FedRAMP and its Importance to the Commercial Sector

In today’s world of SaaS solutions, security is a big concern. Companies implementing SaaS apps want to be certain their data is safe and that security risks aren’t introduced into their IT infrastructure. Security breaches not only expose critical company data, they also impact a company’s reputation and brand. No company wants to see their name associated with a major data breach.

Current industry cloud security standards provide many and differing recommendations regarding what should be considered as the security controls you should implement. NIST Special publication 800-144 provides guidelines and you will find many companies that provide consulting services to help define and implement cloud security. Here is recommended guidance for Cloud Solution Providers (CSP) to consider when deciding which controls to implement and how to implement them.

Fortunately, there’s FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It created and manages a core set of processes to ensure effective, repeatable cloud security for the government.

FedRAMP does the work for you

To create the FedRAMP standard, a group of CIOs and CISOs across the federal government defined the necessary security controls, processes, and methods for implementing them. FedRAMP started with the 350+ controls defined in the NIST 800-53 standards and guidelines for securing federal systems and then went a step further. As they reviewed each control, they established the guidelines for implementing the controls for cloud systems.

Using passwords as an example, FedRAMP provides the following guidance to ensure implementation of complex passwords. When processing requests to establish and change memorized secrets (passwords), verifiers will need to compare the prospective secrets against a list that contains values known to be commonly used, expected, or compromised.

For example, the list may include, but isnt limited to:

  • Passwords obtained from previous breach corpuses
  • Dictionary words
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
  • Context-specific words, such as the name of the service, the username, and derivatives thereof

If the chosen secret is found in the list, the CSP or verifier will advise that the subscriber select a different secret, provide the reason for rejection, and will require the subscriber to choose a different value.

Can federal standards be applied to commercial companies?

The short answer? Absolutely. The FedRAMP is a defined set of security controls for cloud systems that commercial companies would benefit from leveraging. By understanding how FedRAMP has defined the security controls, companies will understand how to properly leverage it as a solution to measure cloud security. To obtain FedRAMP Authorization a CSP must demonstrate that they have implemented the defined controls following the guidance through an audit by a FedRAMP certified independent third party and pass a review by the FedRAMP Joint Authorization Board. This is no easy task and is a high standard to achieve.

The bottom line

Companies researching cloud solutions can leverage the FedRAMP security control baseline as a standard to measure the CSP against. A CSP that has taken the time to implement the NIST 800-53 family of security controls, following FedRAMP guidance, and achieved FedRAMP Authorization status has a proven level of security across the infrastructure, platform, and application levels of the solution. It also demonstrates a level of competence across the CSP’s Operations and Security teams.