Easing into FISMA and FedRAMP? It's possible.
The FedRAMP program that took effect in 2012 and a FISMA reform being considered by Congress are combining to raise agency concerns over compliance.
Across the federal government, managers are worrying about how to comply with new forthcoming security standards, including the possible reform of the Federal Information Security Management Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP), even as their budgets shrink and pressure mounts to incorporate new technologies. While the transition may not be seamless, insiders say it does not have to be the struggle some fear.
There is no doubt the new rules will be disruptive. Among the many new requirements between the two measures are directives for securing data and other digital assets, adhering to compliance reporting, implementing security efforts that likely include new capabilities, and working with approved technology providers who have passed rigorous testing. Agencies also must either retrofit legacy systems and rework existing contracts or move to completely new versions of both. All around, the new standards are disruptive, most agree.
FISMA reform is still making its way through Congress, but if the legislation passes, the effect on agencies will be significant.
"It's a huge change from doing a FISMA scorecard last December to implementing real-time scanning and continuous diagnostic monitoring this year," Robert Duffy, CIO in the Homeland Security Inspector General's office, said at a recent industry event in Washington. "It's changing how we look at the network layer, what people are doing and the network piece that has become embedded with everything else that supports the mission. It's exciting in one sense because we're strengthening security...but also presents challenges going forward in what skill sets you really need to work the mission."
It is not only agencies that must contend with change – under FedRAMP, which pertains to government cloud security, providers undergo thorough third-party assessments to ensure they meet all new requirements before receiving accreditation and approval to be a cloud vendor for agencies.
Agencies and companies alike are faced with a decision that really only has one option: get on the security train, overcoming issues like upfront investment, cultural resistance to change and a steep learning curve on numerous and complex controls, standards and requirements.
"It's like 4,000-ft. sheer cliff glacier: This looks like a big scary thing coming at me, but it doesn't look like it's moving, so I ignore it. I look up again, and now it looks closer," said Ken Ammon, chief strategy officer at Xceedium. "But this all is going to totally change the landscape; there's no stopping it because it makes all the sense in the world. Whatever the downsides and risks are, we can navigate them all. So you can either figure out how to climb on the glacier and ride it, or be paved over."
While FedRAMP and FISMA are distinct initiatives, they are closely tied: FedRAMP is a security standardization directive specifically for cloud derived from FISMA's controls and baselines.
Under FedRAMP, cloud service providers must apply for authorization, which is granted by the joint authorization board (JAB), while third-party assessment organizations (3PAOs) independently verify and validate security controls. Eventually, other requirements, including continuous monitoring will be incorporated as well.
According to Maria Roat, director of FedRAMP at the General Services Administration, the measure is going to make things significantly easier for agencies. Once a cloud services provider receives 3PAO approval from one agency, other organizations are able to take advantage of that, reviewing their offerings and requirements for their own use, she said.
"This really goes back to the 'do once, use many times' – that's really a driver for the FedRAMP program," Roat said May 8 on a panel at an industry event in Arlington, Va.
"This is accreditation as a service," added Zachary Brown, chief information security officer at the Consumer Financial Protection Bureau. "Cloud, shared services, everything we're doing now is really bridging the public and private sectors more quickly than probably a lot of us feel comfortable doing. That means that we need to get familiar with [each other's] vernacular. You need to all come from a common ground."
Most officials will acknowledge the transition is daunting – FISMA alone has more than 600 security controls. But managers have to start out with smaller steps, including in the partnerships between government and industry, according to Dan Waddell, senior director of information assurance and cybersecurity at eGlobalTech.
"You have to start the conversation with data and risk – and not, 'Oh, you have to fill out this 350-page template,'" Waddell said. "Yes, we do, but you have to break it down into terms of this is the type of data we're looking for, this is information we're looking for – you have to break it down into a conversation [everyone] is able to understand and support the process to make things easier."
There also is denying that becoming compliant will involve upfront investment, but officials say that the savings end up paying for themselves.
"When you talk about sequestration and the effects of cutting budgets, where FedRAMP and FISMA come in it seems like a tremendous overhead," said Steven Hernandez, CISO and director of information assurance at the Health and Human Services Department's Inspector General office. "In terms of the efficiency we're getting out of this, that's tremendous...we're literally spending 10 percent of the time and resources on the review that we were before."
FedRAMP went into effect in June 2012.