With Valentine’s Day here, we think it is important to reach out and give a virtual hug to those that need it most. We want to hug FedRAMP – who had a very rough year – and it has not been for a lack of trying.
To recap, the Federal Risk and Authorization Management Program, or FedRAMP, was developed as a program through which cloud service providers (CSPs) receive an independent security assessment, conducted by a third-party assessment organization. These assessments are based on the security controls defined by the National Institute of Standards and Technology (NIST) – a complex auditing process required of public sector CSPs that is by its nature very lengthy and resource-intensive. Preparing for a FedRAMP assessment is typically where most of the time is spent.
Over the last year, vendors have come out of the woodwork to complain that FedRAMP does not work and that the Feds hate FedRAMP, while offering up their expensive professional services solutions. They complain that the controls audited as part of the assessments are not technical, which is why the assessments can take upwards of a year in some cases.
The anger towards FedRAMP is misguided, and there is an opportunity for improvement. The problem, or opportunity, lies in a gap in how these assessments are performed, which makes them very complex and, as a result, much more time-consuming than necessary.
We hope FedRAMP will consider our recommendation to establish a sound digital risk management (DRM) and mitigation process. Such a process would fill the gap between the controls and the security framework defined by NIST, greatly reducing complexity and significantly shortening the time needed for assessments.
Key to an effective DRM program is the ability to define risk failure scenarios, which in turn help to identify the risks to systems associated with those failure scenarios. As it stands today, identifying risks at the system level is based on vulnerability scans, which makes it difficult to prioritize the risks arising from those vulnerabilities.
By prioritizing failure scenarios, organizations can easily select the controls that best apply to preventing those failures from occurring. Prioritized scenarios also help to define and prioritize the implementation of the controls that have been identified, thereby making the auditor's job easier.
When it comes to continuous monitoring (a key step in the risk management process), an enterprise digital risk management program that sets policy, guidance and priorities for all systems (critical and non-critical) greatly enhances an organization's ability to work easily with the auditors, because an overarching process and guidance are already established within the CSP.
Success is already being demonstrated by large organizations such as NASA, which deployed an innovative digital risk framing program that greatly streamlined its security systems and processes.
Waverley Labs is currently initiating discussions with FedRAMP and the Cloud Security Alliance (CSA) to come up with and recommend a list of controls that would be monitored and assessed "automatically." We are also developing outcome-based monitoring solutions that enable the quantification of failure scenarios and the creation of digital risk scorecards: the next step in the evolution of digital risk management solutions.
Below is a diagram that shows where and how digital risk management closes the gap in the current FedRAMP auditing process.
To learn more about digital risk, see our post on The Emergence of Digital Risk. Watch this space for more info.