Bring your Shmoo Balls, we have some juicy opinions on how the federal government should vet cloud services. After going through the FedRAMP authorization process with multiple companies, we have grey hair, scars, and some things to say.
We’ll go through some systemic problems and flag some of those weird controls that have always bugged us, and then when we’ve finished airing our grievances we’ll dig into the tough stuff: what can possibly change? Should it change? Will r5 ever be fully adopted? Should FedRAMP continue to exist?
Shea Nangle is a Director at a cybersecurity consultancy. He has been involved with FedRAMP (as a consultant and working for cloud service providers) since 2014. In 2023, he was recruited for the position of FedRAMP Director but chose to stay in private industry.
Wendy Knox Everette is a software developer & hacker lawyer who is currently the CISO at a healthcare data analytics firm. She has co-authored a peer reviewed article on FedRAMP in IEEE Security & Privacy, as well as another reviewing other security issues caused by control frameworks in NDSS.
1. FedRAMP is Broken (And here’s how to fix it)
Shea Nangle & Wendy Knox Everette
Shmoo 2024
2. What is FedRAMP?
Created 2011 as a way for agencies to vet the security of cloud services (IaaS, PaaS, and SaaS products) for their internal use.
3. When Do You Need FedRAMP?
“It Depends”
● You should have it if you’re selling cloud services
● What happens if you don’t?
○ You get told you should move to FedRAMP
4. Program Goals
FedRAMP says their goal is to “Reduc[e] the time, cost, and effort associated with initial assessments of commercial cloud service offerings (CSOs)”
5. What about now?
OMB: “FedRAMP has worked well for that purpose, but the FedRAMP framework was built for a smaller job at a simpler time, and today’s cloud challenges are different. In the last decade, the security environment has become more complex, and the diversity of cloud services has grown dramatically.”
12. Ad break:
Wendy wrote a paper with some friends on why poorly written/evaluated compliance standards can lead to security issues
13. In the Real World
Microsoft skeleton key lifted from crash dump
• lacked complete logs of exfil because of log retention
• should have been expired but could be used
• was used by China to access State Department email
Have FedRAMP
14. I got more hacks for you
• CircleCI had customer data stolen
• “To date, we have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session.”
• malware on endpoint
• Have FedRAMP
https://techcrunch.com/2023/01/14/circleci-hackers-stole-customer-source-code/
16. There’s a lot of them
https://events.afcea.org/AFCEACyber19/CUSTOM/pdf/safelogic_tl.pdf
17. Our friend FIPS
FedRAMP references “FIPS Publications 140-2,” despite 140-3 replacing it in September 2019.
18. Change them passwords
• IA-05(01) requires organizations to enforce password expiration policies that NIST SP 800-63 rescinded in 2017
19.
• MP-05(04) outlines protection mechanisms for media, but it does not include protection mechanisms for keys or passwords used to encrypt the stored data.
• Sending passwords in cleartext emails or SMS would drastically reduce the efficacy of password-protected devices that have been intercepted by an adversary.
21. Warning, this system…
• AC-8: SYSTEM USE NOTIFICATION requires a message to users about system use limitations…
• …meanwhile SC-13 doesn’t really say anything about customer-specific encryption keys
• We have Opinions on which one of those is a useful security control…
22. Encryption, yo
• There are loopholes that permit direct access to encryption keys and passwords, which could allow nation-states to bypass privacy controls… and are HSMs required?
23. Scanning
RA-05(01) mandates the use of vulnerability scanners and SI-03 mandates the use of malicious code scanners. Both solutions should be FedRAMP compliant and would require privileged access to data and systems to perform their intended functions.
24. Access Control
• AC-04 controls information flow between interconnected systems but provides for local-network transmission of unencrypted controlled information
• AC-01 and AC-03 allow an organization to develop its own access control procedures and policies. These serve as the basis for most other controls within FedRAMP.
25. Use of data
• Privacy risks: None of FedRAMP’s encryption controls prohibit business access to private data, or use in, say, targeted advertising
26. Why are problems?
• “compliance standards are often presented as a proven metric for improving security” (Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security Standards)
• Concerns about specific technologies: can be not a good fit for some programs; can get outdated; may force companies to buy $$ tooling. OTOH, without enough guidance people will ignore important aspects of security programs
• Damnit, FIPS 140-2!
27. Why are more problems?
• Your 3PAO is financially incentivized to work with you, at the end of the day. You’re paying them.
28. What about more?
• Security is very complex currently, implicit trust
• Is it ok to leverage another CSP’s FedRAMP authorization?
• AWS/Azure/GCP are MAGIC!
• Hosted enclave all the things?
31. Is inertia an issue?
• Rev4->Rev5
• Rev5 published Sept 2020
• As of May, 2023:
○ In planning: use rev 5
○ Under contract, can use rev 4 until Sept 1, or issuance of ATO/PATO - need to ID delta between r4 & r5 & document plans to address in SSP/POAM
○ In ConMon: by Oct 2 need to update plans based off leveraged SSP information, but can use whatever SSP has as schedule for implementation
○ For CSPs w/ last assessment Jan 2, 2023 - July 3, 2023: have 1 year from last implementation to complete implementation & testing
○ July 23 - Dec 15: complete all implementation & testing no later than following annual assessment
32. More inertia
• Should we revisit IA-05(01) in light of NIST guidance?
○ “Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];”
33. POA&M
• What is POA&M meant to do
○ Document why issue cannot be resolved, mitigated
○ AO must approve
34. Are there POA&M problems?
• Huge amount of paperwork / large time burden for maintenance
• What happens if AO doesn’t approve?
• What happens if AO1 approves, but AO2 does not?
36. Should GovCloud be a Thing?
• OPM says “FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated infrastructure for Federal use”
• Neither of us think this is remotely realistic.
39. Fixing things…
• Specific fixes
• We can have ideas, but rev 4 to rev 5 shows us that change is slow
40. Some suggestions
• Require not always the same 3PAO
• Require that it be a one-stop shop
• Reduce barriers to entry
○ Cost
○ Paperwork
41. POAMs
• Make POA&Ms actually work
• Make POA&Ms not suck the lifeblood out of you
○ Huge amount of time for maintenance
42. ConMon Improvements
● Should be single repository
● Opportunities for automating reporting
● AO can be unreasonable about patching unexploitable issues
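To make the POA&M and ConMon-automation points of slides 33, 41 and 42 concrete, here is an added Python example (not code from the talk, from FedRAMP, or from any 3PAO tooling) that rolls scanner findings into POA&M rows using the FedRAMP ConMon remediation windows (High 30 / Moderate 90 / Low 180 days from discovery) and keeps items the AO has accepted as deviations separate from those still counting against a deadline. The Finding fields, status names and sample findings are constructed assumptions.

```python
# Added example, not code from the talk or from FedRAMP: roll scanner findings into
# POA&M rows for a monthly ConMon report. Windows follow FedRAMP ConMon guidance
# (High 30 / Moderate 90 / Low 180 days); field names and sample data are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}

@dataclass
class Finding:
    finding_id: str
    severity: str                      # "high", "moderate" or "low"
    discovered: date                   # first date the scanner reported it
    title: str
    deviation_justification: str = ""  # CSP's case that the item is not exploitable
    ao_approved: bool = False          # AO has accepted that deviation request

def due_date(f: Finding) -> date:
    """Scheduled completion date from the severity's remediation window."""
    return f.discovered + timedelta(days=REMEDIATION_DAYS[f.severity.lower()])

def classify(f: Finding, today: date) -> str:
    """A deviation stops the clock only once the AO signs off; until then it still counts."""
    if f.deviation_justification:
        return "deviation_approved" if f.ao_approved else "deviation_pending"
    return "overdue" if today > due_date(f) else "open"

def build_poam(findings: list[Finding], today: date) -> list[dict]:
    """One POA&M row per finding, in the shape a ConMon spreadsheet carries."""
    return [{"id": f.finding_id, "severity": f.severity.lower(), "title": f.title,
             "due": due_date(f).isoformat(), "status": classify(f, today)}
            for f in findings]

def conmon_summary(rows: list[dict]) -> dict:
    """Counts by status plus the overdue IDs that will draw the AO's questions."""
    by_status: dict[str, int] = {}
    for r in rows:
        by_status[r["status"]] = by_status.get(r["status"], 0) + 1
    return {"by_status": by_status,
            "overdue_ids": [r["id"] for r in rows if r["status"] == "overdue"]}

REPORT_DATE = date(2024, 6, 3)  # constructed ConMon reporting date
SAMPLE = [  # constructed sample findings for that cycle
    Finding("F-001", "High", date(2024, 5, 1), "Outdated TLS library"),
    Finding("F-002", "Moderate", date(2024, 2, 15), "Unpatched database minor version"),
    Finding("F-003", "Low", date(2024, 1, 10), "Banner discloses version",
            deviation_justification="Not reachable from outside the enclave"),
    Finding("F-004", "Moderate", date(2024, 5, 20), "Library CVE in code path never called",
            deviation_justification="Vulnerable path not compiled in", ao_approved=True),
]
```

Running `conmon_summary(build_poam(SAMPLE, REPORT_DATE))` shows the two overdue items the AO will ask about first, while the pending deviation keeps its deadline until the AO actually approves it.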