Many organizations, Hyperproof included, are pilgrims on the road to FedRAMP Moderate authorization. And we can attest — working through the security assessment and authorization phases is no small feat (though certainly worth it).
Whether you’re currently working to become FedRAMP authorized or just toying with the idea, you’ve likely wondered about the FedRAMP continuous monitoring requirements and what resources it will take year-over-year to maintain your hard-earned Authority to Operate (ATO) letter.
Here’s what to know about maintaining FedRAMP authorization.
Why FedRAMP moderate?
If your company provides cloud computing services or software-as-a-service (SaaS) applications and you are interested in having a US government agency as a customer, you must be able to demonstrate FedRAMP compliance.
FedRAMP categorizes Cloud Service Providers (CSPs) into one of three security impact levels (Low, Moderate, and High) and lays out different security control requirements for each level. Most organizations will be at the Moderate level; Moderate Impact systems account for nearly 80% of CSP applications that receive FedRAMP authorization.
Continuous monitoring fundamentals: FedRAMP is a program, not a project
In and of itself, FedRAMP continuous monitoring (ConMon) is extremely prescriptive as to what is required for the ongoing assessment of security controls. The FedRAMP Continuous Monitoring Strategy Guide lays out these requirements and the deliverables required for continuous monitoring activities. The FedRAMP ConMon process is based on the process described in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137.
To maintain a FedRAMP Moderate Authorization to Operate (ATO), CSPs must perform continuous monitoring activities, including:
- Put a system security plan (SSP) in place: complete the lengthy documentation templates provided by FedRAMP to identify the CSP’s security controls, assess their risks, and outline how the CSP will monitor and report on their effectiveness.
- Collect security data: the CSP must collect data from various sources, including system logs, security information and event management (SIEM) systems, and vulnerability scanners.
- Analyze security data: the CSP must analyze the collected data to identify potential security threats and vulnerabilities.
- Take corrective action: when the CSP identifies a threat or vulnerability, it must take corrective action to mitigate the risk.
- Implement a managed change control process: the CSP must have a managed change control process to ensure that all changes to its cloud services are assessed for security impact.
- Implement an incident response plan: the CSP must have an incident response plan to respond promptly and effectively to security incidents.
In addition to what’s required in the Continuous Monitoring Guide, FedRAMP Moderate also has a degree of flexibility and freedom. The goal is to maintain a secure cloud environment, and it’s best practice for security teams to carefully consider their environment and include processes and controls specific to their organization.
Thomas Wilcox, CISSP, Sr. Director, Security & Compliance at Hyperproof, recommends wrapping your FedRAMP ConMon program around your organization’s routine deliverables. “Define the other continuous controls you’re putting in place,” Tom said. “I can tell you from talking with other folks in the FedRAMP world, you don’t have the option of just providing nothing there. They want to make sure that you are looking at your infrastructure from the critical eye of a system owner and you’re saying what is important here to make sure it isn’t compromised.”
Following overall best practices will steer you to the right level of continuous monitoring and, importantly, will help you think about how to incorporate automation into your controls to streamline ongoing evidence collection.
Frequency of security control assessments to maintain continuous compliance
Security control assessments fall into three categories: monthly, annually, and when significant changes occur.
Every month, CSPs are required to conduct and report on specific security controls, including:
- Complete authorization boundary inventory with evidence of 100% success in scanning
- Vulnerability scanning of operating systems, web applications, containers and databases in the authorization boundary
- POA&M status showing monthly findings with associated scan results for accuracy, and the history of remediation of past issues
- Patch and vulnerability status reports
- Change control records
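The first three monthly deliverables above are mechanical enough to check before the package goes out: does every asset in the boundary inventory have a successful scan, does every current finding have a POA&M entry, and is anything aging past its remediation deadline? The script below is an added example, not code from the original post and not Hyperproof's product; the inventory, scan results, POA&M entries and the remediation thresholds are all constructed for illustration (substitute the timeframes in your own ATO conditions).

```python
"""Monthly FedRAMP ConMon evidence checks (added example, constructed data).

Three checks a CSP would run before assembling the monthly package:
  1. scan coverage of the authorization boundary inventory (must be 100%)
  2. reconciliation of current scan findings against the POA&M
  3. findings that have aged past an assumed remediation threshold
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    asset_id: str   # unique id from the boundary inventory
    kind: str       # "os", "webapp", "container", "db"


@dataclass(frozen=True)
class Finding:
    finding_id: str  # scanner-assigned id (constructed values below)
    asset_id: str
    severity: str    # "high", "moderate", "low"
    first_seen: date


@dataclass(frozen=True)
class ScanRun:
    asset_id: str
    succeeded: bool           # scan completed, not merely attempted
    findings: tuple = ()


@dataclass(frozen=True)
class PoamItem:
    finding_id: str
    asset_id: str
    status: str      # "open" or "closed"


# ---- constructed sample data (not from the post) ----------------------------
INVENTORY = [Asset("web-01", "webapp"), Asset("app-01", "container"),
             Asset("db-01", "db"), Asset("bastion-01", "os")]

SCANS = [
    ScanRun("web-01", True, (Finding("FND-0001", "web-01", "high", date(2024, 1, 3)),
                             Finding("FND-0004", "web-01", "moderate", date(2024, 3, 20)))),
    ScanRun("app-01", True, (Finding("FND-0003", "app-01", "low", date(2024, 2, 10)),)),
    ScanRun("db-01", False),          # attempted, but credentials failed
    # bastion-01 has no scan record at all
    ScanRun("legacy-99", True, ()),   # scanned, yet absent from the inventory
]

POAM = [PoamItem("FND-0001", "web-01", "open"),
        PoamItem("FND-0002", "app-01", "open"),     # no longer detected
        PoamItem("FND-0003", "app-01", "closed")]   # still detected

AS_OF = date(2024, 4, 1)
# Assumed thresholds (days open per severity); use your ATO's actual timeframes.
THRESHOLDS = {"high": 30, "moderate": 90, "low": 180}


def scan_coverage(inventory, scans):
    """Return (coverage, unscanned_ids, out_of_inventory_ids)."""
    inv_ids = {a.asset_id for a in inventory}
    ok_ids = {s.asset_id for s in scans if s.succeeded}
    seen_ids = {s.asset_id for s in scans}
    coverage = len(inv_ids & ok_ids) / len(inv_ids) if inv_ids else 0.0
    return coverage, sorted(inv_ids - ok_ids), sorted(seen_ids - inv_ids)


def reconcile_poam(scans, poam):
    """Cross-check this month's findings against the POA&M."""
    detected = {(f.finding_id, f.asset_id)
                for s in scans if s.succeeded for f in s.findings}
    tracked = {(p.finding_id, p.asset_id): p.status for p in poam}
    return {
        "missing_poam": sorted(k for k in detected if k not in tracked),
        "stale_open": sorted(k for k, st in tracked.items()
                             if st == "open" and k not in detected),
        "closed_but_detected": sorted(k for k, st in tracked.items()
                                      if st == "closed" and k in detected),
    }


def aged_findings(scans, as_of, thresholds):
    """List (finding_id, asset_id, age_days) for findings past their threshold."""
    overdue = []
    for s in scans:
        if not s.succeeded:
            continue
        for f in s.findings:
            age = (as_of - f.first_seen).days
            limit = thresholds.get(f.severity)
            if limit is not None and age > limit:
                overdue.append((f.finding_id, f.asset_id, age))
    return sorted(overdue)


def monthly_check(inventory, scans, poam, as_of, thresholds):
    """Bundle the three checks; evidence_complete is the go/no-go for the package."""
    coverage, unscanned, extra = scan_coverage(inventory, scans)
    recon = reconcile_poam(scans, poam)
    complete = (coverage == 1.0 and not extra
                and not recon["missing_poam"] and not recon["closed_but_detected"])
    return {"coverage": coverage, "unscanned": unscanned, "out_of_inventory": extra,
            **recon, "overdue": aged_findings(scans, as_of, thresholds),
            "evidence_complete": complete}


if __name__ == "__main__":
    for key, value in monthly_check(INVENTORY, SCANS, POAM, AS_OF, THRESHOLDS).items():
        print(f"{key}: {value}")
```

With the constructed data the report shows coverage of 50% (db-01 failed, bastion-01 never scanned), an out-of-inventory host, one finding with no POA&M entry, one closed POA&M item the scanner still sees, and one high finding past its assumed deadline, so `evidence_complete` is false. Each of those is exactly the kind of discrepancy a 3PAO or the PMO will notice in the monthly package, so catching them internally first is the point of the check.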
Annually, certain controls and processes need to be reviewed and assessed at the direction of the FedRAMP Joint Authorization Board (JAB) and your Third Party Assessment Organization (3PAO), including:
- A full security assessment by a third-party assessment organization (3PAO)
- Review and update of key documentation, including the System Security Plan (SSP)
- Annual security control testing for a subset of the implemented controls
It’s to your benefit to foster a strong bond with your 3PAO, as you’ll be working closely with them throughout the year and at annual assessment time. Your 3PAO can be a valuable ally, guiding CSPs to formulate and uphold a continuous monitoring program that ticks all FedRAMP boxes.
A final and essential area to understand is significant changes. What constitutes a “significant change” isn’t the same for every organization, but it includes anything that could affect the security state of the information system. For example, if you offer an application, as Hyperproof does, and ship new feature sets within it (not just enhancements to existing feature sets), that would be considered a significant change. Changes to architecture, data processing and storage, and security controls are other examples of a significant change under FedRAMP.
Whenever there’s a significant change to the system or its environment, a security impact analysis is required. Depending on the outcome of this analysis, some controls may need to be re-assessed immediately and the system may require re-authorization.
Managing FedRAMP Moderate reauthorization
According to Tom: “The whole reason continuous monitoring exists is to set you up for success long-term and to make the annual requirements less painful than they would’ve been under some other programs.”
If you’ve ever gone through a SOC 2 audit, for example, you’re probably familiar with the scramble to document and prepare. When following FedRAMP ConMon, meticulous record-keeping and documentation throughout the year make the reauthorization process much more straightforward, and assessors expect exactly that.
Because you maintain your documentation and understand your continuous monitoring requirements, a mid-year change such as switching a monitoring tool won’t derail you: as long as you’ve done what’s required along the way with your Authorizing Official (AO) and the FedRAMP PMO, you’ll be in good shape when authorization time comes around.
The bottom line is that if you have a very well-documented program from the get-go and keep up with continuous monitoring requirements, you’ll be well-prepared for the reauthorization process.
Finding the resources for FedRAMP continuous monitoring
In general, the world is moving toward continuous monitoring as the standard. Continuous compliance can sound like a heavy lift to maintain, especially knowing that security and compliance teams are already overworked and bogged down in security questionnaires, audit documentation requests, and other manual compliance operations processes.
Moving forward, the best practice for aligning with requirements like FedRAMP ConMon will be to build automation into your process to streamline the repetitive tasks that are part of your system security plan. Automation saves time, adds visibility, and limits how intrusive new requirements are to your organization’s existing processes and workload. Additionally, automation is something auditors will be looking for as a best practice in the years ahead.
Hyperproof’s powerful compliance operations platform is specifically designed to automate evidence collection and link evidence to requirements and controls with dozens of integrations to ensure your proof is always up-to-date for your next audit. For FedRAMP in particular, you can:
- Automatically generate SSP Appendix A reports to get a comprehensive overview of your security program and prepare for your FedRAMP audit
- Use Hyperproof’s Jumpstart feature to map your existing FedRAMP controls across multiple frameworks like ISO 27001 and NIST SP 800-53 so you can quickly add new frameworks
Demonstrating continuous compliance helps in a lot of ways, both from a security perspective and for getting a deeper level of visibility into the environment from a compliance perspective. We’ve seen this on our own journey to FedRAMP Moderate compliance.
For more on that journey, follow along with our podcast series, “Drafting Compliance” with Kayne McGladrey and Thomas Wilcox.