make a good business better

Blog Information Security

Print Divider Print Divider Branding

Shore Up System Boundaries for a Smoother FEDRAMP ATO

11/25/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security


Social Logo Social Logo Social Logo Social Logo

In order to conduct business, cloud service providers (CSPs) must comply with the Federal Information Security Management Act of 2002 (FISMA). The Federal Risk and Authorization Management Program (FedRAMP) was created, so agencies can meet FISMA requirements for cloud systems.

Subscribing to the “do once, use many times” model, FedRAMP takes a standardized approach to security assessment, authorization, and continuous monitoring based on NIST requirements. It aims to mitigate FISMA compliance costs as well as the risks associated with cybersecurity vulnerabilities and offers CSP’s the opportunity to achieve a FedRAMP Authorization to Operate (ATO).  

However, there are hurdles to achieving FEDRAMP ATO – one of them being the need to go back and fix inaccurate system boundaries.


What makes an accurate system boundary?

System boundaries are imaginary borders within the information system – including all internal and external components of the FEDRAMP solution. Within the FEDRAMP solution are technology, information system processes and the people that administer them. When considering accurate system boundaries, you’ll want to ask some of the following questions:

  • Which communications pass into and out of the information system?
  • How are third parties connected to the system and how are users authenticated?
  • Are internal users accessing information or systems defined as outside of the system boundary?

The answers to these questions will provide key insight into how people, process and technology are defined and integrated into an accurate system boundary.

Looking for red flags is another approach to determine the accuracy of system boundaries. One red flag to be aware of is too narrowly defining the system boundary level, which can lead to longer FEDRAMP ATO acquisition. When writing their System Security Plan (SSP), organizations often find that there are areas that they hadn’t previously included in the scope.  Consequently, they don’t have controls in place to meet those FEDRAMP-specific requirements.

Frequently, organizations take a reactive approach to addressing controls – or the lack thereof. Although this may seem like a logical approach, real long-term benefits are realized by implementing them upfront as well as monitoring and testing them regularly – long before they pursue the FEDRAMP ATO. Doing so prior to expanding scope will mitigate frequent remediation – and ultimately, the need to resubmit their FEDRAMP ATO application multiple times.

You can’t place full blame on the technology for these problems either. It goes back to the importance of having a good information system process plan in place. It’s crucial that the scope is defined from the get-go and that the moving boundaries are locked down. To combat it, spend time upfront understanding:

  • The information systems solution and what it encompasses
  • How the information system connects to your people, processes, and technology and the communication processes involved.
  • Understanding how collaborating with your organization’s groups is critical to facilitating the process.

Auditing can help to keep the certification process on track and can also be a huge benefit before going down the FEDRAMP path – especially if you apply these principles across the board – not just in FEDRAMP process. These are not unique controls but should be best practices in every organization. So, the thought here is that you shouldn’t put all your eggs in one basket (i.e.-just information security). FEDRAMP touches many areas – making it virtually impossible to ignore other parts of the organization.

Close Gaps, Avoid Delays

Although the effort to implement controls can sometimes be substantial, they are necessary to mitigate risks and prevent future issues. Without them, you’ll constantly run up against problems and will continually experience FEDRAMP ATO setbacks. In order to mitigate this risk and move through the certification process quickly, efficiently and cost-effectively, vulnerability testing, Plan of Action and Milestone (POA&M’s), and a system inventory can be of great assistance in this process.

Without vulnerability testing, you can’t reduce your risk. It will help you identify where the gaps are – and you can’t fix them if you don’t know where they are to begin with.

POAM recording, tracking, documenting and verifying fixes, requires effort. Again, it’s a necessary part of reducing risk and clearing the path to FEDRAMP ATO. It’s important to track your remediation efforts to ensure that they are completed properly. And it can’t be said enough. Regular monitoring and testing of your controls and processes go a long way to reducing system boundary problems and facilitating a faster FEDRAMP ATO process. The remediation timeline should be looked at as an opportunity to improve versus just another task

Another opportunity to close the gaps lies with you system inventory.  It includes the components in your environment – including systems, people, processes and technologies. For example, you should have firewalls in place and notated in the system inventory and they should match those in your system boundary. If system inventory doesn’t match system boundaries, you have a problem.

Whether it’s the system inventory or the actual controls, every system component and control needs an owner. Without one, it makes remediation difficult. POAM’s needs ownership as well. Otherwise, finger pointing occurs – making inventory control impossible if no one takes responsibility. Sometimes, this scenario happens organically or it could be the result of an orphan control from a legacy program. To counteract this problem, you should conduct regular audits, assign ownership and finding and address issues on your own before the certification process begins.


As with much of our advice, thoughtful planning is essential. Evaluate and then shore up your system boundaries. Leverage the knowledge of organizations that understand FEDRAMP process. It’s very detailed and can be fraught with potholes along the way if you don’t fully understand it. Best of all, your organization will have better controls in place to meet other regulatory requirements.

Moreover, LBMC takes a broader view instead of looking at it purely through the customer’s lens. They recommend working with an outside firm that has control knowledge and experience. Doing so, will enable your organization to quickly address the many control questions in the FEDRAMP ATO process.

To learn more about FedRAMP Certification, download a free copy of our upcoming guide below, Grow Your Business With FedRAMP Certification. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.


Posted in: FedRAMP