Cyber Leaders Warn Against Limitations of FedRAMP

Before jumping into FedRAMP solutions, federal agencies should develop an intimate understanding of their data and data needs, cyber leaders said at FCW’s FedRAMP Summit last week.

“When you look at FedRAMP tech solutions and are looking to deploy them, it’s not a simple plug-and-play replacement,” said Nagesh Rao, CIO of the Bureau of Industry and Security at the Department of Commerce. “You’ve got to turn off the legacy platform, migrate the data to the new solution, and then part of that you have to make sure there’s a connectivity point to do the migration.”

FedRAMP works best when you understand how it can work for you, Rao said.

“For example, if you’re going from IaaS (infrastructure-as-a-service) to SaaS (software-as-a-service)-based solution, there’s got to be a touch point of that SaaS solution talking to the legacy system,” he said during the event. “When you do the FedRAMP stuff, there’s always those little tweaks and configuration changes that need to be adapted for that agency’s select system in order for us to actually do the play and allow an ATO (authority to operate) to occur. I think a lot of people think you’re starting off with a blank canvas [with FedRAMP] and you’re not.”

Victoria Yan Pillitteri, a supervisory computer scientist with NIST, echoed Rao’s comments and stressed that “not one size fits all” when dealing with FedRAMP.

“Nagesh has a very different risk profile than NIST,” she said. “We need to protect the information and systems that are serving those functions very differently. At the end of the day, FedRAMP is a great first step in terms of being able to communicate what these security countermeasures are. At the end of the day, we need to understand that and tailor it to each organization. Compliance is just the first step of risk management.”

Pillitteri recommends “following the data” when choosing FedRAMP solutions. Prioritizing high-value assets and continuous monitoring are also key to maintaining cyber awareness.

“You wouldn’t protect your diamonds the way you protect an old toothbrush — it’s all about the risk,” she said about the assets. “The concept of continuous monitoring is continuously knowing your cybersecurity posture. We have these great programs like FedRAMP that provide you that point in time, [but] you have to understand what’s changing, external or internal, and how it impacts your risk posture.”

Kenneth Bible, CISO at the Department of Homeland Security, also warned fellow CISOs against relying on FedRAMP authorization as cybersecurity assurance.

“FedRAMP isn’t just about getting the provisional authorization, it’s about continuous monitoring,” he said at the event. “Agencies make risk-based decisions, [but] the [Joint Authorization Board] (the primary governing body for FedRAMP) cannot accept risk on behalf of the agency.”

Bible advises drilling down on software supply chain risk management to boost continuous monitoring efforts in the cloud.

Automating security processes in the cloud can also smooth FedRAMP transitions, according to Citizenship and Immigration Services CISO Shane Barney. When USCIS migrated IT operations to the cloud 10 years ago, automating security was the only way to effectively manage terabytes of data.

“On the FedRAMP side, automation really becomes that linchpin between the trust and verify aspects of it and how we best utilize our resources at all levels,” Barney said at the summit. “If infrastructure is code, security is code, too. It’s an ongoing Agile approach, there’s never an end state for this. The future of security is clearly cloud-based, and cloud is all about development. Learn the program, learn Python and how it works and why because it becomes a critical tool for you to use going forward.”