FedRAMP is Broken
(And here’s how to fix it)
Shea Nangle & Wendy Knox Everette
Shmoo 2024
What is FedRAMP?
Created in 2011 as a way for agencies to vet the security of cloud services (IaaS, PaaS, and SaaS products) for their internal use.
When Do You Need FedRAMP?
“It Depends”
● You should have it if you’re selling cloud services
● What happens if you don’t?
○ You get told you should move to FedRAMP
Program Goals
FedRAMP says their goal is to “Reduc[e] the time, cost, and effort associated with initial assessments of commercial cloud service offerings (CSOs)”
What about now?
OMB: “FedRAMP has worked well for that purpose, but the FedRAMP framework was built for a smaller job at a simpler time, and today’s cloud challenges are different. In the last decade, the security environment has become more complex, and the diversity of cloud services has grown dramatically.”
Who are we?
So let’s enumerate some issues
Systemic
• Do we even need FedRAMP?
• FedRAMP as it is or as it should be?
• Has FedRAMP met its goals?
Process
● Prepare
● Assessment
● POA&M
● Authorization
● Continuous Monitoring
● Repeat Forever
Ad break:
Wendy wrote a paper with some friends on why poorly written/evaluated compliance standards can lead to security issues
In the Real World
Microsoft skeleton key lifted from crash dump
• lacked complete logs of exfil because of log retention
• should have been expired but could be used
• was used by China to access State Department email
Have FedRAMP
I got more hacks for you
• CircleCI had customer data stolen
• “To date, we have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session.”
• malware on endpoint
• Have FedRAMP
https://techcrunch.com/2023/01/14/circleci-hackers-stole-customer-source-code/
Ok, let’s talk about controls
There’s a lot of them
https://events.afcea.org/AFCEACyber19/CUSTOM/pdf/safelogic_tl.pdf
Our friend FIPS
FedRAMP references “FIPS Publications 140-2,” despite 140-3 replacing it in September 2019.
Change them passwords
• IA-05(01) requires organizations to enforce password expiration policies that NIST SP 800-63 rescinded in 2017
• MP-05(04) outlines protection mechanisms for media, but it does not include protection mechanisms for keys or passwords used to encrypt the stored data.
• Sending passwords in cleartext emails or SMS would drastically reduce the efficacy of password-protected devices that have been intercepted by an adversary.
Tamper controls
• SC-08(01) mandates that systems enforce data integrity checks during transmission, but does not consider tamper controls against those checks
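As an added example (not from the talk, nor from any FedRAMP or NIST material), the following Python models the gap the bullet above points at: a bare checksum over data in transit detects accidental corruption, but a party that can alter the bytes in transit can also recompute the checksum, so the integrity check itself needs a tamper control. A keyed MAC (HMAC-SHA-256 here) under a key held only by the two endpoints is one such control. The payload, the key and the in-transit modification step are all constructed for illustration.

```python
"""Added example: unkeyed integrity check vs. keyed (tamper-resistant) check
on data in transit. Not from the talk; the payload, key and the on-path
modification step below are all constructed for illustration."""
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for both schemes

# Constructed sample payload standing in for controlled information in transit.
PAYLOAD = b'{"record":"42","classification":"CUI","amount":"1000.00"}'


def checksum_frame(payload: bytes) -> bytes:
    """Unkeyed integrity check: payload followed by its SHA-256 digest.
    Catches accidental corruption; anyone can recompute it."""
    return payload + hashlib.sha256(payload).digest()


def verify_checksum_frame(frame: bytes) -> Optional[bytes]:
    """Return the payload if its unkeyed digest matches, else None."""
    payload, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    if hmac.compare_digest(hashlib.sha256(payload).digest(), digest):
        return payload
    return None


def mac_frame(payload: bytes, key: bytes) -> bytes:
    """Keyed integrity check: payload followed by HMAC-SHA-256 under a key
    shared only by the two endpoints. This is the tamper control the bare
    checksum lacks."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_mac_frame(frame: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload if its HMAC tag verifies under key, else None."""
    payload, tag = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if hmac.compare_digest(expected, tag):
        return payload
    return None


def on_path_modification(frame: bytes, new_payload: bytes) -> bytes:
    """Model of an intermediary that discards the original frame, rewrites the
    payload and recomputes the only check it can compute: the unkeyed digest.
    It does not hold the MAC key, so a MAC-protected frame cannot be made to
    verify after modification."""
    return new_payload + hashlib.sha256(new_payload).digest()


def demo() -> dict:
    """Run both schemes against the same modification and report outcomes."""
    key = os.urandom(32)  # constructed shared key; never travels with the data
    modified = b'{"record":"42","classification":"CUI","amount":"1000000.00"}'

    plain = checksum_frame(PAYLOAD)
    keyed = mac_frame(PAYLOAD, key)

    return {
        # Bare checksum: original verifies, and so does the rewritten frame.
        "checksum_accepts_original": verify_checksum_frame(plain) == PAYLOAD,
        "checksum_accepts_modified":
            verify_checksum_frame(on_path_modification(plain, modified)) == modified,
        # Keyed MAC: original verifies, rewritten frame is rejected.
        "mac_accepts_original": verify_mac_frame(keyed, key) == PAYLOAD,
        "mac_rejects_modified":
            verify_mac_frame(on_path_modification(keyed, modified), key) is None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Both schemes append a 32-byte value, so the wire format is identical; the only difference is whether the check can be regenerated by someone who does not hold the key. That is the distinction between "enforce an integrity check" and "protect the integrity check from tampering" that the control text leaves open.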
Warning, this system…
• AC-8: SYSTEM USE NOTIFICATION requires a message to users about system use limitations…
• …meanwhile SC-13 doesn’t really say anything about customer-specific encryption keys
• We have Opinions on which one of those is a useful security control…
Encryption, yo
• Loopholes that permit direct access to encryption keys and passwords could allow nation-states to bypass privacy controls… and are HSMs required?
Scanning
RA-05(01) mandates the use of vulnerability scanners and SI-03 mandates the use of malicious code scanners. Both solutions should be FedRAMP compliant and would require privileged access to data and systems to perform their intended functions.
Access Control
• AC-04 controls information flow between interconnected systems but provides for local-network transmission of unencrypted controlled information
• AC-01 and AC-03 allow an organization to develop its own access control procedures and policies. These serve as the basis for most other controls within FedRAMP.
Use of data
• Privacy risks: None of FedRAMP’s encryption controls prohibit business access to private data, or use in, say, targeted advertising
Why are problems?
• “compliance standards are often presented as a proven metric for improving security” (Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security Standards)
• Concerns about specific technologies: can be not a good fit for some programs; can get outdated; may force companies to buy $$ tooling. OTOH, without enough guidance people will ignore important aspects of security programs
• Damnit, FIPS 140-2!
Why are more problems?
• Your 3PAO is financially incentivized to work with you, at the end of the day. You’re paying them.
What about more?
• Security is very complex currently, implicit trust
• Is it ok to leverage another CSP’s FedRAMP authorization?
• AWS/Azure/GCP are MAGIC!
• Hosted enclave all the things?
Resources & Maturity
• You need $$$ / You need resources
• Is the barrier to entry a problem?
Why doesn’t Tailored fix some of these?
Is inertia an issue?
• Rev4->Rev5
• Rev5 published Sept 2020
• As of May, 2023:
  • In planning: use rev 5
  • Under contract, can use rev 4 until Sept 1, or issuance of ATO/PATO - need to ID delta between r4 & r5 & document plans to address in SSP/POAM
  • In conmon: by Oct 2 need to update plans based off leveraged SSP information, but can use whatever SSP has as schedule for implementation
  • For CSPs w/ last assessment Jan 2, 2023 - July 3, 2023: have 1 year from last implementation to complete implementation & testing
  • July 23 - Dec 15: complete all implementation & testing no later than following annual assessment
More inertia
• Should we revisit IA-05(01) in light of NIST guidance?
• “Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];”
POA&M
• What is POA&M meant to do
  • Document why issue cannot be resolved, mitigated
  • AO must approve
Are there POA&M problems?
• Huge amount of paperwork / large time burden for maintenance
• What happens if AO doesn’t approve?
• What happens if AO1 approves, but AO2 does not?
One Stop Shopping/Repeatable?
Should GovCloud be a Thing?
• OPM says “FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated infrastructure for Federal use”
• Neither of us think this is remotely realistic.
Are there fixes?
Some patches
• Ditch FedRAMP
• Overhaul FedRAMP
• Incremental Improvement
Fixing things…
• Specific fixes
• We can have ideas, but rev 4 to rev 5 shows us that change is slow
Some suggestions
• Require not always the same 3PAO
• Require that it be a one-stop shop
• Reduce barriers to entry
  • Cost
  • Paperwork
POAMs
• Make POA&Ms actually work
• Make POA&Ms not suck the lifeblood out of you
  • Huge amount of time for maintenance
ConMon Improvements
● Should be single repository
● Opportunities for automating reporting
● AO can be unreasonable about patching unexploitable issues
Tailored
● Make Tailored more useful?
● Lessons learned from Tailored for other levels?
Faster Iterations on Control Tweaks
• But how to control the chaos?
• Admin law problems
Questions?

More Related Content

Similar to FedRAMP Is Broken (And here's how to fix it)

Jason Nelson_Rapid AWS Service Enablement.pdf
Jason Nelson_Rapid AWS Service Enablement.pdfJason Nelson_Rapid AWS Service Enablement.pdf
Jason Nelson_Rapid AWS Service Enablement.pdfAWS Chicago
 
Securing the Office of Finance in the Cloud -- Separating Fact from Fiction
Securing the Office of Finance in the Cloud -- Separating Fact from FictionSecuring the Office of Finance in the Cloud -- Separating Fact from Fiction
Securing the Office of Finance in the Cloud -- Separating Fact from FictionWorkday
 
Anything as a Service - Factors to Consider
Anything as a Service - Factors to ConsiderAnything as a Service - Factors to Consider
Anything as a Service - Factors to Considersnewell4
 
Dpa sam ltrk-marts2013_arturs_lazdekalns
Dpa sam ltrk-marts2013_arturs_lazdekalnsDpa sam ltrk-marts2013_arturs_lazdekalns
Dpa sam ltrk-marts2013_arturs_lazdekalnsebuc
 
Secure Cloud Adoption - Checklist
Secure Cloud Adoption - ChecklistSecure Cloud Adoption - Checklist
Secure Cloud Adoption - ChecklistSecurestorm
 
You're Not Ready for Internal Cloud
You're Not Ready for Internal CloudYou're Not Ready for Internal Cloud
You're Not Ready for Internal CloudBMC Software
 
How a Salesforce CI/CD Suite Positions You as a Leader
How a Salesforce CI/CD Suite Positions You as a LeaderHow a Salesforce CI/CD Suite Positions You as a Leader
How a Salesforce CI/CD Suite Positions You as a LeaderAutoRABIT
 
Auditing in the Cloud
Auditing in the CloudAuditing in the Cloud
Auditing in the Cloudtcarrucan
 
ITAM UK 2017 ITAM Risks in Cloud Era Eric Chiu & Ian Scille
ITAM UK 2017 ITAM Risks in Cloud Era Eric Chiu & Ian ScilleITAM UK 2017 ITAM Risks in Cloud Era Eric Chiu & Ian Scille
ITAM UK 2017 ITAM Risks in Cloud Era Eric Chiu & Ian ScilleMartin Thompson
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The CloudPECB
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Brighttalk understanding the promise of sde - final
Brighttalk   understanding the promise of sde - finalBrighttalk   understanding the promise of sde - final
Brighttalk understanding the promise of sde - finalAndrew White
 
Six Things About "The Cloud"
Six Things About "The Cloud"Six Things About "The Cloud"
Six Things About "The Cloud"Peter Coffee
 
IEEE PHM Cloud Computing
IEEE PHM Cloud ComputingIEEE PHM Cloud Computing
IEEE PHM Cloud ComputingJoseph Williams
 
Why You (& Your Enterprise) Should Care About Shadow Clouds
Why You (& Your Enterprise) Should Care About Shadow CloudsWhy You (& Your Enterprise) Should Care About Shadow Clouds
Why You (& Your Enterprise) Should Care About Shadow CloudsStave
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...Robert Parker
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...Leif Davidsen
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb finalChristophe Monnier
 
5 Clear Signs You Need Security Policy Automation
5 Clear Signs You Need Security Policy Automation5 Clear Signs You Need Security Policy Automation
5 Clear Signs You Need Security Policy AutomationTufin
 

Similar to FedRAMP Is Broken (And here's how to fix it) (20)

Jason Nelson_Rapid AWS Service Enablement.pdf
Jason Nelson_Rapid AWS Service Enablement.pdfJason Nelson_Rapid AWS Service Enablement.pdf
Jason Nelson_Rapid AWS Service Enablement.pdf
 
Securing the Office of Finance in the Cloud -- Separating Fact from Fiction
Securing the Office of Finance in the Cloud -- Separating Fact from FictionSecuring the Office of Finance in the Cloud -- Separating Fact from Fiction
Securing the Office of Finance in the Cloud -- Separating Fact from Fiction
 
Anything as a Service - Factors to Consider
Anything as a Service - Factors to ConsiderAnything as a Service - Factors to Consider
Anything as a Service - Factors to Consider
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
Dpa sam ltrk-marts2013_arturs_lazdekalns
Dpa sam ltrk-marts2013_arturs_lazdekalnsDpa sam ltrk-marts2013_arturs_lazdekalns
Dpa sam ltrk-marts2013_arturs_lazdekalns
 
Secure Cloud Adoption - Checklist
Secure Cloud Adoption - ChecklistSecure Cloud Adoption - Checklist
Secure Cloud Adoption - Checklist
 
You're Not Ready for Internal Cloud
You're Not Ready for Internal CloudYou're Not Ready for Internal Cloud
You're Not Ready for Internal Cloud
 
How a Salesforce CI/CD Suite Positions You as a Leader
How a Salesforce CI/CD Suite Positions You as a LeaderHow a Salesforce CI/CD Suite Positions You as a Leader
How a Salesforce CI/CD Suite Positions You as a Leader
 
Auditing in the Cloud
Auditing in the CloudAuditing in the Cloud
Auditing in the Cloud
 
ITAM UK 2017 ITAM Risks in Cloud Era Eric Chiu & Ian Scille
ITAM UK 2017 ITAM Risks in Cloud Era Eric Chiu & Ian ScilleITAM UK 2017 ITAM Risks in Cloud Era Eric Chiu & Ian Scille
ITAM UK 2017 ITAM Risks in Cloud Era Eric Chiu & Ian Scille
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The Cloud
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
Brighttalk understanding the promise of sde - final
Brighttalk   understanding the promise of sde - finalBrighttalk   understanding the promise of sde - final
Brighttalk understanding the promise of sde - final
 
Six Things About "The Cloud"
Six Things About "The Cloud"Six Things About "The Cloud"
Six Things About "The Cloud"
 
IEEE PHM Cloud Computing
IEEE PHM Cloud ComputingIEEE PHM Cloud Computing
IEEE PHM Cloud Computing
 
Why You (& Your Enterprise) Should Care About Shadow Clouds
Why You (& Your Enterprise) Should Care About Shadow CloudsWhy You (& Your Enterprise) Should Care About Shadow Clouds
Why You (& Your Enterprise) Should Care About Shadow Clouds
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb final
 
5 Clear Signs You Need Security Policy Automation
5 Clear Signs You Need Security Policy Automation5 Clear Signs You Need Security Policy Automation
5 Clear Signs You Need Security Policy Automation
 

More from Wendy Knox Everette

Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Wendy Knox Everette
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Wendy Knox Everette
 
BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"Wendy Knox Everette
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019Wendy Knox Everette
 
Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018Wendy Knox Everette
 
SeaSec East: Green Locks For You & Me
SeaSec East: Green Locks For You & MeSeaSec East: Green Locks For You & Me
SeaSec East: Green Locks For You & MeWendy Knox Everette
 
Fingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides NovaFingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides NovaWendy Knox Everette
 
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Wendy Knox Everette
 
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...Wendy Knox Everette
 

More from Wendy Knox Everette (13)

Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
 
Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019
 
Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018
 
SeaSec East: Green Locks For You & Me
SeaSec East: Green Locks For You & MeSeaSec East: Green Locks For You & Me
SeaSec East: Green Locks For You & Me
 
Green Locks for You and Me
Green Locks for You and MeGreen Locks for You and Me
Green Locks for You and Me
 
An Encyclopedia of Wiretaps
An Encyclopedia of WiretapsAn Encyclopedia of Wiretaps
An Encyclopedia of Wiretaps
 
Fingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides NovaFingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides Nova
 
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
 
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
 

Recently uploaded

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

FedRAMP Is Broken (And here's how to fix it)

  • 1. FedRAMP is Broken (And here’s how to fix it) Shea Nangle & Wendy Knox Everette Shmoo 2024
  • 2. What is FedRAMP? Created 2011 as a way for agencies to vet the security of cloud services (IaaS, PaaS, and SaaS products) for their internal use.
  • 3. When Do You Need FedRAMP? “It Depends” ● You should have it if you’re selling cloud services ● What happens if you don’t? ○ You get told you should move to FedRAMP
  • 4. Program Goals FedRAMP says their goal is to “Reduc[e] the time, cost, and effort associated with initial assessments of commercial cloud service offerings (CSOs)”
  • 5. What about now? OMB: “FedRAMP has worked well for that purpose, but the FedRAMP framework was built for a smaller job at a simpler time, and today’s cloud challenges are different. In the last decade, the security environment has become more complex, and the diversity of cloud services has grown dramatically.”
  • 6.
  • 8. So let’s enumerate some issues
  • 9. Systemic • Do we even need FedRAMP? • FedRAMP as it is or as it should be? • Has FedRAMP met its goals?
  • 10. Process ● Prepare ● Assessment ● POA&M ● Authorization ● Continuous Monitoring ● Repeat Forever
  • 11.
  • 12. Ad break: Wendy wrote a paper with some friends on why poorly written/evaluated compliance standards can lead to security issues
  • 13. In the Real World Microsoft skeleton key lifted from crash dump • lacked complete logs of exfil because of log retention • should have been expired but could be used • was used by China to access State department email Have FedRAMP
  • 14. I got more hacks for you • CircleCI had customer data stolen • “To date, we have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session.” • malware on endpoint • Have FedRAMP https://techcrunch.com/2023/01 /14/circleci-hackers-stole- customer-source-code/
  • 15. Ok, let’s talk about controls
  • 16. There’s a lot of them https://events.afcea.org/AFCEACyber19/CUSTOM/pdf/safelogic_tl.pdf
  • 17. Our friend FIPS
    FedRAMP references “FIPS Publications 140-2,” despite 140-3 replacing it in September 2019.
  • 18. Change them passwords
    • IA-05(01) requires organizations to enforce password expiration policies that NIST SP 800-63 rescinded in 2017
  • 19.
    • MP-05(04) outlines protection mechanisms for media, but it does not include protection mechanisms for keys or passwords used to encrypt the stored data.
    • Sending passwords in cleartext emails or SMS would drastically reduce the efficacy of password-protected devices that have been intercepted by an adversary.
  • 20. Tamper controls
    • SC-08(01) mandates that systems enforce data integrity checks during transmission, but does not consider tamper controls against those checks
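Added example (not code from the talk, FedRAMP or NIST) illustrating the SC-08(01) point above: an unkeyed integrity check such as a trailing SHA-256 digest catches accidental corruption but gives no protection against deliberate modification, because whoever can rewrite the payload can recompute the digest. A keyed MAC (HMAC-SHA256 here) is the tamper control the slide says the control does not ask for: a valid tag cannot be recomputed without the key. The payloads, the shared key and the `modify_in_transit` helper are constructed for the demonstration.

```python
"""Unkeyed integrity check vs keyed MAC for data in transit (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed key shared by sender and receiver. In practice it is provisioned
# out of band (e.g. held in an HSM or KMS), never carried inside the message.
SHARED_KEY = b"constructed-example-shared-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for both digest and HMAC tag


def unkeyed_frame(payload: bytes) -> bytes:
    """Sender: append a plain SHA-256 digest as the integrity check."""
    return payload + hashlib.sha256(payload).digest()


def unkeyed_verify(frame: bytes) -> tuple[bool, bytes]:
    """Receiver: recompute the digest and compare. Detects corruption only."""
    payload, digest = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(payload).digest()), payload


def keyed_frame(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender: append HMAC-SHA256 over the payload under the shared key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def keyed_verify(frame: bytes, key: bytes = SHARED_KEY) -> tuple[bool, bytes]:
    """Receiver: recompute the tag under the key and compare in constant time."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), payload


def modify_in_transit(frame: bytes, new_payload: bytes) -> bytes:
    """Model an in-path party that rewrites the payload and refreshes the
    trailing SHA-256, which needs no secret. This is the 'tamper' case that an
    unkeyed check cannot distinguish from a legitimate message."""
    return new_payload + hashlib.sha256(new_payload).digest()


def demo() -> dict:
    """Run both schemes against the same rewrite and report what each accepts."""
    original = b'{"transfer": 100, "to": "acct-1"}'  # constructed payload
    altered = b'{"transfer": 100, "to": "acct-9"}'   # constructed rewrite
    results = {}
    # Unkeyed: the rewritten frame verifies, so the check is not a tamper control.
    ok, _ = unkeyed_verify(modify_in_transit(unkeyed_frame(original), altered))
    results["unkeyed_accepts_modified"] = ok
    # Keyed: the same rewrite cannot produce a valid tag without the key.
    ok, _ = keyed_verify(modify_in_transit(keyed_frame(original), altered))
    results["keyed_accepts_modified"] = ok
    # Keyed: an untouched frame verifies.
    ok, _ = keyed_verify(keyed_frame(original))
    results["keyed_accepts_original"] = ok
    # Keyed: a receiver holding a different key rejects even an untouched frame.
    ok, _ = keyed_verify(keyed_frame(original), key=secrets.token_bytes(32))
    results["wrong_key_accepts_original"] = ok
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a deployed system the keyed check normally comes from TLS or an AEAD mode rather than a hand-rolled HMAC; the point for a control author is that "integrity check" should mean a keyed one, and that the key then needs its own protection requirement, which is the same gap the MP-05(04) and HSM slides raise.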
  • 21. Warning, this system…
    • AC-8: SYSTEM USE NOTIFICATION requires a message to users about system use limitations….
    • ….meanwhile SC-13 doesn’t really say anything about customer specific encryption keys
    • We have Opinions on which one of those is a useful security control…..
  • 22. Encryption, yo
    • Loopholes that permit direct access to encryption keys and passwords could allow nation-states to bypass privacy controls….and are HSMs required?
  • 23. Scanning
    RA-05(01) mandates the use of vulnerability scanners and SI-03 mandates the use of malicious code scanners. Both solutions should be FedRAMP compliant and would require privileged access to data and systems to perform their intended functions.
  • 24. Access Control
    • AC-04 controls information flow between interconnected systems but provides for local-network transmission of unencrypted controlled information
    • AC-01 and AC-03 allow an organization to develop its own access control procedures and policies. These serve as the basis for most other controls within FedRAMP.
  • 25. Use of data
    • Privacy risks: None of FedRAMP’s encryption controls prohibit business access to private data, or use in, say, targeted advertising
  • 26. Why are problems?
    • “compliance standards are often presented as a proven metric for improving security” (Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security Standards)
    • Concerns about specific technologies: can be a poor fit for some programs; can get outdated; may force companies to buy $$ tooling. OTOH, without enough guidance people will ignore important aspects of security programs
    • Damnit, FIPS 140-2!
  • 27. Why are more problems?
    • Your 3PAO is financially incentivized to work with you, at the end of the day. You’re paying them.
  • 28. What about more?
    • Security is very complex currently, and relies on implicit trust
    • Is it ok to leverage another CSP’s FedRAMP authorization?
    • AWS/Azure/GCP are MAGIC!
    • Hosted enclave all the things?
  • 29. Resources & Maturity
    • You need $$$ / You need resources
    • Is the barrier to entry a problem?
  • 31. Is inertia an issue?
    • Rev4->Rev5
    • Rev5 published Sept 2020
    • As of May, 2023:
      • In planning: use rev 5
      • Under contract: can use rev 4 until Sept 1, or issuance of ATO/PATO - need to ID delta between r4 & r5 & document plans to address in SSP/POAM
      • In ConMon: by Oct 2 need to update plans based off leveraged SSP information, but can use whatever SSP has as schedule for implementation
      • For CSPs w/ last assessment Jan 2, 2023 - July 3, 2023: have 1 year from last implementation to complete implementation & testing
      • July 23 - Dec 15: complete all implementation & testing no later than following annual assessment
  • 32. More inertia
    • Should we revisit IA-05(01) in light of NIST guidance?
    • “Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];”
  • 33. POA&M
    • What is POA&M meant to do
    • Document why issue cannot be resolved, mitigated
    • AO must approve
  • 34. Are there POA&M problems?
    • Huge amount of paperwork / large time burden for maintenance
    • What happens if AO doesn’t approve?
    • What happens if AO1 approves, but AO2 does not?
  • 36. Should GovCloud be a Thing?
    • OPM says “FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated infrastructure for Federal use”
    • Neither of us thinks this is remotely realistic.
  • 38. Some patches
    • Ditch FedRAMP
    • Overhaul FedRAMP
    • Incremental Improvement
  • 39. Fixing things…
    • Specific fixes
    • We can have ideas, but rev 4 to rev 5 shows us that change is slow
  • 40. Some suggestions
    • Require that it not always be the same 3PAO
    • Require that it be a one-stop shop
    • Reduce barriers to entry
      • Cost
      • Paperwork
  • 41. POAMs
    • Make POA&Ms actually work
    • Make POA&Ms not suck the lifeblood out of you
    • Huge amount of time for maintenance
  • 42. ConMon Improvements
    ● Should be single repository
    ● Opportunities for automating reporting
    ● AO can be unreasonable about patching unexploitable issues
  • 43. Tailored
    ● Make Tailored more useful?
    ● Lessons learned from Tailored for other levels?
  • 44. Faster Iterations on Control Tweaks
    • But how to control the chaos?
    • Admin law problems