
How FedRAMP Impacts FISMA Compliance and Cloud-Based Computing Services

06/24/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security



For organizations both public and private, cloud computing solutions provide myriad benefits, ranging from greater efficiency to heightened flexibility to an increased ability to scale quickly and precisely.

It's no surprise, then, that organizations of all types are seeking to move many of their functions to the cloud. But as federal agencies migrate their data and operations, they must be vigilant against security risks. For this reason, the federal government established FedRAMP (the Federal Risk and Authorization Management Program) to provide a standardized approach to the security assessment, authorization, and continuous monitoring of cloud services and solutions.

FedRAMP brings new consistency and specificity to FISMA compliance for cloud providers: it applies a standard set of NIST SP 800-53 control baselines to cloud services, so every agency is evaluating a provider against the same requirements. But in the end, it's still up to each agency to ensure that its data is secure. So how can organizations make certain that their migrations to the cloud don't put their data at risk?

Choosing the Right Systems to Migrate

First, agencies should ensure that the data, application, or service they intend to migrate is a practical fit for a cloud solution at this time. Moving from highly entrenched legacy systems to a cloud solution is an opportunity for a significant upgrade, but it can also be a massive, time-intensive project, so agencies must ensure that they have the resources to complete the task in an efficient and effective way.

In order to develop an informed migration plan and better understand the process, some organizations choose to shift smaller services or resources to the cloud first – email, for example. Based on this experience, they may move on to higher-value or more sensitive data.

Asking the Right Questions

In order to begin a cloud migration, agencies must work with a Cloud Service Provider (or CSP) whose offering holds a FedRAMP authorization. They cannot, however, simply outsource their security concerns to these providers entirely. A FedRAMP authorization covers the CSP's side of the shared responsibility; the agency still issues its own Authorization to Operate (ATO) for its use of the service and remains responsible for its data and for FISMA compliance. It is therefore essential that agencies carefully assess and craft the controls they own, and understand exactly which controls are inherited from the CSP and how those cloud resources will be managed.

Once an organization begins a relationship with a CSP, it can be difficult to switch to another provider, so it's important to answer and resolve critical security questions up-front. Relevant questions for agencies to ask of CSPs include:

  • How do you conduct security audits, and can we see the results of your most recent FedRAMP assessment?
  • How will our data and the systems that host it be monitored?
  • Is your FedRAMP-authorized environment separated from your other resources? How?
  • What security metrics will you provide us, and how often?
  • Will our data or systems ever reside on the infrastructure of other cloud providers or subcontractors? If so, how will you ensure that they meet the appropriate security standards?
  • How will our data be encrypted, at rest and in transit, and who controls the keys?
  • Do you use an intrusion detection/prevention system, and how will security incidents affecting our data be reported to us?
  • What are your strategies for backing up, recovering, and destroying data as necessary?

Ultimately, agencies should ensure that they have the ability to audit or otherwise validate the controls put in place by their CSPs, whether by reviewing the CSP's FedRAMP authorization package and continuous monitoring reports or through their own assessment. As organizations begin the process of a cloud migration, it can also be useful to have assistance in this validation.

How Third-Party Assessment Organizations Can Help

Especially in complex or large-scale migrations, organizations may require the assistance of an objective and external party to assess the security implications of their planned actions. In these situations, an agency, contractor, or CSP might engage a Third-Party Assessment Organization (or 3PAO).

These independent, accredited assessors perform the security assessments that verify whether CSPs meet FedRAMP requirements, and they can provide vital insights as agencies consider a shift to the cloud. A 3PAO brings the expertise to help organizations gauge the risk level associated with their data, to evaluate a CSP's compliance and overall security fitness, and to help structure contract negotiations in a way that makes all parties' rights and responsibilities clear.

Once the initial negotiation and evaluation is complete, a 3PAO can also help create a detailed migration plan that puts security first. And even once the new cloud system is implemented, a 3PAO continues to validate the CSP's security controls through the periodic assessments that FedRAMP continuous monitoring requires, providing insight that will help all parties function more securely.

Looking to the Clouds

As with any major change or upgrade to a critical technology, a cloud migration isn't to be undertaken lightly or naively – but that doesn't mean agencies should steer away from the process, either. On the contrary, cloud systems can greatly enhance an organization's efficiency and adaptability.

As agencies consider cloud migrations, they should closely consider FedRAMP requirements and issues of FISMA compliance. By asking the right questions of cloud services providers and, when appropriate, drawing on the insight of 3PAOs, agencies can improve their systems and drive new efficiencies, all while maintaining a robust security strategy.

To learn more about FedRAMP, download a free copy of our guide, Grow Your Business With FedRAMP Certification.
