The crown jewel of the cloud service providers is arguably their system security plan or SSP. The purpose of the SSP is to provide an overview of the security requirements of the cloud system and describe the controls that are already in place or those that have been planned, the responsibilities and the expected behavior of all individuals who access the system.
The creation of the SSP and the FedRAMP process is not only necessary to sell cloud services to the federal marketplace, it also provides an assurance that the best practices for cloud security are adhered to by the cloud service provider (CSP). It also acts to mature IT security practices in a manner that would not likely occur without the standards being mandated for FedRAMP approval.
The SSP creation is a large but appropriate and necessary effort on behalf of the CSP. My experience has shown that SSPs span hundreds of pages and spreadsheet rows (Word/Excel); they are difficult to update, and are certainly not directly tied to any automation (unless that elusive Word/Excel/PowerPoint to C++ compiler has been discovered). I do not mean to imply that CSPs do not use many intelligent, capable, and automated technologies/processes to meet the demands of the SSP. However, the SSP is typically not integrated and automated with the technologies CSPs use to carry out the compliance. The SSP creation and maintenance process itself remains a manual (and very labor-intensive) component of the overall security process.
What is the missing piece?
Tools, platforms, or applications that allow the SSP to be integrated into the automation CSPs utilize for their on-going security compliance are missing.
The ability to have all FedRAMP controls and related language combined with preloaded notional processes, policies, and procedures would be a grand start. The related steps to automate the SSP controls into workflows would greatly enhance SSP management and automation. Tying your control requirements to tool automation, and being able to evidence the required event discovery, alerting, response and remediation within a single management platform, would be a panacea. Being able to use that same system to create workflows for your corporate and administrative National Institute of Standards and Technology (NIST) controls, also within the same platform, would be icing on the cake.
Market need showing itself?
That there is a desire (on behalf of the FedRAMP PMO as well as the CSPs) to move the FedRAMP security process to a more holistic, automated compliance method can be inferred from the following:
- A recent Request for Information (RFI) has been released by the FedRAMP PMO. In this RFI, FedRAMP is seeking input on the following: (quote taken from the FedRAMP site)
“In collaboration with the Office of American Innovation (OAI) and American Technology Council, GSA and FedRAMP have been working to improve the security authorization process across the federal government. Our ultimate goals include:
- Reducing toil that inhibits our ability to scale improvements.
- Decreasing errors from manual activities.
- Increasing speed to process (approvals and identification of issues).
- Increasing value-add of machine-readable data for improving risk management.
One key component of this effort is identifying ways to incorporate automation into the Authority to Operate (ATO) process.”
Now, the request for information may be geared towards decreasing the time for a CSP to achieve a FedRAMP ATO. However, it also speaks to the constant dialogue that the FedRAMP PMO likely has with its constituent agencies and industry partners (cloud service providers) about increasing efficiencies in cloud security compliance.
What do you say when your friend pulls out their flip-phone?
When my previous company went through the FedRAMP process in 2012, we used the full automation of MS Office! Cut and paste was the best integration we could have hoped for in the creation of our SSP. We didn’t dare to dream about getting that SSP and its related policy and procedures to interact in any meaningful way with the security tools that we used to keep our IaaS secure. We began to see some of the availability of SSP automation prior to my exit. However, any consideration that would change the manual process hugging we had going on was not given a lot of attention. The lack of desire to alter the established manual process was frustrating.
Today, however, the number of CSPs looking to gain FedRAMP authorization is ever increasing. This is the result of a very clean FedRAMP process, and the demand for more and more cloud services from our collective Federal customers. Today's CSP is starting with the premise that the SSP should be tied, in an integrated fashion, to the tool sets used for compliance. The thought that the SSP and its implementation is going to be all MS Office driven, for them, would be akin to a millennial looking at their parents, with their heads turned sideways, when those parents take out their flip-phones.
Is there a growing solutions market for this type of automation?
A short answer to this question is yes. The longer answer is that the market for solutions like these is emerging, but, from my observation, it is still sparse.
Some Google searches for SSP automation list a few companies who may have started introducing solutions like this in the market. Using my search string, I found three companies offering security automation tools and security orchestration tools. The top three results were paid advertisements. Following these advertisements were links to SANS and NIST related to system security plans. My search is certainly not exhaustive, but it is one that may prove that these solutions do not exist in any large fashion. Why? Unless you intimately understand the FedRAMP process and further the efficiencies of SSP automation, you wouldn't suspect the market to have an answer.
What did I find? I found one firm that seemed to have built a solution for the specific use case of automating the FedRAMP and security compliance frameworks.
It is built upon a proper ITSM/CMDB system (ServiceNow) which IMO was wise. ServiceNow is an industry standard that exists in a secure cloud. The product appears to have all FedRAMP controls pre-loaded into its framework, with related workflows tied to those controls. It integrates with SIEM tools that CSPs would use for security compliance. Upon dialogue with the company, it appears that it can also ingest events and alerts from (Non-SIEM) IT management tools (think, if ServiceNow can ingest, act and automate, this solution can do it too).
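To make the idea concrete (controls pre-loaded into a framework, tool automation tied to those controls, and events ingested to evidence discovery, alerting and response), here is a small added example in Python. It is not code from the original post, from ServiceNow, or from the vendor described above. It maps three illustrative NIST SP 800-53 control IDs (AC-2, AU-6, IR-4; titles paraphrased) to automated checks, runs them over constructed SIEM-style events, and emits a machine-readable control-status fragment an SSP could reference. The event schema, ticket conventions and failure threshold are all assumptions made for the example.

```python
"""Toy control-to-evidence automation (added example, not a vendor product).

Each NIST SP 800-53 control ID is linked to a check that consumes ingested
events and returns a status plus the evidence behind it, so the SSP control
narrative can point at machine-produced results instead of pasted prose.
"""
import json
from collections import Counter

# Illustrative control selection; titles paraphrased from NIST SP 800-53.
CONTROLS = {
    "AC-2": "Account Management",
    "AU-6": "Audit Record Review, Analysis, and Reporting",
    "IR-4": "Incident Handling",
}

# Constructed SIEM-style events (not real data); the schema is an assumption.
SAMPLE_EVENTS = [
    {"ts": "2024-01-05T10:00:00Z", "type": "user_created", "actor": "admin1",
     "target": "svc-backup", "ticket": "CHG-1001"},
    {"ts": "2024-01-05T10:05:00Z", "type": "user_created", "actor": "admin2",
     "target": "tempuser", "ticket": None},
    *[{"ts": f"2024-01-05T11:00:{s:02d}Z", "type": "auth_failure",
       "user": "alice", "src": "10.0.0.5"} for s in range(6)],
    {"ts": "2024-01-05T11:00:30Z", "type": "auth_failure", "user": "bob",
     "src": "10.0.0.9"},
    {"ts": "2024-01-05T11:01:00Z", "type": "alert_raised", "alert_id": "A-7",
     "rule": "brute-force"},
    {"ts": "2024-01-05T11:02:00Z", "type": "alert_acknowledged",
     "alert_id": "A-7", "ticket": "INC-2002"},
    {"ts": "2024-01-05T12:00:00Z", "type": "alert_raised", "alert_id": "A-8",
     "rule": "new-admin"},
]

FAILURE_THRESHOLD = 5  # constructed review threshold for the AU-6 check


def check_ac2(events):
    """AC-2: every account creation must trace back to a change ticket."""
    created = [e for e in events if e["type"] == "user_created"]
    untracked = [e["target"] for e in created if not e.get("ticket")]
    return {
        "status": "gap" if untracked else "satisfied",
        "findings": untracked,
        "evidence": f"{len(created)} account-creation events reviewed",
    }


def check_au6(events):
    """AU-6: analyse audit records; flag sources with repeated auth failures."""
    failures = Counter(e["src"] for e in events if e["type"] == "auth_failure")
    flagged = [f"{src}: {n} failures" for src, n in sorted(failures.items())
               if n >= FAILURE_THRESHOLD]
    # The review itself is the control activity; findings feed IR-4.
    return {
        "status": "satisfied",
        "findings": flagged,
        "evidence": f"{sum(failures.values())} auth failures analysed",
    }


def check_ir4(events):
    """IR-4: every raised alert must be acknowledged under an incident ticket."""
    raised = {e["alert_id"] for e in events if e["type"] == "alert_raised"}
    acked = {e["alert_id"] for e in events
             if e["type"] == "alert_acknowledged" and e.get("ticket")}
    open_alerts = sorted(raised - acked)
    return {
        "status": "gap" if open_alerts else "satisfied",
        "findings": open_alerts,
        "evidence": f"{len(raised)} alerts raised, "
                    f"{len(acked)} tracked to incident tickets",
    }


# The control-to-automation mapping the post wishes for, in miniature.
CHECKS = {"AC-2": check_ac2, "AU-6": check_au6, "IR-4": check_ir4}


def build_control_status(events):
    """Run every linked check and return status keyed by control ID."""
    return {cid: {"title": CONTROLS[cid], **CHECKS[cid](events)}
            for cid in CONTROLS}


def render_ssp_fragment(status):
    """Serialise control status as a machine-readable SSP fragment."""
    return json.dumps({"controls": status}, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(render_ssp_fragment(build_control_status(SAMPLE_EVENTS)))
```

Run as-is it reports AC-2 and IR-4 as gaps (an account created without a change ticket, an alert never tied to an incident) and AU-6 as satisfied with the flagged source as evidence. In a real platform the checks would read from the SIEM or ITSM feed and the fragment would be written back into the SSP record for that control, which is the integration the post argues is still missing.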
I will continue my search for other solutions that can assist in SSP automation. These solutions are the missing piece in assisting the expansion of secure cloud services that must adhere to strict security compliance standards.