opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

FedRAMP Challenges #74

Open trevorbryant opened 4 years ago

trevorbryant commented 4 years ago

Currently, FedRAMP does not support a model for a full-SaaS solution.

After talking with FedRAMP PMO team, the following are identified:

  1. Vendors must over-scope controls in order to be "safe".

This is an inappropriate financial risk to solution providers. Each control requires budget to implement, and those companies with small budgets (awaiting Series B, etc) are unable to fairly compete with larger corporations.

  2. Misunderstanding of control inheritance.

Some control families are obvious, some are not. The PMO was under the impression that CSP SSPs provide clear guidance on CSP and customer controls. The guidance given to the PMO was misguided and not necessarily true. For example, not every solution using Azure can obtain Microsoft's SSP and a SaaS may not know what's inherited or not. Even if a CSP's SSP can be shared, the security strategy is for that CSP and not anything else. There's a lot of "figure it out" action, hence item 1. above.

  3. RFI and RFP Challenges

There are agencies providing RFIs or RFPs with requirements that a solution provider must be able to achieve a FedRAMP ATO when the contract is signed, or that sponsor only when close to ATO. This demonstrates that the agency lacks education on the services the FedRAMP PMO provides. The PMO stated that it is being brought into discussions with said agency(s) to explain FedRAMP services and move forward.

  4. Privacy Act, Public PII, and Confidentiality

The Privacy Act provides clear guidance on what is PII and what is not. The Act allows agencies to categorize what is called Public PII. The current FedRAMP model does not provide a way forward for Confidentiality levels that are Public PII and considered Low. This can remove the option for a SaaS to target a Tailored baseline (which is how I got into this mess in the first place).

  5. 3PAO

Quote shopping yields high costs for 3PAOs, which are a requirement for reaching the FedRAMP marketplace. 3PAOs cost in the 200-500k range, depending on the quality desired. Lack of regulation in the 3PAO competitive market means these fees absorb the majority of the costs that need to be planned and budgeted to achieve FedRAMP. This is (on average) a ~250-500% markup over traditional A&As, making FedRAMP the largest expense while providing less cost-effective security.

  6. Policy

Not a challenge with any SaaS, but FedRAMP in general. There is nothing at the policy level that requires any agency or solution provider to take the FedRAMP route. An agency can implement a solution into their own private GovCloud and further assess and authorize that system for use. The agency can provide its services internally or establish MOU/MOA/TIC to provide its services to other agencies, allowing for a more cost-effective security. Agencies today have this type of implementation already prior to FedRAMP.

The PMO acknowledges these items.

  7. Agencies Don't Know FedRAMP

A unique challenge discovered along the way is that not all agencies actually know what FedRAMP is or how it works. Some agency POCs are under the impression that the FedRAMP PMO authorizes the use of a service into the marketplace, or a service directly to that agency. The PMO only prepares the authorization package to the agency POC and the agency authorizes the use of that service.

shawndwells commented 4 years ago
  3. RFI and RFP Challenges

There are agencies providing RFIs or RFPs with requirements that a solution provider must be able to achieve a FedRAMP ATO when the contract is signed, or that sponsor only when close to ATO. This demonstrates that the agency lacks education on the services the FedRAMP PMO provides. The PMO stated that it is being brought into discussions with said agency(s) to explain FedRAMP services and move forward.

Huge, huge +1 on this. We (Red Hat) are currently undergoing FedRAMP Tailored for a SaaS offering and there is immense confusion/chaos behind getting a sponsor.

Contracts require having FedRAMP, however for products newly introduced into the market, there is a chicken-and-egg problem. Agencies believe services MUST have FedRAMP in order to use it, not fully understanding the Agency ATO path. Most have been under the impression sponsorship will cost them several million (!!) dollars.

Even when doing government-to-FedRAMP PMO conversations, agencies receive different messaging depending who in the FedRAMP PMO they speak to.

shawndwells commented 4 years ago
  5. 3PAO

Quote shopping yields high costs for 3PAOs, which are a requirement for reaching the FedRAMP marketplace. 3PAOs cost in the 200-500k range, depending on the quality desired. Lack of regulation in the 3PAO competitive market means these fees absorb the majority of the costs that need to be planned and budgeted to achieve FedRAMP. This is (on average) a ~250-500% markup over traditional A&As, making FedRAMP the largest expense while providing less cost-effective security.

FWIW, this has not been our experience with FedRAMP'ing Red Hat's SaaS offerings.

For FedRAMP Tailored, multiple quotes from the leading 3PAOs averaged 50-75k.

For FedRAMP Moderate (for the same offering), the quotes were generally 65-100k.

Our intent is to pursue FedRAMP Tailored to have something near-termish, then next year elevate to FedRAMP Moderate.

shawndwells commented 4 years ago
  7. Agencies Don't Know FedRAMP

A unique challenge discovered along the way is that not all agencies actually know what FedRAMP is or how it works. Some agency POCs are under the impression that the FedRAMP PMO authorizes the use of a service into the marketplace, or a service directly to that agency. The PMO only prepares the authorization package to the agency POC and the agency authorizes the use of that service.

:clap: :clap: :clap: yes. this! Many agencies are under the impression they will have to independently audit the FedRAMP offering (e.g. staff their own security control assessors). This was a significant impediment in finding agency sponsorship.

trevorbryant commented 4 years ago

Thanks for all your feedback. I really appreciate it. I'm glad I put all this out there.

FWIW, this has not been our experience with FedRAMP'ing Red Hat's SaaS offerings. For FedRAMP Tailored, multiple quotes from the leading 3PAOs averaged 50-75k. For FedRAMP Moderate (for the same offering), the quotes were generally 65-100k. Our intent is to pursue FedRAMP Tailored to have something near-termish, then next year elevate to FedRAMP Moderate.

Unfortunately, we haven't received those quotes. However, we contracted the top 3-5 on the marketplace list. I assumed that we were being taken advantage of as a small startup. Something interesting to note is that one particular 3PAO stated that they would not perform a target assessment for graduating from Tailored to Moderate. It would be a full-cost, full assessment, rather than the Moderate-specific controls only.

shawndwells commented 4 years ago

Thanks for all your feedback. I really appreciate it. I'm glad I put all this out there.

FWIW, this has not been our experience with FedRAMP'ing Red Hat's SaaS offerings. For FedRAMP Tailored, multiple quotes from the leading 3PAOs averaged 50-75k. For FedRAMP Moderate (for the same offering), the quotes were generally 65-100k. Our intent is to pursue FedRAMP Tailored to have something near-termish, then next year elevate to FedRAMP Moderate.

Unfortunately, we haven't received those quotes. However, we contracted the top 3-5 on the marketplace list. I assumed that we were being taken advantage of as a small startup. Something interesting to note is that one particular 3PAO stated that they would not perform a target assessment for graduating from Tailored to Moderate. It would be a full-cost, full assessment, rather than the Moderate-specific controls only.

I ended up going with Coalfire. Mostly for their brand. Slightly more expensive than others, but the differences between all the 3PAOs were +/- $10k of each other. We bundled in the FedRAMP Tailored to FedRAMP Moderate Uplift Assessment... but "uplift" is slightly misnamed. It's a targeted assessment vs "let's audit only the control deltas."

trevorbryant commented 4 years ago

@shawndwells I wanted to think about this a lot more before responding so that I'd have a more productive response.

What I really enjoy about the United States Postal Service (USPS) is that it unintentionally regulates the costs of United Parcel Service (UPS) and FedEx. I could pay for better protective shipping with FedEx, or I could guarantee that my holiday season gifts arrive on time with UPS. But if I wanted to pay less money for a similar outcome, I could use USPS. It may arrive bent, broken, or bruised via USPS, but under FISMA I would be able to achieve service delivery by the most cost-effective route.

That's just not what FedRAMP provides today. But it should.