
Hello, happy people. Thank you for coming. Welcome to Common Ground. If you haven't been here before, it's wonderful to see you. Just a few housekeeping things: I want to say thank you to our sponsors, Amazon, and I say blah blah blah blah, sorry. But anyway, a little housekeeping. We've all got cell phones and we don't want to hear any of them for the next hour, so please check them now and make sure they're silenced. Be respectful, blah blah blah. Also, feedback: we love feedback, so in the schedule on the website hit the feedback button and tell us what you think. And that's pretty much it. I don't want to stand in the way of two of my favorite people right here, Wendy Knox Everett and Shea Nangle, who will introduce themselves before I say embarrassing things about them. Take it away, guys.

Hi everyone, welcome to our talk about FedRAMP. We can all have a little PTSD here together if you've done FedRAMP before. If you haven't, and you're a SOC 2 person and you're interested in doing your uplift, we're here to give you lots of hints and tips and share the pain. So I am going to hand this off to Shea in a second, but we are delighted to be here. Thank you so much for coming to our talk.

Thanks, Wendy. Shea Nangle. I am currently a practice lead and director of audit services for Leviathan Security Group. I have been in security for about 15 years; listing all of the roles would require sitting over a drink for a long time or something. I've been working in FedRAMP since 2014. That picture was taken roughly 2013, and FedRAMP is one of the reasons why there's a lot more gray hair now. And I have the cutest dogs in the world, which Wendy is going to disagree with me on.

Yeah, I bring photographic proof in this slide. But hi, I'm Wendy. I'm CSO at a startup that works with a lot of healthcare information, but in a prior life I did a lot of FedRAMP. I also did a ton of SOC 2 work, so I'm going to be speaking mostly to the SOC 2 side of this. Both of us have done both of the audit programs, so we'll both speak a little bit to them, but I am here representing SOC 2. And that is my puppy dog, the little black and white one up there. Her name is Tally; she just turned a year old. She is a walking fuzzy cloud, as Mara Tam says. That is Truly on the left and Joey on the right. Joey is best described as if a raccoon was raised by a family of cats; that's what his behavior would be. And Truly, you can kind of see that picture is best described as a Chihuahua head transplanted onto a potato body. I love them dearly and they're clearly much cuter.

Cool. So who is this for? If you have ever done a SOC 2 Type 2 (I guess if you've ever done a SOC 2 Type 1, but it's going to be an even bigger uplift there), there's a federal agency that might be interested in your really cool whiz-bang product, you want to sell your cloud offering to, like, the Department of Transportation, the FBI, or so forth, you will need to go through FedRAMP.

So, as Wendy said, maybe you have an existing SOC 2 program and you're looking to achieve federal authorization, and the initial thought often, when you're dealing with competing programs like that, is "well great, now I have to start over from scratch." No. We will explain how. It is going to be a lot of work, but you can use your SOC 2 work as a lot of the foundational work for FedRAMP. So we'll talk, as Wendy said, a little bit about SOC 2 introduction, FedRAMP introduction, and then what exactly that uplift I mentioned is going to be, and then some strategies for achieving FedRAMP authorization and kind of reducing the pain level on that.

Cool. So I'm going to do a little bit of level-setting on SOC 2. How many people here have ever been through a SOC 2 audit of any kind? Okay, so this will be pretty basic; this is probably more for people who have no idea what we're talking about when we talk about SOC 2. There are these things called Trust Services Criteria: security, availability, and confidentiality are the most common ones, especially if you're in a cloud. Availability and confidentiality aren't quite gimmes, but they're pretty easy, relatively, and you can inherit a lot of that from AWS or your cloud platform. For getting the certification you have to implement controls that implement those Trust Services Criteria. So in security there will be some things that you have to put in place; in availability you have a couple more, and I'll go through those in a moment. And then you bring in an audit firm. It has to be a CPA firm that's licensed to give a SOC 2 certification. They will come in and make sure that you are actually following the controls that you say you follow. If you don't know how to build your own control set, they can help you build a control set, and you have to show that you had all these in place throughout.

And so I'm going to flag something a lot of people don't think about with SOC 2, which is that the scoping is up to you. So at my startup I am currently working with auditors to define what our scope is, and I would like it just to be AWS. We're going to leave user endpoints out because we don't allow health information to leave our AWS account, and so we define our scope there. It's up to us. I have to explain to the auditors why I think this is a valid scope, but I can dictate it. Keep that in mind when we come to FedRAMP, because, spoiler alert, it's a little different.

So in terms of defining your controls, this is something where you will sit down and look at the Trust Services Criteria. You can basically take the wording they have in that and change it from, like, "the entity does" to, like, "my company does this." A good auditor will be able to work with you. You can hire Shea to come in and help you build your control set. And you want to basically have controls that work with how your company actually works. I'm going to just flag that there's a difference between Type 1 and Type 2. Type 1 is a point in time: I've done these controls at least once, I could do them. Type 2, the auditor will look for timestamped evidence to show that the controls are continuously in place throughout the audit period.

So the security principle is really the biggest one. You have some flexibility in the pieces of it that you do, but there's some commonality. Like, you pretty much need to have a pen test. You need to be doing some vulnerability management. You can use Dependabot; I've used Dependabot for several SOC 2 audits, but you have to show why it's legit, essentially, to do most of your vulnerability management through that. You need to do incident response tabletops and so forth. But really, so long as you are checking enough of the boxes in the principles, your control set is pretty much written by you. Risk register and risk management is a huge part of SOC 2: do you know what the risks to your organization are, and is your management aware and briefed on them? There's a lot also of business controls here. Do you have a code of conduct for your employees? One that I like, because I have to comply with HIPAA, is I can show that we have a sanctions policy in place, and that gives me credit for my SOC 2 also. So that's more of an administrative sort of thing. SOC 2 wants to look at a well-run organization, and does management understand what is happening on the ground level. You have to show that you interview people when you hire them; you're not just pulling people off the street and bringing them in. You have to do performance reviews and so forth. And so the security principle is a little bit more than just "are you patching your machines and running an incident response program."

If you're on AWS, availability is a lot of pass-through. You just have to show that you know you can scale, show that you're doing some level of backups and restoration, usually using AWS tooling. There are a couple, these are the principles that you have to implement your controls for, showing that, you know, we measure our usage and we can handle surges if they're going to come, and we're forecasting our growth, and so management is not going to be shocked when next year we're like "oh yeah, we need to completely scale up our S3 usage."

Confidentiality is also another one that, if you're on a cloud provider, is almost an easy add-on. Easy because you are using their destruction of machines; you can rely on their SOC 2. If you open up a SOC 2 for someone who's on AWS and they've done the confidentiality principle, you see a lot of AWS controls listed, and so you're pulling from their SOC 2. And so the type of things that you are responsible for instead of the cloud provider is that, if your user endpoints are in scope, you need to show that you're destroying those, either through cryptographic destruction, where you change the password to FileVault or so forth, or getting them shredded by someone that gives you a certificate of destruction. And you have data classification in place and you know where stuff goes. So I have a data classification policy in place and I know that PHI can only go into certain HIPAA-approved systems within AWS, and I have to make sure that my engineers follow that and that I can enforce it and make sure it's being followed. So that is SOC 2 in, like, three minutes. If you have specific SOC 2 questions, we're going to touch on some of these a little bit more later, or you can come talk to us. But the meat of this is going to be FedRAMP, and so I'm going to give this to Shea.
Thanks, Wendy. So what exactly is FedRAMP? This will be kind of a breakdown of what it is, and a little history, a government history lesson as well. It was initially released by the US federal government in 2011, based on NIST 800-53, and it provides both a standardized assessment process for people looking to get authorized and a standardized authorization process. The idea behind both of those is that if you want to sell a product to, say, five different agencies, hopefully you don't have to get assessed five different times. The idea is that your initial authorization theoretically can be reused by other agencies that you're looking to work with. It's focused specifically on what the program refers to as cloud service providers, so selling a cloud-based offering to one or more federal agencies.

A couple of terms and organizations you will hear about and deal with in the process: the FedRAMP JAB is the Joint Authorization Board. I'll get into exactly what the Joint Authorization Board is in a little bit, so just kind of stay tuned on that. The FedRAMP PMO administers everything. And then you will eventually be dealing with one or more agencies through the process. So the FedRAMP authorization will give you the ability to provide services to one or more agencies. There are a couple of different paths that you can go: either what's called an agency authorization, which I'll explain details on, or what's called a provisional ATO, or authority to operate. Provisional ATOs are provided by the Joint Advisory Board. And then authorizing officials, or AOs, are basically the people that will sign off on your authorization.

So if you've looked at FedRAMP at all, you've heard about FedRAMP Low and Moderate and High, and a few other things that we'll get into later. That's referred to as the impact level, and it's really a measure of potential risk for the system. Determining impact level is done typically by the cloud service provider very early on in the process, using FIPS 199, looking at the CIA (not the intelligence community CIA, the CIA triad). You'll examine, for each one of those pieces, if a breach occurs focused on that particular item, what's the impact going to be, and FIPS 199 gives you some guidance on how to figure out what classifies as moderate and so on and so forth. One thing to note on that is you use the high-water mark. So if two out of those three you judge the impact as low and one is judged as high, you have to categorize the system as high impact.

I mentioned there were a couple of other things. I'll talk very briefly about FedRAMP Tailored. We're really focused on Low, Moderate, and High for the purposes of this talk. FedRAMP Tailored is for very low-risk systems that can't contain any PII, technically, and they can only be SaaS offerings. Technically, with FedRAMP Tailored you're required to follow all of the controls for FedRAMP Low; however, you can self-attest to the majority of them. There are between 29 and 51 that you will need to have an outside party validate your compliance with, and that's really dependent on a number of factors, in terms of things like where you are hosting the application, those sorts of things.

Wendy.

I'm going to hop in here, because I actually went from FedRAMP to SOC 2, and I did my first SOC 2 audit and I was like, "what is this nonsense where I get to tell you guys what my audit scope is?" That is not a thing that exists in FedRAMP land. If the systems have data that needs to meet a certain classification, congrats, that's in scope. There is no real wiggle room on that unless you could redesign your systems. It's mandatory. SOC 2, one of my friends always jokes that you could do a SOC 2 audit on a cocktail napkin if you really wanted to, if you really wanted to pay an auditor to do that for you. And then I'm going to turn over to Shea to talk about FedRAMP data in the US. I believe the answer is no, it doesn't have to be, but you're going to be in a world of pain.

Thanks, Wendy. Yeah, so this is a question I get a lot: do we have to have everything hosted in the US? If we're hosting with AWS, do we have to only use US availability zones, that sort of thing. The technical answer is no, you can host it anywhere. Specific agencies may have their own requirements about where it's hosted. And the other place that hosting location will figure in for FedRAMP is depending on the staffing used by your provider, as to whether or not they're US citizens. And again, there's a good deal of flexibility technically in FedRAMP on that, but individual agencies may have specific requirements about staffing as well.

And the other thing about FedRAMP is, I really hope you like paperwork. The FedRAMP PMO is taking some steps to provide some degree of automation for your assessment package and those sorts of things, but the general rule of thumb that I've experienced is about a thousand pages for all of your documentation for a moderate-impact system. A number of years ago I was working for a cloud service provider and we were putting our authorization package together. You'll often go through several revisions of it, and the sponsoring agency in question, who shall remain nameless, insisted on paper copies of the authorization package, in triplicate, for each revision. So every two weeks or so during the process I would go to my office with a rollerboard suitcase, I'd fill it up with binders, take the train into DC, drop it off at the agency, and then leave the agency with an empty suitcase. It's not at all sketchy. No, not at all.

So what if I told you FedRAMP is only the beginning? CMMC has been in the news a lot recently. It has been somewhat in flux. It is certainly not something instead of FedRAMP, but it handles somewhat similar, but different, materials, specifically for DoD contractors that are handling any sort of controlled unclassified information. It's based on NIST 800-171. In a lot of cases contractors can self-attest to compliance with that. As I said, it's been in flux; knock on, I think this is wood, knock on wood, that is settling down. I can certainly talk about that more after the talk or something like that if someone wants to. And the other piece that I want to talk about is what's referred to as FedRAMP Plus, which is used for cloud service providers that are going to be providing services to the DoD. You can look at that somewhat as an overlay on top of FedRAMP. The DoD doesn't really like it when you say "overlay on top of FedRAMP," but I'm going to go ahead and say it. It uses numbered impact levels. There is a reason why there's no level one and there's no level three: they merged levels and decided not to renumber; that's the short version. So impact level two is equivalent to FedRAMP Moderate; satisfying FedRAMP Moderate technically satisfies the requirements of impact level two. And IL4, again, there's a correspondence between that and FedRAMP High, or you can use something that satisfies IL2 and then add on specific controls related to CUI. And then it gets more and more rigorous as you go up to impact level six.

Can you touch on what MCI and NSS says? I don't remember what MCI is, and NSS is referring to national security information, basically. It is national security information, but in this context it's not yet at a classified level.

So, emerging from that little rabbit hole that I just took us down, we'll return to FedRAMP. I already talked about the paperwork burden you're likely to deal with. So talking about preparation, there's really two ways you can do that. You can run it yourself, if you have experience in the area; I think that's great. Mandatory disclaimer that I work for a professional services company, we do federal consulting, so I've a vested interest obviously in people getting outside assistance. It can be very valuable if you're limited in terms of resources and expertise. That's all I'm going to say on that.

So I mentioned before you have the Joint Advisory Board, which can issue you a provisional ATO, or you have an agency authorization. With the Joint Advisory Board issuing a provisional ATO, it doesn't specifically authorize you to work with any specific agencies. The idea is the Joint Advisory Board, which is made up of CISOs from various agencies within the federal government, that sort of thing, has evaluated your authorization package, has said "this looks good," and we're attesting to potential agency buyers that we think this is reasonable to use. There is also a program called FedRAMP Ready. There are a couple of different contexts you can use that in, and I'll get into that in just a second. That is not showing that you are fully compliant, but that an outside party has evaluated things and is confident you could make it through the FedRAMP process.

Rather than reinventing the wheel, I took this and the next slide from the FedRAMP PMO website. This is stepping through what the workflow is like for the JAB authorization process. So the JAB only selects a small number of CSPs to go through the process each year, so you have to basically make a business case to the JAB: here's why we should do this rather than an agency authorization. That is typically based on "whatever our offering is, it's likely to be utilized by a wide range of agencies within the federal government." You're then, under a JAB authorization process, required to get a readiness assessment, which is the FedRAMP Ready piece that I mentioned earlier. Once that's done, you're listed on the FedRAMP Marketplace as Ready, which can be used to talk to agencies about, you know, "we're moving along in the process." Following that, you will have a full security assessment. Security assessments are done by one of a group of licensed outside parties referred to as 3PAOs, third party assessment organizations. And you will then put together your security authorization package, which is that thousand pages for a moderate authorization I mentioned before. And then you'll go through the authorization process with the JAB, which is them evaluating your authorization package, communicating with you about any remediation you need to do, that sort of thing. And then you'll be listed as having a provisional ATO on the FedRAMP Marketplace, and then you move on to continuous monitoring. Put a pin in that; we'll come back to that in a little bit.

So for agency authorization, there's a lot of similarity here. One thing to call out is FedRAMP Ready is not required for an agency authorization. It is strongly encouraged. Back in my day, when I started FedRAMP, there was no FedRAMP Ready. Having gone through the authorization process multiple times, I would strongly encourage doing FedRAMP Ready, because not only is it going to demonstrate, as I said before, that there's some confidence you can make it through the process, but it also gives you a good indicator of where things stand for you and the sort of things you might need to implement, those sorts of things. So then, again, you'll go through a full security assessment. The security assessment for a JAB authorization and an agency authorization is identical; no difference there. And then, much like the JAB evaluating your authorization package, the initial sponsoring agency will do the same thing and then issue you an ATO, and then again you'll move on to continuous monitoring.

So looking at FedRAMP Low, there are roughly 125 controls in FedRAMP Low currently. I'm going to provide two examples here. So, a requirement that you provide incident response training to users in your organization: you get to pick how frequently you provide training, and you also get to pick how soon after they start in an appropriate role you have to provide training. I called out IR-3, which is incident response testing, to mention that for FedRAMP Low there's no requirement for incident response testing. This will come up in later slides. So as Wendy mentioned earlier, in a SOC 2 you're going to need to handle vulnerability management. You're still going to have to handle that, but it's more stringent, more rigorous in terms of the sort of things you need to do about vulnerability management. Again, same thing with monitoring and alerting: more rigorous requirements. And your access control requirements are kind of a step up from what the specific requirements are for SOC 2.

Moving on to FedRAMP Moderate, we have almost more than doubled the number of controls, and IR-3 is now in place and requiring you to be doing incident response testing. Again, you get to define the frequency, as long as it's at least annually, and you get to determine what sort of testing you want to do. One note here, as we've indicated, is if it's a JAB authorization, the JAB has to approve whatever your test plans are for that process. And we're starting to, then, with Moderate, get into a good deal of requirement for automation of processes. Moving on to FedRAMP High, we've jumped up to around 425 controls. Again, more rigorous. There's a lot more requirements for functional testing rather than tabletop testing, as we see in IR-3. Now the change has been you have to do testing at least every six months, and at least once a year you have to do functional testing. And again, if you're doing a JAB authorization, the JAB has to approve any test plans you're using. And I'm going to turn it over to Wendy.

All right, so I'm going to talk to you a little bit about how you go from a SOC 2 to FedRAMP. I'm going to warn you, it's a lot of work, especially if you've only done a SOC 2 Type 1. This is a huge amount of maturity uplift. SOC 2 is not the most prescriptive control framework out there. A good auditor will make sure that you're following good cloud security practices, but you can always justify to them, and depending on who the auditor is they'll give you more or less leeway with your control set. That's something that I talk a lot to organizations about, and when I interview auditors I will sometimes say, "I'm coming in with my own control set, and I am not an auditor, so I can't attest that these fully implement the cloud service or the CSPs, but, you know, I'd like to use my control set." Versus sometimes auditors will come in and be like, "this is what we need to see you doing before we are going to give you a SOC 2 certification." So that varies a lot. The idea with FedRAMP, the 3PAO, is this is much more standardized. Everybody knows what the controls are; you're not playing games with controls.

FedRAMP is government only, versus SOC 2, which really is an enterprise sales tool. You're doing that because you want to bypass vendor security questionnaires, or you have a sales contract requirement and so forth that you have a SOC 2 or an ISO 27000 certification. SOC 2 really looks at how your organization functions: are you briefing your board of directors, do the managers communicate goals down to your employees. FedRAMP doesn't completely ignore management, but it doesn't really care in the same way that SOC 2 does. So a lot of those pieces of evidence you collect for your SOC 2, like, I have to pull slide decks from the quarterly briefing of our CTO down to our developers to show what our goals are for the next quarter; I would never use those for a FedRAMP thing. Maybe for risk management a little bit, but it's not in the same way. Really, FedRAMP is very prescriptive on the technical side. For a SOC 2, I can decide if I'm going to do access control reviews only annually. I will tell you, when I get a SOC 2 report and it says that the reviews were only done annually, I've got a heck of a raised eyebrow. And when they say they had no security incidents over the last year, I'm going to do even more of a raised eyebrow at what their monitoring and alerting is, because SOC 2 says you need some but it doesn't tell you what. FedRAMP is going to be very, very strict about what happens there, and you need to show a much more rigorous sort of stuff there than you can do for a SOC 2. So it's going to be a big maturity uplift.
So about that government-only thing. FedRAMP is designed to be used by federal agencies, and it is officially, from the federal government point of view, limited to that. Once you have your authorization and you're looking to work with a new agency, they will request a copy of your authorization package from OMB MAX. Only existing agencies and their contractors can request that. So if it's a random private company you're trying to do business with, they can't request that. Okay, cool. All that said, you as a cloud service provider control that authorization package and you have your own copy of it, so if you're looking to sell the same sort of service to a private company, you're free to provide them a copy of your authorization package if you want, if it will facilitate the sales process. The one caveat there, going back to the issue of what data is being stored where: if you're in a situation where you're doing that, you're really going to want separate enclaves for data between your federal clients and your private industry clients.

Going down a very small rabbit hole here, there is something called StateRAMP, which is intended for cloud service providers looking to provide services to state and municipal governments. It is based very heavily off of FedRAMP. It's run by a non-profit organization rather than any of the individual state governments, that sort of thing. StateRAMP is very new; not every state uses it, and certainly not every municipality is going to use it.

So we mentioned continuous monitoring as being one of the big pieces with FedRAMP, and this is also one of the things that, in my experience, has tripped people up the most in terms of maintaining authorizations. Pre-2010, before they started developing FedRAMP, you would receive an authorization to operate, not through the FedRAMP program but from the individual agency, and three years later you would get assessed again and you would get accredited. Technically speaking, nothing had to happen in those three years. With the release of FedRAMP, they introduced the concept of continuous monitoring. So you receive an authorization to operate, and then there are a large number of controls that are related to how you are maintaining the system. Those need to be done on an ongoing basis. You need to provide updates on that on a monthly basis, depending on what the information is, and you also get periodic assessments. So the first two years after your initial authorization you get assessed against a sample of the applicable FedRAMP controls, and then in the third year you basically get an authorization assessment from scratch.

So what do you need to do with that? The FedRAMP PMO requires, within your authorization package, what's called a continuous monitoring plan that provides details on exactly how you're going to meet all of the requirements of continuous monitoring and how you're going to maintain that over the course of your authorization. Kind of high-level pieces you'll need to deal with there: vulnerability management, threat monitoring, and change control. You'll be reporting that, as I mentioned earlier, on a monthly basis. The other piece in there is what's called the POA&M, or plan of actions and milestones, and that's really listing all of the items where you're not compliant, where things need to be remediated, what the risk is, how you're going to remediate that, any compensating controls you have in place until you can get it remediated. And all of that will be reviewed on an ongoing basis by different parties, depending on which sort of authorization you have.

So our advice really is to start with FedRAMP Low. Low is a lot fewer controls. I totally understand Low, Medium, and High is basically driven by what data you have in your system from the agency, but if you have at all the flexibility, you want to start with Low. And you should have a pretty mature SOC 2 program. You need to already be automating your evidence collection. You need to be on the higher, stringent end of what's happening with your controls. Like, if you're still only doing annual access control reviews, you are not ready for FedRAMP, even FedRAMP Low. You need to have a pretty mature incident response program, have really dialed in your monitoring, your security monitoring program, and so forth, and you should know what sort of risks your business faces and be tracking them, and be doing more for vulnerability management than just, like, "oh, I just have Dependabot auto-merging and stuff." You're going to be very behind in the paperwork. And you need to have a pretty good pen test happening, so not just, you know, "oh, we hired Joe Hacker off the street to poke at our web app for 48 hours," because when the 3PAO comes in they have some requirements on how they're going to do the pen test and what they're going to be looking for. And to give a little bit of a look ahead: SOC 2 evidence collection varies a lot by the auditor, but it's usually, do you have screenshots where you're showing dates and so forth to show things happened. It's going to be a big change when you get in the room with the federal auditor. 3PAOs have a whole system that they are required to follow by the PMO.
so where does this leave us um we yes we were just talking about differences but we'll talk about similarities somewhat um at a high level both sock 2 and fedramp cover many of the same high-level areas um they both require you set up a an organized information security program and they both involve some third party assessing that program with differences obviously between a stock 2 auditor and a 3pao as as Wendy just described um other similarities I really hope you like Microsoft Excel because you're going to be living in it a lot um still definitely some differences um you know as we've talked about earlier at a high level they're they're definitely meant for very different
audiences um you know fed rank is much more prescriptive than uh sock 2 is um and uh we you know talked about kind of differences between the approach of a 3pao and a CPA auditor um and as Wendy described earlier um your evidence collection strategies are going to have to be very different between the two um a look so what happens a lot with the stock 2 for evidence especially in pandemic times um is I get a tool from the auditor and they have all my controls and they have an Evidence ask and I go collect screenshots and upload them their images I sometimes do screen share they sometimes capture them but mostly you're taking your own screenshots uh I would
love to see someone try that with a 3PAO; they'd be like "yeah, LOL, no." I haven't done a FedRAMP 3PAO audit since before the pandemic, so I'm not sure; I assume it's a little bit more virtual now, but they would want to sit in the room: demonstrate the process to me, can you take that screenshot, I'm taking that screenshot, let's get that log. They do not trust you to just upload your own screenshots; there are much more integrity-type controls that happen during the audit. Just one little side note on that: the first FedRAMP assessment I went through as a cloud service provider, there was at
least a week-long period where literally eight hours a day, every day, we were sitting in a conference room with the auditor preparing live screenshots, basically. So what are some of the strategies for achieving FedRAMP authorization? Prepare early, as we talked about. Given things like the paperwork burden we talked about and having to schedule the 3PAO, that sort of thing, what you don't want to do is be in a situation where you have an agency that says "we'd like to work with you but we need you to start in a month." It's not going to happen. Generally, FedRAMP Moderate is, if everything falls into place right,
about a year-long process start to finish. You want to identify resources that you have and resources that you need. This ties into what I talked about before in terms of: do you want this to be self-run, or do you want to bring in outside services to help you prepare and get through the process? If you're an organization that doesn't have a lot of available resources to cover that, you may want to explore that avenue. And look at what sort of mapping and crosswalk you can do of controls from SOC 2 versus controls from FedRAMP; there's a good deal of freely available information out there about that. I believe
the AICPA specifically has a SOC 2 to NIST 800-53 crosswalk that you can get for free. And then there may be some areas, but you're somewhat limited in this, in terms of whether there's any evidence you can reuse; some of it you can. There's a good deal of policy controls in FedRAMP; obviously the 3PAO is not going to ask you to write the policy on the spot, so you can use the same policy in most cases, if it's written properly, that you've been using for SOC 2. And with that, we are at questions.
So what is the strategy, or what would be the strategy, if you don't have a customer that's willing to wait a year, or you have a federal contractor who also is in a month-long or a six-month-long procurement cycle? How can you even go about getting started, etc.? So there are really kind of two answers to that question, depending on exactly who... oh sorry, the question was: if you don't have an agency identified, or you have an agency and they're like "well, we need it in six months" or something like that. What I'd advise in that case is going back and looking at FedRAMP Ready.
You've still got a good deal of work to do after FedRAMP Ready, but if you're in a position now with the former, where you don't have an agency identified, going through the FedRAMP Ready process will give you a good watermark of how much further you need to go, and you'll also be listed on the FedRAMP Marketplace as FedRAMP Ready, which can be used to communicate to agencies to say "we're not all the way there yet, but the 3PAO is confident we could make it all the way to whatever sort of authorization it is."
Say thanks for doing the presentation. What's the longest FedRAMP authorization you've been involved with, and what could have been done to smooth out the process? I'm guessing you may have a longer one... I might have a longer one. I came in in the middle, so I worked on some that were extremely extensive. Basically, most of the applications on the SaaS were already authorized and we were uplifting to High and bringing in some new ones; well over two years, I would say. I feel like I need to give Shea a shot of whiskey or bourbon before I really ask him; he has better war
stories than I do on some of these. But I guess Wendy actually wins on the longest one. I think the longest one that I've been involved with was about 18 months. It was a FedRAMP High authorization, but it was a relatively simple authorization in terms of the number of moving pieces, that sort of thing. And the other thing we didn't really talk about is: if you are hosting whatever service you're looking to provide on a cloud provider that already has FedRAMP authorization at the right level, you can actually leverage a large number of their implementations of the controls, which will then drastically
reduce, depending on how many it is, your applicable control set and make it a lot easier. In the case of the FedRAMP High authorization that I worked on that was about 18 months, that's one of the reasons we were able to achieve it in that sort of time frame.
All right, thank you for the talk, nice to see you both. Can you characterize the difference in ConMon between Moderate and High? What are the big uplifts to the ConMon process when you get to High? I will be completely transparent and say: not off the top of my head. There is a great deal of commonality there, and really the biggest differences are going to be less that you need a different ConMon program and more that there may be more controls applicable, but exactly what the delta is, I don't know off the top of my head. One thing that does sort of touch on that, and I'll say I don't know these numbers
off the top of my head: when you're authorized, you're allowed to have a certain number of essentially open POA&M issues, so maybe a patch is not applied, or a common one that I tell people to take is the requirement to lock out accounts when the wrong password has been put in 10 times. It's like, people will just go fuzz the sysadmin accounts, lock out the sysadmins, and then go do their nonsense, and so I'm like, you do not ever want to really be following that control in that way. And so there's only a certain number you can do, and the number that you can
have open at authorization affects the number you can keep open later, so you're sort of locked to a certain percentage of where you were at authorization. I'm going to make these numbers up, I don't remember the specifics: if you got authorized at five, you can never have more than seven open. And so ConMon is going to be doing that; you're going to have to patch things to keep your number of open issues below that seven number and so forth, and what that number is gets smaller as you go from Low to Moderate to High. So that feeds into it. The specific numbers I do not remember; I would have to look on the PMO
website for it. I also don't know the numbers, but one thing I wanted to add, in terms of the POA&M specifically: as I mentioned earlier, one of the goals with FedRAMP is for these to really be reusable authorizations, essentially. That said, as I talked about earlier, agencies are free to have different risk appetites, different interpretations of what they want, so one agency may say "these POA&M items are okay with the compensating controls you have in," and another agency may say "no, if we're going to give you an authorization, you have to fix these things before the authorization."
So my company doesn't do any business with agencies, but it does do a lot of business with, or tries to do business with, contractors that do business with agencies, and they ask us a lot, "oh, are..." We've had, or we've had, rapid client from this process: if we're not doing business with an agency there's no way we can be FedRAMP; no one would give us that certification. What should we do, and what are these contractors actually asking for, and what do they need from us? Yeah, so, and you're not in those... in IT or anything like that, correct? Sorry, what?
So "it depends" is the short answer, but you may well actually need a FedRAMP authorization. Abstracting this out a little bit, because Wendy talked about using SOC 2 in the sales process and for identifying a baseline, one of the other things you could look at doing, if it's determined that you don't actually need a FedRAMP authorization but you're getting these requests from customers, is to look at doing the StateRAMP authorization. While you're not necessarily looking to sell to state governments or that sort of thing, really anyone can go through that process.
It's hard to tell. The question was: could you go to the FedRAMP PMO or the JAB and say "we have this request, can we go through the FedRAMP process?" It's hard to tell. The other thing I will say, and this is kind of an end run, but you could go through the FedRAMP Ready process. Now, you're limited in how long you can maintain FedRAMP Ready, and it obviously doesn't give you the same degree of assessment, but because anyone can go through that with no sponsorship, you might be able to do that to provide some sort of demonstration to those clients that you
at least know what's going on with FedRAMP. So I'm going to throw out a really stupid idea: SOC 2 does give you a huge amount of flexibility of controls, and I know some people who got tired of doing HITRUST and did a SOC 2 with very HITRUST-y type controls. You can basically do a SOC 2 with 800-53 controls. It would be dumb, it would be a lot of overkill, you're not getting the same level of auditing. I mean, I'm sure there are auditors who would be happy to say "sure, we'll be super stringent," but that would be a dumb sales thing you could try to do.
Thanks a lot. We'll both be around for the rest of BSides, so if you think of anything later, please feel free to come find us. Thanks.