5 Common Pitfalls to Avoid During FedRAMP Authorization
You’ve heard of the Bermuda Triangle, right? It’s that mysterious region in North Atlantic Ocean where it’s said that more than 50 ships and 20 airplanes have disappeared without a trace. Fascinating and discomforting as that may be, the real trouble with the Triangle is that its boundaries are only loosely defined, which no doubt leads to uncertain pilots steering into a bad situation.
Everyone would always rather avoid problems when they can—that includes those organizations seeking FedRAMP Authority to Operate (ATO)—but what would help is understanding where the challenging areas are within the endeavor so you can avoid them (or at least better prepare for them).
FedRAMP is one of the most complex compliance programs around, and so it’s no shock when organizations get stuck a different points—as a Third Party Assessment Organization (3PAO) that has performed the second-most FedRAMP assessments on the marketplace, we see it a lot.
But that’s also why we wanted to share some of the insight we’ve gleaned—in this article, we’ve put together a concise list of five of the most common pitfalls noted throughout our experience, as well as ways to avoid them.
With these clearly defined, possible problems, you’ll be able to avoid FedRAMP’s own “Bermuda Triangles” and keep your ATO on track.
5 Obstacles to Avoid During FedRAMP Authorization
1. Stagnant Agency Relationship
Though you do have Joint Authorization Board (JAB) endorsement as an option, almost all CSPs pursue the agency sponsor/authorization path for their initial authorization.
(If you do not work with the JAB or cannot find an agency, FedRAMP Ready is your primary recourse to move forward.)
But once you do find one, the key is to create and maintain an open and active line of communication with your agency sponsor in order to understand the risk tolerance of the agency and the risks that they’re willing to accept. Not having an engaged agency sponsor can hamper your ability to get off the ground, much less achieve authorization.
So what can you do to kickstart this and avoid slowdowns?
- Keep the agency informed about overall FedRAMP plans and timeline – especially the FedRAMP assessment timeline.
- Include the agency along the way by engaging them for key milestones such as the FedRAMP Program Management Office (PMO) kick off meeting and eventual FedRAMP PMO SAR debrief meeting.
As an added note, communication between the CSP and FedRAMP PMO is also important—they’re a great resource for answering specific questions and getting ahead of other potential roadblocks related to the FedRAMP process:
- You can reach out to the PMO directly via firstname.lastname@example.org.
- Set up a kickoff meeting before formal assessment activities are conducted so the PMO can understand your CSO’s architecture and the personnel involved.
2. Too Late in Engaging Consulting / Advisory Partner
If you move forward in building a system and/or undergoing an assessment without the appropriate expertise in building and launching a FedRAMP environment, it can become a problem.
That’s why it’s important to engage early in the process with a partner who has significant experience in the FedRAMP space, especially ahead of the system design phase.
If you’re a larger organization, you may already have in-house experience, but it still might benefit you to rely on additional consulting partners who can assist you in several ways, including:
- Helping you proactively avoid delays for re-architecture or retesting because, on your own, you may misinterpret or even miss certain controls.
- Providing assistance in the time-consuming yet critical process of creating and documenting your System Security Plan (SSP) and its required attachments.
- Lending expertise on the nuances of FedRAMP, which often includes the latest and greatest guidance from the FedRAMP PMO—information that might not even be formally published yet.
Though it may seem like an extra, unnecessary investment on its face, engaging an advisor early can—in the end—also save you time and money throughout your process.
*Note: Schellman is a Type A, assessment-only, 3PAO that does not perform consulting or advisory services.
3. Incorrect FedRAMP Authorization Boundary
In some cases, CSPs will design a system without fully understanding and incorporating the FedRAMP Authorization Boundary Guidance.
Here are some helpful tips so you draw the right “lines:”
- During the system design phase, review every external dependency and system interconnection.
- Each of these should be documented, including details like:
- A description of your service;
- Where it’s hosted;
- Compliance status (FedRAMP ATO, ISO certified, etc.);
- What data is transmitted/stored/processed;
- How the data is secured in transmission;
- Any risks to Confidentiality, Integrity, and Availability (CIA); and
- Any mitigating factors you have in place.
- (External services and interconnections to systems that are not FedRAMP authorized can cause issues with wider FedRAMP authorization at the higher impact levels.)
- Each of these should be documented, including details like:
- Create a standalone FedRAMP system or segregate a separate FedRAMP zone.
- Difficulties arise with the authorization boundary when attempting to bring minimally modified commercial systems through the FedRAMP process, and either of the above options can help avoid that.
- No matter what you choose, your goal should be to limit the scope of the FedRAMP environment to make it easier to secure, manage, and meet the FedRAMP guidance.
- Document and secure all dataflows both inside the boundary and crossing the boundary with FedRAMP requirements.
- For each dataflow or access path, consider FIPS 140-2 validated encryption, multi-factor authentication, auditing, and relevant access controls.
4. Incorrect Vulnerability Scanning Procedures
You likely already know that vulnerability scanning needs to be performed at four layers—operating system/infrastructure, container, web application, and database.
But you may be surprised to learn the importance of vulnerability scanning and timely remediation required by FedRAMP. Specifically, that:
- Scans must be performed in an authenticated manner, with all plugins enabled, for all hosts in the authorization boundary.
- The results also need to be available in an acceptable format (e.g., nessus, csv, xml).
- Database vulnerability scans must authenticate to and scan the database itself, not the underlying OS that the database runs on, as the OS is already captured in the environment-wide OS vulnerability scans.
- Based on architecture, these can sometimes be difficult to implement, but understand that FedRAMP is looking for “compliance scans” performed on databases against CIS L1 benchmarks (or DISA STIGs).
- Container vulnerability scanning against all unique container images can be incorporated as a pre-production step in your continuous integration/continuous delivery (CI/CD) pipeline or it can be performed against containers running in production using security sensors.
- While low vulnerability counts are always the goal, you may notice higher than normal counts resulting from your container scans. This is primarily the result of how container scanning tools track vulnerabilities.
- Every open vulnerability discovered in scans at the end of the FedRAMP assessment (whether overdue or not) must be reported in the Security Assessment Report (SAR).
- Deviation requests for potential operational requirements (ORs), false positives (FPs), or risk reductions must be formally documented in the Plan of Action and Milestones (POA&M) and the FedRAMP Vulnerability Deviation Request Form.
5. Penetration Testing Pushback
FedRAMP penetration testing involves six different attack vectors, and oftentimes organizations will either push back on certain ones or they may not be content with the language of an authorization letter.
However, it’s actually important to conduct a penetration test in accordance with the FedRAMP guidance and without any delays—a late, incomplete, unsatisfactory, or penetration test with high-severity findings can significantly impact your SAR and the ultimate FedRAMP ATO decision.
To avoid this:
- Begin coordinating with and informing your IT and legal personnel regarding the overall penetration test:
- Legal Team: Typically involved in reviewing the penetration test authorization letter,
- IT: Assists with certain attack vectors where your systems are leveraged to gain access to the FedRAMP environment.
- Ensuring all parties are aware of their roles and the penetration test activities that will be conducted can help prevent delays to the overall assessment timeline.
- Correct findings during and before the completion of the assessment.
- Because agencies typically will not accept a package with an open high penetration test finding, this will be beneficial when it comes to those findings that are of high severity or are easily fixed.
Next Steps for FedRAMP Compliance
Unlike an encounter with the Bermuda Triangle, you won’t be disappearing into a mysterious void should you still get hung up somewhere on your FedRAMP journey. But these five problematic areas represent common stumbling blocks for many—now you understand how and why to avoid them, which will help you achieve ATO as quickly as possible.
To help further prepare for the complications of FedRAMP, read our other articles that can help deconstruct different aspects of your journey:
About STEPHEN HALBROOK
Stephen Halbrook is a Managing Principal at Schellman. He is an experienced and proven federal practice leader performing service delivery management across service lines including FedRAMP, NIST, SOC, PCI DSS and ISO. Stephen also helps assist large and complex organizations that have multiple compliances needs helping them strategically align their efforts to maximize cost and efficiencies. He has more than 15 years of experience in the assessment industry and started his career working in Deloitte’s Advisory practice.