Federal agencies have been stepping cautiously into the IT future with investments in virtualization, cloud, and data center consolidation and optimization. But initiatives like the 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the 2017 Modernizing Government Technology Act that frees up more funds for modernization efforts, and the White House’s President’s Management Agenda and new “Cloud Smart” strategy are widely expected to kick those efforts into a higher gear.
The cornerstone for many of these modernization activities, of course, is the cloud. Agencies leaders are aware of this and are taking steps to migrate more of their infrastructures, platforms and software applications to the cloud.
Meeting FedRAMP requirements can be time and labor-intensive
But in doing so, they often confront a frustrating speed bump: attaining the needed security compliance for those cloud-based capabilities. The process for attaining compliance with federal security requirements is called the Federal Risk and Authorization Management Program, or FedRAMP. Begun in 2011, the FedRAMP assessment process is initiated by agencies or cloud service providers (CSPs) to ensure that new cloud-based offerings meet requirements that are compliant with the Federal Information Security Management Act (FISMA) and based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 rev4.
The problem with FedRAMP is that it can take a year or longer — and cost hundreds of thousands of dollars — to certify a cloud-based capability as meeting federal cybersecurity standards. Even the Federal CIO Council has recently acknowledged these concerns with FedRAMP, saying “there is still work that can be done to improve the pace of authorizing new providers. In addition, the large number of agency-specific processes has made it complicated for agencies to issue an Authorization to Operate (ATO) for solutions, even when using existing authorized cloud service providers. In fact, despite the importance to cybersecurity risk management, agencies continue to cite major obstacles with their own policies and practices, which has transformed the ATO process from a risk-enabling practice to a labor-intensive exercise.”
The General Services Administration, which runs the FedRAMP program, has been working to speed up the process with varying degrees of success. Last July, Reps. Gerry Connolly (D-VA.) and Mark Meadows (R-N.C.) even introduced the FedRAMP Reform Act of 2018, to further streamline the FedRAMP process. Connolly said that FedRAMP “continues to suffer from a lack of agency buy in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers.”
ATO on AWS shortens time to compliance
There is good news, however. Amazon Web Services (AWS) has developed a proven new model for vendors to build applications on Amazon’s FedRAMP-approved GovCloud and attain FedRAMP medium or high accreditation for those applications in less than 90 days — and, in some cases, much less. Amazon calls it the Authority to Operate on AWS program, or “ATO on AWS.”
Launched in November, ATO on AWS is a partner-driven process that includes training, tools, pre-built AWS CloudFormation templates, control implementation details, and pre-built artifacts. Puppet’s ability to automatically manage and maintain complex configurations for an enterprise-scale IT infrastructure to meet security compliance needs is critical to this model. This enables AWS to pre-build and redeploy FedRAMP-compliant templates and packages from the ground up in order to launch new cloud-based products on GovCloud and achieve FedRAMP accreditation faster than ever before.
AWS’ singular ability to dramatically shorten the FedRAMP accreditation cycle involves two key features: Security Automation and Orchestration (SAO) technology and AWS’s robust partner ecosystem.
The SAO framework consists of more than 20 FedRAMP-approved packages, products and tools that can be readily deployed on AWS when standing up a newly regulated offering. SAO refers to the scripted machine-to-machine execution of tasks and the coordinated machine-to-machine execution of workflows. Various solution providers from the AWS Partner Network (APN) employ SAO capabilities to automate security functions, log management, SIEM, and more. Puppet’s contribution to the ATO on AWS model is configuration management and maintenance to ensure that new GovCloud deployments are not only configured to be FedRAMP compliant from the start, but also that they stay FedRAMP compliant.
Using automation to accelerate accreditation
The idea here is simple: By reusing exact copies of packages and templates that have already been deployed, configured, and FedRAMP-accredited to stand up new instances of a cloud-based capability, we can dramatically speed up the process.
And, by compressing the timeframe for FedRAMP accreditation, AWS and Puppet are dramatically reducing complexity and cost while improving outcomes for both government agencies and the software vendors serving them with needed capabilities.
This also means that Puppet solutions are available on AWS so that federal agencies that manage systems in GovCloud can use Puppet to manage, maintain, and enforce their security configurations to comply not only with FedRAMP, but also the Defense Information Systems Agency’s Security Technical Implementation Guides (STIGs), the United States Government Configuration Baseline (USGCB), the NIST SP 800-series publications and Security Content Automation Protocol (SCAP), or any other policies, as needed.
Bill Diamond is a senior sales engineer at Puppet.