Cisco achieves FedRAMP success through Coalfire's Advisory Services

CHALLENGE

The U.S. federal government’s rapid cloud adoption and rigorous security standards are setting the pace for agencies and their vendors across the entire public sector, from state and county to municipal and district. The Federal Risk and Authorization Management Program (FedRAMP) is the flagship security compliance framework and defines the go-to-market path for a new generation of government cloud service providers.

Achieving FedRAMP certification has never been easy. The process traditionally took more than two years and was not repeatable between distinct products and services. Cisco saw an opportunity to move quickly and reduce that FedRAMP readiness timeline significantly and make FedRAMP Authority to Operate (ATO) certification reciprocal across divisions, geographies, and product lines.

“Cisco embarked on a mission to simplify and accelerate FedRAMP compliance. They met the challenge, and their transformative journey continues today by empowering product teams to innovate and deliver exceptional cloud services to the U.S. government.”

– KAREN LAUGHTON, EVP, ADVISORY SERVICES, COALFIRE 

SOLUTION

Cloud service and SaaS providers can’t afford to allow competitors to gain first-mover advantage with compliance credentials and public sector contract wins. In response, Cisco adopted an automated compliance strategy – informed by human intelligence – to meet the challenges of evolving standards, the proliferation of machine-learning solutions, and the “alphabet soup” of regulatory frameworks.

Vadlamudi’s team optimized SaaS security compliance by developing a centralized Cloud Controls Framework (CCF) and Federal Operational Security Stack. With the company’s security and IT architecture on a dedicated government cloud, Cisco’s goal was to reduce the time to FedRAMP readiness, bring in operational engineering efficiencies, repurpose the FedRAMP work across multiple teams, along with increasing the security posture of its FedRAMP offers. This was achieved by automating compliance across the company, which in turn accelerated market access for current and future SaaS solutions.

“At Cisco, we want to be proactive and have a strategy that allows us to be ready to comply with various U.S. and global certifications that align with our market access strategy,” said Vadlamudi. “Given Coalfire’s familiarity and success rate with FedRAMP and other global certifications, we decided to build the Federal Operational Security Stack using the Coalfire Advisory practice.”

Coalfire serves as trusted advisor and engineering partner in achieving FedRAMP readiness including:

• Operations stack design/build
• Guiding the stack through the FedRAMP readiness process
• Preparing multiple Cisco products for full FedRAMP assessments
• Identifying compliance gaps and closing them
• Developing required documentation
• Ensuring Cisco product-line compatibility with its compliance operations stack
• Troubleshooting complex technical issues

“Federal and state agencies are quickly embracing the Cloud Smart strategy. They are focused on leveraging modern technologies to support their missions and enhance the services they deliver to the public. With FedRAMP now the law of the land, they have a consistent framework to support the improvement of their overall security posture.”

– KAREN LAUGHTON, EVP, ADVISORY SERVICES, COALFIRE 

RESULTS

The collaborative FedRAMP solution accelerates time to market and saves money. Most importantly, the synergy frees Cisco teams to do what they do best: Engineers build best-in-class solutions, marketers navigate lucrative contracting opportunities, and security pros concentrate on threat-informed defense and response.

Cisco’s Global Cloud Compliance team worked with Coalfire’s Accelerated Cloud Engineering (ACE) solution to build the FedRAMP-ready Operational Security Stack, addressing controls from the following domains:

• Access Control (AC)
• Identification and Authentication (IA)
• Audit and Accountability (AU)
• Configuration Management (CM)
• Risk Assessment (RA)
• Systems and Communication Protection (SC)
• System and Information Integrity (SI)

Today, the Cisco Federal Operational Security Stack allows product teams to inherit more than 50% of FedRAMP compliance controls, which dramatically reduces time to FedRAMP audit readiness.

“There are so many vendors with cookie-cutter solutions. One-size-fits-all was not going to work, nor did we want to turn over the keys to a third party. We needed trusted advisors who understood our technical requirements. Working with Coalfire, we built the right stack, customized operations, and embarked on Cisco’s next-generation compliance journey together.”

– PRASHANT VADLAMUDI, VICE PRESIDENT of GLOBAL CLOUD COMPLIANCE, CISCO 

As a result of this effective compliance strategy, Cisco was recognized by a panel of security leaders, industry experts, and academics with the prestigious CSO50 Award for security projects and initiatives that demonstrate outstanding business value and thought leadership. “This year’s winners of the CSO50 Awards are transformative projects that reflect new and innovative thinking and strong leadership despite the pressures of a rapidly changing threat environment,” said Beth Kormanik, awards program chair. Vadlamudi attributes this success to his extended compliance team.

“At Coalfire, we’ve developed solutions for companies of all sizes, and now open-source our FedRAMP code to allow all organizations the option to build their own compliance environments. On top of our RAMP/pak starter code and documentation, we can support our clients with everything from compliance advisory and cloud engineering expertise to helping them build and deploy innovative FedRAMP-compliant solutions as we did with Cisco’s Federal Operational Security Stack.”

– TOM MCANDREW, KAREN LAUGHTON, COALFIRE