The protection and storage of government data is not a matter that is taken lightly. That’s why there’s FedRAMP, the Federal Risk and Authorization Management Program, which enables government agencies to move from outdated systems to secure, cloud-based IT through certified Cloud Serice Provider partners.
On this episode of Government Enabled, host Gil Tillman interviews Maria Horton, the Founder and CEO at EmeSec, a federal contractor that offers cloud security, compliance and engineering as well as assistance in the FedRAMP application process.
The process is more of a marathon than a sprint, says Maria, who has years of experience in the FedRAMP system. Her company is a FedRAMP Third Party Assessment Organization (3PAO), which means they are accredited to advise Cloud Service Providers (CSP) on the design and preparation of their application.
Despite the long and complex process, Maria says it’s worth the time and cost.
“To me, FedRAMP is a strategy into the marketplace. It is an ongoing process. You can’t just get in, get certified and drop it. You actually have to be thinking FedRAMP while you’re managing and operating your cloud solution,” she says.
Trust is an essential ingredient in the relationships between cloud service providers, the government and the government’s extended customers — the citizens, Maria says. This all started with the Office of Management and Budget’s cloud-first strategies in 2010-11, and today FedRAMP is influenced by the office’s recommendations.
There are a lot of layers to FedRAMP, Maria says. It’s not necessarily a complex process, but it does take a long time and is ongoing. She encourages customers not to get overwhelmed and to focus on long-term goals. “If you don’t look at it from a journey perspective, it can seem very overwhelming, and you may end up not having enough time on your journey to accomplish the things you want to do successfully within the FedRAMP federal marketplace,” she says.
FedRAMP is a key strategy for entering the federal marketplace, and it’s not as simple as just getting certified and moving on. It should be a constant thought when managing and operating a cloud solution, Maria says. If you get certified and then don’t pay attention, you could be kicked out of the program. There is a responsibility to being FedRAMP certified, she says.
Educating customers about the intricacies of testing
“We’ve been in this business as a small business for a while. And when we do inspection testing or we get the question — how quickly can you test us? — we spend a lot of time talking to those potential customers about what’s involved in the testing … you not only have to prove the design through technical testing, you have to prove the paperwork is there so that the government and the end users can understand how the system works.”
A transparent governance model
“The governance model looks at — how should a cloud service provider or a CSP provide services to agencies and citizens? How should it be managed on a regular basis, and when should it report to the government itself about how well they’re performing? When I look at the governance model, I think that’s what the PMO is trying to provide with clarity so that everything is transparent for both the individual entities that want to serve government agencies, as well as the government agencies that are using those new solutions.”
A process that requires time, people and resources
“When you look at the way you begin this journey, you’re going to need resources, people and money to be able to become FedRAMP certified. You also need a team effort. One or two people in a company makes this process very difficult and hard to support when the FedRAMP PMO [Program Management Office] or the JAB [Joint Advisory Board], or even an agency is looking at your system. You truly need a security culture to grow up within the cloud solution provider.”
Work with existing cloud resources
“When you’re planning this, you need to clearly utilize the publicly available resources. Fedramp.gov has a number of templates and guidance materials, very important to utilize. Don’t reinvent the wheel. A lot of folks are very proud of their development skills or unique skills that they have within a business. Instead of using some of the things that are available to them, they want to kind of showcase their skill sets. Sometimes you can, in today’s world, use already available cloud pieces and integrate them into your unique offering. That might be a shorter way on the journey instead of building it yourself.”
The importance of continuous monitoring
“When we look at continuous monitoring, this is ongoing testing, it’s management of plans of action and milestones, ways to remediate any potential vulnerabilities you may have, and there is an annual testing component to it in which cloud service providers that have been FedRAMP certified come back and report back to the FedRAMP program management office on how well they’re doing. In continuous monitoring, you’re looking at your system, you’re assuring your customers and end users that the vulnerabilities that come up from day to day or the potential risks are handled.”
New requirements for federal contractor cybersecurity
“We are entering a new era for not only federal contractors but commercial organizations. You might be using, growing, maintaining a FedRAMP certified cloud capability that you’re selling to your federal customers, but that now is sitting on your network for your corporation or your organization. The government has seemed to put new requirements on federal contractors so that they now must manage their own organizations and their own networks and applications that they use with an eye on cybersecurity.”