment
• Determining how much security automation to proactively invest in when preparing for FedRAMP


Another aspect of FedRAMP that is often forgotten is the cost to maintain the authorization after achieving an initial ATO. In addition to the required annual 3PAO security assessment costs, myriad other costs come into play when budgeting for ongoing authorization:

• Employing resources to report monthly on identified vulnerabilities and findings
• Updating and managing the plan of action and milestones (POA&M) on a continual basis to accurately reflect due dates
• Conducting monthly vulnerability scans on all operating systems, web applications, and databases
• Updating the system security plan (SSP) to reflect any implementation changes to security controls
• Performing regular reviews against the associated control parameters required for the identified baseline to ensure an appropriate security posture remains in place within the information system

FedRAMP should not be considered a point-in-time cost, but rather an ongoing operational investment. Depending on some of the factors discussed in this section, the cost of maintaining authorization can add quite a bit to initial cost estimates for undertaking FedRAMP.
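The monthly reporting, POA&M due-date tracking, and scan-coverage obligations listed above are exactly the kind of continuous monitoring work the report recommends automating rather than running by hand. The following is an added example, not code from the Coalfire report or from the FedRAMP PMO, of a small check that a CSP could run before producing a monthly deliverable. It assumes the severity-based remediation windows published in the FedRAMP Continuous Monitoring Strategy Guide (high findings within 30 days of discovery, moderate within 90, low within 180) and a monthly scan cadence; the POA&M identifiers, host names, and dates are constructed sample data.

```python
"""POA&M aging and scan-coverage check for FedRAMP continuous monitoring.

Added example (not from the Coalfire report). Assumes the FedRAMP
remediation windows of 30/90/180 days for high/moderate/low findings and
a 30-day scan cadence; all findings and hosts below are constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows by severity, in days from the discovery date
# (assumption: FedRAMP Continuous Monitoring Strategy Guide values).
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Every in-scope host is expected to be scanned at least once per monthly cycle.
SCAN_INTERVAL_DAYS = 30


@dataclass(frozen=True)
class Finding:
    poam_id: str            # hypothetical POA&M identifier
    severity: str           # "high" | "moderate" | "low"
    discovered: date
    closed: date | None = None


def due_date(finding: Finding) -> date:
    """Due date implied by the severity-based remediation window."""
    if finding.severity not in REMEDIATION_DAYS:
        raise ValueError(f"unknown severity {finding.severity!r}")
    return finding.discovered + timedelta(days=REMEDIATION_DAYS[finding.severity])


def overdue(findings, as_of: date) -> list[str]:
    """IDs of still-open findings whose due date has already passed."""
    return sorted(f.poam_id for f in findings
                  if f.closed is None and as_of > due_date(f))


def stale_hosts(last_scanned: dict, as_of: date) -> list[str]:
    """In-scope hosts with no scan inside the reporting interval.

    A host with no recorded scan at all is reported as stale: an unscanned
    asset is a coverage gap, not a clean result.
    """
    cutoff = as_of - timedelta(days=SCAN_INTERVAL_DAYS)
    return sorted(host for host, scanned in last_scanned.items()
                  if scanned is None or scanned < cutoff)


def monthly_summary(findings, last_scanned: dict, as_of: date) -> dict:
    """Figures a CSP would carry into its monthly continuous monitoring report."""
    open_items = [f for f in findings if f.closed is None]
    return {
        "open": len(open_items),
        "by_severity": {sev: sum(1 for f in open_items if f.severity == sev)
                        for sev in REMEDIATION_DAYS},
        "overdue": overdue(findings, as_of),
        "stale_hosts": stale_hosts(last_scanned, as_of),
    }


# Constructed sample data (hypothetical identifiers, hosts, and dates).
SAMPLE_FINDINGS = [
    Finding("V-001", "high", date(2019, 1, 2)),                      # due 2019-02-01
    Finding("V-002", "moderate", date(2019, 1, 2)),                  # due 2019-04-02
    Finding("V-003", "low", date(2018, 8, 1)),                       # due 2019-01-28
    Finding("V-004", "high", date(2019, 2, 20), date(2019, 2, 25)),  # closed in time
]
SAMPLE_SCANS = {
    "web-01": date(2019, 2, 15),
    "db-01": date(2019, 1, 10),   # last scan older than the 30-day cadence
    "app-02": None,               # never scanned
}

if __name__ == "__main__":
    print(monthly_summary(SAMPLE_FINDINGS, SAMPLE_SCANS, date(2019, 3, 1)))
```

Run as of 2019-03-01, the summary reports three open findings, flags V-001 and V-003 as past their windows, and lists db-01 and app-02 as coverage gaps; feeding real scanner exports and the POA&M into the same functions gives a repeatable check that runs every month rather than a manual spreadsheet review.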

“GREENFIELD” AUTOMATION AND LEVERAGED AUTHORIZATIONS

When preparing for FedRAMP, CSPs will undoubtedly discover numerous cybersecurity tooling, configuration, and/or technical remediation issues present in their system architecture – if for nothing


else due to the specific nature of the FedRAMP security control baseline. This reality, coupled with strict segregation or sovereignty expectations imposed by specific federal agency customers, often leaves CSPs with design questions they must answer early in their preparation efforts:

• Does the CSP try to uplift its current information system to the FedRAMP baseline (a system which often serves private sector customers and may have numerous legacy dependencies)?
• Or does it take a greenfield approach and deploy a brand-new, cloud-native, segregated production environment specifically for public sector or federal customers that meets FedRAMP requirements by design, instead of by revision?

Unfortunately, there are no easy answers to these questions. The current FedRAMP authorization portfolio includes examples of CSPs that have successfully taken each path or a combination of several. The financial feasibility of either approach varies widely by CSP, and the target federal customer profile determines which design approach will be most pertinent to the CSP’s overall federal business strategy. As CSPs undertake this discussion, we recommend accounting for several additional variables as part of the decision to uplift a current production environment to federal standards or build a new greenfield environment:

• Infrastructure: CSPs electing to leverage an authorized FedRAMP IaaS/PaaS provider instead of building their own colocation or dedicated infrastructure should account for the concept of


“inherited controls” as they work through provider selection. This may have a dramatic effect on the amount of responsibility shouldered by the CSP for FedRAMP compliance. Leveraging an authorized FedRAMP IaaS/PaaS provider often leads to reduced timelines for authorization due to 3PAO assessor and federal familiarity with previously authorized CSPs. This reduced time to compliance may be offset by the different cost structures associated with procuring infrastructure and platform services from an external provider.

• Application design and “cloud-native” benefits: When deploying a new information system, CSPs can incorporate security-by-design principles that may not be feasible to implement in an existing production environment due to operational impact or modification costs. Formalizing features – including account design, security control automation, auditing, and encryption – into the requirements can be less expensive and time consuming than retrofitting. Taking the time to explore cloud-native concepts as diverse as workload containerization, serverless application design, and “infrastructure as code” paradigms typically yields additional opportunities to optimize a cloud application’s footprint and build a strong design foundation for more involved automation and scalability initiatives within the organization.

• Operational segregation: Some federal customers will expect implementation of a dedicated, segregated government cloud service offering, whether due to legal concerns or sovereignty requirements.

Implementing the required technical controls in an existing information system may turn out to be much more difficult than deploying a new production environment with different underlying segregation protections.

Although the right approach to FedRAMP is different for each CSP, Coalfire has encountered more CSPs undertaking greenfield efforts between 2017 and 2019 than in previous years and continues to speak with many more CSPs exploring a greenfield approach to FedRAMP. CSPs are increasingly moving to greenfield production environments to take advantage of the existing security controls and FedRAMP authorization posture of an underlying IaaS/PaaS provider, decreasing the amount of responsibility the CSP must shoulder on its own. Often, CSPs elect to do so despite strict segregation or sovereignty expectations, selecting IaaS/PaaS providers that support such requirements. Beyond the dramatic decrease in the scope of FedRAMP authorization due to the inheritance of the underlying IaaS/PaaS provider’s security posture, this trend appears to also be driven by a common desire among CSPs to implement robust information system and cybersecurity automation technologies. FedRAMP preparation efforts leveraging SOAR concepts to decrease the amount of manual process required to manage the cloud service are showing great promise in reducing time to compliance and improving security, in comparison to traditional efforts that seek to minimize the upfront impact of FedRAMP on an organization’s processes and technology. CSPs with cloud service offerings deployed in a partially or heavily automated production environment that leverages best practices


for SOAR have an easier time remediating issues and maintaining compliance in their existing cloud services – regardless of scale – than CSPs that have built cloud applications that do not use the underlying IaaS/PaaS provider’s native cloud services and are not optimized for infrastructure as code. This approach also reduces time to compliance due to the inherent replicability and scalability of relying on automated systems and processes to manage system resource deployment and security controls implementation. In one recent example, relying heavily on security automation allowed one CSP to deploy a new cloud production environment and successfully complete a FedRAMP assessment in under six months.29 Finally, CSPs that have implemented heavy security automation generally see reduced cost and effort to maintain compliance due to the smaller administrator footprint required to maintain their cloud services in a compliant manner, even at scale. Based on all of these factors, we recommend CSPs seriously consider adopting a greenfield approach as they conduct their financial analysis of the overall cost of FedRAMP: exploring the use of IaaS/PaaS providers with existing FedRAMP authorizations, developing a security automation strategy for their cloud service offerings, and accounting for any existing use of automation to support cybersecurity or cloud-native design. Such factors have been shown to dramatically affect the ease of preparation for FedRAMP and the cost of maintaining a compliant posture once a CSP achieves FedRAMP authorization.

ADDITIONAL BEST PRACTICES AND RECOMMENDATIONS
Accounting for timelines, cost, and required resources to achieve FedRAMP authorization is an essential step for any CSP working to turn federal business into a reality. Of course, understanding what it will take to achieve FedRAMP authorization is only the beginning, as preparation, assessment, and authorization require a tremendous amount of tactical effort from internal stakeholders. As CSPs begin to narrow down what they need to prepare the tactical details of their FedRAMP roadmap, they should keep a few additional best practices in mind – gleaned from hundreds of authorizations and years of process improvement efforts by Coalfire, the 3PAO community, and the PMO and JAB. One company, Granicus, wrote a high-level blog on their FedRAMP process steps, working with Coalfire; it provides readers with one view into the end-to-end effort involved.

Best practices for preparing for FedRAMP authorization
• Design for the future: When preparing the cloud service for FedRAMP, leverage IaaS/PaaS solutions that have already been FedRAMP authorized, as well as automation, in your approach.
• Understand dependencies: The cloud service’s vendor and service dependencies must be clearly understood, documented, and controlled.
• Take an organizational lens: To ensure there are no weaknesses or blind spots during the assessment, the overall organizational compliance posture should be reviewed.
• Minimize audit fatigue: If feasible, assessment efforts should be coordinated across multiple cloud services and compliance obligations.
• Select the right advisor and assessor: Experience matters with FedRAMP and can dramatically impact a CSP’s timeline and required effort.
• Craft effective documentation: High-quality, comprehensive, and informative compliance documentation is often make or break for CSPs undergoing FedRAMP authorization.
• Orient to the agency customer: By communicating early and often with the agency customer, agency needs and requirements can be effectively addressed by the cloud service and its security posture.

Design for the future
CSPs that are beginning to build an information system deployment targeted at federal customers should ensure their development roadmap includes a serious investment in information system and cybersecurity automation, not simply to ease the path to FedRAMP authorization but also to “future-proof” their cloud service offerings against cybersecurity requirements expected to be imposed by FedRAMP and interested federal agencies in the 2019-2020 timeframe, and by future private industry regulations. The following technologies are some of the best practice implementations that CSPs should consider when developing their FedRAMP roadmap:
• SOAR
• Software-defined networking (SDN)
• Real-time network and infrastructure vulnerability analysis
• Component-based availability and security monitoring
• Fleet configuration and deployment automation tooling
• Dynamic network and infrastructure reconfiguration, resiliency, and failover tooling
• Real-time and just-enough access designs
• Strong customer self-service administration tooling
• Automated code testing, integration, and deployment tooling
• Advanced threat analytics capabilities

29. “Coalfire Helps Customers Accelerate FedRAMP Compliance Using AWS.” AWS. https://aws.amazon.com/partners/apnjournal/all/innovest-systems-coalfire/

Understand dependencies
CSPs often augment or support the functionality of their cloud service offerings by establishing dependencies on internal company subsystems or on external vendors, services, components, interfaces, and other devices, often including other cloud services. With FedRAMP’s 2018 emphasis on authorization boundary definition, we expect to see less flexibility provided to CSPs that come unprepared to discuss their vendor risk management and technical data flow control. The PMO has demonstrated a willingness to table or delay authorization efforts due to poorly defined authorization boundaries and service dependencies, and it shows no signs of relaxing its oversight in the near future. To proactively account for all dependencies that may affect their authorization boundary, CSPs should conduct an in-depth data flow, network management, and data infrastructure review, identifying and triaging external data flows and interconnections that may not have been accounted for during initial FedRAMP preparation efforts. CSPs should also explore their overall vendor portfolio, as there may be vendors supporting the organization that – while not directly supporting the in-scope information system – may be affected by FedRAMP requirements for vendor oversight, personnel management, corporate control, and overall organizational risk management.

Take an organizational lens
Every CSP that undergoes FedRAMP makes changes to, revises, or completely overhauls its existing information system and processes. Due to the scope of such an undertaking, FedRAMP also often provides organizations the opportunity to step back and identify organization-wide issues that could present obstacles to success with FedRAMP and to the organization’s overall cyber risk posture. Best-of-breed preparation for FedRAMP works to address organizational cybersecurity governance as well, lightening the long-term effort required to maintain FedRAMP authorization by ensuring that organizational risk management, reporting, testing, training, and accountability receive proper attention from executive management and the broader corporate workforce.


Minimize audit fatigue
CSPs should proactively craft a compliance strategy that addresses the threat of organizational audit fatigue before it negatively affects their organizations. Audit fatigue is a relatively recent phenomenon for the CSP community, which is increasingly expected to comply with myriad regulations and compliance obligations to enter any number of regulated industries – healthcare, financial services, payment processing, the EU market – as well as FedRAMP and federal agency-specific cloud security requirements. CSPs complying with multiple regulations at scale tax engineering, operations, and management resources at a level that can lead to audit fatigue. What accentuates this issue is that many CSPs have not traditionally accounted for compliance as a cost of doing business in their product and business development plans. This leads to two issues:
1. The CSP gradually accumulates compliance debt across the organization, much as developers accumulate technical debt in certain components or systems within their cloud service.
2. The CSP creates an approach to regulation and compliance obligations that lacks optimization and scalability at best and is haphazard, risk heavy, or noncompliant at worst.
In the context of FedRAMP, several concepts discussed in this paper can help alleviate the risk of audit fatigue: heavily automating security posture, proactively incorporating future-proofing architectural concepts and technologies into the design of a cloud service, and ensuring that organizational changes affecting compliance are appropriately prioritized and planned for. At a certain scale or complexity, however, CSPs still encounter audit fatigue. For organizations with five to six FedRAMP ATOs and/or multiple compliance obligations across different regulated industries (an assessment of FedRAMP-qualified vendors’ public data shows that the majority, approximately 70%, are also meeting between 1 and 15 additional regulatory or compliance frameworks), no amount of automation will entirely prevent the impact of managing so many compliance assessments. This does not make audit fatigue insurmountable, however. Two strategies Coalfire has vetted with CSPs work effectively to minimize audit fatigue and allow organizations to more easily scale their compliance and security programs:
• CSPs should design their cloud services’ compliance boundary to encompass multiple supporting services or multiple “sub-services” that would otherwise have been treated as separate compliance boundaries. This approach reduces the cost and effort to maintain compliance across multiple regulations, simplifies branding and messaging, and helps increase product “stickiness” and cross-sell opportunities. Although there are many nuances to undertaking such a shift in compliance strategy, this is not an untested approach – we only have to look as far as existing hyperscale CSPs, which bundle dozens or hundreds of services into one overarching cloud brand encompassed by a unified compliance boundary that provides coverage across multiple compliance frameworks and geographic regions.


• Coalfire encourages CSPs struggling to manage multiple regulatory requirements or compliance obligations to work with their assessors to coordinate assessment activities across their compliance portfolio, leveraging preparation efforts, artifacts, evidence collected, and reporting results to streamline the cost of compliance. Multiple 3PAO assessors, including Coalfire, offer services intended to coordinate assessment efforts, dramatically reducing the time and effort required by internal CSP stakeholders to respond to assessment requests and maintain compliance. Although such coordinated assessment programs require effort for initial setup to tailor to a CSP’s specific needs, so many Coalfire CSP clients have seen results from this approach that more than 25% of our FedRAMP clients now request some level of coordination among different compliance obligations – a dramatic increase from the last time we published this report, when only a few of our CSP clients were requesting such services. Coordination of assessment efforts across multiple cloud services and compliance obligations drives significant internal savings – typically 33% or more according to Coalfire estimates.

Select the right advisor and assessor
The PMO encourages CSPs to engage a third-party advisor to ease the difficulty of preparation, assessment, and authorization. If a CSP chooses to engage an advisor (the PMO does not place restrictions on the types of vendors a CSP is eligible to engage for advisory support), we strongly recommend selecting an organization with proven FedRAMP experience in supporting providers through the authorization process. CSPs should consider whether they expect their advisor to guide them through the entire FedRAMP process or to provide gap analysis and documentation development support during initial preparation efforts. They should also consider whether they need an advisor with deep engineering and cloud deployment expertise to complement their FedRAMP experience, or whether an advisor with general compliance expertise will suffice. In addition, CSPs should consider whether their chosen advisor or assessor can coordinate efforts across multiple compliance obligations in addition to FedRAMP, as doing so allows the CSP to proactively address concerns about audit fatigue. FedRAMP publishes public information on 3PAO accreditations and experience on its website, and CSPs are encouraged to use that information as a resource when undertaking vendor selection. Evaluating vendors with proven FedRAMP experience helps alleviate the difficulty of navigating the authorization process. Using accreditations, experience, and required advisor capabilities as selection criteria when choosing a 3PAO allows CSPs to take advantage of the depth and breadth of expertise provided by the relevant 3PAO vendors.

Craft effective documentation
As a compliance framework, FedRAMP assessment and authorization is ultimately driven, at least in part, by the quality of the documentation and evidence a CSP provides to its 3PAO assessor and to the PMO, JAB, and/or federal agency sponsor. Due to the scope, stringency, and comprehensiveness of the FedRAMP security requirements, CSP documentation packages often balloon to many hundreds, if not thousands, of pages. Ensuring that documentation is developed in accordance with FedRAMP instructions and guidance goes a long way toward streamlining the review and approval process required to successfully achieve authorization. Conversely, poor documentation has been known to delay authorization by months (or in a few egregious cases, years). Having an experienced third-party advisor available to support or drive documentation development helps reduce the risk of drafting poorly constructed documentation, but there are a few additional tips to keep in mind regardless of who is ultimately tasked with developing the documentation package:
• Ensure CSP documentation clearly defines and identifies the authorization boundary of the cloud service offering. It is safe to assume that all data used or created by a CSP’s federal customers will be in scope for the FedRAMP authorization, which imposes stringent requirements for data handling. Making sure all third-party dependencies, data flows, and shared services that cross the authorization boundary are clearly documented will limit the number of revisions or redrafts required due to 3PAO or federal government feedback.
• Due to the size of most CSP documentation packages, creating draft documentation as early in the preparation process as possible – even before technical remediation has been completed – is almost essential to ensuring authorization can be achieved in a timely manner. Compliance experience is useful in understanding the level of detail and comprehensiveness required, but FedRAMP requires a more rigorous, granular approach to documentation than other compliance frameworks such as PCI DSS or ISO 27001, and enterprises should allocate proportional time to it.
• Ensure documentation narratives speak to federal customer responsibilities. Due to the nature of most cloud service offerings, customer users often control a portion of the overall cybersecurity posture of the information system. Providing clear guidance on cybersecurity configurations and practices directed at end users simplifies discussion with federal agency customers once authorization has been achieved and contract award occurs.

Orient to the agency customer
As discussed, many agencies that have issued FedRAMP ATOs do not consider FedRAMP authorization to be the “end-all, be-all” of the cybersecurity contract obligations they impose on their CSP vendors. CSPs often still face additional cybersecurity directives from agencies after they have achieved FedRAMP authorization, which can be confusing or conflict with expectations set by other agency customers. Identifying these additional directives early and proactively engaging potential federal agency customers about their cybersecurity needs, contract obligations, and authorization expectations will mitigate much of the confusion, conflict, and delay CSPs often encounter when juggling requirements from multiple federal agency customers.


Conclusions
Secure cloud computing is essential for the federal government to move beyond its costly legacy infrastructure, computing operations, and applications. This is true in 2019 more so than ever, with incredible pressure being brought to bear on federal agency budgets to minimize capital expenditures and streamline operational overhead. However, now – eight years after the first publication of the OMB Cloud Computing Strategy – cloud still presents a relatively new challenge for federal agency customers. For cloud computing to become a central part of the government IT portfolio and not just a buzzword or a forward-facing strategy, federal agencies must become comfortable with the security, resiliency, and compliance capabilities of the private sector cloud industry to an even greater degree than is prevalent today. To achieve this, the cloud industry must continue to work toward a future where the cloud is secured continuously, comprehensively, and effectively. This is no small task in the ever-changing cyber-threat ecosystem we live in today, which has only accelerated since the creation of the FedRAMP program and even since the last edition of this paper. At the same time, the FedRAMP PMO, JAB, and the federal agency community must continue to iterate on and improve the cloud authorization process as a critical component of the Federal Cloud Computing Strategy and the government’s overarching technology enablement strategy – allowing federal agencies to take full advantage of the private sector’s fast-moving technology cycles and innovative IT advancements. For all enabling technologies, including cloud, any efforts to manage cyber risk will only be as effective as the timeliness and efficiency of the review and approval process required. FedRAMP is no exception.
Proactively addressing some of the preparation best practices and lessons learned described in this paper, as well as readily shared by the PMO, JAB, and 3PAO community, will alleviate much of the pain historically attributed to FedRAMP. Used wisely, they can be a conduit for a quicker, more complete, and more successful path to FedRAMP authorization, expanding enterprise business opportunities with the federal government.



THE AUTHORS
Michael Carter, Vice President, FedRAMP Assurance Services
Tom McAndrew, CEO
Andrew Williams, Product Director, Public Sector
Tom Bolger, Senior Director, Marketing
Lindsay Smith, Senior Director, Public Relations

ABOUT COALFIRE
Coalfire is the trusted cybersecurity advisor that helps private and public sector organizations avert threats, close gaps, and effectively manage risk. By providing independent and tailored advice, assessments, technical testing, and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives, and fuel their continued success. Coalfire has been a cybersecurity thought leader for nearly 20 years and has offices throughout the United States and Europe. For more information, visit Coalfire.com.



Copyright © 2014-2019 Coalfire. All rights reserved. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI DSS, et al.). Consequently, any forward-looking statements are not predictions and are subject to change without notice. While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. All product names, trademarks, and registered trademarks are the property of their respective owners.

Reduce risk and simplify compliance with trusted insight from the cybersecurity experts. 877.224.8077 | Coalfire.com

RR_Q2_060619