FedRAMP and Risk Management
FedRAMP Authorization is a complicated undertaking, due in no small part to the layers of requirements that cloud offerings must meet throughout the process. As part of the government’s turn toward more comprehensive security, FedRAMP requirements include significant risk management standards that all providers must meet.
What Is Risk Management?
Risk management is the process of identifying, categorizing, and evaluating potential sources of security risk in a given IT system.
Risk assessment is more complex than identifying faulty security components or modules that fall outside compliance. Unlike the checklist approach to security, a risk-based approach asks the organization to consider its entire IT apparatus and place it within a specific context that includes up-to-date security threats, compliance demands, and business goals.
The result? The organization may make decisions based on business goals and security demands that don’t line up 100% with the strongest or latest cyber security recommendations. More concretely, it may adopt technological configurations that address specific issues or vulnerabilities even if they don’t align with a particular compliance framework.
A risk assessment process will include some or all of the following steps:
- Context: Every IT system exists in a context through which other considerations will emerge. The context will consist of the total scope of the IT system in question (including components that fall under regulatory requirements), any compliance frameworks, the kinds of data processed or stored, and the stakeholders involved.
- Identifying Risks: Identifying risks involves locating where a security event, if it occurred, would damage the systems and data in scope. These risks fall into several categories, including those that would prevent organizational goals from being achieved, those that trigger undesirable events (as opposed to more desirable ones), those that emerge from external threats, and those that exist because of the interactions between two or more components.
- Measuring and Assessing Risks: Risk management requires an organization to enumerate risks and assess them based on their potential impact on the system and the business’s mission. Depending on that assessment, the organization must determine how it can minimize the issue, whether it might pursue alternate security measures, or whether the risk itself is a worthwhile burden compared to other considerations.
- Developing Mitigation and Response Procedures: If a risk exists and the organization decides that accepting it is worthwhile, it must establish response measures to mitigate or eliminate the resulting problems if that risk materializes.
How Is Risk Managed in FedRAMP?
Considering that the full name of the standard is the Federal Risk and Authorization Management Program, risk assessment and management play a role in cloud provider authorization. Because the demand for cloud technology offerings is growing, it’s critical that these providers can support ongoing and thorough security assessments to protect sensitive federal information.
Like other security requirements in FedRAMP, risk management standards are drawn from the National Institute of Standards and Technology (NIST) Special Publication 800-53. More specifically, FedRAMP includes items from the “Risk Assessment” family of controls contained therein.
These controls include:
RA-1, “Policy and Procedures”
Risk management cannot be performed as an ad hoc procedure, nor can cloud providers give the FedRAMP authorization bodies proper risk management documentation without policies and procedures in place. Organizations must include risk management policies and procedures within their larger security and privacy policies, documented and reported to FedRAMP authorization bodies. Furthermore, providers must update these policies in the event of a security incident, substandard audit results from a 3PAO, or changes to security laws and requirements.
RA-2, “Security Categorization”
Organizations must categorize threats and controls based on how they may impact the overall system through loss of confidentiality, integrity, and availability. Guidance for these approaches to categorization is drawn from FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems.” It will align with federal Impact Levels (Low, Moderate, or High).
RA-3, “Risk Assessment”
Organizations must conduct risk assessments that include:
- Identifying threats and vulnerabilities
- Determining the likelihood of a negative impact
- Integration of results from the assessment into management decisions and business operations
- Documentation of the risk assessment and results
- Review of the results to help determine future actions and policies
- Dissemination of risk assessment results to relevant stakeholders, including internal security and information officers
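The categorization in RA-2 and the assessment steps in RA-3 above can be carried out as a small, repeatable procedure. The following is an added example, not code from the article or from Continuum GRC: it applies the FIPS 199 "high water mark" rule (the overall impact level is the highest level assigned to confidentiality, integrity, or availability) and then builds a ranked risk register from a likelihood and impact score in the style of NIST SP 800-30. The system, threats, ratings, and rating thresholds are all constructed for illustration; a real organization's risk management policy (RA-1) fixes its own scales.

```python
"""Added worked example (not from the article): FIPS 199 categorization (RA-2)
and a likelihood x impact risk assessment (RA-3) over a constructed register."""
from dataclasses import dataclass

# Ordinal impact levels used by FIPS 199 and the FedRAMP baselines.
LEVELS = ["Low", "Moderate", "High"]


def categorize_system(confidentiality, integrity, availability):
    """FIPS 199 'high water mark': the system's overall impact level is the
    highest level assigned to any of the three security objectives."""
    ratings = (confidentiality, integrity, availability)
    for r in ratings:
        if r not in LEVELS:
            raise ValueError(f"unknown impact level: {r}")
    return max(ratings, key=LEVELS.index)


@dataclass
class Risk:
    threat: str           # threat source or event (RA-3: identify threats)
    vulnerability: str    # weakness the threat could exercise
    likelihood: int       # 1 (rare) .. 5 (almost certain) (RA-3: likelihood)
    impact: int           # 1 (negligible) .. 5 (severe)
    owner: str            # stakeholder who receives the result (RA-3: dissemination)

    @property
    def score(self):
        return self.likelihood * self.impact


def rate(score):
    """Map a 1..25 score onto a qualitative rating. The thresholds are a
    constructed choice, not values taken from NIST or FedRAMP."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def assess(risks):
    """Produce the documented, ranked register that RA-3 asks for, so the
    results can feed management decisions and be reviewed later."""
    ranked = sorted(risks, key=lambda r: r.score, reverse=True)
    return [
        {"threat": r.threat, "vulnerability": r.vulnerability,
         "score": r.score, "rating": rate(r.score), "owner": r.owner}
        for r in ranked
    ]


# Constructed sample register for a hypothetical SaaS offering.
SAMPLE_RISKS = [
    Risk("External attacker", "Unpatched internet-facing web server", 4, 5, "CISO"),
    Risk("Insider", "Excessive database privileges", 2, 4, "DBA lead"),
    Risk("Supplier outage", "Single CDN provider", 3, 2, "Platform lead"),
]

if __name__ == "__main__":
    print("System impact level:", categorize_system("Moderate", "Moderate", "High"))
    for row in assess(SAMPLE_RISKS):
        print(row)
```

Because the register is plain data, the same function can be re-run after each policy update or incident (the triggers RA-1 names) and the two outputs diffed, which gives the "review of results" step something concrete to compare.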
This requirement also describes several enhancements, some of which may play a role at higher levels of FedRAMP authorization:
- Supply Chain Risk Assessment: The increasing reliance of businesses and federal agencies on third-party vendors presents security challenges to organizations attempting to map out their risk landscape. Supply chain risk assessment requires that organizations investigate and inventory supply chain personnel and technology for risks that may impact their systems and, if necessary, take mitigating actions.
- All-Source Intelligence: “All-source” intelligence is information (from an organization or a product) that has been derived from every available source in its area. In this context, it refers to deriving risk assessments from all available information, including open-source data, human intelligence, signals intelligence, and imagery intelligence.
- Dynamic Threat Awareness: An organization has a demonstrated ability to absorb information from the industry and the cybersecurity landscape and integrate changes in policy and procedure to meet shifting threats and requirements.
- Predictive Cyber Analytics: An organization can utilize automation and AI to support security threat teams in the form of predictive analytics and suggestions. These tools should also be able to streamline complex workflows and data collection such that threats may be more readily responded to or thwarted.
RA-5, “Vulnerability Monitoring and Scanning”
Organizations must additionally include vulnerability scanning tools and operations that meet a set of responsibilities, including:
- Monitoring and scanning for vulnerabilities in a system and applications
- Employing monitoring tools facilitating interoperability among scanning tools and processes
- Analyzing reports from scanning and monitoring
- Remediating vulnerabilities along procedures outlined in the risk management policy
- Sharing results from scans with relevant personnel to eliminate similar vulnerabilities
- Employing tools that can be readily updated to incorporate newly-discovered vulnerabilities
Like RA-3, RA-5 also includes enhancements that could change how this control is applied under FedRAMP. These enhancements include:
- Updated Vulnerabilities to Be Scanned: The organization can regularly update scanning tools to meet newly discovered threats and implement congruent mitigation efforts.
- Breadth and Depth of Coverage: The organization can express the coverage of a scan as a percentage of the total covered system, the types of systems, and the vulnerabilities checked. This is used to determine the efficacy and suitability of the scan.
- Discoverable Information: The organization can identify discoverable information or data that hackers can gather without breaking into the system.
- Privileged Access: Scanning tools must be given privileged access to sensitive systems to provide more detailed and accurate results.
- Automated Trend Analyses: The organization uses analytics tools to provide insights on scanning results over time.
- Review Historic Audit Logs: The organization can look back into its audit logs to determine if a vulnerability has been exploited before discovery and, if so, to what extent.
- Correlate Scanning Information: The organization must use collections of scanning results alongside other information to trace attack trees or complex collections of activity that point to potential or realized attacks. This allows for the identification of new attack vectors or security vulnerabilities.
- Public Disclosure Program: The organization must establish a public reporting channel to disclose vulnerabilities. This channel must be discoverable and utilize clear language to facilitate the understanding of scanning results.
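Two of the RA-5 enhancements above, “Breadth and Depth of Coverage” and “Review Historic Audit Logs”, are worth seeing as concrete computations. The following is an added example, not code from the article or from any scanning product: it measures breadth as the share of inventoried hosts that appear in scan output and depth as the distinct checks run per host, then, for each confirmed finding, pulls the audit events on the same host and service that predate the scanner's first report, which is the evidence an analyst reviews to decide whether a weakness was exercised before discovery. The inventory, scan findings, finding identifiers, log lines and log format are all constructed placeholders.

```python
"""Added worked example (not from the article): RA-5 scan coverage metrics and
pre-discovery audit log review over constructed scan results and log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: the authoritative list of hosts in the boundary.
INVENTORY = {"web-01", "web-02", "db-01", "bastion-01"}

# Constructed scan output. "finding" is None when the check ran but found
# nothing; the finding identifiers are placeholders, not real advisories.
SCAN_FINDINGS = [
    {"host": "web-01", "check": "CHK-1001", "finding": "VULN-PLACEHOLDER-A",
     "service": "nginx", "first_seen": "2024-03-10"},
    {"host": "web-02", "check": "CHK-1001", "finding": None,
     "service": "nginx", "first_seen": "2024-03-10"},
    {"host": "db-01", "check": "CHK-2002", "finding": "VULN-PLACEHOLDER-B",
     "service": "postgres", "first_seen": "2024-03-10"},
]

# Constructed audit log lines in a simple syslog-like layout:
# <timestamp> <host> <service>: <message>
AUDIT_LOG = """\
2024-03-02T01:12:09Z web-01 nginx: 203.0.113.7 "GET /.env" 403
2024-03-05T22:40:51Z web-01 nginx: 203.0.113.7 "POST /upload" 200
2024-03-06T03:01:00Z db-01 postgres: FATAL: password authentication failed for user "admin"
2024-03-11T09:15:30Z web-02 nginx: 198.51.100.4 "GET /" 200
"""

LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\w+):\s+(.*)$')


def coverage(findings, inventory):
    """Breadth: percentage of inventoried hosts present in the scan output.
    Depth: number of distinct checks executed on each scanned host.
    Also returns the hosts the scan never touched, which is the gap to close."""
    scanned = {f["host"] for f in findings}
    checks = defaultdict(set)
    for f in findings:
        checks[f["host"]].add(f["check"])
    breadth = 100.0 * len(scanned & inventory) / len(inventory)
    depth = {host: len(c) for host, c in checks.items()}
    unscanned = sorted(inventory - scanned)
    return breadth, depth, unscanned


def _parse_log(log_text):
    """Turn log lines into (timestamp, host, service, message) tuples,
    skipping lines that do not match the constructed layout."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, service, msg = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       host, service, msg))
    return events


def prior_activity(findings, log_text):
    """For every confirmed finding, collect audit messages on the same host and
    service that were logged before the scanner first reported it. The result
    is a review queue keyed by (host, finding), not a verdict by itself."""
    events = _parse_log(log_text)
    review = {}
    for f in findings:
        if not f["finding"]:
            continue
        first_seen = datetime.fromisoformat(f["first_seen"] + "T00:00:00+00:00")
        hits = [msg for ts, host, svc, msg in events
                if host == f["host"] and svc == f["service"] and ts < first_seen]
        review[(f["host"], f["finding"])] = hits
    return review


if __name__ == "__main__":
    breadth, depth, unscanned = coverage(SCAN_FINDINGS, INVENTORY)
    print(f"breadth: {breadth:.1f}% of inventory; unscanned: {unscanned}")
    print("depth (checks per host):", dict(depth))
    for key, hits in prior_activity(SCAN_FINDINGS, AUDIT_LOG).items():
        print(key, "->", len(hits), "pre-discovery events")
```

The coverage figure is what a 3PAO would expect to see reported as a percentage of the authorization boundary, and the unscanned list is the more useful output for remediation. The review queue deliberately stops at collecting evidence: whether an earlier event was an actual exploitation attempt is an analyst's judgment, which is why RA-5 pairs this enhancement with “Correlate Scanning Information”.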
Prepare Your Risk Management Portfolio with Continuum GRC
Compliance has long moved away from checklists to ongoing assessments and risk management, and FedRAMP is no different. Fortunately, the Continuum GRC platform is a cloud-based utility that allows organizations to track compliance and risk requirements in real-time, all with the support of our cybersecurity experts.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every significant regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.