Sunday, September 25, 2022
HomeCloud ComputingGrowing for FedRAMP Pays Again

Growing for FedRAMP Pays Again

Getting an software or service safety licensed below FedRAMP – the Federal Threat and Authorization Administration Program – is likely one of the hardest hurdles dev and ops groups can clear.

It’s so laborious, that of all of the enterprise companies that exist on the planet, solely 276 are FedRAMP licensed. However these are the apps that the U.S. authorities companies (just like the Departments of Justice, Commerce, and Schooling, and even some Division of Protection companies) can use, so constructing an app to this customary may be profitable. The U.S. Authorities generally is a beneficial buyer.

It’s troublesome to take care of FedRAMP compliance when constructing a SaaS product, however making a DevOps course of on your dev and SRE (ops) groups collectively that permits them to stretch to FedRAMP may be price it. Sustaining FedRAMP compliance means creating merchandise with the best safety specs. The safety requirements of FedRAMP additionally embrace different strong safety requirements from NIST (Nationwide Institute of Requirements and Know-how) and FISMA (Federal Data Safety Modernization).

A handful of Cisco merchandise meet FedRAMP necessities and are listed within the FedRAMP catalog: Cisco WebEx, Cisco WebEx for Authorities, Cisco Unified Communications Supervisor Cloud for Authorities (Cisco UCM Cloud for Authorities), and Cisco Cloud Lock for Authorities. Different merchandise are within the audit course of.

To get a way of what it takes to satisfy the FedRAMP customary and the advantages and alternatives that come from incomes a FedRAMP ATO (Authorization to Function), I sat down with Charles Randall, a former teammate of mine and a safety knowledgeable at Cisco:

What was the largest problem your operations crew wanted to satisfy with FedRAMP?

Charles Randall: Our greatest problem was container vulnerability remediation, which was solely added to scope by the FedRAMP administration workplace the month our audit was scheduled. It was an unlimited change that pulled a lot of open supply tasks into scope, and even required some architectural modifications. We’re nonetheless struggling to cope with the implications right this moment.

How would you describe the distinction in your software and operations safety posture earlier than and after beginning the FedRAMP certification course of?

CR: We began with a strong software safety posture; ok to move ISO 27001/17 and SOC 2 requirements. FedRAMP calls for a considerably increased degree of operational safety, each technically and procedurally. Lots of the safety enhancements we made to attain FedRAMP compliance have been utilized to our business operations environments as effectively, guaranteeing world-class safety for our clients and constant processes and procedures throughout groups.

What are the important thing parts obligatory for sustaining a sturdy ongoing monitoring technique? Would these methods make sense in a non-FedRAMP context?

CR: The important thing parts of a sturdy monitoring program are completeness of imaginative and prescient and a strong set of KPIs. Completeness of imaginative and prescient contains full compliance and vulnerability scanning throughout your complete asset stock, in addition to monitoring of software, system and community actions with a concentrate on anomaly detection. These methods additionally make sense in non-FedRAMP context and have been almost universally utilized to our business working environments.

Do you employ off-the-shelf instruments to distinguish a safety occasion from a safety incident? Would you employ these instruments and strategy if qualifying for FedRAMP wasn’t the target?

CR: We’re primarily utilizing free open supply software program for safety occasion administration, complimented by the complete suite of AWS safety companies. Whereas we do count on rising adoption of machine studying, there’s actually no substitute for the experience of operators and analysts with eyes on logs, repeatedly refining monitoring to attain the best doable sign to noise ratio. That is one other case the place we use the identical tooling throughout FedRAMP and non-FedRAMP environments, as a result of it permits us to re-use the FedRAMP work in our business environments, and keep consistency between working environments.

How do FedRAMP necessities have an effect on software builders? Does their safety posture enhance as a part of the audit course of?

CR: FedRAMP necessities have an unlimited affect on software growth, in any respect ranges. Each choice, from system structure, to third-party element choice, all the way in which right down to your selection of cryptographic ciphers, can have vital penalties whereas pursuing or sustaining FedRAMP authorization. Past technical selections, FedRAMP controls additionally require mature software program growth processes and configuration administration practices, with many necessities extending all the way in which to construct/deploy pipeline and developer laptops.

What are the implications of builders not adopting safety greatest practices early within the worth stream (as a part of their each day work)?

Failing to undertake safety greatest practices early in your product growth cycle, or failing to combine these practices into each day routines, may very well be disastrous, no matter whether or not your group is making an attempt to pursue FedRAMP authorization. It’s well-known that the price of fixing software program defects may be an order of magnitude increased or extra in manufacturing versus growth section of the SDLC. Whereas that’s painful sufficient, whenever you issue within the potential prices of larger-scale redesigns that is perhaps required as a consequence of safety defects, the prices of safety incidents, and the doubtless catastrophic prices of a safety breach, the selection turns into clear that addressing safety calls for early and integrating it into everybody’s each day routine is the best choice. If that argument nonetheless isn’t sufficient to influence you, take into account that person information privateness laws are actually more and more enforced, and sometimes with huge fines.

What would you suggest for builders who’re new to safe coding and wish to stand up to hurry with greatest practices. Would you suggest coaching? Studying and adopting safety particular instruments?

All the above. Safe coding is simply….. coding.


Now learn:


We’d love to listen to what you suppose. Ask a query or go away a remark beneath.
And keep linked with Cisco DevNet on social!

LinkedIn | Twitter @CiscoDevNet | Fb | YouTube Channel




Please enter your comment!
Please enter your name here

Most Popular