Nitin Pradhan

Q&A: FedRAMP Director Discusses Cloud Security Innovation

Maria Roat, FedRAMP director, speaks with former Transportation Department CIO Nitin Pradhan on the federal government's approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Maria Roat
After leaving the position of CIO for the U.S. Department of Transportation, I co-founded a marketplace called GOVonomy, designed to match government needs and opportunities with emerging technology products from startups and growth companies. Most of these products are cloud-based and may require the government's FedRAMP security assessment. Yet most private companies are not aware of the FedRAMP program and process, or how it can help improve their cloud security. So as part of a new series of discussions with top government leaders for InformationWeek Government, I interviewed Maria Roat, the FedRAMP director at GSA.

The FedRAMP program offers a good opportunity for all enterprise cloud products and service providers, even if they are not immediately planning to market to government, as the rigor will help improve the security of all their products and reduce liability. On areas of improvement for GSA and FedRAMP to consider, it would help to have third-party assessment organizations (3PAOs) located in all major technology hubs in the U.S. Also, a FedRAMP dashboard needs to be created to allow comparison among the various 3PAOs.

Nitin Pradhan: What are the objectives of the FedRAMP program?

Maria Roat: The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework that saves cost, time and staff required to conduct otherwise redundant agency security assessments.

The objectives of FedRAMP are to: 1) accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations, 2) increase confidence in the security of cloud assessments and solutions, 3) achieve consistent security authorizations using a baseline set of agreed-upon standards and accredited independent third-party assessment organizations, 4) ensure consistent application of existing security practices, and finally 5) expand automation and near-real-time data for continuous monitoring.

What are the parties in the FedRAMP process and their roles and responsibilities?

Roat: The parties in the FedRAMP process include a joint advisory board, the FedRAMP program management office, the National Institute of Standards and Technology, the Federal CIO Council, the Department of Homeland Security, agencies, third-party assessment organizations (3PAOs), and cloud service providers. Their roles and responsibilities include:

-- Cloud service providers (CSPs) implement the security controls based upon the FedRAMP security baseline; create security assessment packages in accordance with FedRAMP requirements; contract with an independent third-party assessment organization to perform initial and ongoing assessments and authorizations; maintain continuous monitoring programs; and comply with federal requirements for change control and incident reporting.

-- Joint Authorization Board (JAB) performs risk authorizations and grants the provisional authority to operate (P-ATO). JAB's members are the CIOs from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense along with their technical representatives.

-- FedRAMP Project Management Office (FedRAMP PMO) is housed within GSA and responsible for operational management for the FedRAMP process.

-- Third-party assessment organizations (3PAO) perform initial and ongoing independent verification and validation of the security controls deployed within the cloud service provider's information system.

Additionally, NIST provides technical assistance to the 3PAO process, maintains FISMA standards and establishes technical standards. Federal CIO Council coordinates cross-agency communications. DHS monitors and reports on security incidents and provides data for continuous monitoring, and finally, government agencies use the FedRAMP process when conducting risk assessments and security authorizations and grant an ATO to a cloud service.

Briefly explain the step-by-step process CSPs follow to get authorized.

Roat: The key steps for a cloud service provider to receive a FedRAMP provisional authority to operate (P-ATO) are:

Step 1: Initiating a request. Agencies and cloud service providers can both apply to FedRAMP to initiate an assessment of a cloud service provider. After submitting an initiation request form, available on FedRAMP.gov, the program management office will contact the provider to assess its readiness and provide additional information. Once the CSP has demonstrated it can meet the FedRAMP requirements by documenting its security control implementations in a system security plan (SSP), it will be assigned to an information system security officer (ISSO) to complete the assessment process.

Step 2: Performing security testing. The CSP contracts with an accredited FedRAMP third-party assessment organization to independently test the CSP's system to determine the effectiveness of the security control implementation.

Step 3: Finalizing the security assessment. The joint advisory board reviews the security assessment package and makes a final risk-based decision on whether or not to grant a provisional operating authorization.

What is the timeframe for product approval in the FedRAMP process? How can CSPs shorten it?

Roat: Timeframes for the completion of a FedRAMP P-ATO vary depending on the size of the CSP's systems and their complexity. The FedRAMP PMO's goal is to complete the assessment in a six-month timeframe.

The most effective way for CSPs to shorten the duration is to use the materials provided on FedRAMP.gov and reference documents such as the CONOPS, the Guide to Understanding FedRAMP, and FedRAMP webinars to become familiar with the FedRAMP controls, requirements and processes. Additionally, CSPs should be familiar with the Federal Information Security Management Act (FISMA) and ensure their SSP provides sufficient detail to meet the depth of the FedRAMP PMO's review.

FedRAMP hosts a monthly FedRAMP document workshop which provides the CSPs a chance to learn about the FedRAMP process, how to complete the FedRAMP documentation and the level of detail expected in documents submitted to FedRAMP.

Compare and contrast FedRAMP and FISMA controls.

Roat: FedRAMP is based on FISMA but includes controls and processes that are specific for assessing cloud systems.

Specifically, FedRAMP is based on the Federal Information Security Management Act of 2002. FISMA requires each federal agency to develop, document and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.

In the case of FedRAMP, the systems are cloud-based. FedRAMP security authorization requirements include a standardized baseline of security controls, privacy controls and controls selected for continuous monitoring from NIST Special Publication 800-53 and according to accompanying NIST publications. NIST develops information security standards (Federal Information Processing Standards) and guidelines (Special Publications in the 800-series) for non-national security federal information systems.

NIST also provides the minimum information security requirements (security controls) for information and information systems in low, moderate and high baselines. In contrast, FedRAMP provides minimum information security requirements (security controls) for cloud-based systems in only low and moderate baselines.

How can Software-as-a-Service providers leverage already-approved Infrastructure-as-a-Service authorizations?

Roat: The SaaS provider will inherit a number of controls and testing procedures from the IaaS cloud service providers and would continue using them through the remainder of the process for their set of controls. If the SaaS is applying for a P-ATO and the underlying IaaS does not have a P-ATO, then the entire stack would require authorization.

1/21/2014 | 8:35:33 PM
FedRAMP is changing the way industry looks at cloud security
Based on our latest report, it's clear FedRAMP is making an impact on cloud service providers. Read: Cloud Providers Align With FedRAMP Security Standards

11/1/2013 | 10:07:37 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
One thing not said here is that agencies can also win approval for P-ATO for selected proposals separate from the JAB. The JAB makes it easier for many agencies to adopt an approved cloud service.
10/31/2013 | 6:01:41 PM
re: Q&A: FedRAMP Director Discusses Cloud Security Innovation
For anyone trying to understand what FedRAMP is, why it matters, and how it's changing the way security authorizations are getting done in #GovIT, this interview w/ @USGSA's director Maria Roat is a great primer.