Long-Awaited Changes to the Nation's Cybersecurity Infrastructure Become Reality

Coalfire Cybersecurity Team

June 24, 2021

The White House puts FedRAMP® at the forefront in a new Executive Order.

There is a lot of buzz in the biz about the ripple effects of President Biden’s “Executive Order (EO) on Improving the Nation’s Cybersecurity,” which comes on the heels of the Colonial Pipeline hack. The pipeline, which delivers about 45% of the fuel used on the Eastern Seaboard, was shut down after a ransomware attack by a group of alleged criminal hackers who call themselves “DarkSide.”

The 30-page EO pushes the government and its contracted service providers to improve security, shining a light on better practices and collaboration among federal civilian agencies, defense and national security agencies, private industry, and the Federal Risk and Authorization Management Program (FedRAMP). The EO comes at a critical juncture: cloud service providers (CSPs), federal agencies, and third-party assessment organizations (3PAOs) are waiting for the updated FedRAMP security control baselines now that the National Institute of Standards and Technology (NIST) has released NIST SP 800-53 Revision 5 and its companion baseline document, SP 800-53B.

You might be wondering how this upcoming modernization will affect your current or future FedRAMP endeavors. It is safe to say that all CSPs, agencies, and 3PAOs will absolutely be affected—but the $64,000 question is HOW?

Modernizing FedRAMP

The EO puts a 60-day clock on its first FedRAMP modernization directives, so changes are coming quickly. Coalfire® has identified the elements of the EO we think will have the most impact.

The EO calls on the FedRAMP Program Management Office (PMO) to improve awareness, adoption, authorization speed, and automation. Improvements will be made to:

Better FedRAMP Agency Authorization Training
A training program will be developed so that agency authorizing officials better understand their (limited) role in the FedRAMP process. That understanding should increase the number of agencies willing to sponsor CSPs into the FedRAMP marketplace.

Improve communication with CSPs throughout the authorization process
Communication must keep improving as FedRAMP evolves. To give credit where credit is due, the PMO has expanded its outreach to social media, most recently with a YouTube channel, a blog, a newsletter, and a Twitter handle, and its customer experience team has provided great direction for CSPs looking for a sponsoring agency. FedRAMP needs more of that. That said, the dialogue between the PMO, agencies, 3PAOs, CSPs, the Joint Authorization Board (JAB), and DoD needs to be more cohesive. A lot of progress has been made, but the silos need to come down further.

Incorporate automation
One word: OSCAL. The Open Security Controls Assessment Language, NIST's machine-readable format for control catalogs, baselines, system security plans, and assessment results, is in the works and may arrive sooner rather than later. Prepare for it, whether you are a CSP, agency, or 3PAO: expect more JSON and YAML at the table. In addition, streamlining required documentation with online access and pre-populated forms will increase efficiency and gradually ease the exhaustive but necessary documentation process.
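To make "more JSON at the table" concrete, here is an added example of the kind of automation OSCAL enables (this is not Coalfire's code and not a FedRAMP PMO or NIST tool). It walks three hand-constructed, heavily trimmed OSCAL-style documents, a control catalog, a baseline profile, and a system security plan (SSP), and reports which baseline controls have no implemented-requirement in the SSP, plus any control the profile selects that does not exist in the catalog. The field names (`groups`/`controls`/`id`, `imports`/`include-controls`/`with-ids`, `control-implementation`/`implemented-requirements`/`control-id`) follow the OSCAL 1.0 JSON schema as I understand it; the documents, UUIDs, and control titles are constructed for illustration and required metadata is abbreviated.

```python
"""Walk trimmed OSCAL-style JSON documents and check baseline coverage.

Added example; not Coalfire code and not a FedRAMP PMO or NIST tool.
All three documents below are constructed and simplified. Field names follow
the OSCAL 1.0 JSON schema as the author understands it (an assumption).
"""
import json

# Constructed catalog: two control families, one control with a nested
# enhancement (OSCAL nests enhancements under the parent's "controls").
CATALOG_JSON = """
{"catalog": {"uuid": "00000000-0000-4000-8000-000000000001",
  "metadata": {"title": "Toy catalog", "version": "0.1", "oscal-version": "1.0.0"},
  "groups": [
    {"id": "ac", "title": "Access Control", "controls": [
      {"id": "ac-2", "title": "Account Management",
       "controls": [{"id": "ac-2.1", "title": "Automated System Account Management"}]},
      {"id": "ac-17", "title": "Remote Access"}]},
    {"id": "au", "title": "Audit and Accountability", "controls": [
      {"id": "au-2", "title": "Event Logging"}]}]}}
"""

# Constructed profile (baseline). "ir-4" is deliberately absent from the toy
# catalog to show how a broken selection is detected.
PROFILE_JSON = """
{"profile": {"uuid": "00000000-0000-4000-8000-000000000002",
  "metadata": {"title": "Toy baseline", "version": "0.1", "oscal-version": "1.0.0"},
  "imports": [{"href": "toy-catalog.json",
               "include-controls": [{"with-ids": ["ac-2", "ac-2.1", "au-2", "ir-4"]}]}]}}
"""

# Constructed SSP: the controls the CSP claims to implement (ac-2.1 is missing).
SSP_JSON = """
{"system-security-plan": {"uuid": "00000000-0000-4000-8000-000000000003",
  "metadata": {"title": "Toy SSP", "version": "0.1", "oscal-version": "1.0.0"},
  "control-implementation": {"description": "toy",
    "implemented-requirements": [
      {"uuid": "00000000-0000-4000-8000-000000000010", "control-id": "ac-2"},
      {"uuid": "00000000-0000-4000-8000-000000000011", "control-id": "au-2"}]}}}
"""


def load_docs():
    """Parse the three constructed documents. (A YAML serialization of OSCAL
    carries the same structure; only the loader would change.)"""
    return json.loads(CATALOG_JSON), json.loads(PROFILE_JSON), json.loads(SSP_JSON)


def flatten_controls(node):
    """Yield (id, title) for every control under a catalog, group, or control
    node, recursing into nested groups and control enhancements."""
    for group in node.get("groups", []):
        yield from flatten_controls(group)
    for control in node.get("controls", []):
        yield control["id"], control.get("title", "")
        yield from flatten_controls(control)


def catalog_controls(catalog_doc):
    """Map control id -> title for the whole catalog."""
    return dict(flatten_controls(catalog_doc["catalog"]))


def profile_control_ids(profile_doc):
    """Collect every control id a profile selects via include-controls."""
    ids = []
    for imp in profile_doc["profile"].get("imports", []):
        for selection in imp.get("include-controls", []):
            ids.extend(selection.get("with-ids", []))
    return ids


def ssp_control_ids(ssp_doc):
    """Set of control ids that have an implemented-requirement in the SSP."""
    impl = ssp_doc["system-security-plan"]["control-implementation"]
    return {req["control-id"] for req in impl.get("implemented-requirements", [])}


def coverage_report(catalog_doc, profile_doc, ssp_doc):
    """Return (missing, unknown): baseline controls with no SSP entry, and
    baseline ids that do not exist in the catalog (a broken profile)."""
    known = catalog_controls(catalog_doc)
    selected = profile_control_ids(profile_doc)
    implemented = ssp_control_ids(ssp_doc)
    unknown = sorted(cid for cid in selected if cid not in known)
    missing = sorted(cid for cid in selected if cid in known and cid not in implemented)
    return missing, unknown


def run_check():
    """Print the findings for the constructed documents and return them."""
    catalog, profile, ssp = load_docs()
    missing, unknown = coverage_report(catalog, profile, ssp)
    titles = catalog_controls(catalog)
    for cid in missing:
        print(f"GAP: {cid} ({titles[cid]}) is in the baseline but has no implemented-requirement")
    for cid in unknown:
        print(f"PROFILE ERROR: {cid} is selected but does not exist in the catalog")
    return missing, unknown


if __name__ == "__main__":
    run_check()
```

The same traversal works against the real NIST SP 800-53 catalog and FedRAMP baseline profiles once they are published in OSCAL; the point is that a coverage check a 3PAO does today by hand across a spreadsheet becomes a few lines of code.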

Identify relevant compliance frameworks
The EO calls for the FedRAMP PMO to identify relevant compliance frameworks (e.g., SOC 2 Type 2, ISO 27001, FISMA RMF, CMMC, HITRUST, and PCI), map those frameworks to requirements in the FedRAMP authorization process, and potentially allow them to substitute for the relevant portion of the authorization process, as appropriate. It is still unclear how the FedRAMP PMO will incorporate substitution of other compliance frameworks; however, this mapping is unlikely to lower the bar for meeting FedRAMP requirements or to treat something like a SOC 2 report as equivalent to a FedRAMP authorization. The net effect is more likely to clarify which FedRAMP requirements are already met by other certifications and attestations a CSP holds.

Zero Trust Architecture

The federal government is putting a strong emphasis on a transition to the cloud, as well as implementing Zero Trust Architecture (ZTA). ZTA is a model that bundles design principles, cybersecurity, and system management strategies based on the premise that threats exist inside and outside network boundaries. DHS, the Cybersecurity and Infrastructure Security Agency (CISA), OMB, and FedRAMP will develop security principles that CSPs will be required to incorporate into their FedRAMP systems.

How will those principles affect current FedRAMP boundary guidance, and how CSPs and agencies architect future systems? FedRAMP probably has the strictest authorization-boundary rules among the common frameworks, and rightfully so, so the question is not whether the guidance will incorporate ZTA but how. Additionally, for CSPs and agencies running legacy systems, or that have invested heavily in on-premises data centers, how will cloud migration affect costs and the need for funding? To learn more about ZTA, consult NIST SP 800-207, Zero Trust Architecture.

New Software Supply Chain Guidance

This guidance will require CSPs to implement, and 3PAOs to attest to, secure software development practices as part of FedRAMP authorization. Although many of the EO's directions on securing the software development process are already covered by existing FedRAMP High-impact ATO (Authority to Operate) requirements (such as automated code testing and vulnerability management), there are notable additions CSPs should be on the lookout for:

  • Secure software development environments, including such actions as:
    • Using administratively separate build environments
    • Auditing trust relationships
    • Establishing multifactor, risk-based authentication and conditional access across the enterprise
    • Documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software
    • Employing encryption for data
    • Monitoring operations and alerts and responding to attempted and actual cyber incidents
  • Make publicly available summary information on completion of these secure software development actions, to include a summary description of the risks assessed and mitigated
  • Maintain accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and perform audits and enforcement of these controls on a recurring basis. This extends to the integrity and provenance of open-source software used in a product (to the extent practicable)
  • Provide a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website
  • Participate in a vulnerability disclosure program that includes a reporting and disclosure process
  • Apply practices of the least privilege, network segmentation, and proper configuration for critical software
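The provenance and SBOM items above are the ones most CSPs will have to build tooling for, so here is an added example of the check a purchaser (or a 3PAO) can run against an SBOM: does each declared component carry an origin and an integrity hash, and does that hash match the artifact actually shipped? This is not Coalfire's code and not an EO-mandated tool; it is one practitioner's approach. The SBOM is a constructed, trimmed CycloneDX-style document (field names `bomFormat`, `specVersion`, `components[].name/version/purl/hashes[].alg/content` follow the CycloneDX 1.4 schema as I understand it), and the artifact bytes are constructed stand-ins for real packages.

```python
"""Check a Software Bill of Materials against the artifacts actually shipped.

Added example; not Coalfire code and not an EO, FedRAMP, or NIST tool.
The SBOM is constructed and trimmed; its field names follow the CycloneDX 1.4
schema as the author understands it (an assumption). Artifact contents are
constructed stand-ins for real packages.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed build output keyed by component name. libdelta is present in the
# build but will not appear in the SBOM, to exercise the "undeclared" finding.
ARTIFACTS = {
    "libalpha": b"libalpha-1.2.0 contents",
    "libbeta": b"libbeta-0.9.1 contents (tampered or mislabeled)",
    "libgamma": b"libgamma-3.0.0 contents",
    "libdelta": b"libdelta-2.4.4 contents",
}

# Constructed CycloneDX-style SBOM. libalpha's hash matches its artifact;
# libbeta's does not; libgamma has neither a hash nor a package URL (purl).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "libalpha", "version": "1.2.0",
         "purl": "pkg:generic/libalpha@1.2.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["libalpha"])}]},
        {"type": "library", "name": "libbeta", "version": "0.9.1",
         "purl": "pkg:generic/libbeta@0.9.1",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"type": "library", "name": "libgamma", "version": "3.0.0"},
    ],
}


def sbom_json(sbom: dict) -> str:
    """Serialize the SBOM as the JSON document a purchaser would receive."""
    return json.dumps(sbom, indent=2)


def verify_sbom(sbom: dict, artifacts: dict) -> list:
    """Compare declared components with shipped artifacts.

    Returns a sorted list of (component, finding) tuples. Findings:
      hash-mismatch  declared SHA-256 differs from the shipped artifact's digest
      no-hash        no SHA-256 declared, so integrity cannot be verified
      no-purl        no package URL, so origin (provenance) is undeclared
      not-shipped    SBOM lists a component absent from the build output
      undeclared     build output contains an artifact the SBOM does not list
    An empty list means every declared component checks out and nothing
    undeclared was shipped.
    """
    findings = []
    declared = set()
    for comp in sbom.get("components", []):
        name = comp["name"]
        declared.add(name)
        if "purl" not in comp:
            findings.append((name, "no-purl"))
        declared_sha = next((h["content"].lower() for h in comp.get("hashes", [])
                             if h.get("alg") == "SHA-256"), None)
        if declared_sha is None:
            findings.append((name, "no-hash"))
        if name not in artifacts:
            findings.append((name, "not-shipped"))
        elif declared_sha is not None and declared_sha != sha256_hex(artifacts[name]):
            findings.append((name, "hash-mismatch"))
    for name in artifacts:
        if name not in declared:
            findings.append((name, "undeclared"))
    return sorted(findings)


if __name__ == "__main__":
    print(sbom_json(SBOM))
    for component, finding in verify_sbom(SBOM, ARTIFACTS):
        print(f"{finding:14} {component}")
```

Note what the check does not do: it cannot tell you whether `libbeta`'s digest is wrong because the SBOM is stale or because the artifact was tampered with, only that the two disagree, which is exactly the condition a recurring audit of provenance controls is meant to surface.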

Changes to Incident Reporting Requirements

  • More transparency and wider communication will be expected in CSPs' investigation and reporting of confirmed and potential incidents. Historically, CSPs were only required to notify agency partners when an incident was confirmed as affecting agency data; now they will also need to communicate potential incidents. As a result, we expect possible changes to the FedRAMP Incident Communications Procedures and to NIST SP 800-61, the Computer Security Incident Handling Guide.
  • Reporting timelines will be specified per incident type, so CSPs will need to catalog events and incidents to ensure relevant incidents or potential incidents are reported on time. CSPs will have at most 72 hours to report the most severe cyber incidents, and some incident types may have shorter windows.
  • More engagement by CISA, the FBI, and other federal security and intelligence organizations once CSPs confirm incidents.

Coalfire is the leading FedRAMP 3PAO in the industry, providing advisory and assessment services to cloud services providers (IaaS/PaaS/SaaS).

This blog post is co-authored by Jason Oksenhendler, Director, FedRAMP Advisory Services; Jake Schauefele, Director, FedRAMP Advisory Services; and Marc Zurcher, Director, FedRAMP Advisory Services.