What Is the Threat-Based Risk Profiling Methodology in FedRAMP?
In February 2022, the FedRAMP Program Management Office updated the rules for its threat-based profiling methodology. This little-known approach to FedRAMP risk profiling and the rating of security controls is the program’s effort to streamline authorization and program management using industry knowledge and agile development methodologies.
Why Would the FedRAMP PMO Look for a Risk Profiling Methodology?
FedRAMP is a unified and comprehensive approach to cybersecurity for cloud service providers and government agencies. This framework provides these organizations with the guidelines and tools they need to assess security needs (on the part of agencies) and proper security control implementation and maturity (on the part of CSPs).
One of the challenges of this framework, however, is the wide range of applicability of control families. FedRAMP primarily draws from NIST Special Publication 800-53, a relatively stable set of standards that these organizations may follow. But, depending on the actual needs and capabilities of all stakeholders, CSPs may find themselves with different infrastructures serving different requirements across different agencies.
Therefore, the Office of Management and Budget (OMB) coordinated with the FedRAMP Program Management Office (PMO) on a study of the feasibility of an agile way to assess security controls and streamline cloud offering authorizations.
The FedRAMP Threat-Based Risk Profiling Methodology emerged from this study. The goals of this methodology are threefold:
- Efficiency: A comprehensive framework for assessing risk profiles would simplify assessing authorizations, providing a way to measure a system’s overall maturity and health as opposed to listing off security controls from NIST SP 800-53.
- Security: At the same time, this framework had to maintain high levels of security and assessment in the FedRAMP program and, as such, combine robust risk assessments with compliance requirements to promote real-time security and threat awareness.
- Industry Coordination: The profiling methodology in this framework draws from several industry organizations and standards, notably the MITRE Engenuity program and the ATT&CK knowledge base.
As part of this coordinated study, the PMO also worked with two cybersecurity threat analysis frameworks to develop an applied assessment model for the controls in NIST SP 800-53. These are:
- Department of Defense Cybersecurity Analysis and Review (DoDCAR): This DoD program defines a technical cyber threat framework that relies on threat and infrastructure evaluations to produce end-to-end analyses of an organization’s cybersecurity architecture.
- Department of Homeland Security CISA Cybersecurity Analysis and Review (.govCAR): This program parallels the DoD program for non-defense (civilian) federal agencies.
Leaning primarily on the .govCAR team, the PMO was able to align a methodology with rigorous government and private-industry standards.
What Are the Three Phases of the FedRAMP Risk Profiling Methodology?
The meat of the methodology is a three-phase process that moves from analysis to assessment and profiling:
Phase 1: Threat-Based Analysis
Currently, there is a set of standard baselines for FedRAMP Authorization, but these baselines are spread across different cloud offerings, security systems, and agency demands. This means that authorization packages may need to adopt different security implementations depending on agency relationships and industries.
The core of this particular methodology is to establish potential “common values” that can align with the baseline FedRAMP criteria. Controls from NIST SP 800-53 were scored using the .govCAR process and rated on their capability to Protect, Detect, and Respond against threats and threat actions in industry-standard frameworks like MITRE ATT&CK. For each category (Protect, Detect, Respond), the control receives a value of Limited, Moderate, Significant, or Not Applicable to illustrate its importance to that category.
The process took almost a year, and the departments wanted to streamline scoring of the remaining NIST 800-53 revision 4 controls along with the new controls and changes in revision 5. This led to a comprehensive process in which each control was scored using one of the following approaches:
- MITRE Engenuity Scoring: The MITRE Engenuity program scored the majority of controls. Engenuity is a group within the MITRE organization tasked with aiding government IT and security efforts as they adjust to new threats and vulnerabilities.
- Enhancement Scoring: If a control had enhanced requirements due to the revision or a FedRAMP Impact Level, assessment groups would either give the control the same score as its base control or justify an updated score.
- Correlated Controls: Controls that were not assessed in the Engenuity scoring but inherited the score of a similar or related control that was.
- Non-Engenuity-Scored Controls: Certain controls not covered by the Engenuity scores received specific assessments based on the types of attacks they address or the threats they mitigate.
Phase 2: Security Control Assessments
These security controls were then “deconstructed” into more granular control items. These items are more concrete reflections of security capabilities, each of which can be tested for defects.
At this phase, the implementation of each control item is assessed with a status of either Satisfied or Other than satisfied. Because the control items are concrete and testable, the assessment of implementation and defects can be automated using the control items as inputs.
Phase 3: Risk Profiling
Using a calculation that combines the values assigned to the NIST 800-53 security controls with the Satisfied (or Other than satisfied) status of each control item, the model then produces a maturity level based on the NIST Interagency Report (NISTIR) 8011.
The 16 capabilities in NISTIR 8011 used to measure maturity include:
- Manage and Assess Risk (RISK): Capabilities for reducing exploits that stem from failures of risk management. Includes using ISCM dashboards and the scoring of risk levels, with close involvement from C-level officers (CIO, CISO, CEO, CTO).
- Platform Resilient Systems Engineering (SE): Reducing exploits resulting from policy and management failures. Includes the ability to monitor and evaluate systems and to adjust or expand policies and controls to stop threats across the system.
- Hardware Asset Management (HWAM): Preventing unauthorized and unmanaged devices from threatening an IT system. Includes maintaining inventories of devices and hardware and establishing a device boundary.
- Software Asset Management (SWAM): Preventing threats from unauthorized software, including software used as a platform to move laterally through a system. Includes maintaining inventories of software and executables.
- Configuration Settings Management (CSM): Maintaining common configuration settings to prevent system compromise. Includes maintaining system settings and treating deviations from system settings as security defects.
- Vulnerability/Patch Management (VULN): Applying patches for emerging vulnerabilities published in the National Vulnerability Database. Includes identifying vulnerable systems with scanning tools, patching them, and keeping patch status current against the CVE vulnerability database.
- Manage Trust for Persons Granted Access (TRUST): Restricting access to system resources from unauthorized users. Includes user screening, tracking, authentication, and authorization.
- Manage Behavioral Expectations (BEHAVE): Educating authorized users on acceptable behaviors based on security requirements. Includes regular training, documentation of best practices and procedures, providing certification courses, etc.
- Manage Credentials and Authentication (CRED): Managing credentials and authentication so that credentialed access is limited to the resources a user actually needs.
- Manage Privileges and Accounts (PRIV): Using principles of least privilege to ensure users may only access minimal resources to complete tasks. Includes role-based authorization and in many cases, zero-trust principles.
- Manage Physical Boundaries (BOUND-P): Controlling physical access into and out of locations like data centers, offices, and work areas.
- Manage Network Boundaries (BOUND-N): Maintaining network security to monitor and control traffic in and out of local and sensitive areas, including network enclaves and secured servers or workstations.
- Manage Other Boundaries (BOUND-O): Maintaining best practices that ensure the privacy, confidentiality, and security of sensitive information. Includes encryption for data at rest and in transit.
- Manage Preparation for Events (PREP): Implementing and executing contingency plans in the event of a breach or system compromise. Includes backing up data, maintaining hot and cold recovery systems, installing physical recovery devices (generators), and so on.
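As an added example (not from the FedRAMP PMO, the .govCAR team, or this article), here is a small Python model that walks the three phases above: Phase 1 ratings as an enum, Phase 2 control items including one automated settings check that treats any deviation from a baseline as a defect (the CSM idea), and Phase 3 aggregation into Protect/Detect/Respond scores, per-capability scores, and a maturity level. The numeric weights, the aggregation formula, the maturity bands, and the ratings and evidence attached to the sample controls are assumptions of this example, not FedRAMP's published values; CM-6, SI-2, IA-5, and CP-9 are real NIST SP 800-53 identifiers, but the scores given to them here are invented.

```python
from dataclasses import dataclass, field
from enum import Enum


class Rating(Enum):
    """Phase 1 value a control receives for Protect, Detect or Respond.
    The numeric weights are an assumption of this example, not .govCAR's."""
    NOT_APPLICABLE = 0
    LIMITED = 1
    MODERATE = 2
    SIGNIFICANT = 3


CATEGORIES = ("Protect", "Detect", "Respond")


@dataclass
class ControlItem:
    """Phase 2: one granular, testable piece of a control, tagged with the
    NISTIR 8011 capability (e.g. CSM, VULN, CRED, PREP) it supports."""
    item_id: str
    capability: str
    satisfied: bool  # True = Satisfied, False = Other than satisfied


@dataclass
class Control:
    """A NIST SP 800-53 control with its three Phase 1 ratings and its items."""
    control_id: str
    ratings: dict  # category name -> Rating
    items: list = field(default_factory=list)

    def item_fraction(self) -> float:
        """Share of this control's items that are Satisfied (0.0 if no items)."""
        if not self.items:
            return 0.0
        return sum(1 for i in self.items if i.satisfied) / len(self.items)


def settings_item(item_id: str, capability: str, baseline: dict, observed: dict) -> ControlItem:
    """Automated Phase 2 check in the spirit of the CSM capability: any observed
    setting that differs from (or is missing from) the baseline is a defect,
    so the item is Other than satisfied."""
    deviations = {k: observed.get(k) for k, v in baseline.items() if observed.get(k) != v}
    return ControlItem(item_id, capability, satisfied=not deviations)


def category_scores(controls: list) -> dict:
    """Phase 3, assumed aggregation: per category, the rating-weighted mean of
    each control's satisfied-item fraction; Not Applicable controls are skipped."""
    scores = {}
    for cat in CATEGORIES:
        pairs = [(c.ratings[cat].value, c.item_fraction())
                 for c in controls if c.ratings[cat] is not Rating.NOT_APPLICABLE]
        total = sum(w for w, _ in pairs)
        scores[cat] = round(sum(w * f for w, f in pairs) / total, 3) if total else None
    return scores


def capability_scores(controls: list) -> dict:
    """Fraction of Satisfied items per NISTIR 8011 capability."""
    by_cap = {}
    for c in controls:
        for i in c.items:
            by_cap.setdefault(i.capability, []).append(i.satisfied)
    return {cap: round(sum(v) / len(v), 3) for cap, v in sorted(by_cap.items())}


def maturity_level(scores: dict) -> int:
    """Assumed maturity bands (not taken from NISTIR 8011): the weakest
    category decides, so a strong Respond score cannot mask weak Detect."""
    worst = min(s for s in scores.values() if s is not None)
    for level, floor in ((4, 0.95), (3, 0.80), (2, 0.50)):
        if worst >= floor:
            return level
    return 1


def build_sample_controls() -> list:
    """Constructed sample: real 800-53 control identifiers, but the ratings,
    items and evidence are made up for this example."""
    baseline = {"ssh_root_login": "no", "password_min_len": 14, "audit_logging": "on"}
    observed = {"ssh_root_login": "no", "password_min_len": 12, "audit_logging": "on"}
    return [
        Control("CM-6", {"Protect": Rating.SIGNIFICANT, "Detect": Rating.MODERATE,
                         "Respond": Rating.NOT_APPLICABLE},
                [settings_item("CM-6.1", "CSM", baseline, observed),  # defect: min length 12
                 ControlItem("CM-6.2", "CSM", True)]),
        Control("SI-2", {"Protect": Rating.SIGNIFICANT, "Detect": Rating.LIMITED,
                         "Respond": Rating.MODERATE},
                [ControlItem("SI-2.1", "VULN", True), ControlItem("SI-2.2", "VULN", True)]),
        Control("IA-5", {"Protect": Rating.MODERATE, "Detect": Rating.NOT_APPLICABLE,
                         "Respond": Rating.NOT_APPLICABLE},
                [ControlItem("IA-5.1", "CRED", True), ControlItem("IA-5.2", "CRED", False)]),
        Control("CP-9", {"Protect": Rating.LIMITED, "Detect": Rating.NOT_APPLICABLE,
                         "Respond": Rating.SIGNIFICANT},
                [ControlItem("CP-9.1", "PREP", True)]),
    ]


def profile(controls: list) -> dict:
    """Full Phase 3 output for a set of scored, decomposed controls."""
    cats = category_scores(controls)
    return {"categories": cats, "capabilities": capability_scores(controls),
            "maturity_level": maturity_level(cats)}


if __name__ == "__main__":
    for key, value in profile(build_sample_controls()).items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the maturity level is driven by the weakest of the three categories rather than their average: with the sample data, Respond scores 1.0 while Detect scores only 0.667 because the single configuration deviation drags CM-6 down, and the profile reports that weakness instead of averaging it away. Swapping the constructed `observed` dictionary for real inventory or configuration evidence is where the automation the article describes would plug in.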
Consider Implementing Risk Profiling with Continuum GRC
Risk maturity and profiling are potent and effective approaches to security and compliance, and the FedRAMP authorities have made it clear that they see them as a potential component of their program.
The best way to prepare for such a methodology is to have a solution that allows you to measure compliance and risk together, visually and in real time. That solution is Continuum GRC.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.