
Avoid FedRAMP Delays: 7 Common SSP Mistakes to Fix


Seeking a FedRAMP authority to operate (ATO) is a critical step for any cloud service that wants to work with the government in an official capacity. It’s required if you are going to handle controlled unclassified information (CUI) on behalf of the government or its contractors, and since the requirements trickle down, you don’t necessarily have to be one of the government’s prime contractors to need your ATO.

Since so many cloud services are discovering the need to achieve a full FedRAMP ATO to win the contracts that will keep them going, it’s more important than ever to make sure you’re doing it right. Otherwise, you waste time, you waste money, and you lose potential contracts along the way.

One part of FedRAMP compliance is the SSP, or System Security Plan. Getting the SSP right is critical, but there are a lot of mistakes many businesses make along the way. We’ve pinned down the seven most common mistakes we see among our clients to help you avoid them in your own FedRAMP journey.

BLUF - Bottom Line Up Front

Securing a FedRAMP authority to operate is essential for cloud services dealing with government data. Common mistakes to avoid include not understanding the System Security Plan (SSP), failing to define the security scope, excluding key team members, skipping foundational groundwork, neglecting automation, not staying involved, and overlooking documentation. Properly addressing these areas ensures compliance, helping secure government contracts and maintain cybersecurity. Use templates, segment systems, and involve experts for effective implementation.

Mistake #1: Not Understanding What an SSP Is

The first and arguably most important thing you need to do when seeking to compile your SSP is to know what an SSP even is. The phrase “system security plan” isn’t all that specific, but fortunately, the government provides plenty of documentation about what they expect to see and what you need to provide.

Your biggest resource is going to be the FedRAMP page full of templates, where you can see essentially what you are expected to provide, along with checklists and other resources to help you along the way.

The downside here is that the templates are one-size-fits-all, but how you’re expected to fill them out varies a great deal. That’s because the precise list of security controls you need to implement, and the exact mechanisms of implementation, will vary from one cloud service provider to the next. The required documentation will also vary between the low, moderate, and high impact levels, though realistically, virtually everyone reading this will be on the moderate baseline.


Bear in mind, as well, that just because there’s a template available doesn’t mean filling it out will be easy. The templates for FedRAMP impact level documentation run more than 300 pages of detailed information. It’s extremely daunting, especially to novices who haven’t had to comply with a security framework before.

There’s a lot that you need to define and document for your SSP, so make sure you’re paying attention to the details, including system inventories, data flow diagrams, control implementation, and more.

Mistake #2: Not Properly Defining Your Scope

Before you can even really get to the point where you’re implementing, you need to figure out what even needs to be implemented. Before you can do that, you need to figure out what elements of your systems need to be secured.

The simple answer is that everything needs to be secured, but that’s not actually the best way to go about a FedRAMP implementation.

The truth is that FedRAMP goes above and beyond what you generally need for commercial and business security. The specialized security controls and regulations that deal specifically with controlled government information are both stricter and require more oversight than normal security.


This is a source of risk in and of itself. As we all know, human nature is to take the easiest path when possible. The more obstructive the security controls are, the more likely people are to not take them seriously, especially when they don’t seem necessary for their day-to-day tasks. So, in a tangible way, over-securing your systems when it isn’t actually necessary is more likely to lead to gaps and holes in that security as people find ways around it to make their own lives easier.

Therefore, the first step is to define the scope of your security. Where does CUI enter your ecosystem, what systems does it touch, and where does it leave? Who is involved, and who has access to those systems?

One of the smartest things you can do as a brand seeking FedRAMP compliance is begin by segmenting your systems and partitioning off the governmental contract systems. The narrower the scope, the easier it is to secure, and the more reliably you can keep it validated.

Mistake #3: Failing to Include the Right People

It’s often said that the right people make the job, and that’s definitely true with something as critical as your business cybersecurity.

You will need the right kind of team to handle everything involved, and it’s going to need to be a robust and varied team of experts, stakeholders, and people with the access and knowledge to make the changes and guide implementations as necessary.


Consider roles such as:

  • Cybersecurity experts, either in-house or consultants brought in to bring your systems up to snuff.
  • Business stakeholders like your head or heads of governance, risk, and compliance, so you have top-level overviews and someone with the ability to authorize what needs to be done to minimize delays.
  • Systems experts who know the way your business works inside and out and who can think logically about the security requirements and how they need to be handled.

Another role that can be very useful to have on your team is a dedicated technical writer. Your system security plan is a large series of documents that need to be composed and put together in a logical way, covering all the bases but without the messiness, duplication, or disorganization that can come from a process where documents are effectively thrown into a bucket and handed over at the end of the day.

Having someone who can take that bucket and make it all make sense to the government can be an invaluable asset. More than one company has failed its initial attempts to receive a FedRAMP authorization despite having done the work right because its documentation was too much of a mess.

Mistake #4: Not Laying the Groundwork

Another key to a successful implementation of a system security plan is taking the time to make your foundational documents before you begin.

First, make sure you have a detailed diagram of all of your network components and network architecture. You want an overall bird’s-eye view of your entire network, including all of the entry points, all of the interconnections between systems, and all of the components along the way. As mentioned above, you’ll want to be as narrow in scope as possible, so this diagram can give you a good idea of where you might be able to cut off systems and segment them for an easier process.

Next, develop your complete systems inventory. This should be an itemized list of all of the components throughout your network diagram, complete with whatever identification numbers and designations they have. You want to be able to see a full list of everything within your network, as well as have the ability to associate between a physical device and its digital presence.


It can also be a good idea to define your data flows as firmly as possible. Consider, for the various government contracts, what kind of information would be flowing in, where it would enter, where it would pass through, and where it would be handled. This becomes the list of what needs to be secured. It can also give you insight into further ways to segment your systems for a more robust but narrower set of security implementations.
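The scoping work in Mistakes #2 and #4 (network diagram, system inventory, data flows) lends itself to a simple model you can check mechanically. The script below is an added example, not code from this post or from Ignyte: it represents the inventory as a table of assets and the data flows as tagged edges, follows only CUI-tagged flows from the government-facing entry point to compute the boundary, lists the neighbouring assets that must be segmented off or pulled into scope, and cross-checks the inventory against the flows. All asset identifiers, flows and classifications are constructed sample data.

```python
"""Compute a CUI boundary from a system inventory and a data-flow list.

Added example; not code from the post or from Ignyte. Every asset id, flow
and classification below is constructed sample data.
"""
from collections import deque

# Constructed system inventory: asset id -> attributes.
INVENTORY = {
    "fw-01":      {"type": "firewall",       "owner": "netops"},
    "lb-01":      {"type": "load balancer",  "owner": "netops"},
    "web-01":     {"type": "web server",     "owner": "platform"},
    "app-01":     {"type": "app server",     "owner": "platform"},
    "db-01":      {"type": "database",       "owner": "data"},
    "log-01":     {"type": "log collector",  "owner": "secops"},
    "hr-01":      {"type": "hr system",      "owner": "hr"},
    "mkt-01":     {"type": "marketing site", "owner": "marketing"},
    "wiki-01":    {"type": "internal wiki",  "owner": "it"},
    "printer-01": {"type": "printer",        "owner": "it"},  # no documented flow
}

# Constructed data flows: (source, destination, data classification).
FLOWS = [
    ("fw-01", "lb-01", "cui"),
    ("lb-01", "web-01", "cui"),
    ("web-01", "app-01", "cui"),
    ("app-01", "db-01", "cui"),
    ("db-01", "bak-01", "cui"),          # bak-01 is missing from the inventory
    ("app-01", "log-01", "metadata"),    # logs carry no CUI by policy
    ("web-01", "log-01", "metadata"),
    ("hr-01", "db-01", "internal"),      # shares the database host
    ("mkt-01", "lb-01", "public"),
    ("hr-01", "wiki-01", "internal"),
]

# Where CUI enters from the government side (constructed).
ENTRY_POINTS = {"fw-01"}


def cui_boundary(flows, entry_points):
    """Assets that store, process or transmit CUI.

    Breadth-first search from each entry point, following only flows tagged
    'cui'. Everything reached is inside the authorization boundary.
    """
    adjacency = {}
    for src, dst, classification in flows:
        if classification == "cui":
            adjacency.setdefault(src, []).append(dst)
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def boundary_neighbours(flows, boundary):
    """Out-of-boundary assets with any flow to or from an in-scope asset.

    These are the segmentation decisions: either cut the connection or accept
    that the asset joins the scope.
    """
    neighbours = set()
    for src, dst, _ in flows:
        if src in boundary and dst not in boundary:
            neighbours.add(dst)
        if dst in boundary and src not in boundary:
            neighbours.add(src)
    return neighbours


def inventory_findings(inventory, flows):
    """Inventory/flow mismatches: assets referenced by a flow but absent from
    the inventory, and inventoried assets with no documented flow at all."""
    referenced = {asset for src, dst, _ in flows for asset in (src, dst)}
    return {
        "unknown_assets": sorted(referenced - set(inventory)),
        "orphan_assets": sorted(set(inventory) - referenced),
    }


def scope_report(inventory, flows, entry_points):
    """Combine boundary, segmentation candidates and inventory findings."""
    boundary = cui_boundary(flows, entry_points)
    neighbours = boundary_neighbours(flows, boundary)
    return {
        "in_scope": sorted(boundary),
        "segmentation_candidates": sorted(neighbours),
        "out_of_scope": sorted(set(inventory) - boundary - neighbours),
        **inventory_findings(inventory, flows),
    }


if __name__ == "__main__":
    for key, value in scope_report(INVENTORY, FLOWS, ENTRY_POINTS).items():
        print(f"{key}: {value}")
```

Run as-is, the report places bak-01 inside the boundary while also flagging it as an unknown asset: a backup target that carries CUI but never made it into the inventory is exactly the kind of gap an assessor will find, so it should be fixed before the diagram and inventory are handed to the technical writer. The segmentation candidates (hr-01, log-01, mkt-01) are each a decision to record in the SSP: cut the flow, or document the asset as part of the system.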

Mistake #5: Not Leveraging Automation Whenever Possible

We’ve said before that FedRAMP implementation is not easy and not one-size-fits-all, despite the ability to use templates to guide the process. However, that doesn’t mean there aren’t ways to automate and streamline various elements of the analysis, implementation, and validation processes.

In fact, automation is one of the most important tools you will have at your disposal. Whether it’s data entry, validation, editing, or monitoring, automation through powerful government compliance tools can help you out in a lot of different ways.


There’s no one tool that can be pointed at your systems and do all of the work for you. Sometimes, you can run a configuration wizard to set appropriate settings. Other times, your custom network configuration is impossible to adjust automatically and will need an expert’s touch. This is a big part of why you need the right team in place; otherwise, just running a bunch of tools may feel robust but won’t get you nearly enough advancement in security to meet compliance rules.

Automation will also be critical for the final stages of FedRAMP implementation: continuous monitoring. A lot of FedRAMP implementation is setting systems to a secure state and leaving them be, but more of it involves actively and passively watching for signs of intrusion, setting up warning systems, and knowing how to react and deal with issues as they arise.

Mistake #6: Not Staying Involved with FedRAMP Implementation

A lot of cloud service providers, especially those on the smaller end, run into a significant problem. They want to implement FedRAMP, earn their authority to operate, and work with the government on important (and lucrative) contracts. However, their services are built and run by outsourced, modular, or otherwise lightweight teams, many of whom are freelancers, on temporary contracts, or otherwise don’t have a stake in the security of the business.

These CSPs often turn to third-party implementation specialists to do the work for them.

Now, it’s entirely possible that these third-party groups can do the work and set up the CSP for success. However, FedRAMP isn’t a state of being; it’s a process. One-time implementation is a state of security that rapidly degrades as the technology evolves and the threat environment shifts.


This is why one of our entries above was already focused on making sure you have executive and team-level buy-in for your FedRAMP implementation. Anything less, and you can end up with misaligned or mis-implemented security systems, with gaps in coverage that stem from an incomplete awareness of what your CSP does.

Worse, part of FedRAMP is the behavior and training of the people involved in handling CUI. If they don’t know why security measures are in place and bypass them out of ignorance, it jeopardizes your business and your contracts.

It’s not a sin to hire a third-party company to work with you for your security implementation. You just need to stay engaged with the process to make sure you carry it forward when they’re done.

Mistake #7: Failing to Gather the Appropriate Documentation

FedRAMP’s list of required documentation is immense. Your network architecture diagrams, your system inventories, your data flow maps, documentation of each of the security controls FedRAMP requires at your impact level, artifacts and proof of the implementation of those controls, POA&Ms for the ones you can’t finish in time; there are a great many documents you need.

Moreover, unless you’re working in the right way with the right tools, it’s easy to lose track of some of those hundreds of documents. Whether they’ve been emailed to a stakeholder who hasn’t kept them all in one place, or written and overwritten as they’ve been iterated on until the latest version could be anywhere, it all leaves you flailing.

This is where something like the Ignyte Assurance Platform can come in. As experts in FedRAMP and many other security frameworks, we designed the platform as a robust, collaborative, and centralized way to store all of the documentation, proof, and artifacts you need to submit in your final package. It’s not a fully automated platform, but it does help ensure that your FedRAMP authorization process goes as smoothly as it possibly can.


Here at Ignyte, we’re proud to be a certified FedRAMP third-party assessment organization. So, if you have questions, need information, or want to see what the Ignyte platform can do for you, all you need to do is reach out to get started. We’re more than happy to work with you in nearly any capacity to help ensure you meet the requirements for your impact level and can rest assured of your certification.
