What Private Industry Needs to Know About Federal Security Programs

Blogs

Mar 1, 2016 | 2:39 pm

The Federal government is the leading creator, collector, consumer, and communicator of information in the United States. If there are changes to its regulatory requirements, it is entirely possible those changes will eventually spread into the commercial sector. Such is the case with two related risk management programs developed by the Federal government that now enforce commercial organizations working contractually with the Federal government to employ Federal security standards[1].

The Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA) work together to provide Authority to Operate (ATO) to information systems utilized by Federal agencies. However, it is important to note that the perspectives and approaches are different. FISMA defines a framework to protect all Federal data, and FedRAMP is designed to assist agencies in meeting FISMA requirements for cloud systems[2]. Though not required for non-Federal affiliated organizations, commercial cloud service providers and private-sector businesses (like banks) have begun thinking about their cloud security standards and have looked to the Federal requirements for guidance[3]. Security organizations, such as the SANS Institute, have recommended private industry businesses reference the FedRAMP program when looking to implement security requirements around cloud services[4]. The reality of our current cyber risk climate is that it’s laden with danger, and the threats are only expected to worsen.

For this reason, it’s essential for cloud-computing companies and commercial businesses to protect information by scrutinizing security — especially if they want to compete for business from Federal agencies. Service providers or private-sector businesses interested in implementing an information security program can review the FISMA and FedRAMP guidance and reference materials at http://csrc.nist.gov/groups/SMA/fisma/ and http://www.fedramp.gov/resources/documents/. Organizations interested in providing services to the Federal government will need to implement the FISMA and FedRAMP requirements and work with Federal agencies to apply for a FISMA or FedRAMP (for cloud service providers) ATO. Here’s what you need to know about both authorization processes.

Federal Information Security Management Act

FISMA was enacted in 2002 and requires all Federal agencies, departments and contractors to secure their information systems and assets to a reasonable and adequate degree whether or not they are cloud service providers. The National Institute of Standards and Technology (NIST) aids in developing the standards and principles for FISMA via specialized publications, and Federal agencies and departments are mandated to report annually on their information security status. NIST Special Publication (SP) 800-37 Revision 1 defines guidelines to apply the Risk Management Framework to Federal information systems[5]. It involves six steps:

Step 1 – Categorize: The information system owner categorizes the information system based on Federal Information Processing Standard (FIPS) Publication 199 and documents the system categorization and system boundaries in the System Security Plan (SSP).
Step 2 – Select: Identify the security controls of the information system based on FIPS 200 and NIST SP 800-53 Revision 4 and document the security control descriptions in the SSP.
Step 3 – Implement: Implement the security controls and document the security control implementation descriptions in the SSP.
Step 4 – Assess: Assess the security controls against the security control implementation description. Security control assessments in support of initial and subsequent security authorizations must be conducted by independent assessors. The assessor documents issues, findings, and recommendations for the organization to put into a remediation plan.
Step 5 – Authorize: Provide the SSP and assessment results to the authorizing official to perform a risk-based decision whether to grant the system an ATO.
Step 6 – Monitor: Continually update the SSP, remediation plan, and other system documentation as a result of information system and environment changes, ongoing security assessments, ongoing remediation actions, key updates, security status reporting, and risk determination and acceptance.

FISMA’s authorization process allows for an individual agency’s senior officials to authorize the information system. Agencies can require vendors to meet specific demands that are unique to the agency, and requirements for one agency may not be the same for another. That’s why some vendors carry many ATOs. Authorization end dates are influenced by Federal and organizational policies and by the requirements of authorizing officials that may establish maximum authorization periods.

Federal Risk and Authorization Management Program

FedRAMP launched in 2011 and requires that all Federal agencies that currently use or plan to use a cloud-based solution implement the FedRAMP program to assess the security risks associated with using a cloud environment. It involves four process areas modified from the NIST SP 800-37 Risk Management Framework[6]:

Document: The cloud service provider (CSP) must categorize the information system, select, implement, and document system security controls in the SSP and additional required documentation. The security controls requirements are based on NIST SP 800-53 Revision 4 and build on those required for FISMA authorization.
Assess: The CSP must contract an independent assessor to perform an assessment of the security controls. If pursuing a provisional ATO (P-ATO) from the Joint Authorization Board (JAB) or utilizing the CSP-supplied path, the organization must hire a third-party assessment organization (3PAO) to perform an independent assessment.
Authorize: Authorizing officials review the CSP’s SSP, associated documentation, and the completed independent assessment, otherwise known as the FedRAMP assessment package, and make a risk-based decision whether or not to authorize the information system. There are three “paths” a cloud service provider (CSP) can pursue to achieve an authorization:

The Agency Sponsor path involves a Federal agency and the FedRAMP Project Management Office (PMO) reviewing the assessment package and the agency determining whether to provide the CSP with an ATO.
The JAB path involves the JAB and FedRAMP PMO reviewing the assessment package and determining whether to provide the CSP with a P-ATO. Federal agencies can then decide whether to grant the CSP an ATO.
The CSP-supplied path allows the CSP to provide their assessment package to the FedRAMP PMO for review and then allowing Federal agencies to review the package to determine if they want to grant the ATO.

Once a CSP receives an ATO, it can be leveraged by other Federal agencies who want to utilize the cloud service.

Monitor: Once the JAB or agency grants the CSP a FedRAMP authorization, the CSP must implement continuous monitoring activities via ongoing assessment and authorization to ensure the cloud system maintains an acceptable risk posture.

The FedRAMP authorization process is the more rigorous of the two because it was designed to act as a one-stop shop for all agencies to get services from authorized cloud providers that fulfill the FedRAMP requirements. Generally speaking, for a moderate impact system, a FedRAMP assessor is mandated to assess 297 NIST SP 800-53 rev.4 security controls required by FedRAMP compared to the 261 NIST SP 800-53 rev.4 security controls required by FISMA. The FedRAMP-required security controls also include additional FedRAMP requirements and guidance, and FedRAMP assessors are required to follow specific guidance issued by the FedRAMP PMO for particular testing, such as penetration testing.

About the Author

Christina McGhee is a Manager at Schellman & Company, Inc. where she performs FedRAMP 3PAO assessments as well as and integrated with SOC 1 and 2 examinations. Christina has experience in performing SOC, Federal Information Security Management Act of 2002 (FISMA), and Financial Statement audits and assessments for civilian agencies and departments. Christina also has supported multiple large cloud service providers as they were preparing for and going through the FedRAMP authorization process.

[1] http://deloitte.wsj.com/cio/2013/06/03/fisma-takes-private-sector-by-surprise/

[2] https://www.fedramp.gov/files/2015/03/Guide-to-Understanding-FedRAMP-v2.0-4.docx

[3] http://www.informationweek.com/government/cybersecurity/cloud-providers-align-with-fedramp-security-standards/d/d-id/1113499

[4] http://www.federaltimes.com/story/government/omr/cybercon/2015/11/19/coop-fedramp-baselines/76052718/

[5] http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

[6] https://www.fedramp.gov/files/2015/06/FedRAMP-Security-Assessment-Framework-v1.0-2.docx

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.

Archives