Achieve FedRAMP Compliance in the AWS Cloud

October 07 2019

IST. NIST. GSA. DOD. DHS. SAF. OMB. FISMA. GSA. FedRAMP. With all the various acronyms and abbreviations used, the US government, its entities, and its myriad of regulations can seem like an alphabet soup. For companies that want to provide cloud-related services to federal agencies, sorting through the letters is the least of their concerns.

As most IT professionals working in regulated industries know, achieving and maintaining compliance with various regulatory requirements isn’t easy. When those regulations are government-directed, things can get even more complicated. That’s the case with the Federal Risk and Authorization Management Program (FedRAMP).

FedRAMP and Cloud Security

Most cloud providers build security into their cloud services. AWS is one of them and well recognized for its multi-faceted, high-level security approach. Nonetheless, the US government has its own specifications for cloud security.

Among the requirements to achieve compliance with FedRAMP, organizations that wish to provide cloud service offerings (CSO) to federal agencies must:

  • Determine their authorization strategy and be granted an Agency Authority to Operate (ATO) by a US federal agency, or a Provisional Authority to Operate (P-ATO) by the Joint Authorization Board (JAB).
  • Complete a FIPS PUB 199 worksheet to categorize what types of data are (or can be) contained within the system to determine the impact level for the system.
  • Select the FedRAMP security controls baseline that matches the FIPS PUB 199 categorization level.
  • Meet the FedRAMP security control requirements as described in the NIST SP 800-53, Rev. 4 security control baseline for moderate or high impact levels. Moderate-level systems have 325 controls, while high-level systems must comply with 421 controls.
  • Document the details of the implementation in a System Security Plan, and show that all its system security packages use the required FedRAMP templates.
  • Undergo an independent security assessment conducted by a third-party assessment organization (3PAO).
  • Develop a Plan of Action & Milestones (POA&M) that addresses the specific vulnerabilities noted in the Security Assessment Report (SAR).
  • Have the completed security assessment package posted in the FedRAMP secure repository.

That’s the abbreviated version. Each of these bullet points can entail numerous steps and decisions. For many companies, it can take 12-18 months just to get through the FedRAMP requirements.

Real-World Compliance Needs

Given the complexity and how time-consuming it can be to achieve compliance with various regulatory requirements such as those of FedRAMP, it’s not surprising that many companies seek the help of third-party companies. Few have the in-house expertise or experience in dealing with specific compliance requirements.

It’s also not surprising that ClearScale frequently helps customers with compliance requirements, including those of FedRAMP. We do have both the experience and expertise in dealing with compliance issues. Often, our solutions involve the use of automation to help accelerate the various processes required to meet compliance requirements. In the case of FedRAMP, that can help drastically reduce the typical 12-18 month timeframe for compliance.

That was the case for one ClearScale customer that was recently preparing for a FedRAMP audit. Among its requirements was to establish a secure configuration posture, which required hardening its Amazon Elastic Compute Cloud (Amazon EC2) instances to Center for Internet Security (CIS) Benchmark standards. Hardening reduces a system’s attack surface by tightening its configuration beyond the default settings.

Specifically, the customer needed custom Ansible playbooks created based on the CIS Benchmarks for the Ubuntu Linux operating system. Ansible is an open-source tool for automated configuration management, orchestration, provisioning of systems, zero-downtime rolling updates and application deployment. Playbooks are Ansible’s configuration, deployment, and orchestration language. They can describe a policy for remote systems to enforce or the steps for a general IT process.

The ClearScale Solution

The ClearScale team developed a custom CIS Benchmarks compliance solution in which Ansible playbooks continually monitor the customer’s system against CIS Benchmarks.

The Ansible playbooks analyze hardened images and keep the hardening up to date on all instances. They are launched automatically at set intervals to check for and correct any non-compliant items, such as port 22 (SSH) exposed on instances, publicly accessible S3 buckets, and unencrypted communication channels. Because the solution is driven by a Python-based script, it can be launched in various environments. After each check, a status report is generated and sent to the customer.
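As an added illustration of the three checks named above (not ClearScale’s code), the following Python evaluates a constructed, offline inventory of security groups, S3 buckets and load-balancer listeners and returns one finding per non-compliant item; the dictionary layout, the `policy_allows_public` flag and the resource names are assumptions standing in for live AWS API output.

```python
from typing import Dict, List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}
PAB_KEYS = ("block_public_acls", "ignore_public_acls", "block_public_policy", "restrict_public_buckets")

def ssh_open_to_world(sg: Dict) -> bool:
    """True if an ingress rule admits TCP/22 (or all traffic) from 0.0.0.0/0 or ::/0."""
    for rule in sg.get("ingress", []):
        proto = rule.get("protocol")
        covers_22 = proto == "-1" or (
            proto == "tcp" and rule.get("from_port", 0) <= 22 <= rule.get("to_port", 65535))
        if covers_22 and set(rule.get("cidrs", [])) & WORLD_CIDRS:
            return True
    return False
def bucket_is_public(bucket: Dict) -> bool:
    """True if an ACL grant or policy opens the bucket to everyone and Block Public Access does not override it."""
    pab = bucket.get("public_access_block", {})
    if all(pab.get(k, False) for k in PAB_KEYS):
        return False  # all four Block Public Access settings on: public grants are ineffective
    if PUBLIC_GRANTEES & set(bucket.get("acl_grantees", [])):
        return True
    return bool(bucket.get("policy_allows_public", False))  # assumed flag from a policy analysis step
def listener_unencrypted(listener: Dict) -> bool:
    """True for a load-balancer listener that accepts plaintext HTTP."""
    return listener.get("protocol", "").upper() == "HTTP"
def audit(inventory: Dict) -> List[str]:
    """One finding per non-compliant item, in inventory order; an empty list means compliant."""
    findings = []
    for sg in inventory.get("security_groups", []):
        if ssh_open_to_world(sg):
            findings.append(f"{sg['id']}: port 22 reachable from the internet")
    for b in inventory.get("buckets", []):
        if bucket_is_public(b):
            findings.append(f"s3://{b['name']}: publicly accessible")
    for l in inventory.get("listeners", []):
        if listener_unencrypted(l):
            findings.append(f"{l['id']}: plaintext HTTP listener")
    return findings

# Constructed sample inventory (fictitious resources), loosely shaped like AWS API output.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-bastion", "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-app", "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]}]}],
    "buckets": [{"name": "logs-open", "acl_grantees": ["AllUsers"], "public_access_block": {}},
                {"name": "logs-blocked", "acl_grantees": ["AllUsers"], "public_access_block": dict.fromkeys(PAB_KEYS, True)}],
    "listeners": [{"id": "lb-web:80", "protocol": "HTTP"}, {"id": "lb-web:443", "protocol": "HTTPS"}],
}
```

Running `audit(SAMPLE_INVENTORY)` flags the bastion group, the unblocked public bucket and the port-80 listener, while the private group, the bucket protected by Block Public Access and the HTTPS listener pass.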

By leveraging CIS Benchmarks and EC2 hardened images to create an “audit ready” AWS environment, ClearScale was able to accelerate the process of obtaining FedRAMP authorization for the customer’s application environment.

Always Custom

Of course, no two customers are alike, so solutions to their compliance needs aren’t either. That’s why at ClearScale we take the time to understand our customers’ environments, business objectives, and short- and long-term goals, as well as their compliance requirements. That enables us to create customized solutions to meet their specific needs. For us, it’s the normal way to do business and an approach that’s as easy as A-B-C.

Learn what ClearScale can do for you. Contact us today.
