The Importance of FedRAMP Authorization and Continuous Monitoring – Part 4
Baan Alsinawi, TalaTek founder, and Managing Director, Strategy & Risk, CISO Global

Organizations that have a cloud application and plan to sell these services to federal agencies will need to first undergo the Federal Risk and Authorization Program (FedRAMP) authorization process and become FedRAMP certified.[1]
A key part of FedRAMP certification is continuous monitoring, also called ConMon, and organizations will need to incorporate this into their security process to maintain their authorization. For example, TalaTek established its ConMon process when first obtaining an Authority to Operate (ATO) for the company’s TiGRIS Software as a Service, listed on the FedRAMP Marketplace. TalaTek now undergoes an annual audit by a third-party assessment organization (3PAO) that checks to be sure it still implements ConMon.
What Is Continuous Monitoring?
FedRAMP’s continuous monitoring program[2] is based on the steps detailed in NIST SP 800-137, Revision 1, Information Security Continuous Monitoring for Federal Information Systems and Organizations. NIST 800-137 defines ConMon as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
NIST 800-137 also covers how organizations should go about achieving continuous monitoring (check the NIST document for more details on each step):
Define an approach by developing a strategy that addresses ConMon requirements at each of the three organizational tiers: organization, mission/business processes, and information systems.
Establish a specific program to implement the ConMon strategy that can inform risk-based decisions and keep operations within an organization’s set risk tolerances. This includes processes and procedures for assessing security controls. These assessments should measure the organization’s security status, detect and track changes in its environment and data system infrastructure, and clearly measure the effectiveness of each of the security controls it has in place.
Implement the ConMon program by collecting required security-related information for predefined metrics, conducting security control assessments, and reporting security-related information according to the organization’s policies and procedures. Every control should be monitored for effectiveness and can be used in monitoring the organization’s security status. These processes should be as automated as possible—from the collection stage through analysis and reporting.
Analyze all the data that comes out of this ConMon process in the context of an organization’s risk tolerances, the possible impact of vulnerabilities on the three tiers, and the possible impact of mitigation options.
Respond to any findings at all three tiers, taking steps to mitigate all identified risks across people, processes, and technologies—including operational vulnerabilities. Review and update the ConMon program to ensure the initial strategy continues to be improved upon, building on lessons learned at each step and showing an organization’s ability to mature the ConMon program over time. As the name indicates, continuous monitoring is a process that requires ongoing refinement.
Benefits of Implementing Continuous Monitoring
It’s true that organizations may find setting up ConMon to be a heavy lift, but once they incorporate the process into their regular risk monitoring strategy, they will likely find they are achieving more than FedRAMP authorization. They can also gain ROI in the following ways.
1. Helps Protect the Organization’s Enterprise
Data breaches can be disastrous. They’re extremely expensive; compromise operational uptime; and can result in fines, brand damage, cyber insurance premium increases (or cancellation of a policy altogether), and maybe even the loss of an organization’s federal contracts. Continuous monitoring helps mitigate the risk of data breaches; catches system vulnerabilities and requires that they be patched; and helps prevent system hacks, ransomware attacks, and even insider threats. This protects the enterprise and its reputation, and importantly, an organization’s bottom line.
2. Improves Flexibility and Responsiveness
Attackers are always changing their tools, tactics, and processes to find ways around a system’s firewalls and into an organization’s environment. The only way to be secure is to stay ahead of the malicious actors and keep up to date on current and validated threat information.
NIST’s ConMon processes help organizations define criteria for unexpected events, putting controls in place that can address this type of emerging threat. By incorporating event-driven assessments of these controls, organizations enhance their ability to respond to threat information rapidly and decisively.
3. Proves an Organization’s Security Posture
A key part of the continuous monitoring process is proving an organization’s security posture—3PAOs do annual assessments to ensure the organizations they are auditing are meeting the stringent FedRAMP requirements. This means that potential clients both in and out of the federal government space can be confident that the FedRAMP-certified organization they are considering hiring does what’s necessary to protect all parties’ sensitive data.
This “seal of approval” can be a key differentiator in helping the FedRAMP-authorized organization stand out from its non-FedRAMP authorized competitors, earning new business and returning that investment on the time and resources spent to achieve this certification. The FedRAMP Program Management Office requires continuous monitoring to ensure the federal government is using the most secure cloud service solutions. However, most organizations lack the staff and expertise necessary to establish and maintain their ConMon program.
Here’s where TalaTek can help. TalaTek has gone through the process, so the company knows first hand what’s involved. TalaTek is also a FedRAMP-accredited 3PAO and can offer organizations continuous monitoring support activities, including managing and updating system documentation, maintaining the continuous monitoring plan, delivering monthly status reports, and managing Plans of Action and Milestones (POA&Ms).
[1] See the first three blogs in this FedRAMP series for more details: Blog #1: The Importance of FedRAMP Authorization to Government Contractors; Blog #2: How to Prepare for FedRAMP Certification; and Blog #3: Is FedRAMP Worth It? Overcoming Common Obstacles.

[2] See the FedRAMP Continuous Monitoring Strategy Guide for more information.