Are you looking to get your product authorized for use by federal agencies?
Then you probably need to understand FedRAMP, how it works, and, most importantly, whether it applies to you.
In this episode, I chat with Stephen Halbrook, Partner and Government Compliance Specialist at Schellman & Co, who answers the most common questions about the government security assessment.
- What is FedRAMP and who does it apply to?
- What is a typical timeline for the ATO process?
- Should you go through JAB or an agency?
- How much does it cost?
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
You’re listening to the Virtual CISO Podcast. A frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry: (00:25)
Hey there and welcome to yet another episode of the Virtual CISO Podcast here in 2021, pretty amazing to say. I’m your host John Verry and with me as always, the Jay-Z to my Beyonce, Jeremy Sporn. Hey Jeremy.
Jeremy Sporn: (00:40)
Hey John, hello everyone.
John Verry: (00:43)
What you think Stephen?
Jeremy Sporn: (00:43)
So I’m just happy we got Stephen on. Had a few scheduling conflicts and it was very clear why with FedRAMP taking off as it has, Stephen is just a really busy guy. He gave one stat where he said something about 200 firms with a FedRAMP ATO total, but 60 plus have been granted in 2020. So you could just see the ramp. You could see what’s coming down for FedRAMP and his insights were very timely.
John Verry: (01:14)
Yeah and to contextualize that, I think he said that the program started in about 2012. So realistically, that’s 60 out of 200 occurring in the last roughly 12 months is pretty crazy. And that ramp in interest and that ramp in organizations pursuing is really why I thought it was so important that we get him on at this point in time, because we’ve seen that similar increase in client calls and client interest in FedRAMP.
Jeremy Sporn: (01:41)
Actually, the timing for you I thought was good. I know you’re that ISO 27001 fanboy, self proclaimed, but with the ramp in CMNC, your NIST knowledge has taken… it’s gone up a few notches and it was easy to hear how excited you were to understand the FedRAMP side of government security requirements.
John Verry: (02:01)
Right and for the record, I’ve been a NIST fanboy for a long time as well. I’ve always thought that their guidance was fantastic. They just didn’t really have as good an accreditation program, if you will, as you got with an ISO, the SOC, which is really why we were there, because our clients always needed that certificate. FedRAMP, of course provides said certificate, authorization to operate. Now we’ve got CMMC doing the same thing so you’re right, I mean with CMMC and FedRAMP, the new privacy framework that came out from NIST, the new version of 800-53, I am spending a remarkable percentage of my time in the NIST world the last six months. Honestly, it actually has been fun.
John Verry: (02:38)
With FedRAMP in particular, when we’re chatting with clients, when you look at the level of effort and the cost and the different pathways, if you will through the process, I think this conversation will be as good or better for the people that might listen to it, or read the content as it was for me. And it was, you’re right, it was helpful for me. Stephen’s a very, very smart guy.
Jeremy Sporn: (02:58)
Absolutely. So if you are a business or security leader, especially if a SaaS organization and have thought about providing services to the federal government, stay tuned. Stephen Halbrook, partner and government compliance lead at Schellman & Co. is exactly the right person to listen to. He gives some great insight and practical advice to those looking to move their SaaS in the government space.
John Verry: (03:23)
And just to be one point of clarity, doesn’t have to be SaaS. SasS is the most common, but technically FedRAMP is an ATO for any cloud service provider. So you might infrastructure, service, hardware stores, anything that qualifies as a cloud service and with that, let’s get to the show. Stephen, hello sir. Thanks for coming on the show today.
Stephen Halbrook: (03:47)
Absolutely John. Good to be here and talking with you.
John Verry: (03:50)
Ditto. Same. It’s not like we don’t talk fairly frequently anyway, so it feels like a normal week.
Stephen Halbrook: (03:58)
John Verry: (03:58)
So I’d like to start super simple. Real quick, tell us about who is Stephen Halbrook and what do you do everyday?
Stephen Halbrook: (04:03)
Yeah. Absolutely John. So like you said, I’m Stephen Halbrook. I joined Schellman & Company 15 years ago. Previously was with the big four accounting firms of the world and really wanted a place I could grow with, and believed in the mission at Schellman. Fast forward here today, I’m a partner at the firm based in our nation’s capital. Looking out the window here at the season’s first snow.
John Verry: (04:31)
I mean, it’s coming up the turnpike to us. I’m looking out the window and it hasn’t gotten here yet.
Stephen Halbrook: (04:36)
Okay. Yeah, it’s headed up your way, but yeah. As far as what we do, putting it simply, we enable other companies to deliver technology services to the government, to their clients. Some people call us assessors, auditors, but basically our mission is to enable the mission of others, our clients.
John Verry: (04:56)
And you personally are focused on the government sector, right? FedRAMP and associated services.
Stephen Halbrook: (05:02)
That’s right. There’s two of us that head up the practice. I’m here on the East Coast and then I have a peer out on the West Coast.
John Verry: (05:11)
Stephen Halbrook: (05:13)
Yeah. That’s right, Doug Barbin, yeah.
John Verry: (05:16)
Another strong resource, really good guy as well.
Stephen Halbrook: (05:20)
John Verry: (05:20)
Cool. So before we get down to business, I always ask, what’s your drink of choice? Personalize this a bit.
Stephen Halbrook: (05:27)
Yeah. Drink of choice John. So I’m a Pinot Noir guy, you know? I don’t know what it is about the soil out there in Russia River Valley, Ebony Hills, Oregon. I don’t really care, but I’m a big fan of the wine they produce from the grapes that they grow out there.
John Verry: (05:45)
Okay. So here’s the problem with Pinot Noir, and by the way, we drink Russian River Valley chardonnays, right?
Stephen Halbrook: (05:52)
John Verry: (05:52)
I’m a big fan of that. Sonoma Cutrer and we actually are a member of a wine club, actually they canceled the wine club of the pandemic, but White Oak, another winery out there.
Stephen Halbrook: (06:02)
John Verry: (06:02)
So drink Russian River Valleys and agree with you completely. Cold air coming up through there changes the stuff that comes out of that area. I’m a big Sonoma versus Napa guy as well, but that being said and I do love a good Pinot Noir, the problem is I cannot afford a Pinot Noir that I think is good. I think if you buy any Pinot Noir’s that are under $25 at least, they tend to be a little bit thin.
Stephen Halbrook: (06:28)
John Verry: (06:31)
[inaudible 00:06:31] are there Pinot’s that are, in your mind, that are drinkable at less than $25.
Stephen Halbrook: (06:36)
It starts to get tough and maybe Sonoma Cutrer is one of those, I know you mentioned them. They tend to have it around that price point and can pick them up, but mostly the ones that I enjoy are a little bit more costly than that, and I just kind of wait for [crosstalk 00:06:56] Yeah, special occasion.
John Verry: (06:59)
Yeah, yeah. I mean, it was so funny… I’ll tell you what man, I’ll tell a super funny quick story about Pinot’s. So we really… I love Pinot’s and I could never find one. So I go into a liquor store where I recognize the guy who had been a pretty good wine guy and I’m like, “Look, can I find a Pinot that’s drinkable almost as an every night glass of wine?” Because I like to have a glass of wine most nights. “That’s under $20, $25.” And the guy goes, “I’ll show you four, five that I think are pretty good.” So he gives me four or five of them and then he gives me a… and then I said, “Okay, I need a gift Pinot.” So he gave me a $50 Pinot. I think it was a Landmark Grand Detour, I think if I recall correctly.
John Verry: (07:40)
So I take them, I put them in the box, they’re out in the garage and we’re drinking. My wife says, “Oh we’re done with this one.” All of them are just what I thought, a little bit thin. I mean, drinkable, but I’m like, “Yeah, I’m not excited. I’d rather have a $13 bottle of cab at this point, I’d enjoy it more, right? So what happens is I send my wife out and she opens one up and she pours it and my wife’s… we’re not sophisticated wine drinkers. My wife goes, “Oh my.” She says, “How much did this one cost?” I’m like, “Well all of them were under 20 bucks.” She goes, “I don’t care what this costs, I would drink this every night. This is fantastic.” And I’m like, “Oh this is great, we found one. This is great.”
John Verry: (08:18)
And I taste it, I’m like, “Holy crap, this is good.” And I went, “Oh no. Which box did you pull it?” She had opened up [inaudible 00:08:28] So anyway. Well after this call, I will definitely get us some recommendations on a Pinot from you, for special occasions. Because I don’t drink them enough to know, but I think you’re right, when they’re good, they’re great. All right. Let’s get to really why you’re here. People are not… they’ll listen to Robert Parker if they want wine advice, they don’t care about your advice. But they might want to hear your advice on FedRAMP. So let’s start with the simple thing. What is FedRAMP and who does it apply to?
Stephen Halbrook: (08:55)
Yeah. Absolutely. So FedRAMP rolled out in 2012, right? And it’s a government wide program providing a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. So federal agencies that choose to use the commercial cloud services that are out there, they’re required to only use cloud services that are found through this FedRAMP process. So it applies to these federal agencies. I think very relevant to today that listeners could relate to would be Zoom, right? We all use Zoom being remote these days and Zoom is a prime example where the government wanted to leverage their technology. They took Zoom through the FedRAMP process, granted an ATO and now there’s a number of agencies using their product.
John Verry: (09:48)
Got you and that ATO is authorization to operate, correct? That’s sort of like [inaudible 00:09:53] certification. I mean, that’s kind of the equivalent of the way they say certified?
Stephen Halbrook: (09:58)
Yeah. Technically, it’s authority to operate, but referred to as authorization and what it really means is that the agency that provides that sponsorship and decides to use the system is accepting the risk, right? So coming out of the FedRAMP assessment, there’s findings, there’s risks that get identified by the assessor. Those get documented and then the agency makes the decision to authorize or grants an ATO based on those results.
John Verry: (10:26)
Cool. Now when you talk about FedRAMP, we talk about the concept of low, moderate and high. What is low, moderate and high? And how would an organization that was pursuing FedRAMP determine whether or not which one they should pursue?
Stephen Halbrook: (10:42)
Yeah. So low, moderate and high, those are the different baselines, right? And this has different control sets at those baselines and it really comes down to the sensitivity of the information that the agency’s going to put into the system. So if you went out and you searched for FIPS 199, you’re going to pull that up. It’s a NIST document and there’s going to be a table in there, and there’s going to be somethings that you would walk through around the confidentially, the integrity, the availability for the CIA of the information that the agency would be putting into the system. So a cloud service provider would go through this exercise, determine what baseline is relevant based on the information they anticipate being put into the system. And then they would head down that path. Is it low? Is it moderate? Is it high? That’s really the differences there, the decision path for how to go about this.
John Verry: (11:43)
Right. Yeah and I always tell people that yeah, you can do a FIPS 199 security categorization. I think there’s a document on NIST SP 800-60 it might be, which is like you can kind of cheat and look up, hey, here’s the kind of data we process, right? It’s kind of a cheat sheet. But I think most important, it is important to know who are the agencies you’re targeting and making sure that they’re comfortable with whatever level that is, because if they want a moderate and you’ve only got a low, yeah you’re out of luck, right?
Stephen Halbrook: (12:10)
Absolutely. We see that all of the time and it’s a losing argument, because at the end of the time, the agency is the customer, they’re the client and if they’re going to serve them, they need to pretty much do what they ask them to do.
John Verry: (12:25)
Right and the other thing about that decision, which is really important is not only making sure that the client is going to accept the level, but it also changes the price and complexity of getting there, correct? Because at a high 421 controls, at a moderate you’re at 325 and a low you’re at… I forget the number.
Stephen Halbrook: (12:44)
Yeah, right around 100.
John Verry: (12:45)
125, yeah. Okay. So that’s another part of this that’s a big decision as well, right? And the budget of course, is going to be significantly different so [crosstalk 00:12:55] high than it would be the low.
Stephen Halbrook: (12:57)
Absolutely. So there’s… right, there’s their cost to implement the controls, maintain them and then you also have the assessment itself, right? Where is it 100? Is it 300? Is it 400 controls? And generally speaking, as you progress from low to high, you’re going to have some more stringent controls, control parameters and the actual assessment itself becomes more rigorous. Not only the number of controls, but just the… some of the additional requirements that go into the assessment.
John Verry: (13:31)
Right. Yeah and it’d probably be fair to just point out for folks that yeah, this low, moderate, high concept and the controls we’re referring to are all the documented NIST 853 and that’s really, FedRAMP is built on 853, if you will, right? That’s where we get in the controls from and where we’re getting the guidance from.
Stephen Halbrook: (13:49)
Exactly. FedRAMP took this 853, they massaged it and put out the FedRAMP baseline that leverages 853, and that’s what’s consistent through all of the templates and documents out at fedramp.gov., where the providers work from for things like their system security plan, and then assessors and… or advisors work from that as well for those templates.
John Verry: (14:15)
Yeah. So I always refer to FedRAMP as a bit of convoluted and choreographed process with a lot of people in that. So let’s talk about that. So let’s start with those… can you talk about the two routes that most people use to pursue FedRAMP?
Stephen Halbrook: (14:34)
Yeah, absolutely and we’ll start with the one that I think is the more direct route, and that is the agency sponsored path. So what is it about the agency sponsored path, right? So it requires commitment from a federal agency prior to heading down the assessment path, and really the intent is that this agency will become a client at the end of the process, and throughout the process that the assessment process, they’ll have some involvement, right? They may want to see your system security pan, which John, you and I both know is where a provider documents, the details on their system, they describe how they’ve implemented all of the controls, 300 plus at the moderate baseline.
Stephen Halbrook: (15:17)
So the agency sponsor may want to look at the SSP before the assessment, and then throughout the assessment, there is some key milestones, like the system assessment plan they’ll want to take a look at. But then most importantly is the security assessment report that gets generated by the assessor at the end of the assessment and that’s what we touched on earlier, right? The ATO or the authorization that’s granted by the agency client based on the risk profile of the system.
John Verry: (15:53)
Yeah. So we have that agency route then we also have the JAB GSA route, if you could explain that and how that differs and why you might… you’re saying that you think agency right now is the way most organizations are going?
Stephen Halbrook: (16:03)
Yeah. So with agency, what we mostly see there is SaaS services that are going through software as a service and those tend to be more niche or specialized type services, but then when you take a look at JAB or the joint authorization board path, that’s where you’ll see a lot of the IaaS and PaaS providers that are authorized, they have JAB ATOs and the reason for that is that these SaaS providers that I mentioned, that are headed down the agency sponsored path, they’re leveraging these IaaS and PaaS providers for their services and you run into this concept of something is JAB authorized, it should be leveraging JAB IaaS PaaS. If something is moderate baseline, it should be leveraging a moderate baseline or higher IaaS PaaS. I think that helps to explain the difference as far as what services tend to lean towards agency versus JAB. I think of JAB as being really more broad use case of capabilities for the types of services that would go down that path.
John Verry: (17:12)
Okay and does that also tie into why they do it the way they do it? My understanding is current mode of processes. You quarterly can submit an application and the JAB is going to review those applications and each quarter they pick roughly three organizations to sponsor and take through the process.
Stephen Halbrook: (17:33)
Exactly and so there’s quite a big more that goes into JAB. Like you said, there’s that application process on a quarterly basis and a CSP, cloud service provider, would put together their application, apply and if they get selected by the JAB, they then have to pivot and go through the FedRAMP readiness assessment report engagement. The FedRAMP RAR is really, as you know, I refer to it as maybe the top 10% of the controls in the federal mandate. So it’s a scaled back assessment that has to be performed by a 3PAO, much like the full assessment. So they get selected by JAB, they have to move into this RAR assessment, and then once they’ve completed that, they then go into a full assessment. So you have this additional step there, the application process, the RAR assessment and then you’re finally caught up with the agency path, in terms of moving through the full assessment.
Stephen Halbrook: (18:35)
Then of course at the end, there’s a slight nuance to what the positive result is. It’s referred to as a provisional ATO, whereas for the agency, we talked about that being an actual ATO. So what does provisional mean? The JAB can’t accept the risks associated with the cloud service. It’s really going to be up to the agency that comes along, picks up the package and grants an ATO.
John Verry: (19:02)
Got you, got you. And then in terms of… I know in theory, the extent and rigor of the process should be the same. Do you find that in practice? Or do you find that with some of the agencies that their rigor of the review process may not be as high as the JAB’s because the JAB does it every day, all day, where these agencies may never have done it before, have only done it a few times.
Stephen Halbrook: (19:26)
Yeah. We do see that and I think to be more specific, it really comes down to accepting risks or findings. We know that there are things that the JAB just will not accept, whereas an agency is motivated to want to use this product, they may have a little more tolerance to finding and risk accept certain things that we know the JAB is not going to.
John Verry: (19:52)
Yeah, that’s well said and that explains my experience personally is that… we sailed through one agency ATO and then they went from there through the JAB GCA process and got beat up a little bit, to be honest with you.
Stephen Halbrook: (20:06)
John Verry: (20:08)
And it was like, “Oh okay.” But that actually explains it more in a logical way. It’s not a matter of the extent and rigor. It’s that it’s a risk based approach on both sides and the acceptance risk criteria that an agency might use could be higher than the acceptance risk criteria that JAB would use. Which makes sense because that’s more a baseline authorization that almost any agency might reach out and grab, correct?
Stephen Halbrook: (20:29)
That’s correct and to your point John about rigor, once you get through the JAB assessment, the next step is really what they call continuous monitoring. So you go through three months of continuous monitoring with the JAB. So the CSP is providing their scans, their inventory, their POA&M, much like they would do with a sponsoring agency when they’re authorized, but they’re actually having to do that with the JAB for three months before they can even get through and hopefully receive that provisional ATO. So not only do they move through that RAR full assessment, but then they’ll get a little bit beat up during those three months of combine.
John Verry: (21:12)
So for that reason then, it would seem as if not only is it a little bit less expensive to got the agency route, maybe the extent rigor of the process is a little bit lower, but then we also could get there three months faster in theory, because we don’t have to go through the ConMon phase?
Stephen Halbrook: (21:26)
Yeah, exactly. No ConMon, no FedRAMP RAR, no application window that you’re waiting for to open up to apply to. Absolutely.
John Verry: (21:37)
Yeah. Cool. So that’s why I know that… and you and I, when we’ve had these conversations when we talk to clients, you always recommend that route, if at all possible and those would be the reasons why, correct?
Stephen Halbrook: (21:48)
John Verry: (21:50)
Cool. So you talked about some of the pieces, right? So we talked about the JAB GSA or the… and the ISSO there. Just out of curiosity, I know on the JAB GSA you kind of get this information security officer that’s integral to this dance, does the agency have the same responsibility to assign that ISSO?
Stephen Halbrook: (22:07)
Yep, they’re going to have someone internal to the org that is the ISSO, and that’s really the key decision maker within the agency.
John Verry: (22:16)
Okay. So in terms of these key players, you got the cloud service provider that’s seeking the authorization. You got the 3PAO, that’s you or Schellman, that is going in and you guys are responsible for doing all of the testing and validation that the JAB GSA or the agency is going to rely on. And you’ve got the ISSO, who is going to be integral into understanding and accepting those risks that we talked about and then maybe there’s a consulting firm like us, which would be the entity that would… if they don’t have the resources, either the expertise or the bandwidth, someone like us might help them in preparing an SSP and helping them… take them through the process. Did I get all the key players from your perspective right?
Stephen Halbrook: (23:00)
Yeah. I think you summed it up really well. There’s… sometimes when the reference to JAB GSA PMO all gets lumped together, but calling out the PMO that sits at GSA, right? They really manage the overall program and promote the adoption of these services across the government. Yeah, I mean those really are the key players and to your point, while the assessment is required to be performed by the 3PAO, the advisor, the consulting on the front end, it’s not required, but we’ve seen it go… we’ve seen both approaches John and it tends to go much, much better when working with an advisor, consultant like to the point on the front end.
John Verry: (23:51)
I think not that these people can’t do it themselves, it’s just that they have day jobs. FedRAMP is an incredibly… I mean, just the process of putting together an SSP, if someone hasn’t seen one, there’s 600 pages. I mean, it’s just a crap load of work. So if a guy’s got a full time job and then he’s trying to get someone FedRAMP ATO’d in his spare time, yeah that’s going to be a tough road to hold. I always tell people… I was on a call with somebody 30 minutes ago about FedRAMP and the guy said, “Can we do it ourselves?” I said, “Absolutely.” I said, “But whoever the person is that’s going to do it themselves better not having any other work that you’re giving them to do.” Right?
John Verry: (24:32)
If you can free up a guy completely who’s a security expert and someone who’s got the time and energy, you can do it. But I think that’s where the challenge is, it’s just bandwidth, right? I mean, how many… what cloud service provider has people sitting around looking for things to do?
Stephen Halbrook: (24:47)
None that we’ve worked with.
John Verry: (24:48)
Exactly. So what’s that… what’s a typical timeline that you see for organizations? From “Hey, this is a good idea,” to “Hey, congratulations, we got our ATO.”
Stephen Halbrook: (25:03)
Yeah. I would say six to 12 months really from that start, right? They’re going to work on the advisory consulting piece for a couple of months, then assessment for a few months and then they have to account for the unknown that happens at the end, right? That’s the agency review process, the PMO’s review of the results from the assessment. And that can iterative. There can be… as you know, there can be some pretty big findings that come out during the assessment and they may require a couple of weeks, a couple of months to work into a release plan, or get implemented without breaking other things, just given the complexity of the FedRAMP. So the advisor and the assessment piece can pinpoint those pretty well, but the unknown’s really when you get to the reviews at the end of the assessment. And then of course, ultimately that authorization.
John Verry: (25:56)
Yeah. The only thing I would say that timeline… I think that timeline is a good timeline if somebody’s already got a reasonably mature environment, they’re already ISO 27001 certified or SOC 2 test or something of that nature. But if somebody doesn’t have a mature control environment, because one of the challenges you come in… if every time you ask somebody, “How do you do this?” They say, “Well we don’t or we’re not sure.” How do you do [inaudible 00:26:22] how do you do SCAP scanning? Well what’s SCAP scanning?
Stephen Halbrook: (26:25)
John Verry: (26:27)
Yeah. Then that initial onset of getting that initial traunch of the SSP done can kind of drag on, because if you’ve got to consult on every one of those 325 controls versus three quarter of those controls, they say, “Oh, here’s how we do it.” You know?
Stephen Halbrook: (26:45)
Yeah, that’s fair. That’s a fair point.
John Verry: (26:48)
Costs, and I know it’s always a difficult thing to put. So I’ll start it off by saying this is that the mast majority of the time when I talk to somebody, and they’ve already talked to somebody like yourself or other consulting firms, generally speaking, we hear numbers like four to $600,000 dollars to get to a FedRAMP moderate. Fair number, too high, too low?
Stephen Halbrook: (27:11)
It varies, right? I think… I don’t think it’s too high or too low if you’re factoring in advisory and consulting, technology changes that they’re going to have to make, the personnel cost and then of course the assessment. What gets me is somebody will come out and say, “FedRAMP is cost prohibitive. It’s over a million dollars to get to the FedRAMP process. It’s two million dollars.” These big numbers and what they’re not providing context, right? What makes up that cost? And as you start to break it down, it’s more than the assessment. It’s more than the advising and the consulting.
John Verry: (27:53)
Yeah and I was. I was talking about an all in cost, right?
Stephen Halbrook: (27:56)
John Verry: (27:57)
From my perspective and if you’re going to use rough ball parks, let’s say 100, $150,000 in consulting, the RAR would be 50-ish, the C3PA would be two to 25, something like that. Then you’ve got… I think it’d be fair to say, and correct me if I’m wrong, most organizations are going to stand up a dedicated of gov environment, FedRAMP environment, they’re not going to try to run their ISO environment and then FedRAMP that, and then keep running both within one environment. So you’ve got the dedicated cost to set up that stuff. Maybe you need some hard costs on a new SIMS solution, new vulnerability configuration management scanning stuff, multi factor authentication, right? Those are the kind of things that would change that 450 to 550 or something like that, correct?
Stephen Halbrook: (28:42)
Agreed and great point, what we most often see is a provider has a very successful commercial offering, they want to sell to the government, so they stand up a federal dedicated instance of that offering and get that FedRAMP authorized versus their entire commercial platform.
John Verry: (29:04)
Got you. Quick question for you there, is that… and I’ve never asked anyone this question, I never thought it through, is that actually a requirement? Are there any requirements within FedRAMP that you have to have that level of segregation? It only makes sense to me because the cost to operate a gov cloud, a FedRAMP authorized environment because of the [inaudible 00:29:24] the controls versus ISO is much higher. But is it actually… technically, is it a requirement? Or it just makes sense to do it?
Stephen Halbrook: (29:33)
It’s not a requirement for FedRAMP. It just makes sense to do it. Where it does become more relevant is if you’re going to start selling into the DOD and start talking about impact levels four, five and up. That’s when a provider will run into an issue if they’re trying to run their commercial platform through the DOD process. They’re going to need something separate and dedicated.
John Verry: (29:59)
Right because we’re not going to hit the encryption requirements. If a system is subject to ITAR, right? Technically it has to be in that gov cloud environment, in order to meet that ITAR requirement, et cetera. All right, so we know it’s not inexpensive to get there, but there is a big pot of gold at the end. What about maintaining it? What’s a ballpark cost for somebody to maintain a moderate security categorization ATO?
Stephen Halbrook: (30:25)
Yeah. So from an assessment perspective, we usually say it’s roughly 75% to 80% of the year one cost for the assessment. That annual assessment is really a repeat of a reperformance of the initial assessment. It’s just that there’s fewer controls that we’re testing.
John Verry: (30:44)
Got you. Does it take a sampling approach like you do with ISO where over a three year period, you’re sampling all the controls? Is that how that works?
Stephen Halbrook: (30:53)
Yeah, exactly. So the way it works, FedRAMP has around 100 core controls that must be in each annual assessment and then we’ll… they’ll often want to include some items that were on their POA&M, the POA&M being where they track their findings, their timelines for remediation. So we’ll validate those findings that they’ve pulled in from their POA&M and remediated. Then we’ll take a look at a third of the remaining NIST controls, if you will, and over a three year period, the intent would be that they’ve covered all of the NIST baseline.
John Verry: (31:29)
Cool and is that done in a more continuous audit process? Or is that done more in a discreet annual internal audit you would with ISO or SOC?
Stephen Halbrook: (31:43)
Yeah. From an assessment perspective, it’s going to be pretty discreet where they’ll say, “Here’s a third, here’s a third.” They’ll tend to have their control selection mapped out and that’s… we’ll validate it, make sure the core controls are included and then over the three year period, get coverage.
John Verry: (32:02)
Yeah, I did a bad job asking that question. What I was asking was is that do you come out annually? Or is there some requirement for that to be done on a more periodic basis or continuous basis?
Stephen Halbrook: (32:15)
Yeah. So it’s an annual requirement. So we’ll come out once a year. The assessment needs to be done once per year, but what also takes place on a monthly basis is that the provider’s going to be providing things like their scans, their POA&M and other things on a monthly basis so that their agency clients can stay aware of the security posture of the environment, and have dialogue with the provider if there’s some concerns.
John Verry: (32:46)
Got you. So they have that obligation to actually proactively provide that data to any agency that’s consuming the service?
Stephen Halbrook: (32:55)
Yep they do. It’ll go to OMB MAX, centralized repository and then the agencies can pull it from there. It’s really on the agency to take a look at the information. Some… not all agencies are created equally, in terms of their involvement with the process. Some will monitor things on a monthly basis. Others we hear haven’t. They haven’t checked in a while. So it really depends on the agency but by design monthly basis.
John Verry: (33:28)
That makes sense. So I have spent more time talking about NIST in the past year than I probably did in the five years proceeding that. Oh, in addition to seeing just… so two questions for you. One is it seems to me that FedRAMP is heating up. A, do you see the same thing? And B, why?
Stephen Halbrook: (33:51)
Yeah. It is heating up. There’s some interesting metrics that are out there. So we talked a little bit about the FedRAMP taking effect in 2012, right? So as today, there’s 200 systems that are authorized out there. So you go in the FedRAMP marketplace, boom, 200-ish systems have been authorized. 64 of those were authorized in fiscal year 2020.
John Verry: (34:20)
Oh wow. That’s insane. So one third of the systems that have been authorized were authorized in the last year?
Stephen Halbrook: (34:23)
Yeah. The first 100 were authorized over the first six years. So 2012 to 2018. So to your point, it is heating up. There’s certainly an upward trend in the use of cloud services.
John Verry: (34:41)
And is there a why to it? Do you think it’s just the fact that everything is going? Cloud? I mean, every conversation we have is though we had an on prem product, or we had this type of product, but we’re getting pushed to this. Is it literally just the natural evolution of cloud? And the federal government’s, I call it adoption of cloud?
Stephen Halbrook: (35:02)
Yeah. I really think it’s that John. Where it’s taken a little bit of time and… but they become more comfortable with it, the adoption is taking place. The FedRAMP program has really proved it’s here to stay. I mean, it’s been here since 2012 and it just has really good trajectory. There’s… again, you go out to the marketplace and it’s just a great illustrative example of how much… how well the program is doing.
John Verry: (35:33)
Yeah. We see just insane acceleration the last three or four months. It’s just been nuts how many people are paying us and I feel bad for people right now, because I mean, I think anyone that’s looking at going FedRAMP right now is swimming upstream a little bit, because of the CMMC. CMMC is so hot as well, and I think that there is a… there’s not a wealth of really strong NIST experience out there. So from that perspective, there is a lot of activity. Do you seem CMMC impacting FedRAMP? Do you see the idea that I have that we might have a resource shortage because it’s the same resources that would probably help to put CMMC in FedRAMP? What are your thoughts on CMMC as a FedRAMP guy?
Stephen Halbrook: (36:14)
Yeah. You know, I do think if we’re talking resources as far as getting people ready, getting people assessed, companies, firms. Getting them ready and assess and taking them through the CMMC process. I do think there is a shortage. I mean from a CMMC perspective, they’ve just now started granting provisional approval of C3PAO’s, which is the credential for the firms to do the actually assessments. And even still with that, assessors need to get trained up and up to speed and have completed enough audits to be able to be a qualified assessor for CMMC. So there’s that that’s going on and competing, I’ll say with a similar basket of resources that would perhaps work in FedRAMP as well, just given the tie back. It seems everything ties back to NIST 853, right? So I do think that there are some limitations there.
John Verry: (37:19)
Yeah. I mean, because if you think about it logically, the guys that… you’re going to be a C3PAO, Schellman will be a C3PAO, I’m sure. I’d say you’d doing CMMC audits and the same pool of guys that would do CMMC audits are probably the same pool of guys that you designed FedRAMP for, right? Because they understand… think of a NIST. Not that NIST and ISO are radically different, but the subtleties and the awareness and the experience within NIST is definitely… there’s definitely a bit of a learning code.
Stephen Halbrook: (37:51)
Yeah. It’s getting to that level of comfort where is there an organization meeting the intent of the control, right? I mean, you can read the control on the screen, on the paper and be left scratching your head if you haven’t worked in this for some time and have seen the controls applied in different environments; cloud, on prim, whatever it may be.
John Verry: (38:15)
Yeah and I always look at the same thing with ISO and SOC 2, right? So you guys do ISO and SOC 2 as well. I find that ISO’s controls are much… with exception of a couple of pretty darn straight forward and I think most auditors can interpret a control pretty consistently. I look at some of the SOC 2 language and it’s like, “I’m not sure how.” So unless you’ve been there, done that with SOC 2, you’re going to struggle a little bit to understand what the rigor is or how most entities interpret and hold somebody accountable to a particular piece of language. I think that’s that same idea in NIST, right? It’s kind of got a little bit of that same vagueness and then we have the further vagueness of the fact that we don’t know how the C3PAO’s are going to interpret how they’re being taught by the CMMC-AB to actually interpret that and/or validate.
John Verry: (39:06)
So we hear terms like validate the persistent habitual execution of a control, right? So right now, you and I can smile about that and we can say, “Well I think that probably means six months.” Is that habitual? But you don’t know that until people start going out and doing audits and either accepting or not accepting three months with audit evidence, right? Or three months of [inaudible 00:39:30] So going to be fun. So I’ve heard talk of reciprocity for CMMC. So if you’re FedRAMP certified, let’s say FedRAMP moderate ATO organization that that would basically make you CMMC level three conforming, have you heard that? What are your thought?
Stephen Halbrook: (39:50)
Yeah, we’ve started to see maybe the two in change a little bit on reciprocity from strongly stating that it wouldn’t happen, to now saying it’s likely to occur, but it’s not going to be blanket reciprocity one for one. I do think that… my opinion is that there… I don’t think there’s going to be straight reciprocity between CMMC and FedRAMP, and I don’t think a situation where FedRAMP would accept CMMC. I think it really comes down to scoping. The scope with CMMC isn’t really bound to an authorization boundary like FedRAMP and for CMMC, the scope is likely to expand beyond the typical authorization boundary, and sure, there’s some overlap there in CUI, but then CMMC looks at FCI, right? The federal contract information, which is almost always going to be outside of the FedRAMP system.
John Verry: (40:49)
Yeah, that’s true. I mean, I guess the fundamental answer to that would be how aligned are the scopes? Right? I mean, if we’ve got a one for one scope, you would largely argue that if you were moderate security categorization that you’ve implemented… and I haven’t done a one for one mapping, but more likely than not, you’ve implemented all the controls that you would need for CMMC level three. And even the FCI controls, I mean, there’s a logical subset of the CUI controls, so you’d probably be there, but you’re right. There’s a little bit more complexity to that than just saying reciprocity, so well said. I haven’t thought of it that way. Scope as always rules.
Stephen Halbrook: (41:32)
It does. It absolutely does.
John Verry: (41:36)
So what’s the buzz about the FedRAMP reform bill?
Stephen Halbrook: (41:41)
Yeah. So I think what you’re talking about John, last year they introduced some legislation to codify the FedRAMP program into law. It was approved earlier this year and it was voted into that National Defense Authorization Act, so in the AA legislation. This was moving forward, things were looking good and as of this month, it ended up getting pulled from the bill and the proponents behind it are back to the drawing board next year to see if they can get it pushed through. What this would do for FedRAMP is that it guarantees funding for the program and some other provisions, given and I’ll say more teeth. Just hoping to guarantee the longevity of the program. I mean, we talked earlier about just the trend and the metrics that we’ve seen with the FedRAMP program. My opinion is that it’s here to say, but this would just really formalize things at a much greater level.
John Verry: (42:43)
Okay, so we’re heading down the same path we’ve always been heading down. This would either accelerate or reinforce FedRAMP, but we don’t have to worry about FedRAMP based on the fact that they’re still figuring it out.
Stephen Halbrook: (42:56)
Correct. Yeah and those signs indicate any need for worry.
John Verry: (43:01)
Cool. Last question, what is FedRAMP Tailored?
Stephen Halbrook: (43:05)
Yeah. So FedRAMP Tailored or low impact SaaS, right? I know we talked earlier about the different baselines, right? So moderate, high, but then FedRAMP Tailored is… there’s the low baseline, which is separate and then there’s FedRAMP Tailored, which is low impact SaaS and for low impact SaaS, used interchangeably with FedRAMP Tailored, there’s really roughly around 35 controls that get assessed for that. There’s no pin test and it is by far the fastest pass to authorization. So a cloud service provider, if they have an agent sponsor that’s willing to provide sponsorship at FedRAMP Tailored, they can move very quickly into authorization. Well, they can move very quickly through the assessment process into authorization.
Stephen Halbrook: (43:53)
Where we often see this is a provider that… and you had asked this question earlier, but we have clients that have a very successful commercial offering and they want to deploy a federal dedicated instance at the moderate baseline, but they have agency clients that… or prospective clients that want to use that commercial offering, so they’ll take that commercial offering through FedRAMP Tailored while they’re spinning up their moderate environment that’s dedicated. Get authorized, get people using and paying for that service, and then pivot over to the moderate baseline.
John Verry: (44:29)
Got you. So just to be real clear. The tailored is a low security categorization, right? So the agency has to accept the low security categorization, and do you see that as being a stepping… for most organizations is going to be a stepping stone? You’re going to start with… like you said, you use the low to get in the door, and then what you’ll do is then build on that, then move to moderate after that?
Stephen Halbrook: (44:52)
Exactly. That is what we most commonly see. When I think back to some of the recent assessments that we did for FedRAMP Tailored and that’s exactly the approach that they were taking. It’s worth noting that there’s five or six criteria for being eligible for low impact SaaS, and that often we doubt providers from, I’ll say qualifying to go through FedRAMP Tailored or low impact SaaS path. And then coming back to your point earlier, is the agency comfortable providing sponsorship at that level?
John Verry: (45:27)
And are they willing to accept that risk for some period of time? You might go to an agency and say, “Hey look, let’s start by going this and I guarantee I’ll get you to here by one year from now.” So their risk window is fairly compressed, but they’re willing to work with you.
Stephen Halbrook: (45:40)
John Verry: (45:41)
Question for you, does those characteristics that you referred to, is that different than the… I believe it’s 800-145 is the five essential characteristics of a cloud service provider, which is what you have to pass to even be considered for FedRAMP? Is this another set of criteria beyond that that does the tailoring for the tailored?
Stephen Halbrook: (45:59)
Exactly. They would have already met the NIST definition of cloud computing to be eligible for FedRAMP. And then it’s things like are they leveraging a FedRAMP authorized IaaS provider? Is their system designed to ingest PII? Can it operate without the requirement of ingesting PII? And that’s often where we’ll see clients fall out of qualifying for low impact SaaS is that PII qualifier.
John Verry: (46:29)
Okay and PII in the old definition of PII? Like privileged identifier? Like social security number, driver license number or current generation privacy like virtually any piece of data that would allow me to directly identify an individual and household. Which definition of PII are we talking about?
Stephen Halbrook: (46:50)
Yeah, it’s going to be the latter, but-
John Verry: (46:52)
Or the current NGDPR CCPA personal information definition?
Stephen Halbrook: (46:58)
Yeah, but there’s some wiggle room there when it comes down to things like username, but yeah.
John Verry: (47:05)
All right cool. All right, so I know you have a hard stop in five minutes and I was late. So anything you want to cover with regards to FedRAMP that we didn’t cover yet before we say farewell?
Stephen Halbrook: (47:18)
No. I mean, I think we covered a lot of good information about FedRAMP. I do think it’s worth noting that we talked about NIST 853’s, the underlying baseline, Rev 5 of that has recently come out and this is a pretty good because Rev 4 has been in place since 2014. It took them… what are we, six years now and Rev 4’s going to be withdrawn next year in September. So you’re probably fielding questions from clients. What do we need to do about Rev 5? I know we are and it’s really coming down to the typical… I’ll say two buckets, right? Some clients aren’t really doing anything about it and then others are being more proactive, because that’s just how they operate, or maybe their agency that’s pushing the requirement on them is pursuing this pretty aggressively and pushing it out.
John Verry: (48:13)
So what’s going to happen? Will you be required at your next refresh? So after about whatever period, I’m assuming at some point, your FedRAMP ATO will need to shift to R5. How does somebody calculate that, when they need to shift?
Stephen Halbrook: (48:29)
Yeah. So the FedRAMP team is really going to determine that and there’s a really good blog out at their website, and there’s really four steps. They’re pretty typical steps, right? So right now, FedRAMP’s developing their draft of the Revision 5 baseline. Again, just putting the FedRAMP massage on it and getting that together. They’ll release that for comments. We’ll provide comments, you’ll provide comments and then the PMO will update based on those comments, and then they’ll release the final version. With that, there’s going to be, I’m assuming, some type of timeline for adoption. It all really hinges on [crosstalk 00:49:11]
John Verry: (49:10)
Short answer is we don’t know yet, but we can probably assume that within the next year and a half or so that you’re going to start to see a bunch of people… and I’m assuming, I’ll sure they’ll put out all new templates that are going to align with five and that’ll be probably a pretty good indication when we should get our act in gear. [inaudible 00:49:27] my vision, right?
Stephen Halbrook: (49:28)
John Verry: (49:31)
So do you want to answer the CISO question? Or do you want to skip it and get to your next goal?
Stephen Halbrook: (49:36)
Oh, the CISO question.
John Verry: (49:39)
Yeah, that I was asking. Are you [inaudible 00:49:41] You didn’t prepare did you Stephen? [inaudible 00:49:45] no I’ll tell you. I know you have a hard stop, so let’s just say our farewells. So thank you very much for coming on. Genuinely appreciate it. Stephen’s my go to guy when I have a question about FedRAMP and I appreciate you coming on the podcast. If folks want to get in touch with your and/or Schellman to talk about FedRAMP or any other government stuff, how would they do that?
Stephen Halbrook: (50:10)
Yeah, they can go out to schellman.com and we have a very informative website that from a federal perspective, will eventually work it’s way to the right person, which would be me or Doug. Otherwise, I’m at [email protected]
John Verry: (50:26)
Awesome. Steve thanks man. How does the snow look?
Stephen Halbrook: (50:30)
Nice. Good full bodied snowflakes coming down.
John Verry: (50:34)
All right. Well you’re a few hours south man. Not yet here, so I’m guessing it’s going to get here soon. Well listen, genuinely appreciate you coming on man, good to catch up.
Stephen Halbrook: (50:44)
Thank you John. I enjoyed it very much.
You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected] And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.