(Season One Episode 20) We've talked about the connection between CMMC and FedRAMP, now it's time to discuss what MSPs need to know about FedRAMP, while on their journey of CMMC. Bobby is joined by Karen Stanford to discuss this topic. With Karen's expertise on FedRAMP, she expresses her recommendations for the MSP community, when climbing the hill of CMMC.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:00] Welcome back, climbers. I'm your co-host Kaleigh Floyd, and this is another episode of Climbing Mount CMMC.
[00:00:11] In today's episode we're joined by Karen Stanford. Karen is a seasoned cybersecurity professional with over 20 years of experience.
[00:00:19] She is the president and founder of Arcstone Security, and she also holds the CMMC Provisional Assessor
[00:00:26] certification. She has extensive knowledge of conducting FedRAMP assessments.
[00:00:31] Bobby and Karen are diving into the topic of what you need to know about FedRAMP when tackling CMMC.
[00:00:37] We're so excited for you guys to join us, and we hope that you enjoy today's episode.
[00:00:42] Okay folks, we are joined again by Karen Stanford. If you didn't hear our previous podcast, we talked a lot about
[00:00:48] security protection assets and data, which are very controversial topics today.
[00:00:51] We're going to be talking about FedRAMP and the connectivity with CMMC.
[00:00:55] Now, if you're like me and you kind of got into this whole thing through the CMMC path because of the fact that I service clients that
[00:01:02] are going to require that,
[00:01:04] you know, a few years ago I realized that and I started getting involved in it,
[00:01:07] but I didn't quite know a lot, or much, about FedRAMP.
[00:01:10] And as I started getting into CMMC, I realized I needed to know this, and I thought, who better to bring on than Karen Stanford?
[00:01:17] So thank you for joining us again, Karen.
[00:01:20] So Karen, before we kind of get into that topic specifically,
[00:01:23] can you just kind of speak to the experience you've had with FedRAMP, for those who may not know you very well?
[00:01:28] Sure, so I was one of the very early members of the
[00:01:34] premier, I guess. You know, we always did the most FedRAMP assessments, but I started at Veris Group,
[00:01:40] which was the leading 3PAO assessor until they were acquired by Coalfire, and I spent seven years doing mostly FedRAMP stuff.
[00:01:47] Um
[00:01:48] While I was there I did a lot of FedRAMP advisory,
[00:01:51] so I would work with clients from the moment they decided they needed to do FedRAMP until, you know, sometimes I would actually
[00:01:57] help walk them through
[00:01:59] the debrief with the FedRAMP PMO, etc. So I'm good at, you know,
[00:02:05] telling folks what they need to do to become FedRAMP compliant and
[00:02:10] interpreting all the controls that are associated with that framework, which are,
[00:02:14] you know, I always say you kind of need a lawyer
[00:02:17] if you're going to go into the FedRAMP space, because there's just so many little things to understand.
[00:02:21] Well, and one of the things that I didn't really understand, and if you could maybe kind of clarify, is that just not anyone can get FedRAMP.
[00:02:28] Like, there's some requirements before you get to do that. And it's not CMMC; they're very different in a lot of ways.
[00:02:35] Yeah, and there's two paths. So,
[00:02:38] you know, it's true that not everyone can get a FedRAMP JAB accreditation, because for that you need to submit an application,
[00:02:45] and they kind of prioritize it by how many clients you're serving.
[00:02:48] So if you're brand new to the space, there's almost zero chance
[00:02:51] that you're going to be able to get a FedRAMP JAB accreditation.
[00:02:55] That's the most stringent, the least risk tolerant.
[00:03:00] You have to basically be perfect to do the JAB.
[00:03:03] And then there's an agency ATO, which is a little bit more flexible,
[00:03:06] and as long as you've got a partner that you can work with who is willing to sponsor your accreditation,
[00:03:12] that becomes a little bit easier.
[00:03:14] The partner has to be a government organization, right?
[00:03:17] An agency, and not all of them opt to sponsor, you know, FedRAMP. So
[00:03:22] that's the thing, you know, it's a bigger thing now,
[00:03:25] it seems, sponsor shopping, when people have a product and they know they're not going to be able to do the JAB
[00:03:29] route because they don't have any federal customers,
[00:03:32] and they need to
[00:03:34] find a sponsor, and people are like, well, I don't really need your products, so why would I, you know,
[00:03:38] why would I be your sponsor?
[00:03:40] But I think for FedRAMP equivalency, which is the recent term that came out, you know,
[00:03:45] that is not going to be as big of an issue. That's when you want to get the full FedRAMP accreditation,
[00:03:50] that's when you have to find a sponsor or go the JAB route.
[00:03:54] Yeah, and so,
[00:03:56] correct me if I'm wrong, FedRAMP was started
[00:03:59] because of the fact that a lot of these federal organizations wanted to use cloud-based solutions, right, and they
[00:04:07] didn't have a means to do it that was authorized by the government, and
[00:04:12] Right. I think the core concept behind cloud is that it's one size fits all.
[00:04:18] And before, the government used to have an individual contract to provide,
[00:04:22] you know, to develop a system or to use the services, where you can dictate all of the controls
[00:04:27] that you wanted them to do to meet the federal requirements, and
[00:04:30] that's not what happens when you sign up for, you know, 365.
[00:04:34] You don't have a special custom contract where the government can push its requirements down.
[00:04:38] So they kind of created this to help
[00:04:41] the federal government understand that, yes,
[00:04:44] they do understand the controls and they are meeting them, and they've been independently evaluated as having met them
[00:04:49] sufficiently, you know. So that's kind of how it started.
[00:04:52] So we've kind of established, you know, FedRAMP is this cloud-based
[00:04:57] accredited process, typically, right, that is helping
[00:05:02] organizations say okay
[00:05:04] now I can work with the government and do those types of things, and I've been accredited to do that.
[00:05:09] Now
[00:05:10] we've got CMMC. Like, how do the two connect together?
[00:05:14] And how did they sort of evolve? How's that connectivity between those two?
[00:05:20] Well, I think they're similar in that they are both frameworks that are applied to people who aren't,
[00:05:25] you know, under federal control. So the 800-53
[00:05:29] control framework that FedRAMP is based on, the feds have been, you know,
[00:05:34] complying and configuring their systems to comply with that framework forever,
[00:05:39] and they have their own internal process to do that.
[00:05:41] So both of them are similar in that they are now trying to force federal regulations onto somebody who doesn't have that
[00:05:47] direct relationship of being a fed.
[00:05:49] So it's confusing. I think they're similar, and they're confusing for anyone who's trying to implement.
[00:05:55] But there's been some recent additional attention on FedRAMP due to the equivalency memo that came out from the DoD,
[00:06:03] which is basically saying that
[00:06:07] they do expect FedRAMP equivalency for any cloud service providers. Now,
[00:06:11] this isn't new, but the memo has kind of,
[00:06:15] you know, the requirement to use a FedRAMP equivalent cloud provider for CUI has been in place since, I think,
[00:06:22] 2016 or something, but then the recent memo has indicated that you must,
[00:06:27] you know, to status, but there was nothing to tell you what did that look like, you know, what?
[00:06:32] You know, obviously if you have an accreditation you're equivalent,
[00:06:34] but what does equivalency look like otherwise? So they put out a memo that is causing quite a bit of consternation,
[00:06:39] I guess, in that
[00:06:41] they are, you know, the DoD has announced that they would like to have an independent
[00:06:47] 3PAO. So like in CMMC you have C3PAOs, FedRAMP has 3PAOs, independent assessors.
[00:06:53] They're asking that you use a FedRAMP 3PAO to conduct an assessment on your system,
[00:06:58] and you are not considered FedRAMP equivalent until you have no findings, and that's the controversial part,
[00:07:04] because that is not the way any of this works in FedRAMP. You know, I've never had any client ever test perfectly.
[00:07:11] So it's a super high bar, and I don't know that that's, you know,
[00:07:16] A, it's super expensive; the cost differential is at least three times somewhere to do it,
[00:07:21] you know, at CMM... sorry, for FedRAMP versus CMMC assessments, and
[00:07:26] to not have the ability to,
[00:07:29] you know, fix a few things
[00:07:31] and keep, you know, keep a POA&M, a plan of action and milestones, where you have things that you fix,
[00:07:37] is not really sustainable. So that's why it's caused a lot of
[00:07:41] concern in the industry. So just to kind of take it a little bit more back to the basics with CMMC,
[00:07:48] the DFARS requirement refers to FedRAMP equivalency,
[00:07:52] and a lot of people were trying to
[00:07:55] still participate in the ecosystem by saying our cloud solution is FedRAMP equivalent,
[00:08:01] and because there wasn't a very good definition of what equivalent to FedRAMP
[00:08:07] So I guess to make it a little bit easier, a term like FedRAMP
[00:08:12] You know
[00:08:13] Right
[00:08:15] The memo came out a few,
[00:08:18] maybe a month or so ago. Is that right, something like that, from the time of this recording?
[00:08:23] I think it was published early January. Yeah, so, and it basically said
[00:08:28] the bar for equivalent is almost perfection, really, and it pretty much just
[00:08:33] took anybody that was trying to hide underneath that umbrella off the table,
[00:08:38] because nobody in their right mind would try to pursue that.
[00:08:41] Yeah, I mean, it's a little bit of a contradiction in terms, because
[00:08:46] risk management, ongoing risk management, is part of FedRAMP, you know.
[00:08:50] So you were required to scan for vulnerabilities monthly and track anything that,
[00:08:55] you know, you have. You can fix it; it can take you,
[00:08:58] you know, several months to fix some of the lower impact.
[00:09:01] You're allowed to, you know, take a while to fix lower impact vulnerabilities, and those are tracked as POA&Ms, you know.
[00:09:06] And so to say that you can't have any
[00:09:09] is basically saying you have to stop doing this,
[00:09:13] which is causing a lot of confusion.
[00:09:15] Right. Yeah
[00:09:17] Yeah
[00:09:17] And that's really frustrating.
[00:09:19] So you can kind of see how all of a sudden now CMMC and FedRAMP are getting that connection, because
[00:09:26] if you want to do stuff in the CMMC ecosystem, you're following the 800-171 and 171A
[00:09:33] processes and you're using tools.
[00:09:36] When you start to do those types of things that are cloud based,
[00:09:40] that's when people start talking about, well, you might have to use FedRAMP stuff.
[00:09:45] Can you kind of talk about that connectivity and why so many people have to utilize FedRAMP
[00:09:51] in their CMMC journey, and maybe also talk about some
[00:09:55] things they should perhaps know when they're doing that?
[00:09:59] Right.
[00:10:00] So the first is, and I don't even know how
[00:10:05] this is going to resolve,
[00:10:07] but they've kind of, with the recent rulemaking and the DoD equivalency memo, they've kind of
[00:10:13] taken off the table their prior
[00:10:17] acceptance of anything with a FedRAMP
[00:10:20] accreditation as being okay. So they've kind of rolled that back a little bit, and everything is really, you know,
[00:10:26] not locked in stone, and interpret...
[00:10:28] you know, everyone's interpreting all of this differently,
[00:10:30] but they've kind of taken FedRAMP equivalency off the table with the recent updates and
[00:10:37] have simultaneously published the requirement for FedRAMP equivalency to be perfect. So
[00:10:42] with respect to using FedRAMP products, I still do recommend it.
[00:10:47] I mean, it's hard to, you know, the rest of the federal government is using
[00:10:50] Yeah, that's the industrial base camp.
[00:10:53] So if you have a need that you need to, and you're attempting to get accredited,
[00:10:58] I would still go ahead and use FedRAMP accredited products to the extent possible.
[00:11:03] And then, you know, we talked a little bit earlier about how does a managed service provider who doesn't necessarily even have a
[00:11:09] prime contract with the government, and is, you know, how can they even get FedRAMP accredited
[00:11:17] without
[00:11:19] any business based in the federal government,
[00:11:22] because a lot of these are through second or third party,
[00:11:25] prime-subcontractor relationships. So,
[00:11:28] so,
[00:11:29] you know, I think use FedRAMP accredited products to the extent that you can, but I also have some significant concerns about that, in that
[00:11:36] the defense industrial base tends to do a lot of manufacturing, and some of the software as a service used for that
[00:11:42] is not heavily represented in the FedRAMP portfolio. You know, there aren't solutions that you can use that are FedRAMPed for a lot of this stuff.
[00:11:49] So
[00:11:50] right now what they are,
[00:11:52] what the process is now, is for these organizations who have a cloud service product
[00:11:57] to hire a FedRAMP accredited third party assessment organization and to conduct an assessment, and for it to,
[00:12:05] you know, I guess for it to be presented when they are perfect.
[00:12:08] They are in that,
[00:12:09] you know, brief period of time where they have no problems, and at that point then the DoD will accept the equivalency.
[00:12:16] But absent that, you know, I think if you are in this boat and you aren't certain what to do, I think that,
[00:12:24] you know, especially if you're a managed service provider, you're not cloud, your focus should be on
[00:12:28] attaining compliance with whatever CMMC level you are seeking to
[00:12:33] comply with. But for FedRAMP,
[00:12:37] you know, I think the objective, if you are attempting to get FedRAMP equivalent,
[00:12:42] your number one thing would probably be to get a gap analysis from somebody who understands the framework.
[00:12:48] They're super different. It's really hard for anyone in the commercial space to understand all the FedRAMP requirements up front.
[00:12:55] So if you're in the boat of, you know, you're being told by your clients that,
[00:12:59] you know, you need to become FedRAMP equivalent,
[00:13:02] I think the first thing that you're going to need to do is understand what that means and what are some
[00:13:07] significant roadblocks that you might have in attaining that, because there are a lot.
[00:13:11] Yeah
[00:13:12] And I think part of the challenge is going to be that,
[00:13:16] as a managed service provider like me,
[00:13:18] um,
[00:13:20] I'm going to have
[00:13:21] a real time trying to find tools
[00:13:25] that are going to work for what we're trying to do for CMMC, because of those
[00:13:31] requirements
[00:13:34] that they've taken equivalency off the table, and that it's either in the FedRAMP ecosystem, if it's a cloud-based tool,
[00:13:41] or it is,
[00:13:44] you know, not collecting CUI at all, and you have to go through validating that process.
[00:13:50] And it's just really difficult,
[00:13:54] because, I mean, I'm not sure how long FedRAMP's been out now. I don't know off the top of my head, but it's been,
[00:14:01] you know, I don't think the assessments started rolling for maybe even before then.
[00:14:06] But it's, you know, that marketplace is not
[00:14:09] voluminous by any stretch. I mean, it doesn't have a ton of providers.
[00:14:13] I mean, I think the unfortunate thing is that, you know, I worked at Coalfire and we really did a lot of
[00:14:19] FedRAMP assessments, but there are only a few big players in that space, and
[00:14:24] they aren't, you know,
[00:14:26] Fortune 500 companies with an incredible bench strength. So I don't think
[00:14:31] it's going to be easy to find even a practitioner to help you for some of this stuff.
[00:14:35] Right. Yeah, right now. So as a managed service provider, you know,
[00:14:39] that's where you're going to start seeing a lot more people just trying to keep stuff in-house, or working with
[00:14:44] organizations that have been
[00:14:46] Level 2 accredited themselves, if they're not going to be containing the CUI,
[00:14:50] if they're going to be just perhaps grabbing data that might be security protection data or stuff like that, that would be
[00:14:57] that. But what are some other ways that
[00:15:02] organizations are going to have to be mindful of FedRAMP in their CMMC journey?
[00:15:08] What are, other than
[00:15:10] tool data going that way, is there other things they need to be
[00:15:14] mindful of or know about in relation to FedRAMP?
[00:15:17] Yeah, I think one of the first, well,
[00:15:19] there's two things. If you are new to FedRAMP and you are attempting to get
[00:15:24] FedRAMP accredited or equivalent in this situation,
[00:15:27] I think one of the first important distinctions, if you are software as a service, is to understand that FedRAMP accreditation
[00:15:34] is not focusing on your software as a service app. It is focusing on the underlying infrastructure.
[00:15:40] so
[00:15:41] That kind of ties into my second point. Most of the federal, or most of the organizations that have currently gotten
[00:15:46] a FedRAMP accreditation have carved out a very small
[00:15:50] FedRAMP boundary that is distinct from the rest of their corporate environment. You do see that sometimes in CMMC, but
[00:15:56] um,
[00:15:58] you will typically see a very tiny footprint for it, you know, with respect to users and programs.
[00:16:04] It's really stripped down to what you absolutely need for the environment.
[00:16:07] So I think one of the key distinctions: a lot of people will come in with their software as a service and they get upset that we're testing
[00:16:15] um,
[00:16:16] stuff on a Windows host or a Linux server, because they think we should be testing it on the software as a service.
[00:16:23] But no, we have to, you know, it's defense in depth. We have to
[00:16:26] test everything at every level of the system, unfortunately. So the first is to understand that,
[00:16:32] you know, the underlying infrastructure matters.
[00:16:35] And then I think the second thing is to understand, a lot of folks,
[00:16:39] there's a term in FedRAMP called a low impact software as a service, where,
[00:16:44] if you have an accredited cloud service provider that a SaaS application is sitting on top of, for example,
[00:16:51] they don't have to go through the full gamut of the testing, because
[00:16:55] most of the controls are provided by the platform that they're sitting on. And there's another common misconception that
[00:17:01] you can go in as a low impact SaaS if, for example, you're sitting on AWS or you're sitting on Azure,
[00:17:07] which is not the case,
[00:17:10] because you don't have an accreditation for your infrastructure. That's right. So those are the two,
[00:17:17] two significant misconceptions, I think.
[00:17:19] But aside from that,
[00:17:24] the problems with FedRAMP, I will say, especially with the FIPS
[00:17:27] validation, is if you have an existing commercial service offering, FIPS is probably going to break a lot of stuff.
[00:17:32] So some folks,
[00:17:35] so folks who,
[00:17:37] some folks will actually stand up a fully separate environment, because to establish FIPS for their existing commercial
[00:17:43] base may break things for their customers. So those are some
[00:17:47] critical stumbling blocks out of the gate.
[00:17:50] So let's talk about maybe some commonalities between CMMC and FedRAMP, more specifically about its evolution,
[00:17:59] of where its origins sort of came from, from the tome that we know as 800-53, right?
[00:18:04] So this massive
[00:18:06] uh,
[00:18:08] tool chest of controls that is very, very large. I'm not even sure how many controls are in that sucker.
[00:18:18] Okay, well, I know Jacob Horne had joked about sometimes he would actually print it as a prize for some people,
[00:18:27] and that's just, I couldn't imagine getting, like, where would you even store that? But the
[00:18:32] CMMC and the 800-
[00:18:36] 171 and 171A
[00:18:38] NIST standard and FedRAMP, those all have
[00:18:42] some common
[00:18:44] ancestry. Can you talk a little bit about that?
[00:18:47] And I think actually Jacob did a good post about this recently, but, you know, the 800-171 is supposed to be a,
[00:18:57] you know, a
[00:18:59] distillation of the key core requirements from 800-53.
[00:19:03] And I think the most distinct difference that you have is it's a lot easier to assess with the 800-171 than it is with the
[00:19:10] 800-53,
[00:19:11] because, especially for FedRAMP, because
[00:19:15] when you are testing for FedRAMP you need to care about all the different platforms, all the different component types, and
[00:19:21] um,
[00:19:22] for CMMC you don't necessarily. At the evolution of it,
[00:19:27] you know, the 800-171 came out about the same time as the DFARS clauses did, and
[00:19:33] it's, you know, it's basically CMMC Lite, or, I'm sorry, FedRAMP Lite.
[00:19:39] It's just a distillation of those requirements, but
[00:19:43] for the most part the core concepts related to what you need to do to manage your users, what you need to do to manage changes,
[00:19:50] what you need to do to ensure that your system is hardened and functioning as intended,
[00:19:55] all of that is kind of preserved, but some of the more nitpicky ones are taken out, and you don't have to test quite as
[00:20:01] rigorously, I guess, for
[00:20:04] 800, you know, for CMMC, as you do for FedRAMP.
[00:20:08] Well, and one of the things I think is also important for people to realize, if you're newer into the CMMC ecosystem:
[00:20:14] while there aren't
[00:20:16] Level 2 certifications happening technically right now for CMMC,
[00:20:20] uh,
[00:20:21] the 800-53 and those controls have been tested and validated in certification processes for FedRAMP for years now, and have been going on,
[00:20:30] and those controls, like you said, were distilled down into a smaller subset. So
[00:20:36] um,
[00:20:37] there are a lot of people around, if you know the right people, like yourself, Karen,
[00:20:42] who have been testing and running these for a lot of years, and they understand the spirit of what those controls are really trying to accomplish.
[00:20:48] So tapping into that knowledge as you're trying to do your CMMC journey could be very helpful for you, right?
[00:20:55] I think so. It's
[00:20:58] good and bad if you have familiarity with the 800-53, in that you're used to
[00:21:03] expecting to see certain things. So when I do my interviews,
[00:21:05] I'll start to ask all the questions, because I understand what my objectives were to assess for 800-53,
[00:21:11] but in CMMC I'm like, okay, never mind, I don't,
[00:21:15] it's just for that, I went a little too far. And I think that
[00:21:20] one of the things I'm seeing with CMMC from folks who don't really
[00:21:24] have that background is that,
[00:21:27] like, I understand exactly where every single requirement comes in, you know,
[00:21:31] where you need data loss protection, where you need certain things, because in FedRAMP there's, you know, there's FedRAMP Moderate,
[00:21:36] there's FedRAMP High, there's FedRAMP
[00:21:39] Impact Level 4, 5 and 6, you know,
[00:21:42] so new requirements get added for all of those, and
[00:21:45] I think it's pretty common
[00:21:47] in CMMC for someone to think that a requirement is in scope for CMMC, and I'm like, not until your IL5,
[00:21:54] you know, FedRAMP IL5, does that actually come into play.
[00:21:57] So,
[00:21:59] but,
[00:22:00] you know, overall the 800-53 is the foundation for 800-171, so if you have a good understanding of those
[00:22:06] controls, it's going to be pretty easy to, you know, translate it to 800-171,
[00:22:12] and the reverse may not be as true.
[00:22:14] Yeah, I,
[00:22:15] when I was kind of starting my journey and I was looking,
[00:22:18] I'm like, man, where's this coming from? And then I started digging into
[00:22:22] 800-53 and started looking at some of those and started listening to people talk about it.
[00:22:25] Then I started understanding a little bit more about what they were trying to do, and they distilled it,
[00:22:29] and it's not necessarily very clear.
[00:22:31] And reading 800-53,
[00:22:33] it does not read just like 171 and 171A, because of the way that they
[00:22:40] conjugated stuff together and compressed it down. They're changing that in the newer rev versions of NIST 800-171,
[00:22:49] right, but
[00:22:50] they look different, and so as I first started,
[00:22:54] you know, experiencing CMMC through 800-171, that standard that it's based off of,
[00:22:59] when I went to look at 800-53 I was like, what the heck is this? This is very different from
[00:23:03] what I was used to, and it really threw me for a loop. And I think if you're just really patient and you keep
[00:23:10] trying to listen to others that have a lot more experience with 800-53, you start reading it, once you start
[00:23:17] getting in there, the Rosetta Stone starts to unlock and you start getting a better understanding of it.
[00:23:21] But it's not very clear right off the release. It wasn't for me as I was going through doing that.
[00:23:25] It's not for anyone, and I feel like sometimes it's harder for me because I started, you know,
[00:23:31] 800-53 came out in 2005, I think, or 2006,
[00:23:37] so I'm pretty used to it, but it is designed to be accommodating of multiple different technologies.
[00:23:42] So
[00:23:43] you can read a control over and over again, and it doesn't make any sense until you realize it,
[00:23:47] perhaps it's intended for a component that does
[00:23:50] transmissions versus, you know, an operating system, and it's really hard to kind of track that.
[00:23:56] um,
[00:23:57] I will say if you're in that boat and you're like, what are you talking about, for a
[00:24:01] specific control, if you go into the 800-53 there is
[00:24:05] usually some supplemental guidance that might talk through a few different scenarios that could help.
[00:24:10] But it's, yeah, it's different and it's designed to be
[00:24:14] very,
[00:24:16] you know, very agnostic. You know, they don't use terms like DNSSEC,
[00:24:22] but they describe the capability in there.
[00:24:25] So
[00:24:26] that's tough for folks who are like, what are you talking about?
[00:24:31] Yeah, so in those situations with FedRAMP and the commonalities,
[00:24:37] with that commonality mainly kind of coming right from 800-53, which is the source material, if you will,
[00:24:45] that things were based off of,
[00:24:48] um,
[00:24:50] I just feel that the evolution for CMMC is going to be really challenging
[00:24:56] as they are trying to really kind of
[00:25:00] guide that path, because you have a new revision
[00:25:03] of the 800-171 coming out, the new revision of 800-53 that's sort of coming out,
[00:25:08] and then the rulemaking with some other things like security protection data we hadn't quite heard about.
[00:25:14] It's like, you know, people in this are just like, whoa, you know, what's sort of going on?
[00:25:19] It really makes your head spin.
[00:25:21] It does, it does, and
[00:25:24] um,
[00:25:25] you know, I think
[00:25:27] I think that the intent for the 800-171
[00:25:32] and for FedRAMP both were to kind of simplify things, and that is just not always the case.
[00:25:36] You know, 800-53 was designed because previously NIST would put out all these different publications,
[00:25:42] here's a publication on incident response or configuration management, and
[00:25:47] before 800-53 we had to just kind of go through and figure out if they were compliant otherwise.
[00:25:52] So, you know, 800-53 was nice, and it gave us a thing
[00:25:56] to go through, basically, that would hit all of the requirements.
[00:26:00] And, you know, CMMC is kind of like that, but overall I think
[00:26:05] it's just confusing to have to look at this and think about it from the context of your information system,
[00:26:11] you know, of your boundary. All of the terms that they're going to use in these
[00:26:15] frameworks, such as a boundary, are just completely alien to anybody who hasn't been in the space.
[00:26:20] So it's just, unfortunately, it's a learning curve.
[00:26:24] so for someone that is kind of
[00:26:27] Maybe trying to wrestle the the beast of cmc to the ground
[00:26:32] and
[00:26:33] What are some some good source material or things that you would see that they should to think about
[00:26:39] About fed ramp that they should
[00:26:41] They should know or go read this book or go look at this article or go listen to this individual or individuals
[00:26:47] But to help them kind of level up as quickly as possible in context to how that might relate to cmc so that they're not
[00:26:53] I mean, you don't want to become a doctor just so you can take a cold medicine
[00:26:57] Right, you don't want to have to go through that whole learning process to do all that
[00:27:01] So what can you like maybe have some distilled knowledge that they should go check out just so they can kind of become more
[00:27:08] Understanding of what fed ramp is and how it relates to cmc
[00:27:11] So I think, you know, the free route is that CMMC's, or sorry, FedRAMP has some training and some materials that are on their website
[00:27:18] That are of great interest. I think, you know, there's specific requirements on what you need to do for vulnerability scanning, continuous monitoring
[00:27:25] What your 3PAO will do as they conduct penetration testing, which is required under this framework
[00:27:32] And they also have templates, and I think the first thing that anyone who's looking at this probably should download is the
[00:27:39] FedRAMP Moderate SSP template and any of the associated parameters, because in there
[00:27:44] It'll break out all of the things that you need to address in your SSP
[00:27:49] Each of
[00:27:51] I think this is true for both CMMC and FedRAMP, in that there are the
[00:27:55] requirements in
[00:27:57] 171 and 800-53, and then there's two additional publications, the 800-171A and the 800-53A
[00:28:04] And that's where you see the tests that your auditor will do
[00:28:07] And so what is happening for both is that if you just address the control requirement
[00:28:12] You may not even talk about some of the tests that are going to be done by your assessor
[00:28:16] So your first starting point for FedRAMP would be to go look at that SSP template and look at what you have to
[00:28:23] You know, you have to describe the controls in place, and this will tell you exactly what they are
[00:28:28] So I think that's the first thing
[00:28:31] If you have, if you're serious about this initiative
[00:28:34] I strongly suggest, if you are, you know, if you're going into FedRAMP equivalency or FedRAMP
[00:28:39] Accreditation itself, your first step would be to do some sort of a gap analysis with an experienced provider
[00:28:44] Who can tell you exactly what's working
[00:28:46] What's not going to work, how you can architect your boundary to minimize the footprint and the impact on your corporate environment
[00:28:53] So that would be another thing to do, but then I'm going to put out actually a list of
[00:28:58] podcast or a YouTube series on
[00:29:01] NIST 800-53 control interpretations, which I'm hoping will help anyone who is trying to go into the FedRAMP space
[00:29:07] Who's trying to, you know, be an assessor, or is trying to prepare, as well as trying to understand the meaning of the controls
[00:29:14] Because they do tend to be confusing
[00:29:16] So that was more from the perspective of them becoming
[00:29:19] For the FedRAMP journey, but what if they were just staying in CMMC and they just want to understand how FedRAMP relates?
[00:29:26] Is there, so how it will lay? Yeah, like is there some knowledge that they could
[00:29:31] Some places they could look to just try to understand how they connect together, right?
[00:29:36] And where they need to know that
[00:29:38] Initially they had published a roadmap between the two that somehow went away. I don't remember where
[00:29:45] I don't, and I also don't remember if that was the CMMC framework, but
[00:29:49] There isn't, there's definitely a relationship between all of the 800-171 controls and all of the FedRAMP controls
[00:29:56] So you need to just basically
[00:29:58] Look at it in detail
[00:29:59] You know, find the control it maps to and go look at the 800-53 to get a full understanding as to what they want
[00:30:05] You to do. Keep in mind, though, that you don't need to do all
[00:30:09] You just kind of, you know, it can sometimes help you clarify what the objective is. What are you trying to, you know?
[00:30:13] What's the concern here? What's the risk?
[00:30:17] I, that's a great point
[00:30:18] I think if you can start getting a little more comfortable
[00:30:21] My level of comfort with CMMC increased dramatically as I started getting better at looking at
[00:30:27] 800-53 and then referring back, and then going back and forth, and it took me
[00:30:31] Months in getting used to it. I'm a little slower, I guess, than some, but
[00:30:34] I
[00:30:35] Everyone, yeah, I was just, you know, going back and forth and reading it, and luckily I had, you know, individuals like yourself and people to talk with
[00:30:42] That's trying to ask some questions, and it helped me out tremendously
[00:30:45] But you have to be vulnerable. You've got to be able to ask questions and say, hey, I'm adrift in this spot
[00:30:50] Yeah
[00:30:51] And I would be lying if I felt like I really understood everything
[00:30:54] I don't, I'm still going through this process of learning, and you really do have to
[00:30:58] I think, especially with FedRAMP, is that, you know, in the 800-53, is that
[00:31:04] There's not only all those controls, but there's the application for all the different technologies. So it's like a never-ending
[00:31:10] Knowledge, you know, nobody's perfect at FedRAMP
[00:31:15] So, you know, I wouldn't feel bad if it seems tough as you're going through it, because there's
[00:31:20] Literally some of the best people in the world right now may disagree on some control interpretations
[00:31:24] I would tell
[00:31:27] I'd like to close with this
[00:31:29] Well, not really close, but the last topic, I guess, specifically to talk about, which is really important
[00:31:34] And I think a part of the reason why, another area of connectivity between CMMC and FedRAMP, is
[00:31:40] There's a good chance in your CMMC journey you're gonna have to leverage some solution, like for us, for example
[00:31:47] We're in GCC High, for us
[00:31:49] You may be using another cloud provider
[00:31:52] There's a lot of wisdom in
[00:31:55] Referencing the FedRAMP
[00:31:58] Accreditation that the organization that you're utilizing has. Now, you can't, you touched on this beautifully, that just because you're in
[00:32:06] Just because I'm in GCC High does not mean I'm FedRAMP all of a sudden
[00:32:09] I have to
[00:32:11] I can only inherit a little bit
[00:32:13] But can you talk a little bit about how that inheritance works in your CMMC journey?
[00:32:17] And what would be the appropriate way to reference that in your security plan?
[00:32:22] So that it can be appropriately ingested in your CMMC assessment
[00:32:26] Sure, and this is also a little bit of a hot topic. So
[00:32:30] And I'm saying this as someone who worked at a, you know, a FedRAMP 3PAO
[00:32:36] It is hard to get the answers as to whose responsibility everything is
[00:32:42] There are some organizations like Azure that will put out a blueprint that says, you get, you know
[00:32:46] If you, you can enter what services you are using and it'll tell you what
[00:32:51] You know, what you can inherit from them. That is not the case for most of them
[00:32:56] So unfortunately it's hard to get an understanding as to what you can inherit from another cloud service provider
[00:33:01] There's a means that you can use if you go on to
[00:33:05] The OMB MAX site, you can request a package, but it has to be authorized
[00:33:10] But overall it is hard to get those answers, because, like, I literally may have tested on a system
[00:33:16] You know, four months ago, but I don't have the means anymore to access the package where those answers are, because they're kept under lock and key
[00:33:23] And the current problem, I think, is that that answer, the control
[00:33:27] control implementation summary that lists the customer responsibility
[00:33:32] Is part of the FedRAMP package, which is only to be distributed to people who are in the federal government
[00:33:37] Unfortunately, so it's harder to get it if you are out in
[00:33:41] You know, in the commercial space
[00:33:43] You may ask for it. They may provide it, but they may not. So it's tough, and I think
[00:33:49] It's, the CMMC is not going to solve this problem. It's been a problem forever
[00:33:54] To understand what those cloud inheritances are
[00:33:57] I think FedRAMP really needs to change and make that information public
[00:34:01] But the, you know, I don't, the reason I don't think that will happen
[00:34:05] Is that a FedRAMP system security plan, for every single write-up about how a control is implemented, will include something that says customer
[00:34:12] responsibility. So for every single control that's in there and every single sub part
[00:34:17] The FedRAMP system security plan will explain that inheritance, and that is super sensitive data that you can't just distribute
[00:34:24] Outside, you know, to anyone who wants to, thinking about getting a CMMC accreditation
[00:34:29] They don't need Microsoft's system security plan sitting on their network
[00:34:34] So how would they, uh, let's say that you were using
[00:34:39] uh, a
[00:34:41] A FedRAMP
[00:34:42] product
[00:34:44] That's approved, that has gone through
[00:34:46] And you wanted to utilize that in your system and you wanted to reference it in your system security plan
[00:34:52] And maybe you're not able to get, uh, their SSP to the level, like how would you
[00:34:59] As, like, say I'm doing that, like what advice would you give me on how I could reference that
[00:35:05] in the
[00:35:07] In my security plan
[00:35:09] So in the security plan, I think it comes down to understanding what you do and don't configure
[00:35:13] You know, a lot of times you're going to need to go to the vendor documentation
[00:35:16] But let's say you're using a SaaS application that has FedRAMP accreditation and you're not, you know
[00:35:22] You don't know who is providing the encryption
[00:35:25] You know, do I have to configure the specifics for encryption, or is that provided as part of the solution?
[00:35:30] So if you are the one doing the
[00:35:34] You know, doing the implementation, trying to get FedRAMP equivalent
[00:35:38] Uh, you need to understand what you do and don't configure
[00:35:40] You know, so it involves a lot of heavy lifting with your admins who are setting it up
[00:35:45] And a lot of evaluation. You know, if you have
[00:35:48] Some sort of SaaS product and you're uploading data
[00:35:50] You need to understand, is the data that I'm uploading into it, does that live locally or is that over in the cloud?
[00:35:55] So it's a lot of work, and it's, you know, it's why organizations
[00:36:01] Have entire divisions dedicated to help folks figure that out, but unfortunately it's not always easy, and
[00:36:08] I guess that also helps you, that should be something you consider when you're picking
[00:36:12] Uh, you know, a cloud or SaaS based app, that you're going to go, okay, great
[00:36:16] They're FedRAMP, I can lean on them
[00:36:17] But if they're not going to give you the information
[00:36:20] To help you
[00:36:22] It's just unfortunate in that it is bundled in with such sensitive data right now, you know, but
[00:36:27] Unfortunately, like, since FedRAMP happened, this has been a perpetual
[00:36:32] Where you don't understand yet. What you will see is most of the managed service providers
[00:36:36] Who are trying to get the accreditation or something will assume that they inherit something from the cloud, and they don't necessarily
[00:36:44] so
[00:36:46] You know, I don't have a lot of advice, I'll be honest. This is something I have been struggling with because I write system security plans for federal
[00:36:52] you know, feds who are using
[00:36:54] These products, or for other organizations who are attempting to get FedRAMP accreditation who use these products
[00:37:00] It has always been a manual lift
[00:37:02] You know, almost all lanes
[00:37:04] There are some typical things that you could probably write into your
[00:37:08] System security plan that I don't think an auditor
[00:37:12] Reasonably would push back, because you could just reference the FedRAMP accreditation of the product
[00:37:17] You're utilizing, for example physical security for that vendor that you're utilizing
[00:37:22] And those types of things, I'm sure
[00:37:25] Most auditors, if you just reference the fact that you have FedRAMP and just kind of point to that, would probably be
[00:37:31] Okay with most of those things, but when you start getting into, like, say for example it's a SIEM solution that's utilizing
[00:37:39] The aggregation of data
[00:37:41] They're gonna want to, the auditor's gonna want to know more than, hey, they're FedRAMP. They're probably gonna want to know where that data is being
[00:37:47] Say, they're gonna want to know where it lives. They're gonna want to know how it got there
[00:37:50] Is it encrypted in transit? Is it encrypted with
[00:37:53] validated
[00:37:54] in transit, you know
[00:37:56] And those are the questions that, you know, quite honestly, I've made a career off of, health compliance
[00:38:03] You know, you have to actually know what the product does
[00:38:06] So if you're seeking services, you know, in this field
[00:38:10] You want to get someone who's got a lot of experience, because they may be able to just know
[00:38:14] That, you know, they're not gonna offer that for you
[00:38:17] I can't get the matrix right now, but I had access to it in the past and I know that that's not, you know
[00:38:22] That's not an option
[00:38:24] But yeah, it's tough. It's been tough, and I don't see it getting easier unless they separate that matrix out
[00:38:30] Well, it's the same, because I think vendors could probably create
[00:38:34] You know, and so, you know
[00:38:37] Attestation documents that have specific types of reference with letterheads, and I'm sure most assessors, because of the fact that they are, as you know, that they are
[00:38:45] Federal and accredited, that they're not going to really push you too hard as long as you have
[00:38:51] To them a valid understanding of what you need to know about how you're utilizing that product
[00:38:55] And that you have the appropriate documentation from those things, but I think there's
[00:39:01] You could definitely do it without having to share that sensitive information
[00:39:05] It's just really up to the vendor
[00:39:07] To provide that ease for you, but not all do
[00:39:11] I think it's always going to be a little bit of a manual process, in that
[00:39:15] Having written, I've written many of the control implementation summaries and customer responsibility parts, but
[00:39:22] You have to understand that when a cloud service provider is writing that, they're talking
[00:39:26] They're talking about their system. They're not talking about your system
[00:39:29] So if I feel like you can inherit this, they're talking about their infrastructure, and especially with CMMC
[00:39:38] Just because you can inherit something because you have it in Azure, you know, and that's legit
[00:39:43] You may also have a component in headquarters that has the same function in the boundary
[00:39:48] And you need to worry about that, you know, so it's
[00:39:51] It's been gray since inception, you know, there's just no simple answers here
[00:39:57] But I think
[00:39:59] Having someone who knows what they're talking about, working with an experienced, you know, admin who may understand exactly how the tool
[00:40:05] You're talking about works
[00:40:07] You can get there. Yeah. Yeah, that's a good point
[00:40:10] Well, Karen, thank you so much for joining us today and going through this very, uh
[00:40:16] Which might at first seem, uh
[00:40:18] relatively simple to kind of discuss, but as you start getting to, like most things in CMMC, under the hood
[00:40:24] It starts to get a lot more complicated
[00:40:27] Given the history of the connectivity with 800-53, about how all this ties a lot of the things together
[00:40:34] So I appreciate you so much for joining us
[00:40:37] Absolutely
[00:40:38] So if you guys are new to the podcast and/or haven't really had a lot of experience with, uh
[00:40:45] How, you know, where Karen's come from and her experience, she's going to be doing a YouTube channel soon
[00:40:51] So, uh, hopefully, um, when you have that, share it with us
[00:40:54] We'll circle back around on any media that we've got and try to tag that on the content so that those people can see it
[00:41:01] because I think, uh
[00:41:04] Karen, the stuff that you're going to be sharing about your knowledge of FedRAMP is going to be hugely helpful
[00:41:10] Can you just talk a little bit about, for if someone hasn't heard about it yet, what it is that you're going to be doing?
[00:41:15] Sure, so I think you and I have talked a lot about the fact that the 800-53 and in some instances the 800-171 are confusing
[00:41:22] And so my objective with, I'm launching a YouTube series called
[00:41:27] NIST Control Freak, where we go through each of the controls and evaluate
[00:41:33] What does it ask you? You know, what are they specifically looking for?
[00:41:37] How would you assess it and how would you implement it? So I think that is, um
[00:41:42] You know, the 800-53, like we said, is designed to be
[00:41:45] Technologically agnostic and it's sometimes hard to figure out, and I'm hoping to dispel some of that for the folks
[00:41:51] Who are trying to become FedRAMP accredited, because I've done this in the space
[00:41:55] And I know exactly where people fall apart with understanding the controls
[00:41:59] And so I'm going to try and hit the most confusing controls first
[00:42:02] But overall, if you have anything to do with FISMA, FedRAMP or 800-171
[00:42:07] You want an understanding of the control that the 800-171 control evolved from. I think it would be a great starting point
[00:42:13] to understand, you know, what the intention of the security requirement is
[00:42:18] Well, I think if we fast forward five or six years
[00:42:23] And we look back to today, we're like, man, those guys and gals were pioneers, like they
[00:42:28] They're basically digging mines with chisels in their teeth. You know, I mean, that's pretty much it
[00:42:34] And I am looking forward to that
[00:42:38] That what you're going to be releasing, because I wish I would have had
[00:42:42] You know, 50 or 60 videos of those for me to just go back and refer and look at, so I'm really looking forward to you having that content out
[00:42:49] It's really, really needed
[00:42:51] And thank you so much for doing that, and please
[00:42:55] Let, you know, you're always welcome on the show. We look forward to having you back
[00:42:58] And, uh, check out Karen if you're not, you know, following her on LinkedIn. Please do, she's always posting great stuff
[00:43:05] It will be well worth your while. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest
[00:43:11] CMMC news
[00:43:12] We hope you guys enjoyed today's episode, and listen out for the next one
[00:43:16] But until then, keep on climbing