This article was written by Kathryn M. Daily, CISSP, RDRP of BAI Information Security.
In a previous article, security control inheritance from an external system hosted at a departmental or agency data center was discussed. In this article, we are going to discuss inheritance from a FedRAMP Approved Cloud Service Provider (CSP) such as Amazon Web Services (AWS), Microsoft Azure, etc.
FedRAMP is an assessment and authorization process for cloud computing products and services. Federal agencies have been directed to use FedRAMP approved cloud computing products and services to ensure that a minimum level of security is provided by the CSP. Like federal information systems, FedRAMP approved CSPs receive an ATO for a period of 3 years, and they go through the A&A process again, or when there is a major change. As with inheriting from another information system, the benefit of using a FedRAMP approved CSP is that it eliminates redundant validation of compliance—the compliance of the “providing system” (CSP) automatically inures to the benefit of the “receiving system” (hosted customer system).
This inheritance makes YOUR A&A process much less painful. For one, Maintenance, Media Protection and Physical and Environmental are completely inherited. Prior to FedRAMP, the Security Control Assessor (SCA) had to visit the data center to check the “gates, guards and guns” every single time, even if that specific assessor had previously visited that data center. That is no longer necessary. The FedRAMP ATO takes care of all of that. In addition, there are several “shared controls” where the CSP provides the capability to fulfill the control, and provided that the customer configured the mechanism appropriately, the control is compliant. One example of this is the Access Control family. AWS provides a tool called Identity and Access Management (IAM) that enables you to securely control access to AWS services and resources for your users. IAM provides the capability to be compliant with much of the Access Control family.
AWS also provides CloudTrail, which provides the capability to be compliant with most of the Audit and Accountability family. You can obtain the System Security Plan for the CSP you choose, which documents the details of the implementation for each of the shared and inherited controls.
At https://marketplace.fedramp.gov you can see all available CSPs, their service models (SaaS, Iaas, PaaS, etc) and the impact level (high, moderate or low). Currently there are 67 CSPs that are ‘In Process’ and 86 that are approved. You can also fill out the Package Access Request Form which will get you a copy of their FedRAMP artifacts (SSP, ATO, etc). Keep in mind a government employee will need to request the package on behalf of a contractor.