GovDelivery’s FedRAMP Journey
By Chris White, GovDelivery Information System Security Officer
Change is hard.
But changing to comply with FedRAMP has made us stronger. Last week, GovDelivery announced that the GovDelivery Communications Cloud platform achieved Federal Risk and Authorization Management Program (FedRAMP) compliance at the moderate level – the program’s highest level. (You can read more of the details here.)
We learned a lot about FedRAMP and compliance along the way, and came out of the process with a wealth of knowledge and experience. Today, we wanted to tell you a little bit about the FedRAMP process, and how we did it.
If you’re an agency just starting to look at what FedRAMP means, or if you’re a CSP looking to become FedRAMP compliant, you’ll soon realize that it’s a really big deal. In a nutshell, FedRAMP follows the NIST 800-53r4 standard and guarantees that there’s a specific, testable security baseline in place that has been reviewed by not only an independent auditor, but also by the Chief Information Officers of the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA), ensuring that there’s a great foundation in place. These three CIOs make up what’s called the Joint Authorization Board, or JAB.
Currently, only 21 companies in the world have completed the rigorous work required for compliance through the JAB, and when you dig into what changes are needed, you can understand why:
- Documentation: Write a thousand page System Security Plan (SSP) that documents everything you do, from how you physically protect your servers to the FIPS 140-2 certification number for every boundary device. In addition, formalize dozens of policies, standards, and procedures that cover everything in your boundary.
- Training: Create formal employee trainings that cover security awareness, incident response, disaster recovery, development, insider threat, and more, and ensure everyone is in compliance with these courses.
- Encryption: Encrypt all your data at rest and in motion and allow only FIPS 140-2 validated encryption modules into your boundary.
- Authentication: Enable multi-factor authentication not only on your customer applications, but also on every host within your environment.
- Logging: Centrally store all logs from every device in your environment.
- Security Scanning: Conduct monthly scans and create processes to analyze the findings so that you can ensure issues are being remediated within a specific timeframe for the JAB.
At GovDelivery, we started the journey back in 2013, not really understanding what was required. We threw together a quick SSP, wrote up some high-level policies, and thought we would breeze through the process.
We were wrong.
It’s not that a lot of companies aren’t already doing much of what FedRAMP requires. At GovDelivery, we already had a lot of the groundwork in place, at least informally. We required our employees to have strong passwords and had all of our web traffic encrypted long before FedRAMP required it. However in addition to the many different technical implementations that are required, FedRAMP also requires that you have repeatable and, more importantly, provable processes in place. It’s easy to say, “We patch systems monthly,” but do you have a way to not only prove that you do – but also that the patches were tested in lower environments and were properly approved by a change management process?
These repeatable processes require a shift in corporate culture. While in the past, it may have been acceptable to deploy new code immediately, the formalized processes require an organization to take a step back and have a holistic view of the infrastructure before making a change. You’ll initially be met with some resistance because change is hard, but over time it should be easy for everyone to see the benefits, not the least of which is a reduction in unplanned outages.
There’s also a lot of day-to-day changes that can be difficult to implement and can hamper both your internal workflow, as well as customer access.
- Multifactor Authentication: Passwords or SSH keys are not considered strong authentication factors because they can be stolen without your knowledge, so adding multi-factor authentication by way of a token, SMS message, or PIV/CAC card on not only your applications but also on each host connection can slow down your workflow.
- Web Encryption: Removing weak ciphers from your web servers is required, and improves the security of the data you’re transmitting on the web, but will effectively stop customers using older browsers from being able to use your system.
- Locked-Down Laptops: Having administrator rights on a laptop makes things easier for the end-user, but opens up avenues of attack for the bad guys and therefore has to be removed.
Fortunately, none of the FedRAMP requirements are show-stoppers, and it’s easy to see how most of the controls fit into the security puzzle to increase the confidentiality, integrity, and availability of the data.
But the fact is, there will be frustrations along the way from all of the changes that are required.
Security is Everyone’s Responsibility
It’s important for your company to realize that security isn’t just an IT problem – it’s an organizational responsibility. You need support for this mantra from the top levels of the organization, including the CEO, because no amount of technology will make you completely secure. At GovDelivery, we preach this message constantly and it’s permeated throughout our entire culture with everyone pointing out potential issues as they see them, whether it’s an unusual entry in a webserver log or a door to the office that doesn’t close quite right.
It’s just as important that your customers be part of the security conversation as well. FedRAMP assists in this by requiring the organization to provide documentation so that agencies understand their responsibilities. For example, we require that customers review and re-authorize the users they create on the system because we have no way to know when an employee leaves the agency.
What does it mean?
Does the FedRAMP authorization guarantee that GovDelivery is 100% secure and that data will never be compromised? No, and if any company makes that claim you should run away from them because they’re clearly lying.
What it does guarantee is that we have a mature security posture in place that’s based upon the industry-recognized NIST 800-53r4 standard. In addition, since GovDelivery went for a JAB approval, it means we’re working with the FedRAMP team on a monthly basis, that they’re reviewing our findings, and that we’re providing evidence that we’re fixing any issues that come up. It also means that we have the seal of approval from GSA, DHS, and DoD.
In summary, it took three years, a huge investment of money and staff time, but today, we’re proud to have achieved this significant milestone in GovDelivery history. When using GovDelivery technologies, you can now be more certain than ever that your information and data of your citizens’ is secure – and that’s what we’re all about.