What Private Industry Needs to Know About Federal Security Programs

The Federal government is the leading creator, collector, consumer, and communicator of information in the United States. If its regulatory requirements change, those changes are likely to spread eventually into the commercial sector. Such is the case with two related risk management programs developed by the Federal government that now require commercial organizations working under contract with the Federal government to apply Federal security standards[1].

The Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA) work together to provide Authority to Operate (ATO) to information systems utilized by Federal agencies. However, it is important to note that the perspectives and approaches are different.  FISMA defines a framework to protect all Federal data, and FedRAMP is designed to assist agencies in meeting FISMA requirements for cloud systems[2]. Though not required for non-Federal affiliated organizations, commercial cloud service providers and private-sector businesses (like banks) have begun thinking about their cloud security standards and have looked to the Federal requirements for guidance[3].  Security organizations, such as the SANS Institute, have recommended private industry businesses reference the FedRAMP program when looking to implement security requirements around cloud services[4].  The reality of our current cyber risk climate is that it’s laden with danger, and the threats are only expected to worsen.

For this reason, it’s essential for cloud-computing companies and commercial businesses to protect information by scrutinizing security — especially if they want to compete for business from Federal agencies.  Service providers or private-sector businesses interested in implementing an information security program can review the FISMA and FedRAMP guidance and reference materials at http://csrc.nist.gov/groups/SMA/fisma/ and http://www.fedramp.gov/resources/documents/.  Organizations interested in providing services to the Federal government will need to implement the FISMA and FedRAMP requirements and work with Federal agencies to apply for a FISMA or FedRAMP (for cloud service providers) ATO.  Here’s what you need to know about both authorization processes.

Federal Information Security Management Act

FISMA was enacted in 2002 and requires all Federal agencies, departments and contractors to secure their information systems and assets to a reasonable and adequate degree whether or not they are cloud service providers.  The National Institute of Standards and Technology (NIST) aids in developing the standards and principles for FISMA via specialized publications, and Federal agencies and departments are mandated to report annually on their information security status. NIST Special Publication (SP) 800-37 Revision 1 defines guidelines to apply the Risk Management Framework to Federal information systems[5]. It involves six steps:

  • Step 1 – Categorize: The information system owner categorizes the information system based on Federal Information Processing Standard (FIPS) Publication 199 and documents the system categorization and system boundaries in the System Security Plan (SSP).
  • Step 2 – Select: Identify the security controls of the information system based on FIPS 200 and NIST SP 800-53 Revision 4 and document the security control descriptions in the SSP.
  • Step 3 – Implement: Implement the security controls and document the security control implementation descriptions in the SSP.
  • Step 4 – Assess: Assess the security controls against the security control implementation description. Security control assessments in support of initial and subsequent security authorizations must be conducted by independent assessors.  The assessor documents issues, findings, and recommendations for the organization to put into a remediation plan.
  • Step 5 – Authorize: Provide the SSP and assessment results to the authorizing official to perform a risk-based decision whether to grant the system an ATO.
  • Step 6 – Monitor: Continually update the SSP, remediation plan, and other system documentation as a result of information system and environment changes, ongoing security assessments, ongoing remediation actions, key updates, security status reporting, and risk determination and acceptance.

FISMA’s authorization process allows for an individual agency’s senior officials to authorize the information system. Agencies can require vendors to meet specific demands that are unique to the agency, and requirements for one agency may not be the same for another.  That’s why some vendors carry many ATOs. Authorization end dates are influenced by Federal and organizational policies and by the requirements of authorizing officials that may establish maximum authorization periods.

Federal Risk and Authorization Management Program

FedRAMP launched in 2011 and requires that all Federal agencies that currently use or plan to use a cloud-based solution implement the FedRAMP program to assess the security risks associated with using a cloud environment. It involves four process areas modified from the NIST SP 800-37 Risk Management Framework[6]:

  • Document: The cloud service provider (CSP) must categorize the information system, select, implement, and document system security controls in the SSP and additional required documentation. The security controls requirements are based on NIST SP 800-53 Revision 4 and build on those required for FISMA authorization.
  • Assess: The CSP must contract an independent assessor to perform an assessment of the security controls. If pursuing a provisional ATO (P-ATO) from the Joint Authorization Board (JAB) or utilizing the CSP-supplied path, the organization must hire a third-party assessment organization (3PAO) to perform an independent assessment.
  • Authorize: Authorizing officials review the CSP’s SSP, associated documentation, and the completed independent assessment, otherwise known as the FedRAMP assessment package, and make a risk-based decision whether or not to authorize the information system. There are three “paths” a cloud service provider (CSP) can pursue to achieve an authorization:
  1. The Agency Sponsor path involves a Federal agency and the FedRAMP Project Management Office (PMO) reviewing the assessment package and the agency determining whether to provide the CSP with an ATO.
  2. The JAB path involves the JAB and FedRAMP PMO reviewing the assessment package and determining whether to provide the CSP with a P-ATO. Federal agencies can then decide whether to grant the CSP an ATO.
  3. The CSP-supplied path allows the CSP to provide its assessment package to the FedRAMP PMO for review; Federal agencies then review the package to determine whether they want to grant the ATO.

Once a CSP receives an ATO, it can be leveraged by other Federal agencies who want to utilize the cloud service.

  • Monitor: Once the JAB or agency grants the CSP a FedRAMP authorization, the CSP must implement continuous monitoring activities via ongoing assessment and authorization to ensure the cloud system maintains an acceptable risk posture.

The FedRAMP authorization process is the more rigorous of the two because it was designed to act as a one-stop shop for all agencies to get services from authorized cloud providers that fulfill the FedRAMP requirements.  Generally speaking, for a moderate impact system, a FedRAMP assessor is mandated to assess 297 NIST SP 800-53 rev.4 security controls required by FedRAMP compared to the 261 NIST SP 800-53 rev.4 security controls required by FISMA. The FedRAMP-required security controls also include additional FedRAMP requirements and guidance, and FedRAMP assessors are required to follow specific guidance issued by the FedRAMP PMO for particular testing, such as penetration testing.


About the Author

Christina McGhee is a Manager at Schellman & Company, Inc., where she performs FedRAMP 3PAO assessments, both stand-alone and integrated with SOC 1 and SOC 2 examinations. Christina has experience in performing SOC, Federal Information Security Management Act of 2002 (FISMA), and Financial Statement audits and assessments for civilian agencies and departments. Christina has also supported multiple large cloud service providers as they prepared for and went through the FedRAMP authorization process.

[1] http://deloitte.wsj.com/cio/2013/06/03/fisma-takes-private-sector-by-surprise/

[2] https://www.fedramp.gov/files/2015/03/Guide-to-Understanding-FedRAMP-v2.0-4.docx

[3] http://www.informationweek.com/government/cybersecurity/cloud-providers-align-with-fedramp-security-standards/d/d-id/1113499

[4] http://www.federaltimes.com/story/government/omr/cybercon/2015/11/19/coop-fedramp-baselines/76052718/

[5] http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

[6] https://www.fedramp.gov/files/2015/06/FedRAMP-Security-Assessment-Framework-v1.0-2.docx