Friday, August 14, 2020
From Fuel Headquarters
Commonly referred to as FedRAMP, the Federal Risk and Authorization Management Program “is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.” In an effort to modernize IT, FedRAMP allows agencies to quickly adapt from old and insecure IT to “mission-enabling, secure and cost-effective cloud-based IT.”
FedRAMP primarily applies to groups or companies that are looking to sell a cloud services product to the federal government. Cloud service providers (CSPs) are able to apply for FedRAMP authorization for their cloud service offerings (CSOs) at Low, Moderate and High Impact levels. The Low Impact level consists of the LI-SaaS Baseline, which accounts for low-impact SaaS applications that don’t store personally identifiable information (PII), and the Low Baseline authorization. The Moderate Impact level accounts for roughly 80% of CSP applications and is for CSOs “where the loss of confidentiality, integrity and availability would result in serious adverse effects on an agency’s operations, assets or individuals” (FedRAMP, 2017). The High Impact level is for sensitive, unclassified data in the cloud environment such as life and financial information.
Prisma Cloud is a Palo Alto Networks cloud service offering that is currently in the process of becoming FedRAMP authorized. Once authorized, Prisma Cloud will be a Moderate Impact level cloud service offering.
Fuel recently spoke with Matt Chiodi, chief security officer of public cloud at Palo Alto Networks, to learn more about FedRAMP, authorization considerations and the process of getting Prisma Cloud FedRAMP authorized.
What considerations need to be taken when looking at becoming FedRAMP compliant?
It is not easy to become FedRAMP accredited. Before organizations even start going down the path of trying to get their FedRAMP accreditation, they need to go in with eyes wide open. What I mean by that is there is typically a large cost that comes with this and organizations need to make sure that if they are going after this, they at least have a ballpark estimate of what the cost might be upfront.
What should people be aware of in regards to timing for the FedRAMP authorization process?
Timing depends on what impact level you’re going after. Because Prisma Cloud was born in the cloud and we are a cybersecurity company, it has definitely helped. If you’re going after High Impact, there’s a lot of work you need to do to get there. Whatever impact level you’re going after, I recommend viewing the FedRAMP controls that are required for each impact level; before you even engage with anyone outside your organization, do your own assessment. Then you can understand how much work you need to do to get there. The other factor to consider is the complexity of the application that you’re trying to get FedRAMP accredited.
Currently, Prisma Cloud is in the process of becoming FedRAMP authorized. What does the timing of that process look like, and when did you start?
It’s been just about a year since we started kicking off the process. We are currently tracking for calendar year Q4. That is when we anticipate getting our authority to operate (ATO).
In your opinion, how can Prisma Cloud help organizations?
I think it can help with FedRAMP overall, but it can help the most by helping to address the FedRAMP continuous monitoring requirement. FedRAMP requires a multistep process where you have to look at how often you’re monitoring. It requires continuous evidence collected monthly, annually, every three years and on an as-needed basis after ATO is granted*. I believe this is where Prisma Cloud could very much help organizations because it is a comprehensive cloud-native security platform and we have broad security and compliance coverage.
For someone starting from scratch with FedRAMP, what advice would you give them?
If you’re going after FedRAMP, it’s a big project. Make sure everyone’s aligned and fully understands the costs and the timelines, because the process is going to touch every in-scope area of your platform.
*For the monitoring requirements and specifics Chiodi mentions, see the FedRAMP Continuous Monitoring Strategy Guide.