The FedRAMP PMO recently released, in draft form, new rules for how contractors will need to comply with the Federal Risk and Authorization Management Program (FedRAMP) authorization boundary requirements. This is a big deal because FedRAMP compliance is mandatory for any company that wants to do business with the federal government.
The new FedRAMP authorization boundary rules will change the way these companies have to approach the data their cloud services handle, and they will have to make sure they are up to date on the latest data standard. In this blog post, we will explore what the new FedRAMP authorization boundary rules will mean for you and your company, and we will provide some tips on how to ensure you are compliant with them.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The new FedRAMP authorization boundary rules will have a profound impact on the way cloud service providers (CSPs) manage their own corporate networks.
In the past, each CSP was responsible for establishing duplicate corporate systems (e.g., ticketing systems) both inside and outside of its boundary. This resulted in a patchwork of security controls that duplicated effort and was inefficient across zones. The draft authorization boundary rules streamline the process by further defining the types of data that can reside separately from the boundary. An accredited Third Party Assessment Organization (3PAO) can assess and certify that a cloud service meets the FedRAMP security requirements while also cross-checking its boundary to ensure the proper flow of data.
The last major change with the new rules is the categorization of data types into four primary buckets:
- Direct Impact Data
- Indirect Impact Data
- Low and Limited Impact Data
- Corporate and Non-Impact Data
In the past, once a service was authorized, there was little oversight of how data was being generated and used to maintain the Authority to Operate (ATO). Under the new draft authorization boundary rules, CSPs must continuously define the data their cloud services and networks produce to ensure that controls are applied where appropriate.
What does this mean for you and your organization?
The new FedRAMP authorization boundary rules will mean that your organization will need to provide more information about its systems and how they are interconnected. CSPs can also take advantage of these rules by removing redundant systems contained within multiple boundaries, such as ticketing systems, security documentation (e.g., the System Security Plan, or SSP), and health and monitoring information. Separating out these systems can help your organization reduce cost and complexity while achieving and maintaining FedRAMP compliance. The following should be considered:
- Reduction of duplicative systems, resulting in cost savings
- Reduction of systems within the boundary that have to comply with RMF controls
- Reduction of complexity in managing and deploying within the boundary
How can you prepare for these changes?
If you are just starting to figure out how to become FedRAMP compliant, consider architecting your boundary as one of the initial key focus areas. If you already have an ATO, consider rearchitecting your system to take advantage of the new rules.
Under the new rules, CSPs will need to submit a change request to FedRAMP that outlines their proposed changes, since a boundary change can impact the accreditation decision. The change request will be reviewed by a third-party assessor, who will determine whether or not the CSP continues to meet all of the requirements for FedRAMP certification.
In addition, CSPs should make sure that their systems comply with all of the other FedRAMP security requirements, such as maintaining an up-to-date inventory of their systems and assets. By taking these steps now, CSPs can ensure that they are prepared for the new FedRAMP authorization boundary rules and can continue to provide safe and secure cloud services to their federal customers.
What are the benefits of these changes?
The new FedRAMP authorization boundary rules will provide a number of benefits for agencies, contractors, and other organizations that are required to comply with the Federal Information Security Management Act (FISMA). First, the new rules will simplify the process of determining which systems and information assets are within the scope of an organization’s FISMA compliance program. Second, the new rules will clarify the data elements that need to be protected for FISMA compliance. Finally, the new rules will streamline the process of authorizing information systems for operation in accordance with federal FISMA requirements.
The new FedRAMP authorization boundary rules are an important development for anyone who works with or uses cloud-based services. By understanding what these changes mean, you can take steps to ensure that your organization is prepared for them. In particular, make sure that you have a clear understanding of your organization’s security posture and how it will be affected by these changes. With the right preparation, you can ensure that your transition to the new rules goes smoothly.