FedRAMP R5 represents a lot of change. So much change that we can’t track it all in this one blog, though we gave it the Old College Try:
- In Part One of this series on the R5 transition we focused on the heavy lift that may be required in the move to DISA STIGs for tracking FedRAMP baselines
- In Part Two of the series we focused on changes that stem from supply chain risk management needs, on tightened privacy controls, and on the impacts of more stringent encryption requirements.
In this last installment of the series we’ll serve up recommendations and tips from Anitian’s on-staff security and compliance experts about how to navigate the R4-to-R5 transition. Then we’ll cover the critical timelines put forth by the FedRAMP PMO. Lastly, we’ll link you to a new white paper resource that encapsulates all these changes and lays out the actions CSPs need to take.
What Our Experts Advise
Anitian security and compliance experts focus on one thing and one thing only: achieving FedRAMP success. That success can be defined as just getting our customers’ CSOs to ATO Ready, to helping them achieve ATO and get listed in the marketplace, to winning new business, or to leveraging our scalable platform to bring an entire SaaS portfolio into the federal market. No matter how it’s defined, our focus is on FedRAMP Success alone: not on PCI, not on HIPAA, not SOC2.
With that as a foundation, here are some top recommendations from our uniquely FedRAMP perspective:
1. Begin scoping and testing for the transition to STIGs
Using DISA STIGs to capture and record baseline configurations is new for most practitioners. And notwithstanding the debate still raging about PMO’s intent or direction, here’s what it says in SSP requirements for CM-6:
- “Requirement 1: The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.” (Highlights added by Anitian.)
For the majority of our CSP customers this is new territory using new tools and a new language. Practitioners will be well served to evaluate STIG tools. These typically use Security Content Automation Protocol (SCAP) which is the protocol used in scanners like the traditional SCAP Compliance Checker or the SCC tool from NIWC Atlantic. CSPs should familiarize themselves with the new tools and run some test evaluations on their application stack. If they’re coming from a background of using Center for Internet Security (CIS) scans, the CSP will find marked differences in workflows, annotation and exception handling.
Our advice on the noise and back-and-forth on this topic: don’t delay. Some have a sense that there are paths to ATO in the future that avoid STIGs, but we think these are temporary reprieves at best.
2. Scope solutions for data exfiltration
If you’ve been fielding one of the 51 FedRAMP High solutions in the marketplace you’re already scoping and reporting on your system’s data exfiltration risks. You have a leg up. But for the 230 Moderate solutions in the marketplace, those systems will also require risk analysis for data exfiltration. This requires analysis of outbound communications at the external system boundary and any subnetworks or systems to detect covert exfiltration of information as defined in SI-04. This will require organizations to analyze large amounts of traffic that are leaving the environment, and to do so at a level of inspection that may outstrip the capabilities of their current tools.
Apart from the tooling, there’s also a question of practice: if a CSP is not already using pen testing or red team exercises to evaluate their ability to detect data exfiltration, it’s time to start.
3. Create a Supply Chain Risk Management program
SCRM has been a weak spot in many cloud-based offerings for years, and recent exploits have taken advantage of these gaps. If this is a new area for your organization, we suggest studying the NIST plan codified in NIST SP 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” This 300+ page artifact takes a holistic look at the intersection of modern risks and the modern digital-first organization. It provides guidance on evaluating threats, impacts and consequences, as well as how to structure an SCRM unit within an organization.
4. Research tools for automating data identification within the system
As long as FedRAMP has been around it has required the use of FIPS-validated or NSA-approved cryptography, but with Rev 5 FedRAMP has extended its cryptography requirements. Now, data-at-rest (including backups) and data in-transit, through, and out of defined boundaries – must document cryptographic processes and principles. Every System Security Plan (SSP) for FedRAMP applications and services must include the new “Appendix Q: Cryptographic Modules Table” that details every cryptographic mechanism used in delivering the product.
To do this, CSPs will need to avail themselves of new discovery tools. If other parts of their organization are already using tools like Thales, Imperva or Varonis to do data discovery and classification they can perhaps leverage existing licenses. Amundesen, CKAN, and Magda make open-source data cataloguing tools. A recent article in Computer Weekly provides a useful rundown of some – but not all – of the available tools.
FedRAMP is an ongoing process that requires organizations to closely document their environments and pass annual audits in order to maintain their ATO. For these organizations, the move to Rev 5 will be based on the date of the next and/or most recent audit date.
- For CSPs with an ATO: If the most recent assessment was between January 2nd and July 3, 2023: CSPs that completed an annual assessment in the six months prior to the release of FedRAMP Rev 5, will need to implement Rev 5 controls at their next annual assessment. Officially, this is one year from the organization’s last audit. For example, if a CSP’s last audit was in January of 2023, they will need to implement the new controls by January 2024.
- If the next assessment is planned for July 3 to December 15, 2023: CSPs that have an upcoming audit in the second half of 2023 will need to implement Rev 5 controls by the time of their next audit in 2024. For example, a CSO with an audit already scheduled for August 1, 2023, will need to implement Rev 5 controls by no later than August 1, 2024.
- CSPs Seeking an ATO: If CSPs are seeking an ATO they will have different timelines based on whether or not they were officially in-process prior to May 30, 2023.
- CSPs in Initiation Phase: CSPs are considered in-process if they meet either of the following requirements.
- They have an official agency sponsor or JAB prioritization AND a contracted 3PAO; or
- They have been evaluated by a 3PAO and are in the process of submitting their package to FedRAMP PMO; or
- They have submitted their package to the FedRAMP PMO
CSPs that have achieved Initiation Phase status prior to May 30th, 2023, can still receive their ATO under Rev 4. However, by September 1st, these CSPs will need to identify any deltas between their current Rev 4 implementation and the Rev 5 requirements, and Rev 5 requirement must be implemented by the time of the first annual audit. (For all intents and purposes, these deadlines have now passed and it’s an R5.
- CSPs in the Planning Phase: CSPs that have not reached the initiation phase (e.g., customers who don’t have an agency sponsor/JAB Prioritization letter nor a contracted 3PAO), must submit a package that meets the Rev 5 requirements using the Rev 5 templates.
Resources You Can Use
At the risk of stating the obvious, the R5 transition is a big change: for product owners and engineers in current or aspiring CSPs; for consultants; for SaaS providers looking for market expansion; for the FedRAMP PMO and federal agency security and compliance teams. We have several resources that can help:
A new Anitian whitepaper provides guidance on navigating R5 changes: Speed Bump or Sinkhole? Six Ways NIST 800-53 R5 Affects FedRAMP ATO.
Anitian, AWS, and Carahsoft are teaming up for a webinar on this topic on Wednesday, August 23. Register here, or it will be available on-demand after the session: Seismic Updates: R5 Brings Foundational Changes to FedRAMP.