The cloud, FedRAMP and FISMA compliance
Many federal agencies and government contractors are migrating to cloud-based computing, a trend that will pick up speed as the cloud becomes more efficient, more affordable, and more secure. In fact, Deltek projects that the Federal Cloud market will grow by $6.4B by 2019. Cloud computing offers significant economies of scale and is therefore an attractive alternative for agencies charged with cutting costs, centralizing data processing, and reducing redundancies.
The push for FedRAMP is a concerted effort by the government to deploy a ‘do once, use many’ strategy to better secure all regulated data. But relinquishing jurisdiction over platforms, storage, and applications makes government security officers nervous—and rightfully so. Agencies and government contractors are responsible for Federal Information Security Management Act (FISMA) compliance, and moving to the cloud shifts a significant amount of that responsibility and risk to the Cloud Service Provider (CSP).
The Federal Risk and Authorization Management Program (FedRAMP) was enacted to oversee and standardize FISMA compliance as it applies to cloud-based computing services. To do this, FedRAMP establishes accreditation criteria for both CSPs and Third Party Assessment Organizations (3PAOs). Many agencies and government contractors turn to 3PAOs for insights on the cloud migration process — from what to expect and how to initiate a secure transition to how to negotiate a contract with a CSP.
FISMA compliance: What to consider when moving to the cloud
To begin with, your CSP of choice must be FedRAMP certified. But even though a provider is certified, you can’t necessarily count on them to manage compliance effectively. Since ultimate responsibility for FISMA compliance rests with you, oversight and assignment of security controls should be agreed upon from the outset. How does the CSP monitor their system? How segregated is regulated data from non-regulated data? How do they perform audits? Who does them? How often? What metrics can you expect from your CSP? During the contract negotiation, you will want to make sure that your CSP has standards as high as—or higher than—yours. Switching cloud providers can be extremely difficult; know before signing what kind of partnership you’re taking on.
Keep in mind that CSPs share resources with and outsource processes to each other. It’s not always clear who is managing your data, and you may not be privy to where your data resides. (In fact, some of it could even be ‘living’ in another country.) For the first time, your security controls are likely to be virtual rather than physical, so you will have to get used to accessing your controls remotely. And you will have to trust your CSP. All the more reason to make sure your agreement is clear up front.
Your migration plan should be carefully developed, taking into account workflow disruption and the optimal timing for moving sensitive data. Some agencies prefer to start small; they’ll move email to the cloud, for example, before migrating data that contains personally identifiable information (PII) or electronic protected health information (ePHI).
Some of the key security issues to consider are:
1. Data encryption, which can be an add-on service
2. Physical/logical access to the system
3. The exit strategy: data backup, recovery and destruction
4. On-premises and cloud data integration issues
5. How intrusion detection is managed
6. Storing high-risk data in managed locations
7. Monitoring systems and data centers
8. Assurance that controls are tested/validated, and your right to audit.
Of course, you recognize this list. These are issues you’re already dealing with in a premises-based security management system. The point is, even if you migrate to the cloud, it will still be up to you to make sure your system is FISMA compliant.
FISMA compliance: Third Party Assessment Organizations (3PAOs)
The complexities of migrating to the cloud can be overwhelming for an IT department, given that your staff is most likely already spread too thin. While the idea of offloading a significant portion of system management to a CSP is appealing, getting there can be like rolling a boulder uphill. For this reason, many agencies turn to 3PAOs for guidance on how to make sure their system stays secure during—and after—the transition.
How is it that 3PAOs are so good at this? Not only are they accredited by the government; they are also the organizations that assess CSPs for adherence to FISMA compliance in the first place.
Here are some of the tasks you can expect a 3PAO to help you with:
1. Evaluating potential CSPs for compliance with FISMA/FedRAMP
2. Supporting contract negotiations to clearly delineate responsibilities and expectations
3. Helping to classify risk level of data
4. Structuring a migration plan with regard to data security
5. Testing and validating CSP security controls on an ongoing basis
6. Providing overall guidance, education and support on adhering to cloud security best practices.
If you are thinking of moving to the cloud—but still uncertain what that means for FISMA compliance—keep in mind that CSPs are constantly upping their game. They have to if they want to grow. Your IT staff might be highly skilled, but CSPs have resources that most in-house departments can’t possibly match. CSPs are subject to certifications and rigorous audits, and they often initiate their own advanced security measures, e.g., surveillance systems, data encryption and regular penetration testing. Ultimately, even though there are uncertainties about moving to the cloud, it’s possible that a well-managed cloud solution could be more secure than a premises-based one will ever be.