IST. NIST. GSA. DOD. DHS. SAF. OMB. FISMA. GSA. FedRAMP. With all the various acronyms and abbreviations used, the U.S. government, its entities, and its myriad of regulations can seem like an alphabet soup. For companies that want to provide cloud-related services to federal agencies, sorting through the letters is the least of their concerns.
As most IT professionals working in regulated industries know, achieving and maintaining compliance with various regulatory requirements isn’t easy. When those regulations are government-directed, things can get even more complicated. That’s the case with the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP Compliance and Cloud Security
Most cloud providers build security into their cloud services. AWS is one of them and well recognized for its multi-faceted, high-level security approach. Nonetheless, the U.S. government has its own specifications for cloud security.
Among the requirements to achieve compliance with FedRAMP, organizations that wish to provide cloud service offerings (CSO) to federal agencies must:
- Determine their authorization strategy and be granted an Agency Authority to Operate (ATO) by a U.S. federal agency, or a Provisional Authority to Operate (P-ATO) by the Joint Authorization Board (JAB).
- Complete a FIPS PUB 199 worksheet to categorize what types of data are (or can be) contained within the system to determine the impact level for the system.
- Select the FedRAMP security controls baseline that matches the FIPS PUB 199 categorization level.
- Meet the FedRAMP security control requirements as described in the NIST 800-53, Rev. 4 security control baseline for moderate or high impact levels. Moderate-level systems have 325 controls, while high-level systems must comply with 421 controls.
- Document the details of the implementation in a System Security Plan, and show that all its system security packages use the required FedRAMP templates.
- Undergo an independent security assessment conducted by a third-party assessment organization (3PAO).
- Develop a Plan of Action and Milestones (POA&M) that addresses the specific vulnerabilities noted in the Security Assessment Report (SAR).
- Have the completed security assessment package posted in the FedRAMP secure repository.
That’s the abbreviated version. Each of these bullet points can entail numerous steps and decisions. For many companies, it can take 12-18 months just to get through the FedRAMP requirements.
Real-World FedRAMP Compliance Needs
Given the complexity and how time-consuming it can be to achieve compliance with various regulatory requirements such as those of FedRAMP, it’s not surprising that many companies seek the help of third-party companies. Few have the in-house expertise or experience in dealing with specific compliance requirements.
It’s also not surprising that ClearScale frequently helps customers with compliance requirements, including those of FedRAMP. We do have both the experience and expertise in dealing with compliance issues. Often, our solutions involve the use of automation to help accelerate the various processes required to meet compliance requirements. In the case of FedRAMP, that can help drastically reduce the typical 12-18 month timeframe for compliance.
That was the case for one ClearScale customer that was recently preparing for a FedRAMP audit. Among its requirements was to establish a secure configuration posture that required hardening its Amazon Elastic Compute Cloud (Amazon EC2) instances to Center for Internet Security (CIS) Benchmark Standards. Hardening reduces attack surfaces to enhance a system’s security, improving security beyond a system’s default settings.
Specifically, the customer needed custom Ansible playbooks created based on the CIS Benchmarks for the Ubuntu Linux operating systems. Ansible is an open-source tool for automated configuration management, orchestration, provisioning of systems, zero-time rolling updates, and application deployment. Playbooks are Ansible’s configuration, deployment, and orchestration language. They can describe a policy for remote systems to enforce or the steps for a general IT process.
The ClearScale Solution
The ClearScale team developed a custom CIS Benchmarks compliance solution in which Ansible playbooks continually monitor the customer’s system against CIS Benchmarks.
The Ansible playbooks analyze hardened images and keep the hardening up to date on all instances. They are launched automatically at specific frequencies to check for and correct any non-compliant items, such as open port 22 on instances, publicly accessible S3 buckets, and non-encrypted communication channels. Because the solution uses a Python-based script, it can be launched in various environments. After each check, a status report is generated and sent to the customer.
By leveraging CIS Benchmarks and EC2 hardened images to create an “audit ready” AWS environment, ClearScale was able to accelerate the process of obtaining FedRAMP authorization for the customer’s application environment.
Of course, no two customers are alike, so solutions to their compliance needs aren’t either. That’s why at ClearScale we take the time to understand our customers’ environments, business objectives, and short- and long-term goals, as well as their compliance requirements. That enables us to create customized solutions to meet their specific needs. For us, it’s the normal way to do business and an approach that’s as easy as A-B-C.
Learn what ClearScale can do for you. Contact us today.