Trade Law Daily is a service of Warren Communications News.
‘Undue Burden’ on Cloud Providers

FedRAMP Continuous Monitoring Requirements Remain Vague, Says CSA

The White House unveiled its concept of operations guidance for the Federal Risk and Authorization Management Program (FedRAMP) this week (http://xrl.us/bmre24). But the continuous monitoring requirement of the concept of operations guidance is “not currently well defined” and could have a “significant impact” on the operations of cloud service providers, said Dan Fillpott, a federal information security architect with the Cloud Security Alliance.

Released Tuesday, the 47-page document defines the process by which cloud service providers may acquire broad provisional authorization to sell secure cloud services to federal agencies. The guidance represents the government’s most recent step to accelerate the adoption of cloud technologies by federal agencies as mandated by the federal CIO’s “Cloud First” policy.

One element of the guidance requires cloud service providers to conduct ongoing assessments of their security controls in order to maintain their provisional authorization, the document said. Such monitoring creates more transparency of the service providers’ security posture and enables timely risk management decisions, it said.

But the amount and depth of the information that must be collected could impose an “undue burden” on cloud service providers, Fillpott told us Wednesday. “There needs to be some work done to ensure there is a balanced approach that marries both the need for federal information security stewardship of the federal information systems while allowing cloud service providers to operate without undue burden.”

BSA Technology Policy Counsel Chris Hopfensperger focused on the positive implications of the GSA’s “slimmed down” approach to continuous monitoring. “The initial FedRAMP proposal back in 2010 called for 14 different types of reports and plans due at intervals ranging from once-a-month to once-a-year,” Hopfensperger said Wednesday. “That’s the old world of computing. The new proposal slims that down and adds in real-time data feeds. That is cloud computing.”

There are three processes involved in the continuous monitoring requirement: operational visibility, change control and incident response, said David McClure, an associate administrator at the General Services Administration (GSA). The operational visibility process implements a “real time data feed” of security controls which agencies will periodically review, he said Wednesday during a media briefing. The change control process will review any changes to a cloud service provider’s operations that might affect the security of a cloud environment.

The incident response process looks at security vulnerabilities from a “holistic scale” across the government that could result in a determination of whether a provisional authorization should remain, McClure said. “This is where we are coordinating heavily with DHS and US-CERT,” he said. The Department of Homeland Security, U.S. Computer Emergency Readiness Team and other federal organizations will conduct ongoing security assessments to ensure that the controls continue to be effective over time, the document said. If there is a security incident, the cloud service provider must initiate an incident response plan and notify US-CERT and the appropriate federal agency security operation centers (SOCs).

DHS needs to better communicate and interact with the private sector to ensure a more common approach over the continuous monitoring requirements, Fillpott said. “DHS hasn’t been as forthcoming about how to create new guidelines, where GSA has tried to get everyone together and come up with a common approach,” he said. “DHS comes from a security background and is more conservative in its outreach.”

The concept of operations document also detailed the way in which cloud service providers acquire provisional authorization in the first place. Providers must first implement and document their security controls, which are then independently verified by a third-party assessment operator. The third-party assessment is then measured by the joint authorization board which will either offer or deny provisional authorization to the service. Cloud service providers are limited to two resubmissions of each security assessment, the document said.

As FedRAMP evolves and matures, the joint authorization board will approve and publish compliance timelines for any program updates on www.FedRAMP.gov. “This is a phased and calibrated implementation that is designed to learn and correct as we go,” McClure said.

Third-party assessment operators must meet ISO/IEC 17020:1998 standards and be approved by a review board containing National Institute of Standards and Technology and FedRAMP representatives to ensure both the assessors’ technical capabilities and independence, the guidance said. Once approved, third-party assessment operators are required to maintain their accreditation and notify FedRAMP officials of any material changes to their ability to perform independent assessments. The document said the third-party assessment approval process will eventually be managed by a private sector accreditation board.

The FedRAMP program management office will keep a repository of existing provisional authorizations so other agencies can make their own risk based decisions, the document said. “The repository is key to the do once, use many times approach,” said Matthew Goodrich, a FedRAMP program manager with the GSA, during a webinar briefing hosted Wednesday by TechAmerica.

The repository will contain assessment packages in four different categories ranked from lowest to highest clearance: cloud service provider supplied; federal agency authority to operate; federal agency authority to operate verified by a third party assessment operator; and FedRAMP provisional authorization. Agencies can use existing provisional authorizations to grant their own authority to operate or add additional controls to meet their agency-specific security profile, the document said.