Q&A: FedRAMP Director Discusses Cloud Security InnovationMaria Roat, FedRAMP director, speaks with former Transportation Department CIO Nitin Pradhan on the federal government's approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Explain the concept of continuous monitoring after the CSP FedRAMP authorization is secured?
Roat: To receive reauthorization of a FedRAMP provisional authorization from year to year, CSPs must monitor their security controls through monthly, quarterly and annual assessments to demonstrate that the security posture of their service offering is continuously acceptable.
Ongoing assessment of security controls results in greater transparency into the security posture of the CSP system and enables timely risk-management decisions.
Security-related information collected through continuous monitoring is used to make recurring updates to the security assessment package. Ongoing review of security controls enables the security authorization package to remain current, which allows agencies to make informed risk management decisions as they use cloud services.
How does launching of new services/architecture affect existing CSP FedRAMP authorization?
Roat: Changes to the CSP's offerings that are within the scope of their system and their current FedRAMP P-ATO are handled through the continuous monitoring change control process. If the new offering or architectural change represents a significant change in the system, the CSP must determine the security impact of the change, notify their ISSO before implementing the change and complete a Significant Change Security Impact Analysis form.
The planned change is reviewed by the ISSO and then forwarded to the JAB for approval. All plans for significant changes should include rationale for making the change and plans for testing prior to implementation in production.
If any anticipated change adds residual risk, changes a leveraging agency's security posture or creates other risk exposure that the JAB finds unacceptable, the provisional authorization could be revoked. The P-ATO could also be revoked if the change is made without prior approval.
A CSP that launches a new service or a new architecture that is not in the scope of the FedRAMP P-ATO may be required to submit this new service for a separate FedRAMP JAB review.
Explain the role and responsibilities of the 3PAOs.
Roat: Third-party assessment organizations (3PAOs) perform initial and periodic assessment of the cloud service provider's systems according to FedRAMP requirements. They also provide evidence of compliance and play an ongoing role in ensuring CSPs continue to meet requirements. Once engaged with a CSP, 3PAOs develop security assessment plans, perform testing of cloud security controls and develop security assessment reports. FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.
In the security assessment process, FedRAMP requires that CSP services and systems be assessed by an accredited 3PAO. Accredited 3PAOs are required to meet the ISO/IEC 17020:1998 standards for independence and managerial competence and meet FedRAMP requirements for technical FISMA competence through demonstrated expertise in assessing cloud-based solutions.
Are there any publicly available pricing, rating or backlog details available for the existing 3PAOs?
Roat: The pricing for the 3PAO's services is negotiated between the cloud service provider and the 3PAO and is not available through FedRAMP.
3PAOs are not rated; however, any complaints about performance are tracked through the accreditation process, and a lack of performance could result in the loss of the 3PAO's accreditation.
Explain the upcoming privatization and expansion of 3PAOs certification.
Roat: As outlined in the FedRAMP concept of operations and the 3PAO program description, the transition to a privatized accreditation body for 3PAO's was planned from the start of FedRAMP.
A2LA was selected through an open process for selecting accreditation bodies with the experience and knowledge to accredit 3PAOs that perform assessment of cloud systems.
A2LA is a signatory of the International Laboratory Accreditation Cooperation (ILAC) Mutual Recognition Arrangement (MRA). The MRA acts as an internationally recognized "stamp of approval" to demonstrate compliance against agreed standards and requirements.
Having A2LA as the accreditation body will allow for more in-depth analysis of 3PAO applicant's conformance to inspection and information security standards, making the process more rigorous. Having a privatized body also provides a means of costs savings, as the government does not have to provide the resources to perform the accreditation.
The FedRAMP PMO retains oversight and governance for the accreditation process including final approval of 3PAOs.
2 of 3