The federal government’s growing use of cloud services and the recent executive order encouraging adoption of cloud service offerings, or CSOs, are putting pressure on agencies and cloud service providers, or CSPs, to continuously monitor and manage those services in order to stay compliant with federal regulations. It’s a tall order. The scale and complexity of maintaining compliance can quickly overwhelm traditional methods of scanning, remediating and reporting vulnerabilities, leaving agencies and CSPs at risk of losing authorization for those services—and, more importantly, putting systems at risk of attack.
Agencies and CSPs need to take a new approach. An automated, comprehensive solution that aggregates and sorts data from multiple scans, provides clear visibility into the cloud infrastructure and generates a Plan of Actions and Milestones, or POA&M, for addressing vulnerabilities can more easily keep their cloud services in compliance while reducing the errors involved in more manual processes.
Expanded Monitoring Overwhelms Security Teams
Agencies launching cloud services and CSPs have a pretty steep hill to climb just to get their initial authorization to operate, or ATO, from the Federal Risk and Authorization Management Program, or FedRAMP, and other similar standards. Often working together, they must go through the first five steps of the National Institute of Standards and Technology’s Risk Management Framework, a time-consuming (typically four to nine months) and expensive process necessary to achieve an ATO.
Although FedRAMP provides cloud solutions a clear path toward authorization, it is still a tremendous amount of work. However, it’s the sixth and final step in the framework that presents the biggest challenge: monitoring to maintain your security posture and stay in compliance.
To maintain compliance, including with the Continuous Monitoring Performance Guide, agencies and CSPs must collect and prioritize huge amounts of scanner data, identify vulnerabilities and determine their risk as high, medium or low impact. They then must develop a POA&M under which they either remediate the vulnerability or agree to deviate from the plan and implement an alternative approach to address the vulnerability.
The complexity of this task increases for agencies as they add more cloud services. CSPs are responsible for managing and reporting their solutions’ security compliance to all agency customers. Adding weight to providers’ responsibilities, a recent White House memo sent after the executive order to corporations and business leaders emphasized what it sees as industry’s obligation to secure its own technology.
Agencies, for their part, must work with their CSPs to review the security posture and authorize the CSO, while also assessing the status of their own internal agency systems. Traditionally, this work has been managed by spreadsheets in a manual, arduous process that just isn’t practical in an expanding cloud environment. The need for an automated end-to-end approach is clear.
Bringing the Power of Automation to Streamline Compliance
CSPs have a wide range of scanning tools to choose from, and agencies need to be able to aggregate that data automatically—regardless of the format each tool produces—to provide actionable insights.
The biggest benefit of a solution that aggregates and prioritizes data, generates POA&Ms and keeps cloud offerings in compliance, freeing up security experts to actually perform security analysis, is that it improves an agency’s security posture. Secondly, it helps maintain an ATO, which is essential both for CSPs doing business with the government and for agencies providing services.
As the process becomes more codified and operational risks become more visible, it also raises the bar on the acceptable level of risk across the government. With greater visibility into agency portfolios, if one agency decides that a cloud service presents an unacceptable risk, it could be difficult for another agency leveraging the same service to ignore that determination.
Such a solution would also benefit CSPs in other ways. For example, POA&Ms would carry over from month to month, so they wouldn’t have to redo anything unnecessarily. More importantly, it would benefit smaller or nascent CSPs that may not have the resources to build or buy their own POA&M management tool. A solution that standardizes POA&M tracking and management and allows for extracts in standard formats, such as FedRAMP and OSCAL, lets CSPs handle the job while adding capacity at no extra cost.
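As an added illustration of the aggregation and month-to-month carry-over workflow described above (example code written for this page, not from the article or any Noblis product), the following Python sketch normalizes two constructed scanner exports in different formats, deduplicates findings reported by both tools, rates each high, medium or low, and rolls the prior month's POA&M forward. The remediation windows, field names and sample data are assumptions for illustration, not the FedRAMP template or its official timelines.

```python
import csv
import io
import json
from datetime import date, timedelta

# Assumed remediation windows (days from detection) per risk rating, used here for illustration only.
WINDOW_DAYS = {"high": 30, "medium": 90, "low": 180}

# Constructed sample exports in two formats; the 10.0.0.5 weakness is reported by both scanners.
SCANNER_A = json.dumps({"results": [
    {"host": "10.0.0.5", "plugin_id": "A-101", "name": "Outdated TLS library", "cvss": 7.5},
    {"host": "10.0.0.7", "plugin_id": "A-202", "name": "Weak SSH cipher enabled", "cvss": 5.3}]})
SCANNER_B = ("ip,check_id,title,severity\n"
             "10.0.0.5,A-101,Outdated TLS library,High\n"
             "10.0.0.9,B-303,Default SNMP community string,Low\n")
# Constructed prior-month POA&M: V-0001 is still being detected, V-0002's weakness is not.
PRIOR_POAM = [
    {"poam_id": "V-0001", "asset": "10.0.0.5", "check": "A-101", "title": "Outdated TLS library",
     "rating": "high", "detected": "2024-01-10", "scheduled_completion": "2024-02-09", "status": "open"},
    {"poam_id": "V-0002", "asset": "10.0.0.2", "check": "A-404", "title": "Expired certificate",
     "rating": "medium", "detected": "2024-01-10", "scheduled_completion": "2024-04-09", "status": "open"}]

def cvss_bucket(score):
    """Map a numeric CVSS score onto the high/medium/low rating the POA&M uses."""
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def normalize(scanner_a_json, scanner_b_csv):
    """Merge two scan exports into one finding set keyed on (asset, check id), so one weakness counts once."""
    findings = {}
    for f in json.loads(scanner_a_json)["results"]:  # scanner A: JSON with numeric CVSS scores
        findings[(f["host"], f["plugin_id"])] = {"asset": f["host"], "check": f["plugin_id"],
                                                 "title": f["name"], "rating": cvss_bucket(f["cvss"])}
    for r in csv.DictReader(io.StringIO(scanner_b_csv)):  # scanner B: CSV with text severities
        findings.setdefault((r["ip"], r["check_id"]), {"asset": r["ip"], "check": r["check_id"],
                                                        "title": r["title"], "rating": r["severity"].lower()})
    return findings

def update_poam(prior_poam, findings, today):
    """Carry prior items forward unchanged (original detection date and deadline kept), close items
    no longer detected, and open new items with a deadline driven by their risk rating."""
    poam = [dict(i, status="open" if (i["asset"], i["check"]) in findings else "closed") for i in prior_poam]
    known = {(i["asset"], i["check"]) for i in prior_poam}
    for n, key in enumerate(sorted(k for k in findings if k not in known), start=len(prior_poam) + 1):
        f = findings[key]
        due = today + timedelta(days=WINDOW_DAYS[f["rating"]])
        poam.append({**f, "poam_id": f"V-{n:04d}", "detected": today.isoformat(),
                     "scheduled_completion": due.isoformat(), "status": "open"})
    return poam

def run_example(today=date(2024, 2, 5)):
    """Run one monthly cycle against the constructed inputs and return the updated POA&M."""
    return update_poam(PRIOR_POAM, normalize(SCANNER_A, SCANNER_B), today)
```

The returned list is the structure a tool would then export in whatever format the agency requires; here the three findings from two scanners collapse to four POA&M rows, one of them closed.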
For CSPs, the key features to look for are compliance assurance, POA&M management and automated submission of reports. For agencies, it’s portfolio management, asset inventory management and a workflow to handle deviations. By improving operational risk visibility, agencies and CSPs can work together to ensure that vulnerabilities are identified and mitigated, improving the agency’s overall security posture and ensuring compliance with complex federal regulations.
Abheek Sen is a senior technologist at Noblis.