FedRAMP - RMF Deficiencies

This post provides an overview of the RMF deficiencies affecting FedRAMP's approach.

DISCLAIMER: I write as someone who has worked with virtualization technologies since 2007 and who served as the Information Systems Security Officer (ISSO)/Security Engineer for one of the first government cloud systems to use a hybrid cloud deployment model in 2010, prior to FedRAMP being available to U.S. Government agencies. The information noted within isn't meant to denigrate or disparage the FedRAMP team, but rather to provide professional input based on years of hands-on experience securing government systems and performing assessments of multiple government environments in accordance with NIST and organizational-level guidance.

Fast forward seven (7) years since inception, and the FedRAMP team continues to ignore guidance from NIST and has failed to address key areas that are essential for the process to work. Like many government agencies, they have turned the NIST 800-53 controls into a checklist process, one that not only fails to address cloud computing risk on the architectural and engineering side of the house, but also fails to ensure that all CSPs understand the importance of an enterprise-level risk management process, whether it is based on NIST or other international standards. To make matters worse, government agencies sponsoring FedRAMP systems continue to foster implementation at Tier 3 without fully grasping the gravity of the risks that a CSP without proper enterprise risk management poses to all parties involved. The following provides an overview of the current deficiencies as they pertain to the RMF process, with extracts of the NIST guidance linked to each deficiency. Let's begin by taking a closer look at what NIST's publications say.

NIST publications, especially NIST 800-53, have always stated the following:

The security controls defined in the NIST 800-53 publication and recommended for use by organizations to satisfy their information security requirements should be employed as part of a well-defined risk management process that supports organizational information security programs.

This is further emphasized as follows:


Examining the above extract directly from the NIST publication, the following needs to be emphasized:

Information Due Diligence includes using all appropriate information as part of an organization-wide risk management program to effectively use the tailoring guidance and inherent flexibility in NIST publications so that the selected security controls documented in organizational security plans meet the mission and business requirements of organizations.

Risk Management Framework

FedRAMP abides by the NIST Risk Management Framework; however, it concentrates its process on Tier 3 (the information system) and fails to provide guidance to CSPs on Tiers 1 and 2 (the organization and its mission/business processes, per NIST SP 800-39). Tiers 1 and 2 are essential to successfully mitigate risk, even within a cloud environment. Failure to apply the framework correctly has led to:

  • Unnecessary and Bulky Compliance Paperwork
  • Unnecessary Expenses and Acquisitions
  • A False Sense of Security for all parties involved
  • Undiscovered/Unknown CSP Perimeter and Organizational Risks due to lack of an organization-wide Risk Management Process

While the above items aren't always obvious to many, they are to those of us who have spent many years securing and assessing government systems. But like everything else, facts are necessary. Let's just say... a few years back I was hired by a CSP to audit the work of a 3PAO organization that had been hired, after the initial assessment identified a high level of failures, to develop the documentation required to meet FedRAMP's process. In addition to auditing all of the work developed by the 3PAO organization, I was also tasked with performing a risk assessment. Since I was fully aware of the RMF process, I performed an enterprise-level assessment, and its findings led me to identify a high level of deficiencies across the CSP trying to be certified. But that's not all. The CSP, like many others, was simply creating the documentation (i.e., policies and procedures) to be applied only to the FedRAMP environment and not across the board. The deficiencies at the enterprise level were so many that even if they passed FedRAMP's checklist, the environment was still prone to a high level of deficiencies around the secured environment. This is depicted in the graphic below:


There's still time to address the deficiencies identified above. Certainly, the level of deficiency will differ from CSP to CSP, as it is organization specific, but the issue seems common among those who believe that applying FedRAMP at the program level alone is enough to protect the environment. That notion is wrong on many levels, because development of the architectural and security documentation, and access to the secured environment, start from within the organization's boundary. If the organization's boundary isn't protected properly, an attacker and/or insider can gain access to the secured environment.

At a minimum, it's essential to understand the underlying deficiencies of CSPs. This can be determined by leveraging the Cybersecurity Framework Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive), which provide a better picture of the ERA approach applied by the CSP to address the underlying security processes not covered at Tier 3.

What's the risk for CSPs and Government Agencies?

Failure to implement and integrate the Risk Management Framework organization-wide can have detrimental consequences for both the provider and the consumer. The biggest risks for all parties are:
  • costly legal litigation,
  • sensitive data and/or intellectual property leakage,
  • civil penalties that can impact both entities, and
  • damage to the image or reputation of the organization(s) involved.


It's highly advisable that anyone, not only CSPs, who is serious about limiting cyber attacks perform, at a minimum, an enterprise-level risk assessment identifying deficiencies that may impact not only the organization internally, but also the consumers and third-party service providers the organization relies on. This will provide a better picture of risk across the organization and a basis for deciding whether the organization is willing to accept the risks identified or should develop a plan to prioritize remediation.

Interested on learning more? Contact US via our site form at https://www.cyberadeptness.com 

NOTE: Due to security concerns, we limit our web content to bare bones. Please note that you will receive a response within forty-eight (48) hours or less.

By Karen Baez | on Monday, September 3 2018 04:29
