Agencies to Security Industry: Automate Cloud Compliance Faster

While it is a well-worn adage that the federal government is slow to modernize their IT environments, facts today are telling a different story. Not only are agencies the largest consumer of cloud solutions, Coalfire’s recent research shows that 33% more infrastructure as a service, platform as a service and software as a service cloud solutions were approved for government use in 2018 than the year before—and agencies are consuming them, spending 32% more year over year in 2018 across all cloud offering types. More than 150 government agencies are now using FedRAMP-authorized clouds, with 44 using 10 or more unique clouds. We predict this trend will continue. 

The move to cloud is likely a response to the government’s “Cloud First” policy initially announced by the Office of Management and Budget in 2011, which directs departments and agencies to utilize cloud-based computing solutions whenever possible. The Federal Risk and Authorization Management Program, better known as FedRAMP, is a chief enabler of this transformation, establishing cybersecurity requirements and a certification process for cloud service providers wishing to deliver solutions to the federal market. Today, the federal government is asking the industry to more aggressively employ automation in their FedRAMP compliance programs so that agency customers can adopt and consume cloud innovations even faster. 

In a recent House of Representatives hearing to discuss improvements to the FedRAMP program and proposed legislation—the FedRAMP Reform Act—designed to achieve that goal, agency officials urged the industry to adopt more automation in cloud compliance processes. “Opportunities exist to support [cloud providers’] understanding and implementation of security requirements in a more automated and cost-effective manner,” said Joseph Klimavicz, chief information officer at the Justice Department. 

But agencies are hardly alone in this desire for more automated processes. Cloud providers also want faster, more efficient FedRAMP compliance, and today, this is well in reach. The use of security automation and orchestration techniques—combined with new FedRAMP Third-Party Assessment Organization evaluation and engineering methodologies designed to leverage automation—have dramatically reduced the times required for cloud service providers to achieve FedRAMP authority to operate. Using these techniques, the traditional 12 to 18 months consumed on the path to ATO have been shaved to as little as six months. 

Automation can address more than just the FedRAMP compliance challenge, which can be considerable. Cloud service providers wishing to demonstrate “best-in-class” security posture often must juggle 15 or more additional regulatory frameworks on top of their FedRAMP obligations. With such a hefty load, traditional compliance assessment methods that involve manual sampling, interviewing and observing become painfully inefficient, scaling poorly to meet the reality of a compliance-focused, security- and privacy-conscious world. In addition, these traditional methods are becoming increasingly inadequate when evaluating the security of today’s cloud environments, considering the incredibly fast pace most cloud service providers deploy minor code changes and new features throughout the calendar year. Compliance automation can help providers, assessors and cloud customers alike respond to multiple pressures. 

While the concept of security automation is not new, using it to address compliance oversight and the entire security posture of an information system was, until recently, considered too expensive or unfeasible. The industry drive to automation and the rise of security concepts such as “security-as-code” have begun to change that thinking, leading not only to success stories about faster times to FedRAMP ATO, but companies increasingly realizing the benefits of freed-up employee time and economies of scale that come with leveraging automation to drive exponential increases in coverage and operational efficiency for the control implementations. Automation also provides near-real-time transparency to security issues, enabling near-real-time response, improving overall security.

Security automation in the cloud requires security and compliance teams at CSPs and at cloud customers alike to fundamentally rethink the way they approach their work. The FedRAMP concept of “do once, use many” is helpful if thought of in more ways than just a vision statement. Applying replicable concepts to reference architectures; thinking of every action and activity needed to keep an environment running as a snippet of easily duplicated code; looking to other cloud services to supply what previously would have been built manually – these are all ways that CSPs and their customers can begin to move toward the future of compliance. For CSPs with more direct interests in the FedRAMP program, embracing the agency push for automation will not only allow those early adopters to maintain their security and compliance in a more continuous manner, they will be able to more quickly demonstrate compliance for new services and with new regulatory frameworks in the future. 

Automation cannot replace people; it is designed to augment staff, who play an essential role in monitoring its activity and results. Just as few would be comfortable riding in a fully automated plane without a human pilot providing oversight, we need skilled professionals directing automated systems and overseeing its end-to-end functions.

This paradigm is expected to quickly become the new normal, but it requires a willingness to embrace compliance automation – and adopt a very different perspective than the compliance industry of the past. Either way, federal government customers and many other industry stakeholders are beginning to watch with great interest. The future of compliance beckons. 

Tom McAndrew is the chief executive officer of Coalfire.