If you have a cloud service offering that you are trying to market to the Federal Government, chances are you have heard of the FedRAMP program by now. You may also be aware that the path to FedRAMP compliance is time consuming and resource intensive. The process can be simplified by making a few key strategic decisions up front. Two of them are critical to FedRAMP success: choosing a hosting provider with a wide array of FedRAMP-compliant offerings, and selecting the right FedRAMP Third Party Assessment Organization (3PAO).
Selecting a hosting provider such as Amazon Web Services (AWS) for your cloud service offering benefits your organization greatly through control inheritance and by off-loading infrastructure functionality and security features to the provider.
The current FedRAMP Rev 5 Moderate control baseline (xlsx) contains 323 security controls and control enhancements, and the FedRAMP High baseline (xlsx) contains 410. Leveraging AWS's infrastructure enables your cloud service offering to inherit a number of these NIST 800-53 controls. Consider the controls that relate to the physical security of a data center: these are managed by Amazon, so they are documented as inherited in your System Security Plan rather than separately evaluated during the FedRAMP assessment of your offering. Further, AWS's shared responsibility model lets CSPs easily distinguish which controls they inherit from AWS, which they share, and which remain entirely their own; this transparency makes it easier to build a FedRAMP-compliant cloud service offering. Fewer controls your organization is responsible for means less time and money required to achieve and maintain FedRAMP compliance. The shared responsibility model lightens the load on your resources and provides peace of mind that the controls outside your purview are being held to FedRAMP requirements.
When architecting your cloud service offering it is important to understand which AWS services are FedRAMP compliant and which are not, as this directly determines which services you can leverage for control inheritance. At the time of this article, the AWS services that are FedRAMP Moderate compliant include Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon DynamoDB, Amazon Elastic Block Store (EBS), Amazon Elastic MapReduce (EMR), Amazon Redshift, Amazon RDS (MySQL, Oracle), Amazon Virtual Private Cloud (VPC), AWS Identity & Access Management (IAM), and Elastic Load Balancing. Note that not all of the services listed above are compliant with the FedRAMP High baseline, and that of the dozens of additional services Amazon provides, only a small subset can be leveraged for FedRAMP-compliant service offerings. Using AWS services that are not yet FedRAMP compliant will require an evaluation of all applicable NIST 800-53 security controls for those services and/or formal acceptance of the risk of using them. This goes back to the start of this article: strategic planning early in your system development life cycle will greatly affect the road to FedRAMP compliance.
Leveraging AWS's FedRAMP-compliant services, along with the proper implementation of those services and tools, enables inheritance of a sizable portion of the NIST 800-53 security controls. Consider the IAM service: it enables an organization to securely control access to AWS services and resources for authorized users. It allows for the creation and management of AWS users and groups and uses policies to allow or deny access to specific AWS resources. Proper usage of IAM can help address a variety of controls such as AC-2(1)(3)(7), AC-3(3), IA-2(1)(2), IA-3, etc. One caveat: unlike the physical-security controls, these are shared controls. AWS supplies the mechanism, but how you configure it (who has console access, whether MFA is enforced, how stale accounts are disabled) is your responsibility and is what your 3PAO will assess. Making use of AWS IAM and other FedRAMP-compliant AWS tools and services still makes the audit process far easier than it would be if you managed your own environment.
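To make the IAM point concrete, here is an added example (not code from the original article or from AWS) that reviews an IAM credential report for two of the controls named above: console users without MFA (IA-2(1)/(2)) and accounts with no activity beyond an inactivity limit (AC-2(3)). The sample report is constructed inline in the column layout of `aws iam generate-credential-report` (trimmed to the columns used); the 90-day inactivity limit is an assumed organizational value, not a figure taken from the baseline. The deny-without-MFA policy statement shown uses the real `aws:MultiFactorAuthPresent` condition key and is the usual way to enforce IA-2 rather than merely detect gaps.

```python
"""Review an IAM credential report against two IAM-related FedRAMP controls.

IA-2(1)/(2): every account that can sign in to the console must have MFA.
AC-2(3):     accounts unused for longer than the inactivity limit must be flagged
             for disabling (90 days is an assumed organizational value).
"""
import csv
import io
from datetime import datetime, timezone

INACTIVITY_LIMIT_DAYS = 90  # assumption: organization-defined value for AC-2(3)

# Constructed sample in the shape of `aws iam generate-credential-report` output,
# trimmed to the columns this script reads. Timestamps are ISO 8601.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2022-01-10T12:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,true,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-01T08:00:00+00:00,true,2024-05-30T14:03:00+00:00,true,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-03-01T08:00:00+00:00,true,2024-01-15T10:00:00+00:00,false,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-06-01T08:00:00+00:00,false,no_information,false,true,2024-05-31T02:00:00+00:00
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,2022-06-01T08:00:00+00:00,false,no_information,false,true,2023-11-01T02:00:00+00:00
"""

# Fixed "now" so the constructed sample evaluates the same way every run.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Enforcement side of IA-2: attach to every human user/group so that anything
# other than setting up MFA is denied until an MFA-backed session is in use.
DENY_WITHOUT_MFA_STATEMENT = {
    "Sid": "DenyAllExceptMfaSetupWithoutMfa",
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:GetUser", "iam:ListMFADevices", "sts:GetSessionToken"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}


def _parse_time(value):
    """Credential reports use placeholder strings where no timestamp exists."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def _last_activity(row):
    """Most recent of console sign-in and access-key use, or None if never used."""
    seen = [t for t in (_parse_time(row["password_last_used"]),
                        _parse_time(row["access_key_1_last_used_date"])) if t]
    return max(seen) if seen else None


def review_credential_report(report_csv, now, inactivity_limit_days=INACTIVITY_LIMIT_DAYS):
    """Return (user, control, detail) findings for the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        console = row["password_enabled"] == "true"
        key_active = row["access_key_1_active"] == "true"
        mfa = row["mfa_active"] == "true"

        # Root has no password_enabled flag but is always privileged: IA-2(1).
        if (console or user == "<root_account>") and not mfa:
            findings.append((user, "IA-2(1)/(2)", "console access without MFA"))

        # Only accounts that can still authenticate matter for AC-2(3).
        if console or key_active:
            seen = _last_activity(row) or _parse_time(row["user_creation_time"])
            idle_days = (now - seen).days
            if idle_days > inactivity_limit_days:
                findings.append((user, "AC-2(3)",
                                 f"no activity for {idle_days} days; disable"))
    return findings


def review_sample():
    """Run the review over the constructed sample at the fixed timestamp."""
    return review_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, control, detail in review_sample():
        print(f"{control:12} {user:14} {detail}")
```

Against a real account you would replace `SAMPLE_REPORT` with the decoded output of `aws iam get-credential-report` and `SAMPLE_NOW` with the current time; the findings map directly onto the control IDs you will be writing up in the System Security Plan, which is what makes the evidence reusable at assessment time.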
Leveraging AWS's hosting environment is a great first step toward FedRAMP compliance for your service offering. Organizations that are not familiar with the FedRAMP process may wish to consider hiring a partner to assess the current security posture of their offering and help prepare it for a FedRAMP assessment. See Choosing a 3PAO: FedRAMP, Cybersecurity & Cloud Expertise are Vital for more information on 3PAOs and why choosing the right one is a critical step toward becoming FedRAMP compliant.