EFS has been providing fully outsourced services to the Federal Government since 2003, two years before NIST Special Publication 800-53 was adopted as the standard for assessing the controls required for FISMA compliance. When NIST SP 800-53 was adopted, NASA's FIPS 199 categorization of the data managed by EFS was MODERATE for internal and external data and HIGH for the 99.995% availability required for www.nasa.gov. Under the new standard we agreed to have our service defined as a System under which we provided hosting, application development, application operation and maintenance, software and support for enterprise users, and delivery of all content and streaming.
As a System provider, EFS is responsible for the management, certification, and accreditation of the security of the entire system, including our subcontractors. This leaves NASA to validate our Certification and Authorization (C&A) packages, to own only those controls required to fully maintain the FISMA level (i.e. meeting data categorization, PII, and application compliance requirements), and to monitor continuous compliance. These were generally policy-related controls covering NASA's responsibility to use our services in such a way that our security model remained complete.
FedRAMP Cloud Broker
With the release of NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, we quickly recognized the similarities between our System approach at NASA and the proposed role of the Cloud Broker within the Reference Architecture. We have adapted our existing model to fit within this Architecture and are actively working to promote it as a full-service cloud broker: one that not only manages the contract, billing, and business relationship with the Cloud Service Providers (CSPs), but also provides all of the security controls not provided by each of the CSPs, which we call Extended Security.
Under the FedRAMP Joint Authorization Board (JAB) charter, the provisional authorization granted by the JAB to a cloud service provider is only an initial approval; individual agencies such as NASA must then make a risk-based decision in granting an Authority To Operate (ATO). With our approach we integrate all of the CSPs holding Provisional ATOs into one view under a Broker Provisional ATO, further simplifying the Agency's ATO assessment process. The Agency thereby benefits not only from the streamlined CSP security of the "Certify Once, Use Many" FedRAMP model, but also from a streamlined assessment of the Cloud Broker's entire service offering. Placing our proposed model in the context of the NIST Cloud Computing Reference Architecture's conceptual FedRAMP model, EFS, as the Cloud Broker, will provide:
Service Intermediation: By providing Cloud Management and Security, including Business Support, Provisioning and Configuration, and Extended Security, we directly enhance the service delivered to service consumers, essentially adding value on top of a given provider's service and making it more usable for our enterprise service consumers.
Service Aggregation: By combining the services of multiple CSPs we ensure that data, account management, security, and support are combined across all component services and integrated seamlessly to meet the complex requirements of the service consumers. In doing so, we also maintain portability and interoperability, ensuring the secure movement of data between the service consumer and multiple providers.
Service Arbitrage: The services we aggregate aren't fixed. Our intent is to provide flexibility, innovation, and opportunistic choice of the best solutions from multiple providers at the best cost, a choice that will certainly change over time, and even to replace our own aggregation solution components when better ones are offered by others.
The advantages of our approach are:
Cost Savings: Our Cloud Broker model further streamlines the "Certify Once, Use Many" Provisional ATOs of the present FedRAMP model by making the broker the provider of the additional controls that would otherwise have to be supplied by each Agency using the CSP services, thereby avoiding duplicated security costs. In addition, by aggregating multiple providers' cloud components and ensuring interoperability among them, we can optimize the cost, security, and service level provided to our service consumers.
Greatly Simplified On-Boarding: The Agency's process for on-boarding applications, web sites, and people to our blanket-ATO broker service offering is greatly simplified. The requirements for using the entire suite of services are covered in On-Boarding Agreements that specify the rules and procedures each user, application owner, or group must follow to live within the secured system.
Improved Overall Security: Using our Cloud Broker service gives the Agency the benefits of our global 24x7 Security Operations Center (SOC), which has visibility of security threats, incidents, etc. across the entire range of services. Our offering includes longitudinal tracking of threats, people, attacks, and incidents across all services for Security Incident & Event Monitoring (SIEM), including privileged access and SaaS user actions. Dynamic cyber threat detection is also provided, as well as APIs and/or GUIs for direct integration with Agency internal SOCs.
Improved Compliance Monitoring and Reporting: Compliance monitoring and management are maintained across the entire broker offering, including compliance up through the full stack of IaaS, PaaS, and SaaS, not just at the CSP-provided level. Monthly reports are provided that complement and simplify Agency reporting to OMB and other organizations.
Unified FICAM: FICAM-compliant two-factor authentication is managed uniformly across the entire service offering, with multiple roles (privileged access, application user access, etc.) for the same vetted identities. NIST SP 800-63 (Electronic Authentication Guideline) Levels of Assurance (LOA) are also supported for the entire offering.
Unified Software Assurance: Common, up-to-date tools for security code scanning, penetration testing, and Cross-Site Scripting (XSS) and SQL injection testing are provided across the offering.
Consider the number of companies that have applied for CSP approval and the fact that each of them provides only a limited set of security controls that do not cover all of those required for a FISMA Moderate service; the benefit of a cloud broker assuming responsibility, and the associated liability, for the entire set of controls becomes apparent. Under the CSP model, each Agency is responsible for providing the additional controls, which will likely differ for each CSP. The burden this places on each Agency will likely require a process as involved as the stovepiped security work done today on their internal environments. We believe the government should allow full-service brokers to assume responsibility for all security controls not provided by the CSPs they aggregate in their broker service offering. Their offering would then present a complete FISMA Moderate solution with all required controls in place, together with continuous monitoring, ongoing assessments, etc., to ensure the security of the entire offering. With this approach, each Agency would not have to sort through and manage all of the controls not provided by the CSPs whose services they use. With a Cloud Auditor also assessing the incremental controls provided by the broker, the integrity of the broker's entire service offering should give each Agency confidence that residual risks are minimal.