Just like I did for FISMA, I wanted to review the Federal Risk and Authorization Management Program Security Controls (FedRAMP) current release and provide you with my view of it. They indicate the purpose of the document is to “list the security controls and corresponding enhancements that Federal Agencies and Cloud Service Providers (CSP) must implement within a cloud computing environment to satisfy FedRAMP requirements”. They stated that “the controls were selected to address the unique risks of cloud computing environments, including by not limited to: multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust.” I have broken it into specific categories below. It is also broken into the control number and name, control baseline, control parameter requirements, and additional requirements and guidance. They also indicated that it is designed to go with NIST SP 800-53 rev 3. Now compared with FISMA, FedRAMP was completely spelled out in an excel sheet… no creative writing on their part. And when it comes down to it… a completely different message and path of possibly getting to the same place. FISMA provides guidance and FedRAMP provides controls.
If we stick with FISMA as a relationship guideline, we can say that FedRAMP is the “most haves” for any relationships. For instance, I don’t want to be in a relationship with a guy unless he is 5’10” or taller, blue eyes, dark hair, and can make me laugh (just to clarify, these aren’t actually my requirements… exactly). Now where is that “same place” that these entities were trying to get to? In opinion these documents were implemented in order to progress movement into the cloud and make users feel better getting there. The question becomes which way are you helping entities. Are you educating them so that they feel better or are you educating them by telling them you must have capabilities and not really explaining why? Personally I believe in educating people and not just telling them how it should be or what you must have. Are there any exceptions to the controls or is it this way or nothing? A prime example is auditable events, AU-2(4) indicates a requirements of “the service provider configures the auditing features of operating systems, databases, and applications to record security-related events, to include logon/logoff and all failed access attempts”. That’s it? No other events?
Don’t get me wrong, anything that promotes movement into the cloud and anything that helps people with that process is great in my eyes. No matter whether they guide you or tell you exactly where to go, documents like these are necessary. I just question the method by which we get people there. I believe in simplicity, I believe that you need to educate those that are on the journey but this is not easy. I mean the NIST document is 237 pages… that is not simplification. How does 237 pages of ONE document help us? This isn’t a relationship guide, this makes me want to stay single the rest of my life.
1.1 : Access Control (AC)
1.2 : Awareness and Training (AT)
1.3 : Audit and Accountability (AU)
1.4 : Assessment and Authorization (CA)
1.5 : Configuration Management (CM)
1.6 : Contingency Planning (CP)
1.7 : Identification and Authentication (IA)
1.8 : Incident Response (IR)
1.9 : Maintenance (MA)
1.10 : Media Protection (MP)
1.11 : Physical and Environment Protection (PE)
1.12 : Planning (PL)
1.13 : Personnel Security (PS)
1.14 : Risk Assessment (RA)
1.15 : System and Services Acquisition (SA)
1.16 : System and Communications Protection (SC)
1.17 : System and Information Integrity (SI)