Achieving FedRAMP Authority to Operate (ATO): Phase 2 - Select and Tailor Security Controls

Preparing for the FedRAMP Authorization to Operate (ATO) process in the early stages involves laying the foundation for successful compliance. In phase one we covered some critical tasks organizations must complete to properly prepare, including:

  • Consider your offer: make sure you have a thorough understanding of the offer, its audience, its functionality, and all possible use cases.
  • Categorize your system to determine your security control baseline.
  • Identify the system boundaries, components, data flows, and any third-party services or dependencies.
  • Evaluate your resources: does your organization have staff members available to dedicate the necessary time and effort to the FedRAMP process?

After taking these initial steps to prepare for FedRAMP ATO, the next phase is to select and tailor your security controls.

"Controls" refer to the specific security measures outlined by the National Institute of Standards and Technology (NIST). NIST's comprehensive Special Publication 800-53 (currently in revision 5) serves as the authoritative resource for security and privacy controls applicable to federal information systems.

2.1 Understanding Unique Requirements

Unique security controls and requirements for FedRAMP include those tailored specifically for Cloud Service Offerings (CSOs) and systems operating in cloud environments. These controls address the risks specific to cloud computing and aim to ensure the security and privacy of federal information processed, stored, and transmitted by cloud services.

2.2 Get the Sponsor Involved

If a Cloud Service Provider (CSP) has a sponsor, it is crucial to involve that sponsor early when selecting security controls and impact levels for a system undergoing the FedRAMP Authorization to Operate (ATO) process. The sponsor typically has a deep understanding of the business context and mission requirements of the system. They can provide valuable insight into the criticality of the system, the sensitivity of the data it handles, and the potential impact of security incidents on business operations. Additionally, the sponsor can help ensure that the selection of security controls and impact levels aligns with organizational objectives, priorities, and risk tolerance. They can advise on which security requirements are most critical for achieving organizational goals and maintaining operational continuity, and they may also have additional requirements tailored to their environment.

2.3 Gap Analysis

Now that you have determined the appropriate impact level, reviewed the unique requirements, and received feedback or guidance from the sponsor, it is time to perform a thorough gap analysis.

There are 18 control families contained in each baseline. As the baseline impact level increases, so does the number of controls. Assessing your organization's current state of compliance begins by comparing your existing security controls, policies, procedures, and documentation against at least the 6 major control families as outlined in each FedRAMP security controls baseline. However, it is recommended that a gap analysis be performed against all families.

For each of the control families you will want to:

  1. Review the documentation – This includes a review of documented policies, procedures, and roles and responsibilities, as well as any applicable plans, including configuration management plans, incident response plans, system security plans, and any other related documentation.
  2. Verify implementation – This includes confirming that security controls are implemented as required by FedRAMP. Examples of requirements include access control mechanisms, change management, password policies, Multi-Factor Authentication (MFA), incident response, audit log management, cryptographic protections, and physical access.
  3. Assess the effectiveness – Testing controls against different scenarios will help you determine whether they are actually effective in protecting your assets and data, rather than merely documented.

2.4 Provide Solution Engineers Detailed and Ample Information from the Gap Analysis

Taking the time to be exhaustively detailed when performing your gap analysis is critical for remediation efforts. Providing solution engineers with as much detail as possible empowers them to make informed decisions, prioritize remediation work, and contribute effectively to improving the organization's security posture and compliance readiness.