Just like I did for FISMA, I wanted to review the Federal Risk and Authorization Management Program Security Controls (FedRAMP), and provide you with my view of it. As stated on GSA’s website, FedRAMP is “a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.” (1)
You see, the cloud is not an easy place to transition to. There is still a debate with regard to the definition of the cloud, and people are still concerned about what to do with it and where to start. FedRAMP offers a starting point for Federal entities. And this starting point is based on controls. Controls are used to assist with processes in an organization to achieve goals. In this case the goal is to make the audience feel more comfortable about moving to the cloud.
The purpose of that document is also to “list the security controls and corresponding enhancements that Federal Agencies and Cloud Service Providers (CSP) must implement within a cloud computing environment to satisfy FedRAMP requirements”. As stated “the controls were selected to address the unique risks of cloud computing environments, including but not limited to: multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust.” (2)
This document is also designed to go with NIST SP 800-53 rev 3 – Recommended Security Controls for Federal Information Systems and Organizations.
Now, compared with FISMA, FedRAMP is addressed via the NIST document and an Excel spreadsheet. I have broken it into the specific categories below but the Excel document also provides the control number and name, control baseline, control parameter requirements, and additional requirements and guidance.
The FISMA document, on the other hand, is a single document that provides more of a manual for getting you to the cloud. It offers a different path for getting to the same place. FISMA provides guidance, and FedRAMP provides controls.
If we stick with FISMA as a relationship guideline, we can say that FedRAMP is the “must haves” for any relationships. For instance, my “must haves” for a relationship with a guy could be that he is 5’10″ or taller, has blue eyes, dark hair, and can make me laugh (just to clarify, these aren’t actually my requirements… exactly). Again, with both of these documents we are trying to get to the same place (the cloud), and we are trying to ensure that entities feel good about going there. We want to help them – provide guidance and let them know it will be OK.
The question comes up – what is the best way to help them get there? Would you educate them so they feel better? Or would you educate them by telling them the must-have capabilities but not really explaining why? There are multiple ways, outside of these options, to make the users feel comfortable about the cloud. A nice option might be to have these entities combined. Personally I believe in educating people and not just telling them how it should be or what you must have. And are there any exceptions to these controls, or is this a “this way or nothing” kind of approach?
An example of such an approach is auditable events AU-2(4). This control parameter requirement indicates the following: “the service provider configures the auditing features of operating systems, databases, and applications to record security-related events, to include logon/logoff and all failed access attempts”. My question is – how about other events? Aren’t we missing something? What about configuring the auditing features of the hardware or even the physical access? I’m not saying the original request is not important, but there are circumstances where additional auditing may be needed. I am happy that a baseline was established, but is it enough?
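As an added illustration (not part of the original post or of the FedRAMP documents), the following Python runs a set of constructed log lines from the three layers AU-2(4) names against the event classes the baseline requires, and then against the broader set the post asks about; the log formats, the patterns and the "physical_access" class are assumptions, not any product's real output or any FedRAMP requirement.

```python
import re
from collections import Counter

# Constructed sample log lines (not real captures) from the three layers
# AU-2(4) names: operating system, database, application.
SAMPLE_LOGS = {
    "operating_system": [
        "sshd[812]: Accepted publickey for alice from 10.0.0.5 port 50112",
        "sshd[812]: Failed password for invalid user admin from 10.0.0.9 port 50220",
        "sshd[812]: pam_unix(sshd:session): session closed for user alice",
    ],
    "database": [
        "LOG: connection authorized: user=app_ro database=orders",
        'FATAL: password authentication failed for user "app_rw"',
        "LOG: disconnection: session time: 0:02:11.4 user=app_ro database=orders",
    ],
    "application": [
        "INFO auth: login ok user=bob",
        "WARN auth: login denied user=bob reason=bad_token",
        # no logoff line: this layer falls short of the AU-2(4) baseline
    ],
}

# Hypothetical patterns for the sample formats above, one per event class.
PATTERNS = {
    "logon": re.compile(r"Accepted \w+ for|connection authorized|login ok", re.I),
    "logoff": re.compile(r"session closed|disconnection|logout", re.I),
    "failed_access": re.compile(r"Failed password|authentication failed|login denied", re.I),
    "physical_access": re.compile(r"badge (granted|denied)|door (opened|forced)", re.I),
}
BASELINE_EVENTS = ("logon", "logoff", "failed_access")   # what AU-2(4) names
EXTENDED_EVENTS = BASELINE_EVENTS + ("physical_access",)  # the post's "what about physical access?"

def classify(line):
    """Return the event class a log line records, or None if it is unrelated."""
    for event, pattern in PATTERNS.items():
        if pattern.search(line):
            return event
    return None

def coverage(logs):
    """Count recorded events per log source, keyed by event class."""
    return {src: Counter(e for e in map(classify, lines) if e) for src, lines in logs.items()}

def baseline_gaps(logs, required=BASELINE_EVENTS):
    """List (source, event) pairs where a required event class never appears."""
    cov = coverage(logs)
    return [(src, ev) for src in logs for ev in required if cov[src][ev] == 0]
```

Run with the baseline the only gap is the application layer's missing logoff events; run with EXTENDED_EVENTS every layer is also missing physical-access events, which is the kind of gap the control's wording does not surface.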
Don’t get me wrong, anything that promotes movement into the cloud and anything that helps people with that process is great in my eyes. No matter whether they guide you or tell you exactly where to go, documents like these are necessary. I just question the method by which FedRAMP tries to get people there. I believe in simplicity, and I believe that you need to educate those that are on the journey. And it’s not easy. I mean the NIST document is 237 pages, and it’s very complicated. Instead, I would like to see it simplified. How can 237 pages of ONE document help us? This isn’t a relationship guide; this makes me want to stay single the rest of my life!
Below you can see the security control categories listed in the FedRAMP document. These are just categories; each one of them has a long list of controls that fall under it.
1.1 : Access Control (AC)
1.2 : Awareness and Training (AT)
1.3 : Audit and Accountability (AU)
1.4 : Assessment and Authorization (CA)
1.5 : Configuration Management (CM)
1.6 : Contingency Planning (CP)
1.7 : Identification and Authentication (IA)
1.8 : Incident Response (IR)
1.9 : Maintenance (MA)
1.10 : Media Protection (MP)
1.11 : Physical and Environment Protection (PE)
1.12 : Planning (PL)
1.13 : Personnel Security (PS)
1.14 : Risk Assessment (RA)
1.15 : System and Services Acquisition (SA)
1.16 : System and Communications Protection (SC)
1.17 : System and Information Integrity (SI)
References:
(1) http://www.gsa.gov/portal/category/102371
(2) FedRAMP Security Controls Preface, http://www.gsa.gov/graphics/staffoffices/FedRAMP_Security_Controls_Final.zip