FedRAMP, or the Federal Risk and Authorization Management Program, is a standardized approach to security assessment, authorization, and monitoring for cloud applications. It was created by the U.S. General Services Administration in response to growing government usage of the cloud, which has obvious benefits at many levels of operation and operational support but produces many challenges from the cybersecurity perspective.
Cloud systems face more or less the same threat vectors as traditional IT systems: firewall bypass, remote shellcode attacks, social engineering, spear phishing campaigns, and more. In addition, though, the cloud introduces security risks of its own.
Cloud services are often delivered by Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) providers, which means that numerous clients (or, in this case, agencies) have their applications running on the same physical servers. If cloud applications are not properly isolated, an attacker who breaks into agency A’s application can pivot from there into agency B’s database. One agency’s vulnerability directly becomes another’s; that is a dangerous effect, particularly as federal agencies increasingly share systems and information.
In the face of these complex risks, FedRAMP aims for cohesion and simplicity. By following the framework, federal agencies can secure their cloud beginning at the policy level and working their way down to the operational, technical and human tiers. And since FedRAMP’s developers also collaborated with the National Institute of Standards and Technology, the U.S. Department of Defense, and the U.S. Department of Homeland Security, the standards can be used in a breadth of federal cloud environments.
Further, the financial savings from adopting the program are considerable, and the cost of the program itself is also going down.
FedRAMP offers four security baselines that agencies use to categorize a system’s risk:
- High security – 421 controls; any system where loss of confidentiality, integrity, or availability could have severe or catastrophic adverse effects on assets, operations, or individuals.
- Moderate security – 325 controls; system where loss would produce serious adverse effects.
- Low security – 125 controls; system where loss would produce limited adverse effects.
- LI-SaaS (Low-Impact SaaS) – 38 controls; system with low security impact, with no personally identifiable information (PII), and hosted within a FedRAMP-authorized PaaS or IaaS.
Specific Policy Steps
For each of these security levels, FedRAMP outlines policy steps to address relevant risks. For instance, here are the policy steps for LI-SaaS cloud systems:
- Categorize Information System
- Select Security Controls
- Implement Security Controls
- Assess Security Controls
- Authorize Information System
- Monitor Security Controls
This framework helps agencies break down their approach to cloud security into clear steps, from the very beginning all the way to the continuous monitoring process.
Although FedRAMP has different security levels for cloud technology, the framework itself isn’t tied to a specific type of cloud. This affords FedRAMP wide applicability across federal systems.
This also means federal clouds, regardless of which servers their code runs on, should follow standardized security protocols. As FedRAMP declares in its mission, it aims to “achieve consistent security authorizations using a baseline set of agreed-upon standards” and “ensure consistent application of existing security practices.”
As with many other compliance frameworks (NIST, ISO, and more), implementing FedRAMP can be a detailed process. Particularly as “hybrid” cloud systems emerge in federal agencies – blending cloud software, cloud hardware, and traditional IT infrastructure – it certainly takes work to ensure security protocols are standardized.
Tripwire’s ability to support hybrid physical and virtual environments provides the means for agencies to use Tripwire for their FedRAMP environments.
About the Author: Justin Sherman is a student at Duke University double-majoring in Computer Science and Political Science, focusing on all things cyber. He conducts technical security research through Duke’s Computer Science Department; he conducts technology policy research through Duke’s Sanford School of Public Policy; and he’s a cybersecurity contributor for the Public Sector Digest. Justin is certified in cybersecurity policy, corporate cybersecurity management, social engineering, infrastructure protection, insider threat prevention, and homeland security planning from such organizations as FEMA, the National Institutes of Health, the U.S. Department of Homeland Security, and the U.S. Department of Defense.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.