FedRAMP, or the Federal Risk and Authorization Management Program, is a standardized approach to security assessment, authorization, and monitoring for cloud applications. It was created by the U.S. General Services Administration in response to growing government usage of the cloud, which has obvious benefits at many levels of operation and operational support but produces many challenges from the cybersecurity perspective. Cloud computers more or less face the same threat vectors posed to traditional IT systems: bypassing firewalls, remote shellcode attacks, social engineering, spear phishing campaigns, and more. In addition, though, the cloud poses numerous other security risks. Cloud services are often run via Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) providers, which means that numerous clients (or, in this case, agencies) all have their applications running on the same physical server. If cloud applications are not properly isolated, then a hacker can break into agency A’s application and from there break into agency B’s database. One agency’s vulnerability would directly impact that of another; it’s a dangerous effect, particularly as federal agencies increasingly share systems and information. In the face of these complex risks, FedRAMP aims for cohesion and simplicity. By following the framework, federal agencies can secure their cloud beginning at the policy level and working their way down to the operational, technical and human tiers. And since FedRAMP’s developers also collaborated with the National Institute of Standards and Technology, the U.S. Department of Defense, and the U.S. Department of Homeland Security, the standards can be used in a breadth of federal cloud environments. Further, the financial savings of this utility are quite considerable, and the cost of the program itself is also going down.
Security Baselines
FedRAMP offers four security baselines that agencies can use to approximate risk:
- High security – 421 controls; any system where loss of confidentiality, integrity, or availability could have severe or catastrophic adverse effects on assets, operations, or individuals.
- Moderate security – 325 controls; system where loss would produce serious adverse effects.
- Low security – 125 controls; system where loss would produce limited adverse effects.
- LI-SaaS (Low-Impact SaaS) – 38 controls; system with low security impact, with no personally identifiable information (PII), and hosted within a FedRAMP-authorized PaaS or IaaS.
Specific Policy Steps
For each of these security levels, FedRAMP outlines policy steps to address relevant risks. For instance, here are the policy steps for LI-SaaS cloud systems:
- Categorize Information System
- Select Security Controls
- Implement Security Controls
- Assess Security Controls
- Authorize Information System
- Monitor Security Controls
This framework helps agencies break down their approach to cloud security into clear steps, from the very beginning all the way to the continuous monitoring process.
Wide Applicability
Although FedRAMP has different security levels for cloud technology, the framework itself isn’t tied to a specific type of cloud. This affords FedRAMP wide applicability across federal systems. This also means federal clouds, despite the code running on specific servers, should have standardized security protocols. As FedRAMP declares in their mission, they aim to “achieve consistent security authorizations using a baseline set of agreed-upon standards” and “ensure consistent application of existing security practices.”
Implementing FedRAMP
As with many other compliance frameworks (NIST, ISO, and more), implementing FedRAMP can be a detailed process. Particularly as “hybrid” cloud systems emerge in federal agencies – blending cloud software, cloud hardware, and traditional IT infrastructure – it certainly takes work to ensure security protocols are standardized. Tripwire’s ability to support hybrid physical and virtual environments provides the means for agencies to use Tripwire for their FedRAMP environments. To find out more, click here. Tripwire understands the security demands faced by federal government agencies. Security decision makers at these agencies aren’t only tasked with securing operations in a complex threat landscape—they also have to prove regulatory compliance at the same time. You can read three Tripwire use cases that higlight the following in federal agencies: #1: Ensuring compliance and minimizing risk #2: Automating manual tasks and enhancing breach detection #3: Monitoring critical assets in the public cloud Read more here: https://tripwire.me/2LdbfAR
About the Author: Justin Sherman is a student at Duke University double-majoring in Computer Science and Political Science, focusing on all things cyber. He conducts technical security research through Duke’s Computer Science Department; he conducts technology policy research through Duke’s Sanford School of Public Policy; and he’s a cybersecurity contributor for the Public Sector Digest. Justin is certified in cybersecurity policy, corporate cybersecurity management, social engineering, infrastructure protection, insider threat prevention, and homeland security planning from such organizations as FEMA, the National Institutes of Health, the U.S. Department of Homeland Security, and the U.S. Department of Defense. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
