CMMC. FedRAMP. SP-800-171. FISMA. These are some of the most important alphabet and numerical soup federal contractors must be intimately knowledgeable about to successfully navigate the market.
The focus by agencies over the last five or so years on compliance isn’t a matter of creating more hoops for companies to jump through. It’s a matter of trusting but verifying, to protect against cybersecurity vulnerabilities.
And with the latest revision to National Institute of Standards and Technology Special Publication 800-53, Revision 5, new updates to the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA) become even more necessary to grasp.
Martin Rieger, the chief solutions officer and chief information security officer at stackArmor, said FedRAMP, FISMA and many other policy and regulatory compliance requirements are more than just paperwork or technology architecture. He said the caring, feeding, maintenance and continuous development of these activities are what will make companies successful.
While most of these security requirements have been around for more than a decade, Rieger said many times contractors struggle to meet the government’s mandates.
“They tend to budget improperly because they don’t know what they don’t know. There is more than just the paperwork. There is the design and implementation of systems that need to meet the complex architecture requirements,” Rieger said during the discussion, Simplifying Federal Regulatory Security and Compliance Requirements. “One of the biggest mistakes that companies make is to think that it’s all about the product or the solution. It is as much about the organization going through the process, as it is about delivering a cloud solution or cloud service offering to the government.”
Addition of supply chain risk management
The latest revision of NIST 800-53 is a good example of the organizational change and focus that need to occur.
The FedRAMP cloud security program office released its new version integrating Revision 5 into its requirements.
Rieger said this means that going forward, for new FedRAMP authorizations or when companies come up for re-authorization, they will have to demonstrate expanded supply chain risk management (SCRM) efforts. He said SCRM didn’t appear in Revision 4.
“Going forward, companies have to have a policy around it. They’ve got to have procedures to support it, plus a plan that didn’t exist before,” he said. “It is the training of the personnel, the hiring, firing, transferring of background checks, and then the entire process of developing the product, including development and testing. That’s the difficult work, but the preparation that goes into developing policies for 17 different NIST families, now 18 with supply chain risk management, can be a bit of a culture shock for organizations.”
The same is true for another emerging requirement from FedRAMP, continuous monitoring.
Rieger said this too is more than just a paperwork exercise as it requires daily, weekly, monthly, quarterly and annual obligations of scanning, reporting and the deployments of new services and capabilities.
“The budgeting for this is something that has to be carefully planned for and thought out. It needs to be prepared in a way that organizations have a three-to-five-year budget aligned with the requirements of their system, including things like licensing, hosting costs, as well as the initial assessment and the annual assessments which are all a part of continuous monitoring,” he said. “The personnel expertise and knowledge required for this from engineers and architects as well as security analysts, security managers and officers are typically roles that most companies don’t have in place. Sponsorship is another critical piece of this. Agencies are the ones who accept the risk, and regardless of what path a company goes through to achieve FedRAMP, it’s the agencies that are authorizing at the end of the day.”
Costs for FedRAMP coming down
The good news, Rieger said, is costs to meet FedRAMP requirements have come down considerably over the last decade.
The program office in the General Services Administration has initiated new efforts like FedRAMP Tailored and FedRAMP Ready to help speed up the process and reduce costs.
Rieger said other technologies like infrastructure-as-code, cloud formations and terraforming enable changes to infrastructure to happen in days instead of months, which also reduces the preparation timeline.
“The average time it takes a company to figure all this out, do the research and development and then get quotes from a third-party assessment organization is four-to-five months. So if you’re doing that planning before you even started the FedRAMP process, that’s another accelerator,” he said. “Documentation is another big area where acceleration has occurred, which is to say having policies and procedures as what we would call starter templates that no longer take three-to-four months to develop, but can be knocked out in a matter of weeks.”