The Federal Risk and Authorization Management Program, or FedRAMP, is a government program designed to provide, as they put it in their FedRAMP Security Assessment Framework document, “a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services.”
While FedRAMP is meant for cloud service providers (CSPs) and government agencies, other organizations can still benefit from maintaining FedRAMP compliance—especially if they plan to work with a government agency at some point.
The scope for devices needing FedRAMP is vast, including large-scale, elastic, cloud computing in multi-tenant data centers. Ensuring your Mac endpoints are FedRAMP compliant requires you to adopt the latest CIS Benchmark. Luckily, CIS for macOS is the most updated, and active (community) guideline published to date.
What is FedRAMP compliance? How can your organization achieve FedRAMP compliance for macOS devices? How can you ensure the service providers you work with are also FedRAMP compliant?
Some Basic FedRAMP Compliance Information
In the text of the FedRAMP Security Assessment Framework (SAF) document, there are 14 different applicable laws and regulations as well as 19 different standards and guidance documents connected to FedRAMP (as of Version 2.4 of FedRAMP’s SAF).
Some of the key laws/regulations related to FedRAMP include:
- The Federal Information Security Management Act (FISMA). Much of FedRAMP’s SAF is concerned with standardizing how FISMA “applies to cloud computing services.” As such, FISMA forms much of the basis for FedRAMP compliance.
- E-Authentication Guidance for Federal Agencies. The Office of Management and Budget (OMB) published the E-Authentication Guidance for Federal Agencies in 2003. This document “establishes and describes four levels of identity assurance for electronic transactions requiring authentication.” These “assurance levels” transition from Level 1 (little to no assurance) to Level 4 (very high confidence in identity).
- OMB Circular A-130. OMB Circular A-130 is a memo for the management of “Federal Information Resources” detailing the responsibilities federal agencies have when maintaining records about individuals, the implementation of the Government Paperwork Elimination Act, and the security of federal automated information resources.
These regulations all helped to inform the creation of FedRAMP’s security assessment framework in one way or another. So, they can be considered key to understanding FedRAMP security requirements.
There are two paths to achieving FedRAMP authorization:
- Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO)
- FedRAMP Agency Authority to Operate (ATO)
The first option involves submitting an initiate request to the FedRAMP.gov website. The JAB “will provide the risk review of all documentation provided by the CSP in the security authorization package” to determine if the cloud service provider meets FedRAMP compliance requirements.
The second option is for CSPs that are working directly with a federal agency. Here, “the Federal Agency will provide the risk review of all documentation provided by the CSP.” Both approaches require filing a security assessment package, but have different groups reviewing them.
Achieving FedRAMP Compliance: The FedRAMP Risk Management Framework
FedRAMP’s risk management framework consists of four distinct phases, each of which is subdivided into specific steps:
1. Document Phase. The document phase covers the first three steps of the framework, which are:
- Categorize the Information System. A determination of the types of information the CSP will hold/process in their systems.
- Select Security Controls. Security controls should be selected based on the types of information identified in the previous step.
- Implement Security Controls. After setting the security control baseline, the CSP implements security controls appropriate to reach that security benchmark.
2. Assess Phase. The assess phase has three more steps, though the assessor used will vary depending on whether the CSP is filing for a JAB P-ATO or a FedRAMP Agency ATO. JAB P-ATO applicants “must use a 3PAO [third party assessment organization] to perform the testing phase of the process.” Agency ATO applicants also need 3PAO testing, but “they are not required to use a FedRAMP accredited 3PAO.” The three steps of this phase are:
- Complete the Security Assessment Plan (SAP). Here, the 3PAO or non-accredited independent assessor (IA) creates a testing plan based on the FedRAMP compliance template.
- Use Test Case Procedures. When assessing a company’s security, 3PAOs and IAs must use FedRAMP’s baseline security test cases.
- Perform the Security Testing. The assessor follows the procedures outlined in the security assessment plan.
3. Authorize Phase. After the testing of the Assess Phase, the authorizing officials (AOs) make an authorization decision. This involves:
- Analysis of Risks. The results of the security control assessment are presented in a security assessment report (SAR) which is analyzed by the AO.
- Plan of Action and Milestones (POA&M). The company being assessed creates a plan of action with milestones meant to address any specific vulnerabilities revealed in the SAR document.
- Submission of Security Package for Authorization. The company being assessed assembles a package of documents for review, including the SAR, POA&M, and any test plans and results.
- Authorization Letter. The AO formalizes their decision to authorize a company’ production environment as being sufficiently FedRAMP compliant in an ATO letter.
4. Monitor Phase. Achieving approval from an AO isn’t the end of a FedRAMP compliance process. Ongoing assessment and authorization is needed to maintain compliance with FedRAMP. There are several key elements in this phase, including:
- Operational Visibility. The company has to provide two types of information: periodically-submitted “control artifacts” and annual reassessments. This information helps assessors verify the status of the company’s compliance with FedRAMP security requirements.
- Change Control. As cyber threats evolve, so too must the security controls that organizations use. FedRAMP’s framework allows for “periodic changes to the system” but it is necessary to “notify the AO of any impending change to the system that falls outside of the CSP’s Configuration Management Plan.”
- Incident Response. All companies working to maintain FedRAMP compliance need to have an incident response plan (IRP) in place to manage their response to security incidents—and that IRP has to be documented.
That is a lot of steps, but there are ways to achieve compliance with FedRAMP for macOS and other operating systems on cloud infrastructures. What’s important is that companies have a well-documented set of procedures, policies, and tools for keeping their cloud infrastructure secure from attacks.
Taking a risk-based approach to selecting security configurations for your IT assets that shores up your biggest vulnerabilities with minimal effort and expense is the first step.
How to Evaluate Service Providers for FedRAMP Compliance
When you partner with a cloud service provider (CSP), it’s important to know that they will keep the data and apps you use secure. Cloud security remains a top concern for businesses that use cloud services—especially since the use of cloud platforms for sensitive information is on the rise.
According to a survey by the SANS Institute, the percentage of corporations storing customers’ personal information on a cloud platform rose from 35.4% in 2016 to 40.4% in 2017. Likewise, the rate of storing health records rose from 18.9% to 21.3% and the rate of storing business intelligence information rose from 40.9% to 42.6% in that same timeframe. In the same survey, it was noted that the number of organizations claiming to have experienced breaches in cloud applications and data “went up significantly in 2017—in fact, it almost doubled [20% from 10% in 2016].”
Considering that more cybercriminals are targeting CSPs and companies using cloud services, it’s important for companies to partner with cloud service providers that have strong security. One measure of a CSP’s cloud security is their level of compliance with the Federal Risk and Authorization Management Program (FedRAMP).
Assessing FedRAMP Compliance with IBM’s Ten-Step Method
How can you evaluate cloud service providers for FedRAMP compliance? IBM’s Security Intelligence blog outlines a ten-step process for doing this:
- Cloud Risk Assessment. The first step in IBM’s FedRAMP compliance assessment framework is to analyze what data and resources you plan on putting in the cloud, and what your acceptable level of risk is for these assets. This helps you put the CSP’s security measures into context so you can determine if they’re appropriate to your needs.
- Security Policies. Create a document detailing the controls and risks that are part and parcel to the cloud service. It may be necessary to engage with an attorney specializing in data security compliance standards to verify that the CSP’s controls meet your needs.
- Encryption. Encryption is a basic requirement of many cybersecurity standards. However, IBM notes that “it’s crucial to consider the security of the encryption keys provided by the CSP” in addition to the strength of the encryption itself. After all, if anyone can grab the encryption key, the encryption won’t do much good.
- Data Backup. The ability to back up data in case of a catastrophic event is another basic requirement of FedRAMP compliance. Cloud services need to have a disaster recovery and/or business continuity plan in place to restore lost data in case something happens to the cloud servers.
- Authentication. Strong authentication controls are not only a major requirement for FedRAMP compliance—they’re a good cloud security control in general. Strong multifactor authentication that requires at least two of the following factors is a good starting point: Something the user knows (password), something the user has (physical authentication token), and/or something the user is (biometric identification). Multifactor authentication makes it much harder to hijack user accounts to breach cloud security.
- Determine CSP Capabilities. IBM calls on companies to assess the types of cloud services the CSP offers to evaluate them “according to the organization’s cloud security policy and risk assessment.” The types of services delivered may affect how data is used and accessed, which impacts data security.
- CSP Security Policies and Procedures. The policies and procedures used by the service provider need to be assessed to determine their strength and suitability for FedRAMP. This will involve using an independent third-party assessment organization—which the FedRAMP Security Assessment Framework document refers to as a 3PAO.
- Legal Implications. How will the cloud service provider’s business model and security practices affect your organization’s compliance with data security and privacy laws from around the globe? For example, will the CSP’s method of storing data allow you to comply with the EU’s General Data Protection Regulation (GDPR) if you process the personal data of European Union citizens? It’s important to have an attorney assess the legal implications of cloud services before you use them.
- Data Ownership. At the end of the day, who owns the data stored on the CSP’s servers? It is crucial that the ownership of the data stored on the cloud service’s servers is clearly established before entering into a contract. In fact, IBM recommends that you “establish a comprehensive data governance program and reflect it in the CSP’s contract.”
- Data Deletion. How does the CSP handle data deletion (and the verification that data was deleted)? This can be important not only for complying with FedRAMP data security requirements, but for other international data privacy laws—such as GDPR, which requires that people have the right to be “forgotten” upon request (meaning you have to delete their data if they ask). It’s important to ask the CSP what controls they have in place for deleting data and assess how unrecoverable deleted data would be.
Following these steps, which were paraphrased from IBM’s article, provide companies with a frame of reference for assessing a cloud service provider’s overall FedRAMP compliance.
Another Method for Checking a CSP’s FedRAMP Compliance
Aside from IBM’s ten compliance check criteria, are there any other ways to assess an organization’s FedRAMP compliance?
One fast method is to look for the FedRAMP logo in a CSP’s marketing materials—and then check with the FedRAMP.gov website to see if they’re actually authorized. As noted in the FedRAMP website’s FAQ page, “Accredited 3PAOs and CSPs who have successfully achieved FedRAMP Ready or FedRAMP Authorized may use the FedRAMP logo.” If the CSP isn’t authorized to display the logo, then they haven’t passed the FedRAMP assessment from a 3PAO or government agency.
You may find that a company is listed by FedRAMP as being “in process.” This means that the organization hasn’t cleared the FedRAMP compliance authorization process yet, but is working with authorities to earn the “authorized” designation.
This is the “quick” method of checking if a CSP is FedRAMP compliant. However, the ten-step method outlined by IBM will provide a clearer picture of the service provider’s security controls and how well they’ll mesh with your needs and goals.
Need more information about macOS security and compliance? Subscribe to the Kandji blog for more updates and information.
Looking for a device management solution to help you achieve FedRAMP compliance? As the only MDM with a pre-built library of security controls (over 150 and growing), Kandji makes it simple to implement specific compliance mandates, such as CIS or FedRAMP, using pre-built, one-click templates.