FedRAMP Benefits with the Executive Order on Cyber
The Executive Order by President Trump on Cybersecurity of Federal Networks and Critical Infrastructure has simultaneously reinforced the importance of cybersecurity compliance with the NIST Framework and of a cloud-first approach. Through both the creation of the Office of American Innovation and the Executive Order, the White House has signaled its intention to transition all agencies, or a subset of agencies, to:
– One or more consolidated network architectures; and
– Shared IT services including email, cloud and cybersecurity services.
In addition, the E.O. addressed not only federal networks but also the importance of our publicly traded companies and the future state of cyber protection, including the promotion of an open and reliable internet and the growth and sustainment of the workforce, both among citizens and in cyberspace.
The implications of the EO are a greater lean-in to, and reliance on, the private sector for innovation and protection, as well as some hints that modernization may be driven by critical infrastructure protection (CIP) and the sharing of cloud systems.
Modernization, data sharing and information protection in the digital economy translate into a larger focus on the impact and success of FedRAMP. To future-proof the technologies and technology implementations related to the Internet of Things (IoT), supply chain protections such as Controlled Unclassified Information (CUI) and ongoing privacy protections, FedRAMP’s ability to speed adoption and monitoring for securing our resilient communications will become increasingly critical.
Since 2014, GSA has been looking to accelerate the process while continually re-configuring how CSPs get ATOs. One of the main criticisms of the program is that it is natively geared towards big providers, leaving small and mid-sized companies struggling to muster the budget and operational resources needed to satisfy the requirements. In this context, staying informed about FedRAMP’s latest templates and the readiness updates for Low, Moderate and High Impact Systems is critical. As the program plans for the future, additional templates for IoT systems, drone-reporting systems, artificial intelligence and other futuristic nanotechnology programs may benefit from a standardized “do once, use many” approach. Technology companies entering the Federal marketplace may not realize they are becoming critical infrastructure essential to the protection of our Nation.
As new technologies increase the presence and visibility of companies and change customer expectations, marketing norms and business performance metrics, the companies and developers behind these solutions should use the updated FedRAMP guidance to improve their efficiency in reaching the marketplace.
Here are some FedRAMP program updates you may want to consider:
#1. The latest FedRAMP High (baseline) Readiness Assessment Report (RAR) Template places emphasis on the use of automated mechanisms for security control implementations. Key elements in the baseline authorization at the High impact level include:
– The requirement that all services of the system reside within the authorization boundary
– The requirement for authentication mechanisms meeting eAuth Level 4 requirements
– High controls that have been identified as particularly challenging – either in terms of cost or technical complexity
#2. Updates to the Readiness Assessment Report (RAR) Guide for 3PAOs outline how best to use the RAR. This guide provides a shared understanding of the RAR’s intent, process, and best practices to improve the likelihood of 3PAOs successfully completing the RAR.
Having completed the RAR, EmeSec strongly encourages its customers to use the RAR as a pre-assessment. Through internal auditing, a company trying to enter the market will know it needs additional consulting help if:
– The Federal Mandates aren’t met
– The cryptographic modules do not meet the minimum FIPS 140-2 requirement
– Auditing is not fully implemented
#3. A new initiative, called FedRAMP Connect, establishes the opportunity for selected “preferred” providers to work with the JAB. Currently, seven providers have been chosen by the JAB, with the list available here.
#4. Expect ongoing changes to the Program to facilitate the growth of FedRAMP-certified programs. The FedRAMP Tailored approach will likely grow as low impact and moderate impact cloud solutions expand in the commercial market and OMB and Federal Agencies look to shared services for email, IT and cybersecurity solutions.
As CUI compliance expands further (FedRAMP documentation touts CUI compliance), the NIST Framework for Improving Critical Infrastructure Cybersecurity will also raise the bar for solutions. For SMBs planning to win business with the federal government, FedRAMP and CUI compliance documentation may be a benefit and serve as a terrific launch pad.
FedRAMP & CUI Recommendation
During your mid-year review, consider how an experienced 3PAO may assist your team to navigate the current FedRAMP and CUI landscape. Why slow your operations team and compliance projects? Consider:
– Identifying where your company may benefit from outside expertise and accelerate the timeline.
– Managing your IT and security compliance budget to include added consultants.
– Prioritizing your internal operations team for implementation activities.
– Recognizing that outside consultants may deliver a fresh perspective and identify oversights for you.
– Planning and budgeting for more than you need cannot hurt you. Lack of resourcing can.
Contact EmeSec to find out how best to keep from falling behind, or how to prioritize your issues for meeting both your internal deadlines and the external compliance deadlines. We craft custom strategies to help SMBs stay ahead of security and compliance requirements and protect their growth engines (revenue).