Cisco Umbrella just received In-Process status on its FedRAMP?journey. But when we hear "FedRAMP" do we really understand what it means? Is it just another mysterious techno-term or do we truly appreciate what it takes for a product like Cisco Umbrella to go through and complete the rigorous process required to receive the designation? Genuinely understanding FedRAMP is critical. So, let's pull back the curtain on this process so everyone can better understand its inner-workings, specifically-what it means for Cisco Umbrella to be In-Process and what needs to be done for FedRAMP completion.
The U.S. Federal Government has been promoting adoption of cloud computing since the Cloud First Policy[1] was first developed in 2011 by the Office of Management and Budget (OMB). The driver behind Cloud was to make information sharing easier, more accessible, and faster across federal agencies. Plus, to enhance communication between the federal government and its citizens.
The Federal Risk and Authorization Management Program (FedRAMP) is a program housed in the U.S. General Services Administration (GSA). It was developed to standardize the assessment, authorization, and monitoring of cloud computing services used by federal agencies. Vendors, Cloud Service Providers (CSPs), and federal agencies seeking to adopt cloud computing services need to be familiar with FedRAMP.
In a nutshell, understanding FedRAMP means realizing it standardizes the security risk assessment, authorization, and regular monitoring of cloud computing services used by federal agencies. It's important to note that:
Here is where Cisco comes in. As a vendor, we would like to get one or more of our products listed on the FedRAMP Marketplace. In this case, Cisco Umbrella. Currently, Cisco has FedRAMP Authorized, Ready, and In Process solutions (see the list) and we're continually adding to it.
There are two possible ways to authorize a Cloud Service Offering through FedRAMP. The first is through anIndividual Agencyand the second through theJoint Authorization Board (JAB). For Cisco Umbrella, we chose the individual Agency route, which requires an Agency Sponsor. The United States Federal Communications Commission (FCC) chose to be ours. The alternate way is the JAB Provisional Authorization. JAB is the primary governing body for FedRAMP and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA).
The first phase when using an Agency Sponsor approach is the Preparation phase. It consists of two steps: Readiness Assessment and Pre-Authorization.
Preparation Step 1: Readiness Assessment
For this step, Cisco chose a FedRAMP Ready designation, which is optional for the Agency Authorization process, but highly recommended. But it requires working with an accredited Third-Party Assessment Organization (3PAO) to complete a Readiness Assessment Report (RAR) of its service offering. This documents Cisco's capability to meet federal security requirements.
Preparation Step 2: Pre-Authorization
Cisco then formalized its partnership with the FCC via the requirements outlined in the FedRAMP Marketplace: Designations for Cloud Service Providers. We also prepared to undergo the complete authorization process, making any necessary technical and procedural adjustments to address federal security requirements and prepare the security deliverables required for authorization. During this stage, Cisco completed the following.
Cisco then held a Kickoff Meeting with the Agency Sponsor to discuss the following.
After successful completion of the kickoff, Umbrella was scheduled to be listed as In Process on the FedRAMP Marketplace.
Next up is the Authorization phase. It also consists of two steps: the Full Security Assessment and the Agency Authorization Process. This is where Umbrella currently sits within the FedRAMP process (as of May 10th2023) and will now move to the following.
Authorization Step 1: Full Security Assessment
A Third-Party Assessment Organization (3PAO) will perform an independent audit of the Cisco Umbrella system (completed by Coalfire). Prior to this step, the Cloud Service Provider should ensure that the Site Security Plan (SSP) is complete and has been reviewed and approved by the Agency Sponsor. During this phase, the Security Assessment Plan (SAP) will be developed by the 3PAO. The 3PAO will then test Cisco Umbrella, creating a Security Assessment Report (SAR) which details test results and any recommendation for FedRAMP Authorization.
Once the 3PAO is finished, Cisco will develop a Plan of Action and Milestones (POA&M) based on the SAR findings (with input from the 3PAO) which will outline a plan for addressing test findings.
Authorization Step 2: Agency Authorization Process
The Agency Sponsor will conduct a security authorization package review, which may include a SAR debrief with the FedRAMP Project Management Office (PMO). Depending on the FCC review results, Cisco remediation may be required. The Agency Sponsor will also implement, test, and document customer responsible controls during this phase. Lastly, the FCC will perform a risk analysis, accept any risk, and issue an Approval to Operate (ATO). This decision is based on the Agency's risk tolerance.
Once the Agency Sponsor provides the ATO letter for use of Cisco Umbrella, the following closes out this step:
The FedRAMP PMO will perform a review of the security assessment materials for inclusion into the FedRAMP Marketplace. The FedRAMP Marketplace listing for the service offering will be updated to reflect FedRAMP Authorized Status and the date of authorization. The security package will then be made available to agency information security personnel, to issue subsequent ATOs, by completing the FedRAMP Package Access Request Form.
Continuous Monitoring
Once it receives Authorized status for the FedRAMP Marketplace, Cisco Umbrella will enter the continuous monitoring phase. This consists of post authorization activities in support of maintaining a security authorization that meets FedRAMP requirements.
Post Authorization in FedRAMP
During the Continuous Monitoring phase, Cisco is required to provide periodic security deliverables (vulnerability scans, updated POA&M, annual security assessments, incident reports, significant change requests, etc.) to all agency customers. Each agency using the service will review the monthly and annual continuous monitoring deliverables. Cisco will also utilize the FedRAMP secure repository for posting monthly continuous monitoring material for ease of access and sharing with agency representatives.
Our team at Cisco is continually focused on getting Cisco Umbrella FedRAMP compliant. It has successfully navigated the required kick-off meeting with the FCC and is now listed as In-Process on the FedRAMP Marketplace. Cisco Umbrella will now begin the intense audits from the 3PAO, Coalfire, that are required during the Authorization phase's Step 1 -Full Security Assessment. Once completed, Step 2 -the Agency Authorization process, will begin. If all goes well, Cisco Umbrella will then be Authorized in the FedRAMP Marketplace. From there Cisco Umbrella will enter the Continuous Monitoring phase to meet the requirements to stay Authorized on the FedRAMP Marketplace.
As we now see, understanding FedRAMP, whether for Cisco Umbrella or any of our other FedRAMP solutions, means recognizing that it is indeed a rigorous and thorough process that is taken seriously by all stakeholders. By submitting our solutions to this process, we're helping federal agencies create a more secure cloud and helping government innovate for the future.
[1] The Cloud First policy was intended to accelerate the pace at which the Federal Government realized the value of cloud computing by requiring agencies to evaluate safe, secure, cloud computing options before making any new investments.