New Steps in the FedRAMP Process & 4 Lessons We've Recently Learned
Discover one CSP’s story in navigating a FedRAMP and Security Level 4 DISA certification
The last update on our FedRAMP story was shortly after we achieved our FedRAMP Ready designation. Since then, we have started moving toward the most difficult stage of all – the review.
Let us share with you how we got here.
What Came Before
We initially began this FedRAMP journey with the agency sponsorship route in mind: with one umbrella agency (and many Government customers) who depended on and wanted our solution delivered in the Cloud, we believed (and were told by the FedRAMP team) this would be the best and fastest way to achieve an Authority to Operate (ATO). We created our first SSP with this in view; nevertheless, we soon had to pivot upon learning that the agency sponsorship route was not an option for us.
Side note, but important for the industry to consider: based on our conversations throughout this journey, it is beginning to sound like many (most?) agencies are hesitant about the risk and cost involved in the agency sponsorship route, and as such it might be time for FedRAMP to re-evaluate this method of authorization. If the only realistic route for most CSPs to achieve FedRAMP authorization, particularly authorization at IL4 or above, is through the JAB, it will necessitate change to ensure the process can become more efficient (in cost and time) and achievable for small businesses.
Where We Are Now
Now for the last 6 months we have been working to get accepted into FedRAMP Connect – FedRAMP’s process for reviewing & prioritizing CSPs (and their Cloud Service Offerings) to undergo review by the JAB. FedRAMP clearly states on its website that in order to be evaluated by FedRAMP Connect, a CSP must submit a “Business Case,” giving the FedRAMP PMO a standardized way to compare different Cloud Service Offerings (CSOs).
Let’s briefly summarize the criteria that contribute to prioritization by the FedRAMP PMO for a CSP’s Cloud Service Offering (CSO):
- Government-wide demand
- FedRAMP Ready designation
- Preferred characteristics including designated for the Federal Government, a proven track record of security, heightened security protocols, and meeting Federal Government needs
New (Unwritten) Steps in the FedRAMP Process
In June, Synergetics presented our business case to the FedRAMP PMO. In July, we had a call with the FedRAMP PMO team to discuss next steps. Essentially, they had questions for us to address before they would be able to make a final decision.
The first thing they explained was the purpose of the call – to identify any roadblocks in our security before recommending and moving us to the JAB review round.
⇒ Note: this process is a new step and ensures the FedRAMP team (and CSPs) have a higher success rate when undergoing the JAB review.
The team shared with us that the JAB review process is lengthy and rigorous (more difficult than an agency-sponsored authorization), that they have seen many CSPs fail their first time through (some becoming so discouraged that they give up on certification altogether), and that for this reason the call helps them screen out CSPs that are not quite ready for prioritization.
In other words, the worst thing that can happen for both a CSP and FedRAMP is for the CSP to be selected for prioritization only to not be ready for it, wasting time for all parties involved in the process: their own, FedRAMP’s, the JAB’s, and the other CSPs who now have to wait for the next round.
Thankfully, on our call we understood that while the PMO had some questions about our business case, the questions were minor and easily answered. We were told that the final FedRAMP Connect review would be coming soon, and that our chances for JAB review prioritization were good (nothing promised, of course!).
Here were some of the questions the PMO team had; we share them here because, as the PMO explained to us, they are areas that CSPs commonly get asked about or stuck on during the JAB review process:
- Metadata Sensitivity: While most CSPs are aware of the importance of security protocols regarding third-party systems and services accessing the CSO, most are unaware of the importance of securing data that is shared externally. For example, if a CSO uses a third-party texting service to send data to the customer, the data sent by that texting service must be either non-sensitive or encrypted.
- DNS Resolution: If your CSO uses DNS to resolve domains inside your offering, the domain must be an approved/secured URL; if your CSO does not use DNS for domain resolution, your team needs to know and understand how it is resolved and how it is secured.
- Encryption and Labeling: It is important to understand and clearly communicate the type of encryption that is being used for data-in-motion AND for data-at-rest. We were strongly encouraged by the FedRAMP PMO to make the reviewer's job easier by clearly labeling the types of encryption being used directly on authorization boundary and architecture diagrams. Finally, data transmitted between internal servers (e.g., an application server and a database server located on the same internal network) must also be encrypted, notwithstanding the inevitable performance consequences.
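The three screening points above can be turned into checks run over a data-flow inventory before the PMO call. The script below is an added example, not code from Synergetics or FedRAMP; the component names and the inventory are constructed, and the encryption field of each flow is treated as the label that would appear on the architecture diagram.

```python
from dataclasses import dataclass
from typing import List, Optional

# Labels a reviewer cannot act on: the diagram must name the mechanism.
VAGUE_LABELS = {"encrypted", "secure", "yes", "ssl"}

@dataclass(frozen=True)
class DataFlow:
    source: str                # hypothetical component names, e.g. "app-server"
    dest: str
    sensitive: bool            # customer data or sensitive metadata on this hop?
    third_party: bool          # does dest live outside the authorization boundary?
    encryption: Optional[str]  # diagram label such as "TLS 1.2"; None = cleartext

def audit_flow(flow: DataFlow) -> List[str]:
    """Findings the PMO screening would raise for one hop (empty list = clean)."""
    hop = f"{flow.source} -> {flow.dest}"
    findings = []
    if flow.encryption is None:
        # Third-party hops may carry cleartext only if the data is non-sensitive.
        if flow.third_party and flow.sensitive:
            findings.append(f"{hop}: sensitive data handed to a third party in cleartext")
        # Internal hops must be encrypted regardless of sensitivity.
        elif not flow.third_party:
            findings.append(f"{hop}: internal hop unencrypted; the internal network is not exempt")
    elif flow.encryption.strip().lower() in VAGUE_LABELS:
        findings.append(f"{hop}: label '{flow.encryption}' does not name the mechanism")
    return findings

def audit_inventory(flows: List[DataFlow]) -> List[str]:
    """Run every flow through audit_flow and flatten the findings in inventory order."""
    return [f for flow in flows for f in audit_flow(flow)]

# Constructed sample inventory; not taken from any real SSP or diagram.
SAMPLE_FLOWS = [
    DataFlow("web-tier", "app-server", True, False, "TLS 1.2"),
    DataFlow("app-server", "db-server", True, False, None),            # same subnet, cleartext
    DataFlow("app-server", "sms-gateway", True, True, None),           # sensitive data to 3rd party
    DataFlow("app-server", "status-page", False, True, None),          # non-sensitive: allowed
    DataFlow("app-server", "object-store", True, False, "encrypted"),  # vague diagram label
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_FLOWS):
        print(line)
```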
4 Lessons Agencies & CSPs Can Learn From Our Experience
- A FedRAMP JAB P-ATO is a far more time-consuming, rigorous, and costly method of certification. When bidding on a cloud project, a CSP should factor in this time and expense. When putting out an RFP for a cloud-hosted solution, an agency should strongly consider offering agency sponsorship, or be willing to pay for a more expensive solution that will not be delivered quickly.
- The issues that represent common pitfalls for a CSP's security plan, and how they can be addressed in advance of the FedRAMP PMO screening call (metadata sensitivity, DNS resolution, and encryption / encryption labeling).
- The importance of the criteria outlined by FedRAMP to be prioritized for a JAB review, particularly Government demand and FedRAMP Ready designation.
- The necessary financial, personnel, and time commitment required of CSPs to pursue certification through the JAB (many CSPs have gone as far as being selected for JAB review and given up when they failed their first review).
In our next article, we will report back the results from the next round of FedRAMP Connect prioritization, and regardless of our status, share with you the next steps we will take on our FedRAMP journey.
Thanks for taking this journey with us!