The crown jewel of the cloud service providers is arguably their system security plan or SSP. The purpose of the SSP is to provide an overview of the security requirements of the cloud system and describe the controls that are already in place or those that have been planned, the responsibilities and the expected behavior of all individuals who access the system.
The creation of the SSP and the FedRAMP process is not only necessary to sell cloud services to the federal marketplace, it also provides an assurance that the best practices for cloud security are adhered to by the cloud service provider (CSP). It also acts to mature IT security practices in a manner that would not likely occur without the standards being mandated for FedRAMP approval.
The SSP creation is a large but appropriate and necessary effort on behalf of the CSP. My experience has shown that SSPs are created within hundreds of pages and rows (Word/Excel); they are difficult to update, and are certainly not directly tied to any automation (unless that illusive Word/Excel/PowerPoint to C++ compiler has been discovered). I do not mean to imply that CSPs do not use many intelligent, capable, and automated technologies/processes to meet the demands of the SSP. However, the SSP is typically not integrated and automated with the technologies CSPs use to carry out the compliance. The SSP creation and maintenance process itself remains a manual (and very labor-intensive) component of the overall security process.
What is the missing piece?
Tools, platforms, or applications that allow the SSP to be integrated into the automation CSPs utilize for their on-going security compliance are missing.
The ability to have all FedRAMP controls and related language combined with preloaded notional processes, policies, and procedures would be a grand start. The related steps to automate the SSP controls into workflows would greatly enhance SSP management and automation. Tying your control requirements to tools automation and the ability to evidence the required event discovery, alerting, response and remediation within a single management platform would be a panacea. Being able to use that same system to create workflows for your corporate and administrative National Institute of Standards and Technology (NIST) controls also within the same platform would be an icing on the cake.
Market needs showing itself?
That there is a desire (on behalf of the FedRAMP PMO as well as the CSPs) to move the FedRAMP security process to more a holistic automated compliance method can be inferred from the following:
- A recent Request for Information (RFI) has been released by the FedRAMP PMO. In this RFI, FedRAMP is seeking input on the following: (quote taken from the FedRAMP site)
“In collaboration with the Office of American Innovation (OAI) and American Technology Council, GSA and FedRAMP have been working to improve the security authorization process across the federal government. Our ultimate goals include:
- Reducing toil that inhibits our ability to scale improvements.
- Decreasing errors from manual activities.
- Increasing speed to process (approvals and identification of issues).
- Increasing value-add of machine-readable data for improving risk management.
One key component of this effort is identifying ways to incorporate automation into the Authority to Operate (ATO) process.”
Now, the request for information may be geared towards decreasing the time for a CSP to achieve a FedRAMP ATO. However, it also speaks to the constant dialogue that the FedRAMP PMO likely has with its constituent agencies and industry partners (cloud service providers) about increasing efficiencies in cloud security compliance.
What do you say when your friend pulls out their flip-phone?
When my previous company went through the FedRAMP process in 2012, we used the full automation of MS Office! Cut and paste was the best integration we could have hoped for in the creation of our SSP. We didn’t dare to dream about getting that SSP and its related policy and procedures to interact in any meaningful way with the security tools that we used to keep our IaaS secure. We began to see some of the availability of SSP automation prior to my exit. However, any consideration that would change the manual process hugging we had going on was not given a lot of attention. The lack of desire to alter the established manual process was frustrating.
Today, however, the number of CSPs looking to gain FedRAMP authorization is ever increasing. This is the result of a very clean FedRAMP process, and the demand for more and more cloud services from our collective Federal customers. Today’s CSP is starting with the premise that the SSP should be tied, in an integrated fashion, to their tools sets used for compliance. The thought that the SSP and its implementation is going to be all MS Office driven, for them, would be akin to a millennial looking at their parents, with their heads turned sideways, when those parents take out their flip-phones.
Is there a growing solutions market for this type of automation?
A short answer to this question is yes. The longer answer is that the market for solutions like these is emerging, but, from my observation, it is still sparse.
Some Google searches for the SSP automation list a few companies who may have started introducing solutions like this in the market. I found three companies offering security automation tools and security orchestration tools using my search string The top three results were search results of paid advertisements. Following these advertisements were links to SANS and NIST related to system security plans. My search is certainly not exhaustive, but it is one that may prove that these solutions do not exist in any large fashion. Why? Unless you intimately understand the FedRAMP process and further the efficiencies of SSP automation, you wouldn’t suspect the market to have an answer.
What did I find? I found one firm that seemed to have built a solution for the specific use case of automating the FedRAMP and security compliance frameworks.
It is built upon a proper ITSM/CMDB system (ServiceNow) which IMO was wise. ServiceNow is an industry standard that exists in a secure cloud. The product appears to have all FedRAMP controls pre-loaded into its framework, with related workflows tied to those controls. It integrates with SIEM tools that CSPs would use for security compliance. Upon dialogue with the company, it appears that it can also ingest events and alerts from (Non-SIEM) IT management tools (think, if ServiceNow can ingest, act and automate, this solution can do it too).
I will continue my search for other solutions that can assist in SSP automation. These solutions are the missing piece in assisting the expansion of secure cloud services that must adhere to strict security compliance standards.
John Keese is part of the GovLoop Featured Blogger program, where we feature blog posts by government voices from all across the country (and world!). To see more Featured Blogger posts, click here.
Have you investigated the OpenControl project? http://open-control.org/
Archer GRC.
Jamie. I have not but will. Thank you for the “point”
John,
Great article.
Just wanted you to know that your long search for an Automation tool for the SSP (and all the other required RMF/FedRAMP documentation) is over.
That miracle tool is: ViewTrust.
Sold through Virtusteam ( a Dell EMC Company), ViewTrust Automates everything you mentioned in your article, and then some. We also provide full lifecycle management for Compliance and Continuous Monitoring.
We have been in the marketplace for a number of years, with success in numerous Federal agencies, as well as commercial organizations. So it is a proven solution. In fact, is was a strong part of why EMC spent $1.2 Billion to acquire Virtustream two years ago. One year prior to Dell buying EMC for nearly $70 Billion.
In the DoD environment, we have a two-way interactive interface with DISA’s eMASS.
This is a unique differentiator for ViewTrust. Also, we are the only vendor who takes a holistic, complete lifecycle view of the IT Compliance and Risk Management and Monitoring, with active near real-time Dashboard views, and extensive reporting.
We are a complete and proven solution for both government and commercial organizations.
I would like to touch base with you in the near future to lay out for you our full capabilities, as well as where we see the market going.
Feel free to reach out to me at: [email protected]
Thanks,
~Rich Hennigan
http://www.virtustream.com/software/viewtrust
Rich:
Thanks! I would like to hear more, and will start my look as well from what you sent on.
John,
Thanks for this article. I’m sorry your research did not bring up much of the emerging community community, tools, and writings around “Compliance as Code.” I’m wondering what you searched so we can improve our SEO for the topic.
Here’s a list that should be of interest to you and your readers, including some materials from my company, GovReady PBC. We’re automating compliance with mini-apps that map system components onto compliance frameworks and automatically generate control implementation descriptions.
Good Reads
==========
“Automating Security Compliance in the U.S. Federal Government” – White paper by ex-Deputy Federal CTO, Nick Sinai – http://bit.ly/sinai-paper-ato
“GovReady Security Control Compliance Server” – Presentation at DHS Science & Technology 2017 Cyber Security R&D Showcase and Technical Workshop – http://bit.ly/GovReady-Cyber-2017
“Compliance at Velocity” – Medium thought pieces on integrating Compliance and DevOps – https://medium.com/compliance-at-velocity
Projects
=======
GSA RFI on Automating ATO and responses from OpenControl Community and GovReady – https://www.fedramp.gov/rfi-on-ato-automation-tools-out-for-industry-response; http://bit.ly/oc-gsa-ato-rfi; http://bit.ly/gr-gsa-ato-rfi
Project Boise, 18F research project to improve federal software security compliance process – https://github.com/opencontrol/discuss/issues/28
Compliance as Code weekly webinars hosted by GovReady PBC – http://www.govready.com
NGA’s ATO-in-a-Day – https://medium.com/@NickSinai/ato-in-a-day-fd53f0ef4a5d
Tools for ATO Automation:
======================
There are lots of existing, quality products help with security and maintaining compliance. I have a bias toward the below tools because they each have certain attributes that make them particularly relevant/friendly to developers seeking to automate compliance as part of their DevOps CI/CD workflow.
OSCAL – NIST effort to make compliance requirements (e.g., compliance frameworks and control descriptions) more machine readable and extensible.
OpenControl and Compliance Masonry – A kind of compliance markdown in YAML creating re-usable control implementation descriptions and proof-of-concept assembler for generating SSP’s automatically. http://github.com/opencontrol
OpenControl Repos: RedHat’s (https://github.com/opencontrol/RedHat), Docker (https://github.com/docker/compliance), Cloud.gov (https://github.com/18F/cg-compliance)
OpenSCAP & SCAP Security Guide – The only open source certified SCAP-scanner and open source SCAP content repository – https://www.open-scap.org
Ion Channel – A software supply chain monitoring tools and risk assessor with special features managing software delivery on secure government networks.
InSPEC – Ruby-based, BBd-style open source framework for testing infrastructure compliance from Chef – https://www.inspec.io
GovReady Compliance Apps – demo video – http://govready.com/videos/demo/
Sonatype – a supply chain analysis tool and repo very popular in Java circles – https://www.sonatype.com
Greg Elin
CEO, GovReady PBC
[email protected]
Greg,
I know the research seemed incomplete? Maybe these guys are selling one particular product and are pitching it. I am not sure there are several good solutions out there. Expected govloop to be more agnostic.
Max good talking to you last night. No I nor my firm sell any products like these as we discussed.
Good links I am sure the readers will appreciate
Tryump – mafazo.com/tryump
Been done 100 times over 🙂 for not just FedRAMP usecases but 100s others in the agencies. Please add us to your research
Thank you …noted